Microsoft Forefront Client Security

Transcription

1 Microsoft Forefront Client Security Deployment Guide Prepared by Microsoft First published 13 February 2008

2 Copyright This document and/or software ( this Content ) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content. Readers are referred to for further information on the NHS CUI Programme. All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Microsoft Corporation and Crown Copyright 2008 Disclaimer At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites. The example companies, organisations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, address, logo, person, places, or events is intended or should be inferred. Page ii

3 TABLE OF CONTENTS 1 Executive Summary Introduction Value Proposition Knowledge Prerequisites Skills and Knowledge Training and Assessment Infrastructure Prerequisites Audience Assumptions Using This Document Document Structure Plan Planning the Forefront Topology Small/Medium Topology (Fewer Than 2,500 Managed Clients) Large Topology (More Than 2,500 Managed Clients) More Than 10,000 Managed Clients Unmanaged Environments Planning Definition Updates Hardware and Software Requirements Server Sizing Forefront Client Security Licensing and SQL Server Database Sizing Security Planning Security Planning Review Checklist Forefront Specific Security Configuration Planning Security Accounts Network Ports Used by Forefront Client Security Components Stabilise Areas for Testing Server Role Installation Client Policy Deployment Client Deployment Management Console Definition Updates Reporting Data Transformation Services Job Functioning Migration Testing Page iii

4 6 Deploy Installing Forefront Client Security Prerequisites Installing Group Policy Management Console with Service Pack Installing Microsoft Management Console Installing Internet Information Services 6.0 and ASP.NET Installing.NET Framework Enabling Network COM+ Access Installing and Configuring WSUS Installing and Configuring SQL Server Internet Explorer Configuration Installing Forefront Client Security Installing the Forefront Client Security Server Installing the Database Server Installing the Collection Server Installing and Configuring the Management Server Installing the Distribution Server Forefront Client Security Client Installation Installing the Forefront Client Security Client Using WSUS Installing the Forefront Client Security Client Manually Verifying the Forefront Client Security Installation Operate Daily Tasks Check General Forefront Client Security State Check Windows Event Logs Ensure Data Transformation Services Job Success Weekly Tasks Ensure Backup Job Success Run Disk Defragmentation Tools Ad Hoc Tasks Using the Forefront Client Security Best Practice Analyzer Restoring Backup into the Test Environment APPENDIX A Skills and Training Resources PART I Forefront Client Security Training and Skills Assessment Resources PART II Microsoft Operations Manager Training and Skills Assessment Resources PART III Supplemental Training Resources APPENDIX B Troubleshooting APPENDIX C Document Information PART I Terms and Abbreviations PART II References Page iv

5 1 EXECUTIVE SUMMARY This guide is the first document that makes up the guidance for Microsoft Forefront Client Security (FCS). The document covers the planning, deployment and configuration of FCS and should be read prior to the Forefront Client Security Operations Guide 1 which covers the operational tasks required to use and maintain the FCS infrastructure effectively. The aim of this guidance is to assist healthcare IT professionals in the tasks and processes required to install and configure an FCS infrastructure, which will provide anti-malware protection for the healthcare organisation. The guidance takes into consideration the varied network infrastructure that healthcare organisations need to support. The guidance also provides information on using the product on a day-to-day basis, and the actions required for responding to malware outbreaks within the healthcare organisation. This document pulls together the wealth of information available for FCS into a concise and easy-to-follow implementation guide. Links to supporting information are also provided together with training references. 1 Forefront Client Security Operations Guide {R1}: Page 1

6 2 INTRODUCTION This document is the first in a set of documents that make up the Forefront Client Security guidance. The documents that comprise the FCS guidance are: Forefront Client Security Deployment Guide (this document) Forefront Client Security Operations Guide {R1} The Forefront Client Security guidance has been created to reduce the amount of time the healthcare IT Administrator requires to implement FCS and to ensure that the product is implemented according to current best practice. 2.1 Value Proposition This guide takes the healthcare IT Administrator through the necessary steps to plan, design and deploy FCS within a healthcare organisation. Deploying FCS using this guidance will assist in ensuring the FCS infrastructure will be supported by Microsoft Product Support Services (PSS). The guidance will assist in reducing the time and resources required to deploy FCS, by providing a single reference for information relating to the tasks and decisions required to deploy FCS effectively. 2.2 Knowledge Prerequisites To implement the recommendations made throughout this document effectively, a number of knowledge-based and environmental infrastructure prerequisites should be in place. This section outlines the knowledge and skills required to use the Forefront Client Security Deployment guidance, while section 2.3 details the necessary infrastructure prerequisites. Section details the prerequisite skills and knowledge, and section details the information and suggested training resources or skill assessment Skills and Knowledge The technical knowledge and minimum skills required to use this guidance are discussed in the following sections: Forefront Client Security Overview Windows Server Update Services Overview Forefront Client Security Overview FCS provides anti-malware protection for desktops, laptops, and server operating systems and helps guard against emerging threats such as spyware and rootkits, as well as traditional threats such as viruses, worms, and Trojan horses. There are two parts to the FCS solution. The first is the security agent which is installed on desktops, laptops, and server operating systems. This client agent provides real-time protection and removal of threats such as spyware, viruses, and rootkits along with scheduled scanning for such threats. The second is the central management server, which enables healthcare IT Administrators to easily manage and update malware protection agents, and to generate reports and alerts about the security status of their environment. For a fully managed deployment of FCS, a number of Microsoft technologies are required including Microsoft Operations Manager (MOM) 2005, Microsoft SQL Server 2005 and Windows Server Update Services (WSUS). Page 2

7 Figure 1 shows how the FCS components interact with each other and Table 1 discusses the process for each stage in more detail: Figure 1: Forefront Client Security Product Overview Number Description 1. Policies are created in the Management Console, which runs on the Management server, to control the way the client is configured. These settings include the frequency at which the client scans, configuration of real-time protection, how much information is sent back to the healthcare IT Administrators as well as other client configuration settings. The Management Console creates Group Policies that are associated with Microsoft Active Directory objects such as Organisational Unit (OU) or Group, which are then delivered to clients on policy refresh. The Management Console can also export the policies as files so healthcare IT Administrators can apply them to machines manually if Active Directory cannot be used. 2. A fully managed FCS client includes a MOM agent which sends event and alert data back to the Collection server. This data includes information about the client health and any malware related incidents that have occurred, such as a virus outbreak or definition update failure. The healthcare IT Administrator can configure how much detail is returned to the Management Console. For example, a client can be configured to alert a healthcare IT Administrator if a virus is detected and quarantined or only alert the healthcare IT Administrator if the quarantine failed or if the client becomes re-infected. 3. All of the data that is returned by the MOM agent on the FCS client is stored in the Reporting database. The Management Console uses this data to provide the healthcare IT Administrator with a detailed view of the general health of the whole FCS deployment. The Management Console includes links to predefined reports that give granular detail of the status of all clients in the FCS deployment, thereby allowing the healthcare IT Administrator to drill into specific problem areas and make informed decisions on how to proceed. 4. Definition updates can be delivered to the FCS client using WSUS. WSUS 3.0 allows for automatic approvals for definition updates and the FCS deployment server component allows the WSUS server to synchronise definition updates every hour. This allows the FCS clients to always have the very latest anti-malware and security state assessment definitions from Microsoft. The client can also be configured to receive the definition updates directly from Microsoft Update (MU) if they are unable to contact the WSUS server. Table 1: Forefront Client Security Product Process Page 3

8 Windows Server Update Services Overview WSUS enables healthcare IT Administrators to deploy the latest Microsoft product updates to computers running Windows Vista, Microsoft Windows XP with Service Pack (SP) 2, Windows 2000 with SP4 and Windows Server 2003 operating systems. By using WSUS, healthcare IT Administrators can fully manage the distribution of updates that are released through Microsoft Update, to computers in their network. Definition updates for the FCS client can be delivered using an existing WSUS infrastructure with no changes to the existing architecture. WSUS can also be used to distribute and install the FCS client to servers and workstations. More information on WSUS can be found in the following documentation: Windows Server Update Services 3.0 Design Guide 2 Windows Server Update Services 3.0 Operations Guide Training and Assessment Guidelines on the basic skill sets that are required in order to make best use of this guidance are detailed in APPENDIX A. These represent the training courses and other resources available. However, all courses mentioned are optional and can be provided by a variety of certified training partners. 2.3 Infrastructure Prerequisites The following are prerequisites for implementing FCS: FCS server requirements: Windows Server 2003 SP1 or later Microsoft Windows Active Directory (for managed deployments) SQL Server 2005 SP2 (see section for edition requirements) Protected machines: Note Windows 2000 Professional SP4 Update Rollup 1 or later Windows XP SP2 or later Windows Vista x64 versions of the operating system are supported only for the FCS client. No server components can run on 64-bit versions of Windows Server Windows Server Update Services 3.0 Design Guide {R2}: 3 Windows Server Update Services 3.0 Operations Guide {R3}: Page 4

9 2.4 Audience The guidance contained in this document is targeted at a variety of roles within the healthcare IT organisations. Table 2 provides a reading guide for this document, illustrating the roles and the sections of the document that are likely to be of most interest. The structure of the sections referred to is described in section 3.1. Role IT Manager Document Usage Review of the entire document to understand the justification and drivers, and to develop an understanding of the implementation requirements Executive Summary Plan Stabilise Deploy Operate IT Architect Review the relevant areas within the document against local architecture strategy and implementation plans IT Professional/ Administrator Table 2: Document Audience Detailed review and implementation of the guidance to meet local requirements 2.5 Assumptions The guidance provided in this document assumes that healthcare organisations that want to share services and resources between sites already have suitable IP Addressing schemes in place to enable successful site-to-site communication, that is, unique IP Addressing schemes assigned to each participating healthcare organisation with no overlap. It also assumes that all necessary software licences will be purchased by the healthcare organisation prior to deployment. Page 5

10 3 USING THIS DOCUMENT This document is intended for use by healthcare organisations and healthcare IT Administrators who wish to use FCS. This document should be used to assist with the planning and implementation of FCS. 3.1 Document Structure This document contains four sections that deal with the project lifecycle, as illustrated in Figure 2: Plan Stabilise Deploy Operate Each section is based on the Microsoft IT Project Lifecycle as defined in the Microsoft Solutions Framework (MSF) Process Model, and the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more detail in Microsoft Solutions Framework Core Whitepapers 4 and MOF Executive Overview 5. The MSF Process Model and MOF describe a high-level sequence of activities for building, deploying and managing IT solutions. Rather than prescribing a specific series of procedures, they are flexible enough to accommodate a broad range of IT projects. Figure 2: MSF Process Model Phases and Document Structure 4 MSF Process Model White Paper {R4}: 5 MOF Executive Overview {R5}: Page 6

11 4 PLAN The Plan phase is where the bulk of the implementation planning is completed. During this phase the areas for further analysis are identified and a design process commences. Figure 3 acts as a high-level checklist, illustrating the sequence of events which the IT Manager and IT Architect need to determine when planning for Forefront Client Security within an healthcare organisation. Planning the Forefront Topology Small/Medium Topology (Fewer than 2,500 Managed Clients) Large Topology (More than 2,500 Managed Clients) More than 10,000 Managed Clients Unmanaged Environments Planning Definition Updates Hardware and Software Requirements Server Sizing Forefront Client Security and SQL Server Database Sizing Security Planning Security Planning Review Checklist Forefront Specific Security Configuration Planning Security Accounts Network Ports Used by Forefront Client Security Components Figure 3: Sequence for Planning Forefront Client Security Deployment 4.1 Planning the Forefront Topology This guidance provides three different strategies for deploying FCS within healthcare organisations. These strategies are: Healthcare organisations that need to manage fewer than 2,500 clients Healthcare organisations that need to manage between 2,500 and 10,000 clients Healthcare organisations that are not able to or do not want to manage any clients It is likely that most healthcare organisations will require either one or a mixture of two of these strategies. The decision regarding which strategies to employ depends on the current infrastructure within the healthcare organisation. Each of the strategies is described in more detail in the following sections. Note The small/medium and large topologies described in this document are recommended for use in healthcare organisations. Additional topologies can be utilised if required. More information on the alternative topologies can be found in the Choosing your Topology 6 section of the Forefront Client Security TechCenter 7. 6 Choosing your Topology {R6}: 7 Forefront Client Security TechCenter {R7}: Page 7

12 4.1.1 Small/Medium Topology (Fewer Than 2,500 Managed Clients) Healthcare organisations that plan to manage fewer than 2,500 clients should deploy a small/medium topology. A small/medium topology consists of two servers; one FCS server and one WSUS server. For more information on deploying WSUS in a healthcare organisation, see the Windows Server Update Services 3.0 Design Guide {R2}. Table 3 details the server roles deployed in the FCS small/medium topology. Server Name Description Distribution server FCS server The Distribution server role in FCS is a server that runs WSUS. FCS installs a service which allows the WSUS server to download definition files every hour without interrupting the normal synchronisation schedule. This means that FCS clients can receive the most up to date definition files as soon as they are released by Microsoft The FCS server hosts all components required to manage the FCS clients. If the healthcare organisation is managing fewer than 2,500 clients, SQL Server 2005 Standard or Enterprise Edition can be used. See section for more details on FCS licensing and SQL Server Table 3: Server Roles in Small/Medium Topology Figure 4 represents a small/medium FCS deployment in an healthcare organisation with two remote geographical locations. In this scenario, the clients in Remote Location 1 are part of the same trusted Active Directory forest as those in the Main Location. The clients in Remote Location 2 are workgroup clients or clients in a different forest. In this environment, FCS would be able to manage all clients in the Main Location as well as those in Remote Location 1. The clients in Remote Location 2 would be unmanaged but should be configured to use the WSUS server in the Main Location. See section for more information on unmanaged clients. Figure 4: Example Small/Medium Topology Page 8

13 4.1.2 Large Topology (More Than 2,500 Managed Clients) Healthcare organisations that plan to manage between 2,500 and 10,000 clients should deploy a large topology consisting of five servers. Four servers are dedicated to FCS and the fifth server is for WSUS. In larger healthcare organisations, an additional WSUS server may be required depending on the network configuration and other factors. For more information on deploying WSUS in a healthcare organisation, see the Windows Server Update Services 3.0 Design Guide {R2}. Table 4 details the server roles deployed in a large FCS topology. Server Name Description Distribution server Database server Collection server Reporting server The Distribution server role in FCS is a server that runs WSUS. FCS installs a service which allows the WSUS server to download definition files every hour without interrupting the normal synchronisation schedule. This means that FCS clients can receive the most up to date definition files as soon as they are released by Microsoft The Database server is the Microsoft SQL Server that hosts the Collection and Reporting databases. When deploying a large FCS topology, it is strongly recommended that Microsoft SQL Server 2005 Enterprise Edition is used. See section for more information on FCS licensing and SQL Server The Collection server is the server to which all FCS clients connect when reporting events, alerts, and so on. FCS uses an optimised version of MOM 2005 to collect this data from clients. The Collection server runs the MOM server components and handles passing rules to the clients. In addition, it receives data and passes the data to the Database server The Reporting server runs Microsoft SQL Server 2005 Reporting services. This server generates all of the FCS reports using the data contained in the FCS reporting database Management server The Management server is where the FCS Management Console is installed. The Management Console uses data from the Collection and Reporting databases to show a detailed view of the malware threat condition of all managed FCS clients. It also allows the healthcare IT Administrator to control the FCS clients using policies. These policies are created in the FCS Management Console and are deployed through Active Directory or using registry files Table 4: Server Roles in a Large Forefront Client Security Topology Page 9

14 Figure 5 represents a large FCS deployment in a healthcare organisation with two remote geographical locations. In this scenario, the clients in Remote Location 1 are part of the same trusted Active Directory forest as those in the Main Location. The clients in Remote Location 2 are workgroup clients or clients in a different forest. In this environment, FCS would be able to manage all clients in the Main Location as well as those in Remote Location 1. The clients in Remote Location 2 would be unmanaged but should be configured to use the WSUS server in the Main Location. See section for more information on unmanaged clients. Figure 5: Example Large Topology More Than 10,000 Managed Clients The maximum number of clients that can be supported in a single FCS management group is 10,000. In some cases there may be a requirement to manage more than this. Forefront Client Security Enterprise Manager (FCSEM) allows up to 10 FCS management groups to be configured in a hierarchy. This is achieved by configuring a central FCS management group using a variation of the small/medium topology, described in this document, which communicates with each of the down-level management groups, to collate data into a single console. This allows the healthcare IT Administrator to view the consolidated data from a number of management groups and schedule scans for all or any computer in the entire healthcare organisation. Specific details for deploying Enterprise Manager are available from the Client Security Enterprise Manager 8 section of the Forefront Client Security TechCenter. 8 Client Security Enterprise Manager {R8}: Page 10

15 Figure 6 represents an FCS deployment consisting of three geographic locations that contain up to 10,000 FCS clients each. Management Groups 1, 2 and 3 are large topologies, as described in section 4.1.2, that manage all FCS clients in their respective geographic locations. Location 1 also contains the FCS Enterprise Manager Console which consolidates the data from Management Groups 1, 2 and 3. Figure 6: Example Enterprise Topology Unmanaged Environments The FCS client can be deployed without any of the management components. If the FCS client is deployed in this way, none of the centralised reporting and control capabilities are available to the IT Administrator. There are two scenarios where this will be necessary within a healthcare organisation. The first scenario is where no additional hardware is available to support the management components of the FCS deployment. In this scenario, it is strongly recommended that the healthcare organisation deploys WSUS 3.0 in order to deploy definition updates. Using WSUS 3.0 will allow the IT Administrator to view reports that will show if any clients are failing to update FCS definition files. Even though there will be no ability to centrally manage the FCS clients and as such, have a view of any threats in the healthcare organisation, the use of WSUS reporting will allow the IT Administrator to respond to any situations where definition files are not being received. This ensures that the healthcare organisation always maintains an up-to-date anti-malware solution. This will significantly reduce the possibility of a malware outbreak in the organisation s environment. Page 11

16 The second scenario is where some of the clients that will be installed, are not part of the same trusted Active Directory forest as the FCS servers. This is the case for the Remote Location 2 in Figure 4 and Figure 5. The reporting component of the FCS client requires mutual authentication between the client and server. By allowing both the client and server to verify each other s identity before communicating with each other, what is known as a man-in-the-middle-attack is prevented. In this scenario, FCS should be deployed in managed mode to all clients that are part of the Active Directory forest (for example, Main Location 1 and Remote Location 1), and should be deployed in unmanaged mode to all clients that are not part of the Active Directory forest (for example, Remote Location 2 in Figure 5). Again, it is strongly recommended that the clients within the organisation s infrastructure, both those that are part of the Acive Directory forest and those which are not, are configured to receive updates from a WSUS 3.0 server. This gives the IT Administrators visibility of any client machines that are not receiving definition updates. Further information on using WSUS reports to ensure definitions are being received by unmanaged clients, is provided in the Forefront Client Security Operations Guide {R1}. If the client is going to be installed in unmanaged mode, it must be installed manually. See section for information on manually installing the FCS client Planning Definition Updates The recommended method for providing anti-malware and security state assessment definition updates to clients is by using WSUS. FCS clients can be configured to use MU if the WSUS server is unavailable. Depending on the healthcare organisation s environment, either WSUS or MU, or a combination of the two, should be used. It is also possible to use any software distribution method to deploy the full definition file to clients. Note At the time of writing, it is only possible to deploy delta definition files between.5 MB and 1 MB via WSUS or MU. If deploying the updates via an Enterprise Software Distribution (ESD) solution, the full definition files must be deployed, ~20 MB. If the healthcare organisation decides to use an ESD solution instead of WSUS, there will be a significant increase in the network traffic required for definition updates due to the difference in the size of the definition files. 4.2 Hardware and Software Requirements The hardware required for the FCS server roles must be adequately specified to cope with the performance demands of the product Server Sizing It is important to configure disk drives appropriately as FCS relies heavily upon them to store data within the SQL database. To increase the read/write performance of FCS, it is recommended that certain types of data are separated onto their own drives. These drives should be separate physical drives which are either standalone disks or configured as part of an array. An array is preferred as this can significantly improve performance and in some cases provide resilience. For more information on using Redundant Array of Independent Disk (RAID) arrays, see RAID Levels and SQL Server 9. Table 5 lists the recommended hardware configurations for each of the server roles in either a small/medium or large FCS deployment. It may not always be possible (due to hardware restrictions, budget and so on), to achieve the recommended server specification and RAID levels. For this reason, these figures should be treated as guidelines only. 9 RAID Levels and SQL Server {R9}: Page 12

17 Caution It is not recommended that any FCS server roles are installed on a Windows Server acting as a domain controller. Small/Medium Deployment (Fewer than 2,500 Managed Clients) Server Role CPU RAM Array RAID Level (Order of Preference) 9 Data Disk Space Operating System Distribution server 2 GHz 2 GB 1 (C:) 1 OS and WSUS binary files RAM + 10 GB Windows Server 2003 SP1 or later 2 (D:) 10,5,1 WSUS Content Directory 30 GB + FCS server (all other roles) Dual 2 GHz 4 GB 1 (C:) 1 OS and FCS binary files 2 (D:) 10,1,5 Reporting and Collection data files RAM + 10 GB 30 GB + Reporting (see section ) Windows Server 2003 SP1 or later 3 (E:) 1 Collection database log file 20% total size of the Collection database Reporting database log file 50% total size of the Reporting database 4 (F:) 10,1,5 tempdb 45 GB Large Deployment (Fewer than 10,000 Managed Clients) Server Role CPU RAM Array RAID Level (Order of Preference) 9 Data Disk Space Operating System Distribution server 3 GHz 2 GB 1 (C:) 1 OS and WSUS binary files RAM + 10 GB Windows Server 2003 SP1 or later 2 (D:) 10,5,1 WSUS Content Directory 30 GB + Database server Quad 2 GHz 8 GB 1 (C:) 1 OS RAM + 10 GB Windows Server 2003 Enterprise Edition SP1 or later 2 (E:) 10,1,5 Reporting and Collection data files 30 GB + Reporting (see section ) 3 (F:) 1 Collection database log file Reporting database log file 20% total size of the Collection database 50% total size of the Reporting database Collection server Reporting server Management server Dual 2 GHz Dual 2 GHz Dual 2 GHz 4 (G:) 10,1,5 tempdb 45 GB 4 GB 1 (C:) 1 OS RAM +10 GB Windows Server 1 (D:) FCS binary files 20 GB 2003 SP1 or later 2 GB 1 (C:) 1 OS RAM +10 GB Windows Server 1 (D:) SQL Reporting Services and FCS binary files 20 GB 2003 SP1 or later 2 GB 1 (C:) 1 OS RAM +10 GB Windows Server 1 (D:) FCS binary files 20 GB 2003 SP1 or later Table 5: Hardware and Software Requirements Page 13

18 Important If using more than 4 GB of RAM, Windows Server 2003 Enterprise Edition must be used to take advantage of the additional memory. Operating systems required to run the FCS client (Unmanaged (Client only)) Windows 2000 Server and Professional SP4 with Update Rollup 2 Windows Server 2003 SP1 or later Windows XP Professional SP2 or later Windows Vista Important To run the FCS client with any other antivirus software is not supported. See section for further information on migration testing Forefront Client Security Licensing and SQL Server The healthcare organisation requires software licences when deploying either the small/medium or large topologies. The following licensing options exist: Microsoft Forefront Client Security Management Console, a separately licensed copy of SQL Server 2005 Standard Edition, a SQL Server Client Access License for each managed FCS client and a Microsoft Forefront Client Security Agent licence for each managed FCS client Microsoft Forefront Client Security Management Console with SQL Server 2005 Enterprise Edition and a Microsoft Forefront Client Security Agent licence for each managed FCS client Microsoft SQL Server 2005 Enterprise Edition is required when deploying a large topology. Microsoft Forefront Client Security Management Console with SQL Server 2005 Enterprise Edition includes the licence to run SQL Server Enterprise Edition for use only with FCS Database Sizing To determine the amount of disk space that the FCS databases will require, it is necessary to estimate the number of clients that FCS will manage as well as the amount of data each client will return. As it is impossible to determine how much data will be returned by each client, it is not possible to determine the size exactly. When calculating the disk and database space requirements, it is recommended that the requirements are overstated significantly in order to avoid time-consuming changes to hardware or software configuration in the future Collection Database Table 6 shows the approximate size of each different type of data when it is stored in the FCS Collection database. Object Type Approximate Size Required in Collection Database (KB) Event 6 Alert 7 Attribute 0.5 Threat 0.5 Table 6: Average Sizes of Forefront Client Security Objects in the Collection Database Page 14

19 The way the data is stored in SQL Server varies slightly between SQL Server Standard Edition and SQL Server Enterprise Edition. Table 7 shows the approximate size of the Collection database for each Edition. The information in the table is based on each client returning 27 events and 0.3 alerts per day. Number of Managed Clients Collection Database Size for 10 Days Using SQL Standard Edition (GB) Collection Database Size for 10 Days Using SQL Enterprise Edition (GB) , , , , , Table 7: Approximate Collection Database Sizes Using the information in Table 7, the healthcare IT Administrator can estimate the size requirements for the FCS Collection database for the healthcare organisation. It is recommended that an adequate margin of error be included in the calculation, therefore allow for an additional 50 percent on top of the requirements listed. For example, if the healthcare organisation is planning to manage 3,000 clients, the Collection database should be sized to at least 7.5 GB (5 GB + 50 percent). Note The maximum supported size of the Collection database is 30 GB Reporting Database The Reporting database is where FCS stores data from clients. This allows healthcare IT Administrators to view reports of client behaviour and threat levels for up to 395 days (by default). The data is transferred every day from the Collection database using the Data Transformation Services (DTS) job and includes all client information that is older than four days. During the installation of FCS, the setup routine will determine the specification of the hardware on the Database server and configure reporting data to be retained for either 180 days or 395 days. Table 8 shows the approximate sizes of the Reporting database using either SQL Standard Edition or SQL Enterprise Edition. The information in the table is based on each client returning 27 events and 0.3 alerts per day. Number of Managed Clients Size of Reporting Database Retaining 180 Days of Data (GB) Standard Edition Enterprise Edition Size of Reporting Database Retaining 395 Days of Data (GB) Standard Edition Enterprise Edition , , , , , Table 8: Approximate Reporting Database Sizes Page 15

20 Note Data retention periods can be modified if required. For more information on modifying data retention periods, see the knowledge base article How to modify the number of days to retain data in the SystemCenterReporting database in Microsoft Operations Manager The sizes listed in Table 8 are approximate and for informational purposes only. They should however, give a good indication of the required disk space for the Reporting database based on the number of managed clients and the edition of SQL server in use. Again, when calculating the disk requirements for the Reporting database, an adequate margin for error should be included in the calculation. For example, if the healthcare organisation is planning on managing 3,000 clients with SQL Server Enterprise Edition with the data being retained for 395 days, the Reporting database should be sized at GB (163 GB + 50 percent). Note The maximum supported size of the Reporting database is 1 TB (1024 GB) tempdb The tempdb database is a SQL Server system database that is used globally by all SQL Server databases on a single server. It is used as the temporary storage location for database operations such as temporary tables, work tables, and indexes. The tempdb database needs to be large enough to hold the data transferred during the MOM DTS job from the Collection database to the Reporting database. By default, tempdb is set to autogrow to the maximum of the available disk space; its log is configured to autogrow to 2 GB in size. To enable the DTS data transfer to be successful, the healthcare IT Administrator needs to verify that tempdb is located on a disk that has adequate free space for its growth during these transactions. If tempdb does not have adequate disk space to house the temporary data from the DTS transactions, the DTS job will fail. The maximum supported size of the Collection database is 30 GB. It is recommended that the disk containing the tempdb has at least 45 GB of free disk space. This will ensure that the tempdb will always be able to grow large enough to transfer data from the Collection database when the DTS job is running. 4.3 Security Planning Security Planning Review Checklist The FCS solution uses a number of Microsoft technologies which should be secured according to current best practices. Table 9 lists the security-specific documentation with which the healthcare IT Administrator should be familiar, as part of the security planning process. Title Description Link Windows Server 2003 Security Guide Security Configuration Wizard (SCW) for Windows Server 2003 Security Guidance for various server roles using Windows Server 2003 Guidance on using the SCW to configure servers running Windows Server 2003 in order to provide the minimum required functionality to perform a server s role. This ensures the minimum possible attack surface How to modify the number of days to retain data in the SystemCenterReporting database in Microsoft Operations Manager 2005 {R10}: Page 16

21 Title Description Link Best Practice Guide for Securing Active Directory Installations Microsoft Operations Manager 2005 Security Guide SQL Server 2005 Security and Protection Secure Your WSUS Deployment Security in Internet Information Services (IIS) 6.0 Table 9: Securing the Infrastructure Guidance to help the healthcare IT Administrator ensure the healthcare organisation s Active Directory deployment is as secure as possible The main component of the FCS management solution is MOM This guide gives the healthcare IT Administrator a good understanding of the MOM infrastructure and how to secure it Guidance on the features available to secure the SQL Server 2005 installation Guidance on securing the WSUS installation used on the Distribution server Details on the security infrastructure provided with IIS Forefront Specific Security Configuration Planning Section 6 contains detailed step-by-step procedures for deploying FCS. In some cases, it may be necessary to perform additional steps to secure the FCS deployment. This will depend on the security requirements and existing infrastructure of the healthcare organisation. These will not be covered in detail in this document, however, the healthcare IT Professional should review the documentation for each of the tasks in Table 10, in order to evaluate if the additional security will be required within the healthcare organisation s FCS deployment. Task Description Link to Additional Documentation Securing Communications Using Internet Protocol Security (IPSec) IPSec is a network encryption protocol provided in Windows. Using IPSec ensures private, secure communications when using an Internet Protocol (IP) network IP Security (IPSec) Compatibility of IPSec, SSL, OLEDB Encryption and SMB Packet Signing Securing the Reporting server using Secure Sockets Layer (SSL) encryption Securing connections to the Database server Securing the Distribution server SSL certificates can be used on the Reporting server to encrypt the Reporting Web site Connections to the Database server can be secured using either IPSec or SSL Connections to WSUS on the Distribution server can be secured using SSL Securing the Reporting server Internet Protocol Security for Microsoft Windows Server SQL Server 2005 Security and Protection Secure Your WSUS Deployment Secure WSUS 3.0 Deployment en/library/7e21a374-5bc0-41bb-991c- 26abe5c5cd8b1033.mspx Table 10: Forefront Specific Security Configuration Planning Page 17

22 4.3.3 Security Accounts Table 11 details the accounts required for each of the FCS server roles and the minimum privileges required for each role. Account Description Required Privileges Topology Type SQL Server Service User account Domain account Both Installation account Shared account Reporting account Database Access Service (DAS) account Action account DTS account Table 11: Security Accounts Domain account Member of the Administrators group on all FCS server machines Domain account Local Administrator on FCS server Requires db_owner rights to the Reporting database (see for procedure to grant this privilege in SQL Server. Must be performed once the database has been created) Domain account Requires db_owner rights to the Collection and Reporting databases (see for procedure to grant this privilege in SQL Server. Must be performed once the database has been created) Domain account Additional permissions granted automatically during setup Domain account Member of the Administrators group on the Collection server Requires db_owner rights to the Collection database (see for procedure to grant this privilege in SQL Server. Must be performed once the database has been created) Domain account Additional permissions granted automatically during setup Both Small/medium only Large only Large only Large only Large only When configuring FCS using the small/medium topology, it is recommended that a single account is used for all FCS components. For the most secure, large topology deployment, it is recommended that a different Windows user account is used for each role, as listed in Table 11. It is possible to use the same account for all roles in the large topology deployment to reduce the administrative overhead. If the healthcare IT Administrator chooses to use a single account, it should be granted the privileges for the Action account, as detailed in Table 11. Page 18

23 4.3.4 Network Ports Used by Forefront Client Security Components Table 12 details the network ports used by each of the different FCS components. The healthcare organisation must ensure that these ports are open on any firewalls that may block FCS communications. Server Role Connection To Topology Port (Protocol) Notes Management server Collection server Large only 445 (TCP and UDP) 135 (TCP) DCOM port range Collection server Database server Large only 1433 (TCP) 1434 (UDP) Management server Database server Large only 1433 (TCP) 1434 (UDP) Reporting server Database server Large only 1433 (TCP) 1434 (UDP) Using a firewall between these roles is not supported Used when inputting client information into the database Used when querying data from the Collection and Reporting databases Used when querying data from the Reporting database Distribution server MU or upstream WSUS server Both 80 (TCP) or 443 (TCP) To obtain updates from MU or an unsecured upstream WSUS server, HTTP (80) is used. If synchronising with a secured upstream WSUS server, HTTPS (443) is used Client computer Collection server Both 1270 (TCP) 1270 (UDP) Client computer Reporting server Both 80 (TCP) 443 (TCP) If the client is a member of a different trusted domain, the client will also require access to a domain controller that has a two-way trust with the domain where the FCS servers are installed. This is not required if the FCS client is unmanaged Users accessing reports on the FCS Reports server will use HTTP (80) or HTTPS (443) if the Reporting server is using SSL Client computer Distribution server or Microsoft Update Both 80 (TCP) 443 (TCP) HTTP (80) is used to connect to Microsoft Update or an unsecured WSUS server. HTTPS (443) is used to connect to a secured WSUS server Table 12: Network Ports Used by Forefront Client Security Page 19

24 5 STABILISE The Stabilise phase involves testing the solution components whose features are complete, resolving and prioritising any issues that are found. Testing during this phase emphasises usage and operation of the solution components under realistic environmental conditions. This involves testing and acceptance of Forefront Client Security. Figure 7 acts as a high-level checklist, illustrating the critical components which an IT professional responsible for stabilising the design of Forefront Client Security needs to determine. Figure 7: Sequence for Stabilising Forefront Client Security 5.1 Areas for Testing When testing the FCS deployment, it is recommended that the deployment is tested in a lab environment before deploying to the live network. For best results, the test environment should replicate the live network as closely as possible. Once testing has been completed satisfactorily, the solution can be deployed to the live network. Any testing performed in the test environment should be repeated, where appropriate, in the live environment, to ensure the product is functioning as expected. Extensive testing prior to the product being deployed into the live environment significantly reduces the possibility of any unexpected results. The following areas should be considered as a minimum, for testing: Server Role Installation Client Policy Deployment Client Deployment Management Console Definition Updates Reporting DTS Job Functioning Migration Testing Server Role Installation There are different options available when deploying FCS. The healthcare IT Administrator should deploy the topology that was decided upon as part of the planning phase in section 4. It is important to ensure that the installation performs as expected in the healthcare organisation s environment. Ensure that the software prerequisites and server installations are thoroughly tested. Software prerequisites and server role installation are covered in section 6 of this document. Page 20

25 5.1.2 Client Policy Deployment All client settings are managed via the FCS Client Policy. FCS Client Policies are distributed to the FCS clients either via Group Policy or manually using the fcslocalpolicytool.exe. The healthcare IT Administrator should thoroughly test the following areas with regards to client policy deployment: Targeting client policy using Active Directory OUs Targeting client policy using Active Directory Security Groups Deploying client policy using the fcslocalpolicytool.exe More information on creating and deploying client policies can be found in the Forefront Client Security Operations Guide {R1} Client Deployment There are a number of options for deploying the FCS client, each requiring full testing prior to use in an healthcare organisation. Once deployed, the healthcare IT Administrator should verify that the client is reporting to the Management Console. A quick or full scan should also be triggered, which is performed remotely using the Management Console. The healthcare IT Administrator should thoroughly test the following areas if clients are to be used in the deployment: Client deployment using WSUS Client deployment using the ESD solution Manual client deployment (managed and unmanaged) Verifying client deployment using the Management Console Running a full or quick scan using the Management Console More information on client deployment is available in section 6.3. More information on using the FCS Management Console can be found in the Forefront Client Security Operations Guide {R1} Management Console The FCS Management Console obtains data from a number of sources. The healthcare IT Administrator should fully test the following areas of the Management Console: Charts display correctly Reports open correctly when selected MOM Operators Console is opened correctly when the link is clicked Full and quick scans are executed as expected More information on using the FCS Management Console can be found in the Forefront Client Security Operations Guide {R1} Definition Updates Definitions can be provided to the FCS clients via WSUS, MU or any ESD solution. The healthcare IT Administrator should fully test the following areas with regards to definition updates: Definition update via WSUS (if client is connected to the healthcare network) Definition update via MU (if client is not connected to the healthcare network or if WSUS failure occurs) Definition update via ESD solution (if applicable) Page 21

26 5.1.6 Reporting Reporting is an essential part of the FCS solution. It is important to ensure that all aspects of FCS Reporting are working as expected, prior to deploying FCS to the live network. The healthcare IT Administrator should thoroughly test the following reporting components: Access to the reporting Web site Running reports Subscribing to reports ed reports are delivered as expected Graphs are displayed correctly Data Transformation Services Job Functioning The DTS Job is responsible for moving data from the Collection database into the Reporting database on a daily basis. If this job fails, then no data is groomed (deleted) from the Collection database. Instead, the Collection database will eventually fill up and data will no longer be collected from clients. It is therefore important for the healthcare IT Administrator to understand how to identify if the DTS job is failing and to ensure that this procedure is tested before implementing FCS in production. The following tasks should be performed in a test environment: Use the event log to ensure the DTS job runs successfully Review the troubleshooting steps to understand how to troubleshoot the DTS job if it fails More information on troubleshooting the FCS DTS job can be found in the Forefront Client Security Operations Guide {R1} Migration Testing When deploying the FCS client, it is important to ensure that any existing antivirus software has been removed prior to deployment. To run the FCS client with any other antivirus software is not supported. This process could be scripted or it could take advantage of an existing software distribution mechanism that is in place within the healthcare organisation. For detailed information on the correct procedure for removing existing antivirus software solutions, the healthcare IT Administrator should contact the software vendor of that solution. A number of sample scripts are available on the Forefront Client Security Tools 11 Project on to assist with automated removal of some of the most popular antivirus solutions. Important The scripts and tools available on are provided as examples only and should be thoroughly tested before being used in a healthcare production environment. The healthcare IT Administrator should ensure that the following processes have been fully tested prior to deployment on the live network: Automated removal of existing antivirus client on all operating systems in use in the healthcare organisation Ability to be notified if a removal fails Integration with FCS client deployment if required Automation of required reboots is handled appropriately and without user interruption 11 Forefront Client Security Tools {R11}: Page 22

27 6 DEPLOY During the Deploy phase, the core solution components are deployed for more widespread application and use, and the deployment is stabilised through ongoing monitoring. The solution is then transitioned to operations and support. Figure 8 acts as a high-level checklist, illustrating the critical components which an IT Professional responsible for deploying Forefront Client Security needs to determine. Figure 8: Sequence for Deploying Forefront Client Security Page 23

28 6.1 Installing Forefront Client Security Prerequisites FCS requires a number of software prerequisites to be installed before installing the sever components. Table 13 describes all prerequisites required for each of the different server types, in both the small/medium and large deployment types. The healthcare IT Administrator should follow all prerequisite steps for each of the server roles required, in the order in which they appear in the table. Note The privileges required for the user that is logged on for the installation of all FCS prerequisites, is detailed in Table 11. Small or Medium Deployment (Fewer than 2,500 Managed Clients) Server Role Required Prerequisites Section Distribution server IIS 6.0 and ASP.NET Section NET Framework 2.0 Section WSUS 2.0 SP1 or later Section FCS server (single server) IIS 6.0 and ASP.NET Section NET Framework 2.0 Section SQL Server 2005 SP2 or later Section MMC 3.0 Section GPMC with SP1 Section Internet Explorer Configuration Section Large Deployment (Fewer than 10,000 Managed Clients) Server Role Required Prerequisites Section Distribution server IIS 6.0 and ASP.NET Section NET Framework 2.0 Section WSUS 2.0 SP1 or later Section Database server SQL Server 2005 SP2 or later Section Collection server.net Framework 2.0 Section Enable Network COM+ Access Section Reporting server IIS 6.0 and ASP.NET Section NET Framework 2.0 Section SQL Server 2005 SP2 or later (Reporting Services) Section Internet Explorer Configuration Section Management server.net Framework 2.0 Section MMC 3.0 Section GPMC with SP1 Section Internet Explorer Configuration Section Table 13: Installing Forefront Client Security Prerequisites Page 24

29 6.1.1 Installing Group Policy Management Console with Service Pack 1 The Group Policy Management Console (GPMC) with SP1 should be installed for the following server roles: FCS server Management server Download and installation instructions for the Group Policy Management Console with Service Pack 1 are available at: Installing Microsoft Management Console 3.0 The Microsoft Management Console (MMC) 3.0 should be installed for the following server roles: FCS server Management server Download and installation instructions for the Microsoft Management Console 3.0 for Windows Server 2003 are available at: Installing Internet Information Services 6.0 and ASP.NET Internet Information Services (IIS) and ASP.NET should be installed for the following server roles: Distribution server FCS server Reporting server Table 14 shows the steps involved in installing and configuring IIS 6.0 and enabling ASP.NET. 1. Select Control Panel > Add or Remove Programs > Add/Remove Windows Components. Page 25

30 2. Select Application Server and click Details. 3. Select the following options: ASP.NET Enable network COM+ access Internet Information Services (IIS) Click OK and then click Next. Note It may be necessary to provide the location of the Windows Server 2003 Installation files during this process. Table 14: Installing IIS 6.0 and ASP.NET Installing.NET Framework 2.0 The.NET Framework 2.0 should be installed for all FCS server roles. Download and installation instructions for the Microsoft.NET Framework Version 2.0 are available at: Once the.net Framework is installed, the healthcare IT Administrator should ensure the server is fully patched using Windows Update (WU), MU or WSUS. Important Depending on the order in which the.net Framework and IIS 6.0 instances have been installed, it is possible that ASP.NET v will not have installed correctly. Once the.net Framework is installed, check ASP.NET 2.0 is properly registered with IIS 6.0 by running the following command: C:\Windows\Microsoft.NET\Framework\v > aspnet_regiis I enable Page 26

31 6.1.5 Enabling Network COM+ Access Network COM+ access needs to be enabled on the Collection server only. Table 15 shows the steps involved in enabling Network COM+ access on the Collection server. 1. Select Control Panel > Add or Remove Programs and click Add/Remove Windows Components. 2. Select Application Server and click Details. Page 27

32 3. Select Enable network COM+ access. Click OK and then click Finish. Table 15: Enabling Network COM+ Access Installing and Configuring WSUS 3.0 WSUS should be installed on the Distribution server only. Information on the design, installation and configuration of WSUS 3.0 is available in the following documents: Windows Server Update Services 3.0 Design Guide {R2} Windows Server Update Services 3.0 Operations Guide {R3} The healthcare IT Administrator should review these documents and deploy WSUS 3.0 according to the guidelines contained therein Installing and Configuring SQL Server Installing SQL Server 2005 SQL Server needs to be installed for the following server roles: FCS server Database server Reporting server Table 16 shows the steps involved in installing SQL Server The healthcare organisation will install either the Standard or the Enterprise Edition, depending on the number of FCS clients to be managed. Information on choosing the appropriate SQL Server edition is included in section 4. The following information is required to perform this task: User name and password details for the SQL Server User account if installing SQL Server User name and password details for the Reporting account if installing SQL Server Reporting Services Page 28

33 1. Run Default.hta from the SQL Server 2005 installation source. Click Server components, tools, Books Online, and samples. 2. Read the End User License Agreement (EULA). If applicable, select I accept the licensing terms and conditions and click Next. Page 29

34 3. Click Install. Once the installation has completed successfully, click Next. 4. On the Welcome page, click Next. Page 30

35 5. Ensure that the System Configuration Check page displays Success, then click Next. 6. Complete the Name and Company fields. Note If using SQL Server Standard Edition, enter the 25 character Product Key. This will not be required if using the Enterprise Edition version of SQL Server 2005 as it is included with the FCS Management Console w/sql subscription licence. See section for more information. Page 31

36 7. If there are fewer than 2,500 clients, select the following check boxes when installing the FCS server: SQL Server Database Services Reporting Services Integration Services Workstation components, Books Online and development tools If there are more than 2,500 clients, select the following check boxes when installing the Database server: SQL Server Database Services Integration Services Workstation components, Books Online and development tools If there are more than 2,500 clients, select the following check box when installing the Reporting server: Reporting Services Click Next. 8. Select the Default instance option and click Next. Page 32

37 9. Select Use a domain user account and complete the SQL Server user account information. Note If installing the Reporting server role in a large FCS deployment, use the Reporting account details. Details on the privileges required for the SQL Server User account and the Reporting account, are shown in Table 11. From the check boxes in the Start services at the end of setup panel, select the following services: SQL Server SQL Server Agent Reporting Services Click Next. Note If installing the Reporting server, proceed to step Select Windows Authentication Mode and click Next. Page 33

38 11. Select the Collation designator and sort order option and the Accent - sensitive check box and click Next. 12. Click Next to accept the default settings. Note When installing the Reporting server, the Install the default configuration option will not be available. Important When installing the Reporting server, follow the additional steps in Page 34

39 13. Click Next to accept the default settings. 14. Verify that the components displayed are correct and then click Install. Page 35

40 15. Click Next to accept the default settings. 16. Review the detail in the summary page and click Finish. Table 16: Installing SQL Server 2005 Page 36

41 Configuring Reporting Services on the Reporting Server The steps in this section are only required when installing the Reporting server. Table 17 contains the steps required to configure Reporting Services on the Reporting server. Note When installing the Database server in a large topology deployment or the FCS server in a small/medium topology deployment, do not follow the steps below. Instead, proceed to section The steps below should only be followed when installing the Reporting Server in a large topology deployment. The following information is required to perform this task: User name and password details for the Reporting account 1. Run Reporting Services Configuration from Programs > Microsoft SQL Server 2005 > Configuration Tools. 2. Ensure the server (machine) name and instance name details are correct and then click Connect. 3. Select Report Server Virtual Directory and click New. 4. Click Ok. Page 37

42 5. Select Report Manager Virtual Directory and click New. 6. Click Ok. 7. Select Web Service Identity. Ensure both the Report Server and Report Manager fields display DefaultAppPool and then click Apply. Page 38

43 8. Select Database Setup. Type the name of the Database server in the Server Name field. Click Connect. 9. Click OK to confirm the database server name details. 10. To connect to the database, click New. Page 39

44 11. Click OK to confirm the details. 12. From the Credentials Type drop-down list, select Windows Credentials. Complete the Account Name and Password fields for the Reporting account. Note The Account Name must be entered in the DomainName\AccountName format. Click Apply. If prompted for SQL connection, click OK. Click Exit. Table 17: Configuring Reporting Services on the Reporting Server Verifying SQL Reporting Services Installation Once the installation and configuration of SQL Reporting Services is complete, it is important to ensure that the Web site is working correctly before installing FCS. In order to verify that the installation has been successful, open the following Web pages, where the <ReportServerName> is the machine of the server with SQL Reporting Services installed: Important Depending on the order in which the.net Frameworks have been installed, it is possible that ASP.NET v will not be correctly installed and the Web sites will not show correctly. If the Web pages do not load correctly, run the following command: C:\Windows\Microsoft.NET\Framework\v > aspnet_regiis I enable This will register ASP.NET 2.0 with IIS 6.0 and will ensure all directories have the correct permissions. Page 40

45 Installing SQL Server 2005 Service Pack 2 It is recommended that the healthcare organisation always uses the latest service pack available for SQL Server. At the time of writing, SQL Server 2005 SP2 is the latest service pack available. For more information on downloading and installing the software, see How to obtain the latest service pack for SQL Server Configuring the Default Database and Log File Locations In order to ensure the FCS databases are placed on the correct drives as specified in Table 5, the healthcare IT Administrator should configure the default database and log file locations in SQL Server Table 18 shows the steps required to configure the default database and log file locations. 1. Run SQL Server Management Studio from Programs > Microsoft SQL Server Click Connect. Note The user that is logged in will need to have permissions to administer SQL server. 12 How to obtain the latest service pack for SQL Server 2005 {R15}: Page 41

46 3. Right-click on the server object and select Properties. 4. Select Database Settings Modify the values in the Database default locations section, as described in Table 5, for example: Data: D:\SQLDATA Log: E:\SQLLOGS Click OK and close SQL Server Management Studio. Table 18: Configuring the Default Database Locations Page 42

47 Moving the tempdb Database The tempdb database is shared by all databases in a single instance of SQL Server Additional performance enhancements can be gained by moving the tempdb data and log files to a different physical disk. If the server in use has different physical disks available, as suggested in Table 5, the T-SQL statements in Table 19 can be used to move the tempdb database to the new location. For more information on running T-SQL commands in SQL Server 2005, see SQL Server Books Online 13. Table 19 shows the steps required to move the tempdb database to a different physical disk. These steps should be performed on the FCS server in a small/medium topology or on the Database server in a large topology. T-SQL Statement 1. Run SQL Server Management Studio from Programs > Microsoft SQL Server Click Connect. Note The user that is logged in will need to have permissions to administer SQL server. 3. Click New Query. 13 SQL Server Books Online {R16}: Page 43

48 4. Type the query opposite to determine the logical file names of the tempdb database along with their current location on the disk and click Execute to run the query. Record the locations of the existing tempdb.mdf and tempdb.ldf files. 5. Type the query opposite to change the location of each file using the ALTER DATABASE command and click Execute. 6. Stop and then restart the SQL Server service using the Services tool in Administrative Tools. 7. Type the query opposite to verify the file change and click Execute. If successful, the new locations for the tempdb.mdf and tempdb.ldf will be shown in the query results. T-SQL Statement SELECT name, physical_name AS CurrentLocation FROM sys.master_files WHERE database_id = DB_ID(N'tempdb'); GO USE master; GO ALTER DATABASE tempdb MODIFY FILE (NAME = tempdev, FILENAME = 'F:\SQLData\tempdb.mdf'); GO ALTER DATABASE tempdb MODIFY FILE (NAME = templog, FILENAME = 'F:\SQLLog\templog.ldf'); GO SELECT name, physical_name AS CurrentLocation, state_desc FROM sys.master_files WHERE database_id = DB_ID(N'tempdb'); GO Table 19: Moving the tempdb Database Enabling Address Windowing Extensions Memory for SQL Server Address Windowing Extensions (AWE) allow 32-bit operating systems to access large amounts of memory. The physical memory accessible by AWE depends on which operating system is being used. The following list provides the maximum physical memory accessible by each Windows Server 2003 operating system, at the time of writing. Windows Server 2003, Standard Edition supports physical memory up to 4 GB Windows Server 2003, Enterprise Edition supports physical memory up to 32 GB Windows Server 2003, Datacenter Edition supports physical memory up to 64 GB If the healthcare organisation is deploying a SQL server that contains more than 4 GB of RAM, it is recommended that AWE memory is enabled. For information on enabling this option, see Enabling AWE Memory for SQL Server Enabling AWE Memory for SQL Server {R17}: Page 44

49 Enabling the /3GB Switch for Windows Server 2003 In addition to the SQL Server AWE, the computers running SQL Server may benefit from a memory tuning option that is available for Windows Server This is the /3GB switch option, which can be added to the Boot.ini file of computers running Windows Server Adding this switch changes the way virtual memory is allocated between the kernel-mode processes and the usermode processes running on the server. Typically, 32-bit Windows uses a 4 GB virtual address space regardless of the amount of RAM on the system. Of this, 2 GB is allocated to kernel-mode processes, and 2 GB is allocated to user-mode processes. Using the /3GB switch changes this allocation, allocating 1 GB to kernel-mode processes and 3 GB to user-mode processes. For more information about the /3GB switch, see How to Set the /3GB Startup Switch in Windows 15. This option should be enabled if the healthcare organisation is supporting more than 2,500 clients, or should be enabled on an installation supporting fewer clients if performance issues are experienced Internet Explorer Configuration Internet Explorer should be configured on the following server roles: FCS server Reporting server Management server Table 20 details the steps required to add the Reporting server Uniform Resource Locator (URL) to the local intranet zone in Internet Explorer. 1. Open Tools > Internet Options and select the Security tab. Select the Local intranet zone and click Sites. 15 How to Set the /3GB Startup Switch in Windows {R18}: Page 45

50 2. Click Advanced. Note This screen only appears when using Internet Explorer 7. For Internet Explorer 6, proceed to step Type the name of the Reporting server into the Add this Web site to the zone: field and click Add. Click Close, then click OK and then click OK again. Table 20: Internet Explorer Configuration Page 46

51 6.2 Installing Forefront Client Security Table 21 describes all the tasks required to install and configure each of the different server types in both the small/medium and large deployment types. The healthcare IT Administrator should follow all steps for each of the server roles required, in the order in which they appear in the table. Note The privileges required for the user that is logged on for the installation of all FCS server roles is detailed in Table 11. Small/Medium Deployment (Fewer than 2,500 Managed Clients) Task Description Section Install all FCS roles Install the Distribution server component Configure the Management Console This contains all roles required to run FCS except for WSUS. This covers the installation of the FCS Distribution component on an existing WSUS server. This component allows the WSUS server to synchronise definitions every hour. Specific steps required after installation to configure the Management Console. Section Section Section Large Deployment (Fewer than 10,000 Managed Clients) Task Description Section Install the Database server Installation of the Collection and Reporting databases. Section Install the Collection server Installation steps for the Collection server. Section Install and Configure the Management server Install the Distribution server Installation steps for the Management server as well as post installation configuration steps. This covers the installation of the FCS Distribution component on an existing WSUS server. This component allows the WSUS server to synchronise definitions every hour. Section Section Table 21: Task List for Installing Forefront Client Security Important It is necessary to copy the Forefront Client Security installation folder to the local server before installing FCS. This is because FCS cannot be installed from a network share unless permission has been granted to the application. For more information, see How to deploy a.net Framework application to run from a network location How to deploy a.net Framework application to run from a network location {R19}: Page 47

52 6.2.1 Installing the Forefront Client Security Server Table 22 shows the steps required to install the FCS server when deploying a small/medium topology. The following information is required to perform this task: User name and password details for the Shared account 1. Run Splash.hta from the autorun directory of the FCS installation source. Click Run the Setup wizard. 2. Complete the Your name and Organization fields and click Next. Page 48

53 3. Read the license agreement. If applicable, select I accept the terms in the licensing agreement and click Next. 4. Ensure all check boxes are selected except Distribution server and click Next. 5. Type the name of the FCS server in the Collection server field. Type the User name and the Password for the Shared account and click Next. See Table 11 for more detail on the permissions required for the Shared account. Note The User Name must be entered in the DomainName\AccountName format. Page 49

54 6. Type the name of the FCS server in the Collection database field and click Next. Note There may be a requirement in some healthcare organisations, to increase the default size of the Collection database. See section for more detail. 7. Type the name of the FCS server in the Reporting database field and click Next. Note Specify a minimum of 15 in the Database size field. See section for details on calculating a specific figure. 8. Type the name of the FCS server in the Reporting server field and click Next. Page 50

55 9. Click Next to accept the default settings. 10. Modify the install location to D:\Program Files and click Next. 11. Review and verify the summary information and click Next. Page 51

56 12. Click Close. Table 22: Installing the Forefront Client Security Server Installing the Database Server The database server hosts the Collection and Reporting databases. Table 23 shows the steps required to install the Collection database, Reporting server and Reporting database components of FCS when deploying a large topology. The following information is required to perform this task: User name and password details for the DAS account User name and password details for the Reporting account User name and password details for the DTS account Server name of the Reporting server 1. Run Splash.hta from the autorun directory of the FCS installation source. Click Run the Setup wizard. Page 52

57 2. Complete the Your name and Organization fields and click Next. 3. Read the license agreement. If applicable, select I accept the terms in the licensing agreement and click Next. 4. Ensure only the Collection database and the Reporting server and reporting database check boxes are selected and click Next. Page 53

58 5. Type the User name and Password for the DAS account and click Next. See Table 11 for more detail on the permissions required for the DAS account. Note The User Name must be entered in the DomainName\AccountName format. If the healthcare organisation plans to manage more than 10,000 clients using multiple FCS management groups, the name in the Management group name field must be unique. Record the name as it will be required when installing the Collection server in section and when configuring the Management Console in section Type the name of the Database server in the Collection database field. Note There may be a requirement in some healthcare organisations to increase the default size of the Collection database. See section for more detail. Clear Re-use the DAS account for the reporting account if required. Type the User name and Password for the Reporting account and click Next. See Table 11 for more detail on the permissions required for the Reporting account. Note The User Name must be entered in the DomainName\AccountName format. Page 54

59 7. Type the name of the Database server in the Reporting database field. Note Specify a minimum of 15 in the Database size field. See section for details on calculating a specific figure. Clear Re-use the DAS account for the DTS account if required. Type the User name and Password for the DTS account and click Next. See Table 11 for more detail on the permissions required for the DTS account. Note The User Name must be entered in the DomainName\AccountName format. 8. Type the name of the Reporting server in the Reporting server field and click Next. 9. Modify the install location to D:\Program Files and click Next. Page 55

60 10. Review and verify the summary information and click Next. 11. Click Close. A reboot may be required. Note In some cases, the Install MOM Reporting Service task may fail due to a timing issue. If this occurs, click Back and then Next to restart the installation procedure. Table 23: Installing the Database Server Page 56

61 Granting SQL Permissions An FCS deployment typically requires a separate account for each of the different components. These accounts perform various roles and require different permissions. When the account requires access to the FCS databases that are stored in SQL Server, the healthcare IT Administrator must grant these permissions once the Collection (OnePoint) and Reporting (SystemCenterReporting) databases have been created. Table 24 shows the steps involved in granting the Action account and the Reporting account the required privileges in SQL Server Run SQL Server Management Studio from Programs > Microsoft SQL Server Under Security > Logins, right-click the account to which permissions are to be added and select Properties. Note If installing a small/medium topology configuration, proceed to step The Action account requires the db_owner role on the OnePoint database. Select the OnePoint check box in the User mapped to this login section, ensure db_owner and public are selected and click OK. Page 57

62 4. Select the Reporting account using the procedure in step 2. The Reporting account requires the db_owner role on both the OnePoint and SystemCenterReporting databases. Select the OnePoint check box in the User mapped to this login section and ensure that db_owner and public are selected. Select the SystemCenterReporting check box in the User mapped to this login section, ensure that db_owner and public are selected and click OK. Important Additional permissions have already been granted to the Reporting account. These should not be modified. Note If installing a large topology configuration, proceed to section once step 4 has been completed. 5. Select the Shared account using the procedure in step 2. The Shared account requires the db_owner role on the SystemCenterReporting database. Select the SystemCenterReporting check box in the User mapped to this login section, ensure that db_owner public are selected and click OK. Important Additional permissions have already been granted to the Shared account. These should not be modified. Table 24: Granting SQL Permissions to Forefront Client Security Accounts Page 58

63 6.2.3 Installing the Collection Server Table 25 shows the steps required to install the Collection server component of FCS when deploying a large topology. The following information is required to perform this task: User name and password details for the DAS account User name and password details for the Action account Server name of the Database server Server name of the Reporting server 1. Run Splash.hta from the autorun directory of the FCS installation source. Click Run the Setup wizard. 2. Complete the Your name and Organization fields and click Next. Page 59

64 3. Read the license agreement. If applicable, select I accept the terms in the licensing agreement and click Next. 4. Ensure only the Collection server check box is selected and click Next. 5. Type the User name and Password for the DAS account and click Next. See Table 11 for more detail on the permissions required for the DAS account. Note The User Name must be entered in the DomainName\AccountName format. If the healthcare organisation plans to manage more than 10,000 clients using multiple FCS management groups, the Management group name must be unique. Record the name as it will be required when configuring FCS in section Page 60

65 6. Type the name of the Database server in the Collection database field and click Next. 7. Type the name of the Database server in the Reporting database field and click Next. 8. Type the name of the Reporting server in the Reporting server field and click Next. Page 61

66 9. Type the User Name and Password for the Action account and click Next. See Table 11 for more detail on the permissions required for the Action account. Note The User Name must be entered in the DomainName\AccountName format. 10. Modify the install location to D:\Program Files and click Next. 11. Review and verify the summary information and click Next. Page 62

67 12. Click Close. Table 25: Installing the Collection Server Installing and Configuring the Management Server Installing the Management Server Table 26 shows the steps required to install the FCS Management Server when deploying a large topology. 1. Run Splash.hta from the autorun directory of the FCS installation source. Click Run the Setup wizard. Page 63

68 2. Complete the Your name and Organization fields and click Next. 3. Read the license agreement. If applicable, select I accept the terms in the licensing agreement and click Next. 4. Ensure only the Management server check box is selected and click Next. Page 64

69 5. Modify the install location to D:\Program Files and click Next. 6. Review and verify the summary information and click Next. 7. Click Close. Table 26: Installing the Management Server Page 65

70 Configuring the Management Console Table 27 shows the steps required to configure the FCS Management Console when deploying either a small/medium or large topology. The following information is required to perform this task if configuring the Management Console in a small/medium topology deployment: User name and password details for the Shared account Server name of the FCS server The following information is required to perform this task if configuring the Management Console in a large topology deployment: User name and password details for the Reporting account Server name of the Database server Server name of the Reporting server Server name of the Collection server 1. Run Microsoft Forefront Client Security Console from Programs > Microsoft Forefront > Client Security. 2. On the Before You Begin page, click Next. Page 66

71 3. Type the Collection server name into the Collection server field. Type the Database server name into the Collection database field and click Next. Note If configuring the FCS server in a small/medium FCS deployment, enter the name of the FCS server in both fields. If the Management group name was modified during the installation, enter the modified name in the Management group name field. 4. Type the name of the Database server in the Reporting database field. Type the User name and Password for the Reporting account and click Next. See Table 11 for more detail on the permissions required for the Reporting account. Note The User Name must be entered in the DomainName\AccountName format. If configuring the FCS server in a small/medium FCS deployment, enter the name of the FCS server in the Reporting database field and the Shared account details in the User name and Password fields. 5. Type the name of the Reporting server in the Reporting server field and click Next. Note If configuring the FCS server in a small/medium FCS deployment, enter the name of the FCS server in the Reporting server field. Page 67

72 6. Review and verify the summary information and click Next. 7. Click Close. Table 27: Configuring the Management Console Configuring the Microsoft Operations Manager Administrator and Operator Consoles Both the MOM Administrator and MOM Operator Consoles require the name of the Collection server to be configured before they will work correctly. Table 28 shows the steps required to configure both consoles when deploying to a large topology. The steps below will not be required when deploying a small/medium topology deployment. The following information is required to perform this task: The server name of the Collection server Page 68

73 1. Run Administrator Console from Start > Programs > Microsoft Operations Manager Type the name of the Collection server and click OK. 3. Run Operator Console from Start > Programs > Microsoft Operations Manager Click OK to clear the error dialog box displaying Error connecting to server: localhost. 5. Type the name of the Collection server in the MOM Management Server field and click OK. Table 28: Configuring the MOM Administrator and Operator Consoles Page 69

74 6.2.5 Installing the Distribution Server Table 29 shows the steps required to install the Distribution server component of FCS. The healthcare IT Administrator should follow these steps on the WSUS server in both a small/medium or large topology deployment. 1. Run Splash.hta from the autorun directory of the FCS installation source. Click Run the Setup wizard. 2. Complete the Your name and Organization fields and click Next. Page 70

75 3. Read the license agreement. If applicable, select I accept the terms in the licensing agreement and click Next. 4. Ensure only the Distribution server check box is selected and click Next. 5. Modify the install location to D:\Program Files and click Next. Page 71

76 6. Review and verify the summary information and click Next. 7. Click Close. Table 29: Installing the Distribution Server 6.3 Forefront Client Security Client Installation Before installing the FCS client, the healthcare IT Administrator should deploy FCS policies either manually or using group policy. Working with FCS policies is discussed in more detail in the Forefront Client Security Operations Guide {R1} Installing the Forefront Client Security Client Using WSUS The FCS client can be distributed and installed on client machines using WSUS. The healthcare IT Administrator must ensure that the following steps have been taken in order for the FCS client to be installed automatically using the Windows Update Agent (WUA): Clients configured to use WSUS as their update source Update Classification of Updates is enabled in the Products and Classifications dialog box of the WSUS Administrator Console Update Product of Forefront Client Security is enabled in the Products and Classifications dialog box of the WSUS Administrator Console Page 72

77 A synchronisation has occurred since the Products and Classifications settings were modified The Client Update for Microsoft Forefront Client Security update has been approved and the license agreement has been accepted For more information on how to carry out these procedures, see the Windows Server Update Services 3.0 Operations Guide {R3} Installing the Forefront Client Security Client Manually The client can be installed manually or using an ESD solution such as Microsoft Systems Management Server (SMS) or Novell ZENworks. The preferred method of client deployment is to use WSUS, but if the healthcare IT Administrator needs to perform a manual or ESD installation, it is important to understand the command line switches that should be used when deploying the client, using the ClientSetup.exe. Table 30 contains the available command line switches for ClientSetup.exe. Command Line Switch Description Usage /MS Collection server name Required if deploying the client manually and the client is part of the same Active Directory forest as the FCS servers /CG Configuration Group name Required if the /MS switch is used. By default, the Configuration Group name will be ForefrontClientSecurity unless this option is changed during FCS setup /I Installation Directory This switch is optional and can be used to change the default Program Files installation directory /L Log Directory This switch is optional and can be used to specify a different folder for FCS setup to place the installation log files /R Force Reinstall This switch will force the setup routine to reinstall all components of the FCS client by running all MSI files /NOMOM Install without including the MOM Agent This switch must be used if the client is being installed to a workgroup machine or a machine in a different (untrusted) Active Directory forest to the FCS servers Table 30: Command Line Switches for ClientSetup.exe Example command line for installing the FCS client to a machine in the same Active Directory forest as the FCS server: ClientSetup.exe /MS CONTOSO-FCS-TEST /CG ForefronClientSecurity Example command line for installing the FCS client to a workgroup client or client in an untrusted domain: ClientSetup.exe /NOMOM Important When installing the FCS client to a 32-bit machine, run the version of ClientSetup.exe in the Client folder on the installation CD. When installing the FCS client on a 64-bit machine, run the version of ClientSetup.exe located in the Client\x64 folder on the installation CD. 6.4 Verifying the Forefront Client Security Installation Once the FCS server roles have been installed and configured, client policies deployed and the FCS client has been installed, the healthcare IT Administrator should verify that the FCS installation is operating as expected. More information on verifying and testing the deployment is available in section 5. Page 73

78 7 OPERATE During the Operate phase, the deployed solution components are proactively managed to ensure they provide the required levels of solution reliability, availability, supportability, and manageability. Figure 9 acts as a high-level checklist, illustrating the critical components for which an IT professional is responsible, for ensuring a managed and operational Forefront Client Security deployment. Figure 9: Sequence for Operating Forefront Client Security The healthcare IT Administrator should ensure that the FCS deployment is maintained and monitored regularly in order to ensure continued operation. It is recommended that to correctly maintain each of the FCS servers, a maintenance plan is developed inclusive of all the tasks required. Table 31 contains a list of the operational tasks required to ensure continued operation of the FCS deployment. These should be developed and adapted to suit the needs of the healthcare organisation. Note This section describes how to carry out the tasks that are specific to ensuring the FCS deployment is operating normally. They should not be considered a complete list of tasks. Frequency Task Description Further Information Daily Check General Forefront Client Security State Section Daily Check Windows Event Logs Section Daily Ensure Data Transformation Services Job Success Section Daily/Weekly Ensure Backup Job Success Section Weekly Run Disk Defragmentation Tools Section Ad Hoc Using the Forefront Client Security Best Practice Analyzer Section Ad Hoc Restoring Backup into the Test Environment Section Table 31: Forefront Client Security Operational Tasks Page 74