Microsoft IT Increases Security and Streamlines Antimalware Management by Using Microsoft Forefront Endpoint Protection 2010Published: December 2010

Microsoft® Information Technology (Microsoft IT) deployed Microsoft Forefront™ Endpoint Protection 2010 to simplify and improve endpoint protection. Because Forefront Endpoint Protection 2010 builds on Microsoft System Center Configuration Manager 2007 R2 and R3, Microsoft IT was able to use its existing infrastructure to implement a centralized antimalware management and reporting solution that provides a holistic view of more than 100,000 clients' malware status and reduces the number of systems running outdated malware definitions. Using Forefront Endpoint Protection, Microsoft IT improved their SLA for antimalware policy deployment from more than a day to four hours.

SituationOne of the core responsibilities of Microsoft Information Technology (Microsoft IT) is to help maintain a highly secure corporate network and protect end users. The ever-increasing onslaught of viruses, Trojan horses, and other malicious software—collectively termed malware—requires that computers be properly protected with antimalware software running the most up-to-date definitions.

Microsoft IT had been using endpoint protection technology that supported scanning for malware but did not include any out-of-the-box detailed reporting capabilities. Of special concern was the inability of the earlier technology to report when a particular machine became infected by malware. Furthermore, the technology did not offer a dashboard, data collection, or the ability to drill down into infected machines to identify the nature of the malware and the extent of the infection, and then initiate remediation.

Another challenge with the previous antimalware was that antimalware policy was included with the installation package. This model required deploying the policy at the time of client installation with little opportunity for updates during the life of the client software. Interim policy changes required a laborious, manual effort on a system-by-system basis.

Microsoft IT needed a centralized antimalware management and reporting solution that could quickly alert the team whenever a client machine encountered malware and then identify whether the system was successful in quarantining or removing the malware. The solution needed to provide data collection, which is critical to enabling Microsoft IT to effectively manage and improve the security of the corporate network.

SituationMicrosoft IT had limited monitoring and reporting functionality with its existing antimalware system. Although the system could scan for malware, there was no reporting capability or configurable means to alert administrators when a specified number of machines became infected. The system also was limited in supporting policy changes. Microsoft IT needed a centralized antimalware management solution that could alert the team as soon as an infection was detected and then identify whether the system was successful in quarantining or removing the malware. The solution also needed to provide robust reporting and a more flexible means of applying policies.

SolutionUsing Microsoft Forefront Endpoint Protection 2010 as the foundation of a new antimalware monitoring and reporting solution, Microsoft IT can easily target a set of machines across many collections of systems and configure them to any number of policies at any time. And because Forefront Endpoint Protection 2010 installs on top of Microsoft System Center Configuration Manager 2007, Microsoft IT was able to deploy the new technology to its existing Configuration Manager network with minimal new hardware.

Benefits Simplified implementation of large-

scale endpoint protection with centralized administration

Faster response to infections and better knowledge of the type of malware

Improved SLA for antimalware policy deployment from more than a day to four hours

Use of existing infrastructure with minimal impact to network performance; bandwidth usage is from 50 KB to 100 KB per client

Products and Technologies Microsoft Forefront Endpoint

Protection 2010 Microsoft System Center

Configuration Manager 2007 R2, R3

From cost and ease of management perspectives, Microsoft IT wanted the solution to run on top of the current infrastructure and integrate seamlessly with existing management consoles. The new solution also needed to be able to apply multiple policies in a managed way for various collections of machines across a large environment.

Finally, the solution needed to be deployed to employees without affecting their work environment due to system performance or security issues.

SolutionAs the company’s first and best customer, Microsoft IT regularly adopts early releases of Microsoft technologies, tests them in a real-world environment, and provides critical feedback to improve products before they are generally available to the public. In order to improve its ability to manage antimalware across the network, Microsoft IT worked closely with the Microsoft Forefront Endpoint Protection 2010 product group to deploy the beta and then later the release candidate of Forefront Endpoint Protection 2010.

Why Forefront Endpoint Protection and System Center Configuration Manager?By using Forefront Endpoint Protection 2010, which is the next version of Forefront Client Security, businesses can simplify and improve endpoint protection while limiting infrastructure costs. The product builds on Microsoft System Center Configuration Manager 2007 R2 and R3, enabling Microsoft IT to use their existing client management infrastructure to deploy and maintain endpoint protection.

Microsoft IT saw Forefront Endpoint Protection 2010 as the foundation of a new antimalware monitoring and reporting solution. With Forefront Endpoint Protection, Microsoft IT administrators would be able to roll out a large-scale endpoint protection solution to all managed user desktop and portable computers. The product comes with recommended policies and deployment packaging that is ready to use, taking the guesswork out of security management. Microsoft IT was especially interested in the product’s ability to easily target a set of machines across many collections of systems and configure that set to any number of security policies at any time.

Because an important aspect of the deployment was to test the impact that Forefront Endpoint Protection 2010 had on System Center Configuration Manager, Microsoft IT planned to use its existing set of System Center Configuration Manager 2007 R2 and R3 servers. This would enable the implementation of the new technology with minimal new hardware requirements and confirm that the addition of Forefront Endpoint Protection components would not significantly degrade server performance.

Implementation Microsoft IT implemented its new antimalware monitoring and reporting solution by installing the beta and release candidate of Forefront Endpoint Protection 2010 on top of existing System Center Configuration Manager 2007 servers. As illustrated in Figure 1, the implementation involved utilizing the existing network of Configuration Manager servers across multiple continents.

Increasing Security and Streamlining Antimalware Management Using Forefront Endpoint Protection Page 2

Figure 1. Microsoft IT's implementation of Forefront Endpoint Protection

The Forefront Endpoint Protection 2010 environment was deployed in the following manner:

1. The Forefront Endpoint Protection 2010 was added to the Configuration Manager Console in the System Center Configuration Manager central site server (see Figure 2).

Figure 2. Forefront Endpoint Protection 2010 extension added to the Configuration Manager Console tree

Increasing Security and Streamlining Antimalware Management Using Forefront Endpoint Protection Page 3

2. A Forefront Endpoint Protection 2010 database that holds current systems’ health states was added to the Configuration Manager database server (running Microsoft SQL Server® 2008 SP1 Enterprise edition data management software).

3. The Forefront Endpoint Protection 2010 reporting database was provisioned on a dedicated server running SQL Server 2008 Reporting Services. This was the only new piece of hardware added for the Forefront Endpoint Protection deployment.

Note: The Forefront Endpoint Protection 2010 reporting database can reside on the Configuration Manager database server and run alongside the Configuration Manager databases, or be deployed to a dedicated server running SQL Server 2008 Reporting Services. Microsoft IT chose the latter implementation option because the Forefront Endpoint Protection 2010 reporting database can grow quickly when a large number of clients are being managed.

4. Through the use of Configuration Manager software distribution, Forefront Endpoint Protection 2010 client software was pushed to client systems via regional Configuration Manager distribution points.

5. Once the client systems were running the Forefront Endpoint Protection 2010 client, Microsoft IT security and Configuration Manager administrators used Forefront Endpoint Protection policy management capabilities to push out a standard security policy.

6. After the security policy was deployed, Microsoft IT security administrators used the server-side Forefront Endpoint Protection user interface—an extension to their Configuration Manager console—to monitor and manage antimalware across the system (see Figure 3).

Figure 3. Forefront Endpoint Protection 2010 dashboard showing system-wide antimalware status

Increasing Security and Streamlining Antimalware Management Using Forefront Endpoint Protection Page 4

ResultsMicrosoft IT used the existing System Center Configuration Manager software distribution capability on 72 existing physical and virtual servers across multiple continents to push the Forefront Endpoint Protection 2010 client software to more than 100,000 client systems. In addition, Microsoft IT added one dedicated physical server to their deployment for Forefront Endpoint Protection SQL Server 2008 Reporting Services data warehouse reporting, bringing the total number of servers to 73.

System Deployment Summary

The following list identifies the System Center Configuration Manager servers and Forefront Endpoint Protection clients involved in the deployment:

System Center Configuration Manager central site

- System Center Configuration Manager (physical server)

- SQL Server (physical server)

Corporate headquarters

- Serving 46,000 clients

- 6 software update points (virtual servers)

- 6 management points (virtual servers)

- 16 distribution points (4 physical servers, 12 virtual servers)

- System Center Configuration Manager (physical server)

- SQL Server (physical server)

Australia and Asia

- Serving 59,000 clients

- 2 software update points (virtual servers)

- 3 management points (virtual servers)

- 22 distribution points (10 physical servers, 12 virtual servers)

- 6 secondary sites with distribution role (4 physical servers, 2 virtual servers)

- System Center Configuration Manager (virtual server)

- SQL Server (physical server)

Forefront Endpoint Protection SQL Server 2008 Reporting Services data warehouse reporting server (physical server)

Performance Impact to System Center Configuration Manager

Microsoft IT successfully pushed the Forefront Endpoint Protection 2010 client software to more than 100,000 machines in a single deployment without creating significant impact to daily System Center Configuration Manager operations. By carefully monitoring bandwidth usage, Microsoft IT was able to confirm the minimal impact that Forefront Endpoint Protection had on the existing Configuration Manager infrastructure:

Average network traffic generated by Forefront Endpoint Protection 2010 during installation and ongoing daily operation was minimal—101 KB per client

Average network traffic caused by malware events generated even less traffic—approximately 49 KB per client

Increasing Security and Streamlining Antimalware Management Using Forefront Endpoint Protection Page 5

Database growth caused by the initial client deployment was minimal—51 KB per client

- Microsoft IT projects database growth of approximately 12 gigabytes (GB) across 250,000 clients

Database growth generated by malware events was minimal—an average 17 KB per client

- Microsoft IT projects database growth of approximately 4 GB across 250,000 clients

Note: This minimal database growth occurred on the existing Configuration Manager database that contains current Forefront Endpoint Protection state information. The separate Forefront Endpoint Protection data warehouse that stores all historical malware details can quickly grow much larger, but it was not part of Microsoft IT’s existing set of Configuration Manager servers.

Best PracticesIn the course of working with Forefront Endpoint Protection 2010 to design, implement, and operate the new malware monitoring solution, Microsoft IT followed these best practices:

Implementation Deploy in phases to reduce potential for negative impact to the environment. In its

rollout, Microsoft IT used three environments—user acceptance testing, pre-production, and full production—and deployed one at a time in that order, scaling up by a factor of 3 or 4 per phase.

Allow an opt-out option. During initial deployment, consider providing an opt-out option for users because security-related deployments might affect some people's working processes. These machines can be added to a security group, which then can be imported into a System Center Configuration Manager collection and excluded in the client targeting logic. When it comes time to enforce use of Forefront Endpoint Protection, a custom policy can be deployed to this machine collection that excludes the offending directories or processes.

Re-deploy the client to failed machines. A common remediation for several installation failure types is to re-deploy the client to the collection of failed machines. Microsoft IT found a significant percentage of initial failures succeeded on subsequent attempts.

Security Separate development, test, and production domains. To maximize security and

performance, allocate resources to separate domains as appropriate to support development and test activities while maintaining a security-enabled and stable production network.

Monitoring and Reporting Identify multiple sources for malware definitions. Know where you want your

definition updates to come from, such as Windows Server® Update Services, a local server, or even an Internet source. Using multiple sources will provide fallback opportunities to help keep more machines up to date.

Determine the best times for scanning. Do your employees leave machines on at night? If not, consider setting weekly scans to occur when the maximum amount of client machines are running, while reducing scanning CPU usage in order to consume minimal system resources.

Increasing Security and Streamlining Antimalware Management Using Forefront Endpoint Protection Page 6

Consider installing the reporting database on a dedicated server. When possible, Microsoft IT allocates dedicated hardware for hosting of specific functions (such as data warehousing). The addition of a separate reporting data warehouse for Forefront Endpoint Protection 2010 enables the collection of historical data for in-depth analysis and reporting. It also provides a mechanism for importing additional machine metadata from other data sources to aid in malware forensics and incident management.

BenefitsBy implementing Forefront Endpoint Protection 2010, Microsoft IT derived a number of benefits:

Simplified implementation of large-scale endpoint protection. Use of Forefront Endpoint Protection 2010 simplified Microsoft IT's effort to roll out a large-scale endpoint protection solution to all managed desktop and portable computers.

Unified protection. Forefront Endpoint Protection 2010 delivers single-agent, multithreat protection for desktop and portable computers. It includes:

- Antimalware

- Rootkit detection (a rootkit is malicious software that takes control of a computer at the administrator—or root—level, where it can hide from detection from standard antimalware scans and would require a full scan to be detected)

- Critical vulnerability assessment and automatic updates

- Integrated host firewall management

- Network vulnerability shielding

- Device lockdown

Faster response to malware infections. By using the configurable alerts capability, Microsoft IT security administrators receive email alerts when a specified number of systems become infected within a given period of time. Administrators also can set alerts on specific collections of sensitive machines, sending email whenever these machines are infected with a specific threat level of malware (low, medium, high, or severe).

Holistic view of all managed clients. With the combination of live status views in the System Center Configuration Manager Console and detailed reports that display malware trends over time—including specific malware names, infection rates, and severity—Microsoft IT administrators can more quickly and accurately gauge the overall health of the corporate environment.

Insight into the nature of malware. Forefront Endpoint Protection 2010 provides detailed forensics data about the nature of detected malware, including type, number of systems infected, and locations within clients where the infection occurs, helping Microsoft IT more effectively manage and secure the corporate environment.

Enhanced IT management with improved SLA. With Forefront Endpoint Protection 2010, Microsoft IT gained a scalable security solution that integrates seamlessly with existing management of desktop and portable computers. Thanks to the ability to target a set of machines across many collections of systems and configure that set to any number of policies at any time, the team improved its SLA for antimalware policy deployment from more than a day to four hours.

Increasing Security and Streamlining Antimalware Management Using Forefront Endpoint Protection Page 7

Note: The four-hour SLA is based on an organizational agreement; it is not a technical requirement. Microsoft IT’s SLA includes a separation of duties based on security best practices. The key driver enabling the faster SLA is the efficiency gained by using the Forefront Endpoint Protection 2010 extension in the System Center Configuration Manager console.

Use of existing infrastructure. Forefront Endpoint Protection 2010 is a cost-effective enterprise security solution for Microsoft IT, because it was deployed to the existing System Center Configuration Manager 2007 R2 and R3 environments. The implementation that Microsoft IT designed required only a single new piece of hardware dedicated to the reporting database.

ConclusionUsing Microsoft Forefront Endpoint Protection 2010, Microsoft IT created a new centralized antimalware management and reporting solution. Running on existing System Center Configuration Manager 2007 R2 and R3 servers, Microsoft IT deployed the beta and release candidate of the Forefront Endpoint Protection 2010 client software and definitions to more than 100,000 client systems across the globe, as of December 2010. Careful monitoring of the Configuration Manager servers confirmed that the installation and operation of Forefront Endpoint Protection components provided negligible impact to overall performance, averaging approximately 101 KB per client in network traffic during installation and 49 KB per client during malware events.

Before implementing the antimalware monitoring and reporting solution, Microsoft IT had no means by which it could view the entire set of managed clients across the corporate environment. Once Forefront Endpoint Protection 2010 was deployed, Microsoft IT security administrators for the first time could get a holistic view of overall system health and obtain deep forensic details about the nature of infections, specific files and folders under attack, and other key data that are critical to system health management. The ability to monitor malware status and generate reports is also a new benefit; such functionality was not available in the previous system.

Because Forefront Endpoint Protection 2010 is an extension in the familiar System Center Configuration Manager Console, Microsoft IT security administrators now are able to view summary health information for all managed clients within a single window. Response times to malware infections have improved because administrators receive email alerts as soon as certain malware conditions occur anywhere in the managed network. Microsoft IT now has much more control over its antimalware software, defining a variety of policies and applying them to various collections of systems based on type of usage and potential impact of an infection. As a result of incorporating Forefront Endpoint Protection 2010, Microsoft IT's SLA for applying policy changes has improved from more than a day to four hours.

As Forefront Endpoint Protection 2010 approaches general availability, Microsoft IT plans to update its servers and clients with the final release of the software, moving the implementation to full-scale operations by the end of fiscal year 2011. By that time, Microsoft IT estimates the number of managed clients will increase to more than 200,000. By widely deploying Forefront Endpoint Protection, Microsoft IT anticipates higher productivity due to increased efficiencies, reduced downtime from infected systems, and potential cost savings from overlaying the solution on existing infrastructure.

Increasing Security and Streamlining Antimalware Management Using Forefront Endpoint Protection Page 8

For More InformationFor more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:

http://www.microsoft.com/

http://www.microsoft.com/technet/itshowcase/

http://www.microsoft.com/fep/

http://technet.microsoft.com/en-us/systemcenter/ee942121.aspx

© 2010 Microsoft Corporation. All rights reserved.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Forefront, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Increasing Security and Streamlining Antimalware Management Using Forefront Endpoint Protection Page 9