Microsoft Forefront Client Security


Microsoft Forefront Client Security Operations Guide
Prepared by Microsoft
Thursday, 2 October 2008
First published 13 February 2008

Copyright

This document and/or software ("this Content") has been created in partnership with the National Health Service (NHS) in England. Intellectual Property Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content. Readers are referred to for further information on the NHS CUI Programme.

All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Microsoft Corporation and Crown Copyright 2008

Disclaimer

At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.

The example companies, organisations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, address, logo, person, places, or events is intended or should be inferred.

TABLE OF CONTENTS

1 Executive Summary
Introduction
Value Proposition
Knowledge Prerequisites
Skills and Knowledge
Training and Assessment
Infrastructure Prerequisites
Audience
Assumptions
Using This Document
Document Structure
Deploy
Configuring User Roles
Access Collection Database
Access Microsoft Operations Manager Operator or Microsoft Operations Manager Administrator Console
View Reports
Work with Group Policy Objects
Creating and Deploying Forefront Client Security Policies
Creating Policies
Deploying Policies
Configuring Forefront Client Security for Notification
Configuring the Microsoft Operations Manager Server for Creating Operators
Operate
Using Forefront Client Security Administration Consoles
Using the Forefront Client Security Management Console
Using the Microsoft Operations Manager Administrator Console
Using the Microsoft Operations Manager Operators Console
Using Reports
Using SQL Server Reporting Services
Using Windows Server Update Services Reports for Unmanaged Computers
Responding to Malware
Disaster Recovery
Backing Up Forefront Client Security Components
Restoring Forefront Client Security Components
Ad Hoc Tasks
5.5.1 Removing Computers from Forefront Client Security
Changing Service Account Passwords
APPENDIX A Skills and Training Resources
PART I Forefront Client Security Training and Skills Assessment Resources
PART II Microsoft Operations Manager Training and Skills Assessment Resources
PART III Supplemental Training Resources
APPENDIX B Document Information
PART I Terms and Abbreviations
PART II References

1 EXECUTIVE SUMMARY

This guide is the second document that makes up the guidance for Microsoft Forefront Client Security (FCS). The document covers the common tasks required to operate FCS in a healthcare organisation. This document should be read in conjunction with the Forefront Client Security Deployment Guide [1].

The aim of this guidance is to assist healthcare IT professionals in the tasks and processes required to use and maintain the FCS infrastructure in order to provide anti-malware protection for the healthcare organisation. The guidance takes into consideration the varied network infrastructure that healthcare organisations need to support. The guidance also provides information on using the product on a day-to-day basis, and the actions required for responding to malware outbreaks within the healthcare organisation.

This document pulls together the wealth of information available for FCS into a concise and easy-to-follow operations guide. Links to supporting information are also provided together with training references.

[1] Forefront Client Security Deployment Guide {R1}:

2 INTRODUCTION

This document is the second in a set of documents that make up the Forefront Client Security guidance. The documents that comprise the FCS guidance are listed below:

  Forefront Client Security Deployment Guide {R1}
  Forefront Client Security Operations Guide (this document)

The Forefront Client Security guidance has been created to reduce the amount of time the healthcare IT Administrator requires to implement FCS and ensure that the product is implemented according to current best practice.

2.1 Value Proposition

This guide contains step-by-step procedures covering the most common tasks required to use and maintain the FCS infrastructure. By using this guidance, the healthcare organisation can be confident that the FCS deployment will be managed and configured according to current best practices. The guidance brings many of the common tasks relating to FCS into a single location, reducing the amount of research required by the healthcare IT Administrator responsible for maintaining the FCS infrastructure.

2.2 Knowledge Prerequisites

To implement the recommendations made throughout this document effectively, a number of knowledge-based and environmental infrastructure prerequisites should be in place. This section outlines the knowledge and skills required to use the Forefront Client Security Operations guidance, while section 2.3 details the necessary infrastructure prerequisites.

Section details the prerequisite skills and knowledge, and section details the information and suggested training resources or skill assessment.

Skills and Knowledge

The technical knowledge and minimum skills required to use this guidance are discussed in the following sections:

  Forefront Client Security Overview
  Windows Server Update Services Overview

Forefront Client Security Overview

FCS provides anti-malware protection for desktops, laptops, and server operating systems and helps guard against emerging threats such as spyware and rootkits, as well as traditional threats such as viruses, worms, and Trojan horses.

There are two parts to the FCS solution. The first is the security agent which is installed on desktops, laptops, and server operating systems. This client agent provides real-time protection and removal of threats such as spyware, viruses, and rootkits along with scheduled scanning for such threats. The second is the central management server, which enables healthcare IT Administrators to easily manage and update malware protection agents, and to generate reports and alerts about the security status of their environment.

For a fully managed deployment of FCS, a number of Microsoft technologies are required including Microsoft Operations Manager (MOM) 2005, Microsoft SQL Server 2005 and Windows Server Update Services (WSUS).

Figure 1 shows how the FCS components interact with each other and Table 1 discusses the process for each stage in more detail:

Figure 1: Forefront Client Security Product Overview

Number  Description

1. Policies are created in the Management Console, which runs on the Management server, to control the way the client is configured. These settings include the frequency at which the client scans, configuration of real-time protection, how much information is sent back to the healthcare IT Administrators as well as other client configuration settings. The Management Console creates Group Policies that are associated with Microsoft Active Directory objects such as Organisational Units (OU) or Groups, which are then delivered to clients on policy refresh. The Management Console can also export the policies as files so healthcare IT Administrators can apply them to machines manually if Active Directory cannot be used.

2. A fully managed FCS client includes a MOM agent which sends event and alert data back to the Collection server. This data includes information about the client health and any malware related incidents that have occurred, such as a virus outbreak or definition update failure. The healthcare IT Administrator can configure how much detail is returned to the Management Console. For example, a client can be configured to alert a healthcare IT Administrator if a virus is detected and quarantined or only alert the healthcare IT Administrator if the quarantine failed or if the client becomes re-infected.

3. All of the data that is returned by the MOM agent on the FCS client is stored in the Reporting database. The Management Console uses this data to provide the healthcare IT Administrator with a detailed view of the general health of the whole FCS deployment. The Management Console includes links to predefined reports that give granular detail of the status of all clients in the FCS deployment, thereby allowing the healthcare IT Administrator to drill into specific problem areas and make informed decisions on how to proceed.

4. Definition updates can be delivered to the FCS client using WSUS. WSUS 3.0 allows for automatic approvals for definition updates and the FCS deployment server component allows the WSUS server to synchronise definition updates every hour. This allows the FCS clients to always have the very latest anti-malware and security state assessment definitions from Microsoft. The client can also be configured to receive the definition updates directly from Microsoft Update (MU) if they are unable to contact the WSUS server.

Table 1: Forefront Client Security Product Process

Windows Server Update Services Overview

WSUS enables healthcare IT Administrators to deploy the latest Microsoft product updates to computers running Windows Vista, Microsoft Windows XP with Service Pack (SP) 2, Windows 2000 with SP4 and Windows Server 2003 operating systems. By using WSUS, healthcare IT Administrators can fully manage the distribution of updates that are released through Microsoft Update, to computers in their network.

Definition updates for the FCS client can be delivered using an existing WSUS infrastructure with no changes to the existing architecture. WSUS can also be used to distribute and install the FCS client to servers and workstations.

More information on WSUS can be found in the following documentation:

  Windows Server Update Services 3.0 Design Guide [2]
  Windows Server Update Services 3.0 Operations Guide [3]

Deployed Infrastructure

This document describes the tasks and procedures required to manage and operate an FCS infrastructure, deployed using the guidance contained in Forefront Client Security Deployment Guide {R1}. This document will refer to two different types of FCS infrastructures:

  Large Deployment
  Small/Medium Deployment

A large deployment is an FCS infrastructure that will support up to 10,000 clients using four separate servers to host the various FCS roles. A small/medium deployment is an FCS infrastructure that will support up to 2,500 clients using a single server to host the various FCS roles. For more information on the two topologies, refer to Forefront Client Security Deployment Guide {R1}.

Training and Assessment

Guidelines on the basic skill sets that are required in order to make best use of this guidance are detailed in APPENDIX A. These represent the training courses and other resources available. However, all courses mentioned are optional and can be provided by a variety of certified training partners.

2.3 Infrastructure Prerequisites

The following are prerequisites for implementing FCS:

FCS server requirements:
  Windows Server 2003 SP1 or later
  Microsoft Windows Active Directory (for managed deployments)
  SQL Server 2005 SP2

Protected machines:
  Windows 2000 Professional SP4 Update Rollup 1 or later
  Windows XP SP2 or later
  Windows Vista

[2] Windows Server Update Services 3.0 Design Guide {R2}:
[3] Windows Server Update Services 3.0 Operations Guide {R3}:

Note: x64 versions of the operating system are supported only for the FCS client. No server components can run on 64 bit versions of Windows Server

Audience

The guidance contained in this document is targeted at a variety of roles within the healthcare IT organisations. Table 2 provides a reading guide for this document, illustrating the roles and the sections of the document that are likely to be of most interest. The structure of the sections referred to is described in section 3.1.

Columns: Role, Document Usage, Executive Summary, Deploy, Operate

Role: IT Manager
Document Usage: Review of the entire document to understand the justification and drivers, and to develop an understanding of the implementation requirements

Role: IT Architect
Document Usage: Review the relevant areas within the document against local architecture strategy and implementation plans

Role: IT Professional/Administrator
Document Usage: Detailed review and implementation of the guidance to meet local requirements

Table 2: Document Audience

2.5 Assumptions

The guidance provided in this document assumes that healthcare organisations that want to share services and resources between sites already have suitable IP Addressing schemes in place to enable successful site-to-site communication, that is, unique IP Addressing schemes assigned to each participating healthcare organisation with no overlap.

It also assumes that all necessary software licences will be purchased by the healthcare organisation prior to deployment.

3 USING THIS DOCUMENT

This document is intended for use by healthcare organisations and healthcare IT Administrators who wish to manage and operate an FCS infrastructure. The document should be used as a reference guide for the most common tasks involved with its use.

3.1 Document Structure

This document contains two sections that deal with the project lifecycle, as illustrated in Figure 2.

  Deploy
  Operate

Each section is based on the Microsoft IT Project Lifecycle as defined in the Microsoft Solutions Framework (MSF) Process Model, and the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more detail in Microsoft Solutions Framework Core Whitepapers [4] and MOF Executive Overview [5]. The MSF Process Model and MOF describe a high-level sequence of activities for building, deploying and managing IT solutions. Rather than prescribing a specific series of procedures, they are flexible enough to accommodate a broad range of IT projects.

This document is the second of two documents describing the design, installation and operation of FCS and should be used in conjunction with Forefront Client Security Deployment Guide {R1}.

Figure 2: MSF Process Model Phases and Document Structure

[4] MSF Process Model White Paper {R4}:
[5] MOF Executive Overview {R5}:

4 DEPLOY

During the Deploy phase, the core solution components are deployed for more widespread application and use, and the deployment is stabilised through ongoing monitoring. The solution is then transitioned to operations and support.

Figure 3 acts as a high-level checklist, illustrating the critical components which an IT Professional responsible for deploying Forefront Client Security needs to determine.

Figure 3: Sequence for Deploying Forefront Client Security

4.1 Configuring User Roles

The permissions required for performing the various tasks in FCS can be broken down into distinct user roles. An FCS user is any healthcare IT Administrator or staff member that requires access to any of the functions provided by the FCS Management Console. The healthcare IT Administrator should grant FCS users permissions within FCS using the principle of least privilege. Only when an FCS user specifically requires the permissions to perform an FCS task should that permission be granted. Table 3 maps the FCS roles to the associated permissions.

Role: FCS Administrator
Description: The FCS Administrator role allows users access to all aspects of FCS except for policy deployment.
Permissions Required:
  Access Collection database
  Access MOM Operator Console
  Access MOM Administrator Console
  View Reports

Role: Policy Author
Description: The Policy Author role allows users to create, edit and delete policies in the FCS Management Console, but does not require that the user has rights to create, modify or delete existing Group Policies.
Permissions Required:
  Access Collection database
  View Reports

Role: Policy Deployer
Description: The Policy Deployer role allows users to deploy policies into Active Directory.
Permissions Required:
  Access Collection database
  View Reports
  Work with Group Policy Objects

Role: Alerts Manager
Description: The Alerts Manager role allows users to access alerts in the MOM Operator Console and resolve them.
Permissions Required:
  Access MOM Operator Console
  View Reports

Role: Reports Viewer
Description: The Reports Viewer role allows users to access the Web-based FCS reports. This role is appropriate for users who have an interest in the security state of the healthcare organisation, but who do not need to perform any other FCS tasks.
Permissions Required:
  View Reports

Table 3: User Roles for Forefront Client Security

Access Collection Database

Table 4 shows the steps required to grant a user or group permissions to access the Collection database. The healthcare IT Administrator should always grant the permission to a user group and then add the users to that group, rather than individually granting each user account permissions in Microsoft SQL Server.

1. Using an account that has local Administrator privileges, log on to the Database server in a large topology or to the FCS server in a small/medium topology.

2. Run SQL Server Management Studio from Programs > Microsoft SQL Server

3. Under Security, right-click Logins and select New Login.

4. To set a login name, perform one of the following actions:
     Click Search
     Type the name of the user or group in the domain\username format, in the Login name field and proceed to step

5. If entering a group, click Object Types. If entering a user, proceed to step

6. Ensure Groups is selected and click OK.

7. Click Locations.

8. Specify the location within the directory where the user or group exists and click OK.

9. Type the name of the user or group and click Check Names. Once the user or group name is underlined, click OK.

10. The user or group requires the db_owner role on the OnePoint database. Select the OnePoint check box in the Users mapped to this login section. In the Database role membership for: OnePoint panel, select the db_owner and public check boxes and click OK.

Table 4: Procedure for Granting Access to the Collection Database

Access Microsoft Operations Manager Operator or Microsoft Operations Manager Administrator Console

Table 5 shows the steps required to grant a user or group permissions to access the MOM Operator or MOM Administrator Consoles. If the healthcare organisation has a large number of IT Administrators or users requiring this permission, it is recommended to grant the permission to a domain user group and then add the users to that group. This is preferable to adding each user individually to the local group on the Collection server in a large topology, or to the FCS server in a small/medium topology.

1. Using an account that has local Administrator privileges, log on to the Collection server in a large topology or to the FCS server in a small/medium topology.

2. Open Computer Management from Start > Programs > Administrative Tools.

3. In the left pane, expand the Local Users and Groups folder and select Groups.
     If adding the access MOM Operator Console permission, in the right pane, double-click MOM Users.
     If adding the access MOM Administrator Console permission, in the right pane, double-click MOM Administrators.

4. In the Properties dialog box, click Add.

5. Type the name of the user or group that requires access to the MOM Operator Console and click Check Names to verify the user or group exists. Once the user or group name is underlined, click OK and then click OK again.

Table 5: Procedure for Granting Access to the MOM Operator Console

4.1.3 View Reports

Table 6 shows the steps required to grant a user or group permission to view the Web-based reports provided by the Report Manager on the Reporting server. If the healthcare organisation has a large number of IT Administrators or users requiring this permission, it is recommended to grant the permission to a domain user group and then add the users to that group. This is preferable to adding each user individually to the Browser role on the Reporting server.

1. Using an account that has local Administrator privileges, log on to the Reporting server in a large topology or to the FCS server in a small/medium topology.

2. Open Internet Explorer and type the following URL in the Address bar: where ReportingServer is the name of the server. Click the Properties tab.

3. Click New Role Assignment.

4. Type the user or group name in the Group or user name field. Select the check box for the Browser role and click OK.

Table 6: Procedure for Granting Access to View Reports

Work with Group Policy Objects

Permissions granted within the healthcare organisation's Active Directory environment should be as restrictive as possible. The following articles contain information on delegating permissions to users or groups of users, to allow them to create and link Group Policy Objects (GPOs) on specific domains, OUs or sites:

  Delegate policy-related permissions on a domain, OU, or site using GPMC [6]
  Delegate creation of Group Policy objects using GPMC [7]

Additional information on Group Policy and Active Directory is available in the following guidance:

  Group Policy for Healthcare Desktop Management [8]
  Active Directory Design Guide [9]
  Active Directory Migration Guide [10]

[6] Delegate policy-related permissions on a domain, OU, or site using GPMC {R6}:
[7] Delegate creation of Group Policy objects using GPMC {R7}:
[8] Group Policy for Healthcare Desktop Management {R8}:
[9] Active Directory Design Guide {R9}:
[10] Active Directory Migration Guide {R10}:

4.2 Creating and Deploying Forefront Client Security Policies

FCS uses group policies or registry files to configure the FCS client agent settings. The Management Console contains a Policy Management tab that healthcare IT Administrators should use for creating and deploying all FCS policies. It is recommended that the FCS Management Console is the only console used to modify or deploy these policies, as modifying the policies in other group policy management tools can cause inconsistencies between the data in the directory and the data in the FCS Management Console.

Figure 4 shows the Policy Management tab of the FCS Management Console.

Figure 4: Forefront Client Security Management Console Policy Management Tab

Table 7 describes the available actions in the Policy Management tab of the FCS Management Console.

Actions  Description  Usage

Description: This action creates a new policy object and allows the healthcare IT Administrator to configure all available client options to be included in the policy.
Usage: This action is used to create new policy objects. Section contains more detail on creating the FCS policy.

Description: This action allows the healthcare IT Administrator to edit existing policy options. Once a modification is made, the policy must be deployed again in order for the changes to take effect.
Usage: This action is used when an existing policy requires modification and no changes need to be made to the targeting of the policy.

Description: This action copies all settings from an existing policy and allows the healthcare IT Administrator to rename the policy.
Usage: This option can save time when building large numbers of client policies that are similar, except for a small number of settings such as exclusions.

Description: This action allows the healthcare IT Administrator to target the policy object at OUs, security groups, existing GPOs or to export the settings to a registry file.
Usage: This action should be performed once a new policy has been created or after an existing policy has been changed. Section contains more detail on deploying FCS policies.

Description: This action allows the healthcare IT Administrator to remove any links to the policy in Active Directory and to remove the policy object from Active Directory. The FCS policy object will remain in the FCS Management Console Policy Management tab.
Usage: This action should be performed if the healthcare IT Administrator needs to stop the policy being applied to clients temporarily, but may need to deploy the policy again in the future.

Description: This action allows the healthcare IT Administrator to completely remove all links from Active Directory and to remove the policy object from Active Directory. It also deletes the FCS policy object in the FCS Management Console.
Usage: This action should be performed if the policy will no longer be required in the healthcare organisation.

Description: This action launches the Deployment Summary report which gives the healthcare IT Administrator a consolidated view of the deployment status of policy, agent and definitions across the whole healthcare organisation.
Usage: This action can be used to check the status of deployment across the whole deployment.

Table 7: Forefront Client Security Management Console Policy Management Tab Functions

4.2.1 Creating Policies

FCS policies control all client settings of the FCS client agent. These policies allow healthcare IT Administrators to create specific configurations for groups of clients and easily deploy them using group policy. Detailed information on FCS policies can be found in the following articles:

  Planning your policies [11]
  Working with policies [12]

Table 8 shows the steps required to create an FCS policy.

1. Using an account that has the Policy Author permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.

2. Open Microsoft Forefront Client Security Console from Start > Programs > Microsoft Forefront > Client Security.

3. On the Policy Management tab, click New.

4. On the General tab, type a name for the policy in the Name field. Add a comment describing the purpose and intended target of the policy in the Comments field.

[11] Planning your policies {R11}:
[12] Working with policies {R12}:

5. On the Protection tab, specify the settings as required.

6. On the Advanced tab, specify the settings as required. Section contains more detail on settings for Exclusions from malware scans.

7. On the Overrides tab, specify the settings as required. Section contains more detail on settings for Overrides based on malware threat and Overrides based on category and severity.

8. On the Reporting tab, specify the settings as required. Section contains more detail on selecting the appropriate Alert level. Click OK.

Table 8: Creating Forefront Client Security Policy

Specifying Exclusions

In some cases, it may be advantageous to exclude specific files, folders or file types from being scanned. This may be because of incompatibility between some software and anti-malware programs, or for performance reasons. The healthcare IT Administrator should be sure that excluding files or folders from being scanned is absolutely necessary before configuring the exclusion. Any exclusion could lead to the anti-malware engine not being able to detect a piece of malware.

The healthcare IT Administrator should contact the software supplier for guidance on any recommended exclusions. A list of recommended exclusions for Microsoft software is contained in the article entitled Recommended Forefront Client Security file and folder exclusions for Microsoft products.

Recommended Forefront Client Security file and folder exclusions for Microsoft products {R13}:

Table 9 shows the steps required for adding file, folder and file extension exclusions.

1. On the Advanced tab, under File and folder paths in the Exclusions from malware scans panel, click Add.

2. To add a file or folder exclusion, type the full path to the file or folder in the Path field and click OK.

   Tip: If using the Browse function, only the directory path is listed, therefore any file names need to be added to the path if the exclusion is for a specific file.

3. To add an exclusion for every file with a specific file extension, type the file extension in the Extension field and click OK.

   Important: Headers are not scanned when determining the file extension, so a renamed exe with an extension of .xyz would be excluded from scanning in this example.

Table 9: Adding Exclusions
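Because an extension exclusion is decided on the file name alone, a periodic audit of what actually sits under an excluded extension is a useful compensating check. The following is an added example, not part of the original guide or of FCS: it walks a directory tree and reports files that carry an excluded extension but whose content starts with a Windows executable (PE) header. The function names, the sample file names and the .xyz extension list passed in are assumptions made for illustration.

```python
import os


def looks_like_pe(path):
    """Return True if the file has a DOS 'MZ' header whose e_lfanew field
    (4 bytes at offset 0x3C) points at a 'PE' signature followed by two NULs."""
    with open(path, "rb") as fh:
        head = fh.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        fh.seek(int.from_bytes(head[60:64], "little"))
        return fh.read(4) == b"PE\x00\x00"


def normalise_ext(ext):
    """Accept 'xyz', '.xyz' or '.XYZ' and return the form '.xyz'."""
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


def audit_extension_exclusions(root, excluded_exts):
    """List files under root whose extension is excluded from scanning
    but whose content is a Windows executable."""
    exts = {normalise_ext(e) for e in excluded_exts}
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            try:
                if looks_like_pe(path):
                    findings.append(path)
            except OSError:
                continue  # unreadable file: nothing to inspect
    return sorted(findings)


def build_sample(root):
    """Write constructed sample files (header stubs, not real programs)."""
    stub = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"
    files = {
        "report.xyz": stub,                  # executable header, excluded extension
        "notes.xyz": b"plain text notes\n",  # genuine data file
        "short.xyz": b"MZ",                  # too short to be a PE file
        "tool.exe": stub,                    # executable with its normal extension
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as sample_dir:
        build_sample(sample_dir)
        for hit in audit_extension_exclusions(sample_dir, [".xyz"]):
            print("executable content under excluded extension:", hit)
```

Any file the audit reports is a candidate for a targeted scan and for reviewing whether the extension exclusion is still justified.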

Specifying Overrides

Some healthcare organisations may legitimately use software that is considered to be malware by FCS or need to override the default actions for particular categories or severities of malware. Some remote control tools that are commonly used within healthcare organisations can be flagged as malware by FCS as their presence could be considered a risk.

Overrides can be set for specific malware threats which allow the healthcare IT Administrator to ensure the malware agent does not remove or quarantine software that it considers malware. Overrides can also be set to modify the default response for any malware of a particular severity or category.

Table 10 shows the steps required for specifying an override based on a specific malware threat.

1. On the Overrides tab, in the Overrides based on malware threat panel, click Add.

2. From the Malware Name drop-down list, select the malware threat that should be overridden.

3. From the Override Response drop-down list, select the required override response.

4. Repeat steps 1-3 to specify additional threat-based overrides and click OK.

Table 10: Adding Overrides

Tip: During deployment testing, any malware threats that are identified should be recorded and researched using the Microsoft Malware Protection Centre [14]. If these threats are not considered malware by the healthcare organisation, they should be recorded to be included as overrides.

When configuring overrides, a policy should be defined so the override applies to the smallest set of machines that require the override. It is not recommended to define overrides globally unless absolutely necessary. Section contains more detail on deploying policies.

[14] Microsoft Malware Protection Center {R14}:

Alert Levels

The alert level policy setting allows healthcare IT Administrators to define how much information is sent to the FCS Management Console and when clients raise a Very Infected Computer or Re-Infected Computer alert.

The Very Infected Computer alert is raised if the count of the number of infections on a particular client machine reaches five during a period of 24 hours. The Re-Infected Computer alert is raised if a computer is re-infected three times by the same piece of malware in a 72-hour period.

Table 11 lists the severities of malware that are counted towards these thresholds for each alert level, as well as a description of the alert-level behaviours.

Alert Level: 1 Lowest
Description: Alerts issued only for global outbreaks (malware outbreaks and flooding). Alerts not issued for most conditions, including infected computers, scan failures, out-of-date definitions and failed responses to malware on the computer or network.
Severity: No alerts are generated for very infected or re-infected computers at this alert level

Alert Level: 2 Low
Description: Alerts issued for malware outbreaks, flooding, very infected and re-infected computers and a failed response to malware on the network. Alerts not issued for most conditions, including scan failures, definition and a failed response to malware on the computer.
Severity: Severe

Alert Level: 3 Medium
Description: Alerts issued for all FCS conditions except a successful response to malware on the computer or the network.
Severity: Severe, High

Alert Level: 4 High
Description: Alerts issued for all FCS conditions except a successful response to malware on the network.
Severity: Severe, High, Elevated

Alert Level: 5 Highest
Description: Alerts issued for all FCS conditions.
Severity: Severe, High, Elevated, Moderate, and Low

Table 11: Alert Levels

Note: It is possible to modify the behaviour of FCS alerts by changing the configuration of the alert parameters in MOM. For information on changing these parameters, see Configuring alert parameters.

Configuring alert parameters {R15}:
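To see how the alert level changes which detections count towards the two thresholds, the following added example (not code from FCS, MOM or the original guide) replays a constructed set of detection events against the rules in Table 11. It assumes that every detection counts as one infection, that the Re-Infected Computer alert fires on the third detection of the same threat, that a detection exactly 24 or 72 hours old has left the window, and that a window restarts after an alert fires; host and threat names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Severities counted towards the thresholds at each alert level (Table 11).
COUNTED_SEVERITIES = {
    1: set(),  # no very infected / re-infected alerts at this level
    2: {"Severe"},
    3: {"Severe", "High"},
    4: {"Severe", "High", "Elevated"},
    5: {"Severe", "High", "Elevated", "Moderate", "Low"},
}

# (count, window) pairs quoted in the text above.
THRESHOLDS = {
    "Very Infected Computer": (5, timedelta(hours=24)),
    "Re-Infected Computer": (3, timedelta(hours=72)),
}


def _reached(window, ts, limit, span):
    """Add ts to a sliding window and report whether the count reached limit.
    Assumption: entries aged span or more are dropped, and the window is
    cleared once an alert fires."""
    window.append(ts)
    while ts - window[0] >= span:
        window.popleft()
    if len(window) < limit:
        return False
    window.clear()
    return True


def evaluate(events, alert_level):
    """events: iterable of (timestamp, computer, threat, severity) tuples.
    Returns a list of (computer, alert name, threat or None) in time order."""
    counted = COUNTED_SEVERITIES[alert_level]
    per_computer = defaultdict(deque)  # all counted detections on a computer
    per_threat = defaultdict(deque)    # detections of one threat on a computer
    alerts = []
    for ts, computer, threat, severity in sorted(events):
        if severity not in counted:
            continue  # this severity is ignored at the configured level
        if _reached(per_threat[(computer, threat)], ts,
                    *THRESHOLDS["Re-Infected Computer"]):
            alerts.append((computer, "Re-Infected Computer", threat))
        if _reached(per_computer[computer], ts,
                    *THRESHOLDS["Very Infected Computer"]):
            alerts.append((computer, "Very Infected Computer", None))
    return alerts


def sample_events():
    """Constructed detections: computer and threat names are placeholders."""
    t0 = datetime(2008, 10, 2, 8, 0)
    h = lambda n: t0 + timedelta(hours=n)
    return [
        # Five different threats on one PC in 20 hours: four Severe, one High.
        (h(0), "WARD-PC-01", "ThreatA", "Severe"),
        (h(4), "WARD-PC-01", "ThreatB", "Severe"),
        (h(8), "WARD-PC-01", "ThreatC", "Severe"),
        (h(12), "WARD-PC-01", "ThreatD", "Severe"),
        (h(20), "WARD-PC-01", "ThreatE", "High"),
        # Same Elevated threat three times within 60 hours.
        (h(0), "LAB-PC-07", "ThreatF", "Elevated"),
        (h(30), "LAB-PC-07", "ThreatF", "Elevated"),
        (h(60), "LAB-PC-07", "ThreatF", "Elevated"),
        # Same Severe threat three times, but spread over 80 hours.
        (h(0), "REC-PC-03", "ThreatG", "Severe"),
        (h(40), "REC-PC-03", "ThreatG", "Severe"),
        (h(80), "REC-PC-03", "ThreatG", "Severe"),
    ]


if __name__ == "__main__":
    for level in sorted(COUNTED_SEVERITIES):
        print(level, evaluate(sample_events(), level))
```

The same eleven detections produce no alert at levels 1 and 2, one alert at level 3 and two at level 4, which is the effect to weigh when choosing an alert level for a policy.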

4.2.2 Deploying Policies

FCS policy deployment allows healthcare IT Administrators to target specific computers with policies that have been created. This can be particularly useful when specific clinical or other applications require particular files, folders or file types to be excluded from the malware scans. When deploying FCS policies, the healthcare IT Administrator needs to decide what the target of the policy will be in order to apply the policy to the intended machines. The options available are shown in Table 12.

Deploy to Option: Add OU
Description: Deploying the policy to an OU allows the healthcare IT Administrator to apply policies to large numbers of machines in the healthcare organisation.
Usage: Applying policy to OUs should be used where the policy applies to the majority of machines in the OU. This is the easiest target for policy but the least specific.

Deploy to Option: Add Group
Description: Deploying the policy to a security group allows the healthcare IT Administrator to target specific machines by adding the machine to a security group manually.
Usage: Applying policy using security group membership should be used when a subset of machines in an OU require a different policy to be applied than has been applied to all other machines in the OU. This requires the healthcare IT Administrator to manually add the machines to the security group.

Deploy to Option: Add GPO
Description: Deploying the policy to an existing GPO allows the healthcare IT Administrator to merge the policy settings into an existing GPO.
Usage: This option can be used to dynamically apply policies to machines that meet certain conditions by using Windows Management Instrumentation (WMI) filtering on the existing policy. This allows the healthcare IT Administrator to configure a policy that will only be applied if a WMI query returns true. An example could be to only apply the policy if a certain software application is installed. For more information on WMI filters, see WMI filtering using GPMC 16.

Deploy to Option: Add File
Description: Deploying the policy to a file allows the healthcare IT Administrator to use Fcslocalpolicytool.exe to apply FCS policies to machines that are not part of an Active Directory.
Usage: Applying policy using a file should only be used when applying policies to unmanaged clients that are not part of the healthcare organisation's Active Directory domain.

Table 12: Policy Deployment Targets

Figure 5 shows the order in which FCS policies are applied to the client and Table 13 discusses the process for each stage in more detail.

Figure 5: Order of Forefront Client Security Policy Application

16 WMI filtering using GPMC {R16}:

1. Application of policy using a registry file and Fcslocalpolicytool.exe has the lowest priority and is overwritten by the application of any group policy. This policy application method should only be used on computers that are outside of the domain. If a machine was previously outside of the domain and joins the domain, any settings will be overwritten once the new policy is applied.
2. Application of FCS policies that are deployed to either an OU or an existing GPO has the next highest priority and will overwrite any previously applied policy. The priority of these policies will depend on where the existing GPO is linked. Group policies are applied first at the site level, then at the domain level and then at the OU level. The policy which is closest to the computer will be applied. For more information on group policy processing, see Group Policy for Healthcare Desktop Management {R8}.
3. Application of policy using a security group has the highest priority and will overwrite any previously applied policy. These policies are linked at the domain level and use the enforced feature of group policy. It is possible that these policies could not be applied to a computer if an existing GPO is targeted at the same computer and also has the enforced option set. For more information on group policy processing, see Group Policy for Healthcare Desktop Management {R8}.

Table 13: Forefront Client Security Policy Application Process

Table 14 shows the steps required for deploying an FCS policy using an Active Directory target.

1. Using an account that has the Policy Deployer permissions, log on to the Management server in a large topology, or to the FCS server in a small/medium topology.
2. Open Microsoft Forefront Client Security Console from Start > Programs > Microsoft Forefront > Client Security.
3. On the Policy Management tab, select the policy to be deployed and click Deploy.
4. Click the required target. If deploying the policy to:
   An OU, proceed to step 5.
   A security group, proceed to step 6.
   An existing GPO, proceed to step 7.
   A file, proceed to step 9.

5. Select the required OU and click OK. Proceed to step
6. Type the name of the required security group and click Check Names. When the group name appears underlined, click OK. Proceed to step
7. Select the required GPO and click OK. Proceed to step 9.

8. Select the name for the file and location to which it will be saved and click Save.
9. If the policy is to be deployed to multiple OUs, security groups or existing group policies, repeat steps 3-6 as necessary. Once all required targets are listed, click Deploy.

Tip: To remove a deployment target, select the target and click Remove.

Once deployed, the policy is sent to the Active Directory. The clients will receive this policy on their next polling cycle.

Table 14: Deploying Policies Using Active Directory Group Policy

Important: If changes are made to FCS policies, the policy must be re-deployed to all targets before the computers will receive any changes.

Deploying Policies to Unmanaged Clients

Computers that are not part of a trusted Active Directory domain can still receive FCS policy, but this policy must be deployed using the Fcslocalpolicytool.exe program and a registry file created using the Client Security Management Console. The healthcare organisation can use their preferred deployment method to deploy the program and file to clients.

Important: Administrative rights are required to apply policies using the Fcslocalpolicytool.exe program. Deploying the .reg file created in the Client Security Management Console without using the Fcslocalpolicytool.exe program can lead to inconsistencies in the policy being applied. For this reason, it is not supported.

Table 15 shows the command line options available when using the Fcslocalpolicytool.exe program.

Command Line Option: /F
Description: Using the /F option will disable the user prompt to confirm removal of any existing policy. This option should always be used if no user interaction is required.

Command Line Option: /I
Description: Use /I to import the policy file defined in [filename]. Importing a new policy will remove any previously applied policies. If the /F switch is not used, the user will be prompted to confirm this action.

Command Line Option: /D
Description: Use /D to delete the previously imported policy file.

Command Line Option: [Filename]
Description: Specify the path to the filename.

Table 15: Fcslocalpolicytool.exe Command Line Switches

Example Usage (a path that contains spaces must be enclosed in quotation marks):

    Fcslocalpolicytool.exe /F /I "C:\FCS Test Policy.reg"
    Fcslocalpolicytool.exe /D

4.3 Configuring Forefront Client Security for Notification

Using MOM 2005 Notification Groups, the healthcare IT Administrator is able to configure FCS to send alerts to specific healthcare IT staff in the event of a malware outbreak in the healthcare organisation. Figure 6 shows how the notification process works within FCS and Table 16 discusses the process for each stage in more detail.

Figure 6: Notification Group Workflow

1. A malware outbreak is detected at the client and an alert is sent to the FCS Collection server. This alert is displayed in both the FCS Management Console and the MOM Operator Console.
2. The MOM server checks the alert responses to see if a notification should be sent when the alert is received.
3. If a notification is to be sent, MOM checks the operators that are configured in the notification group to see if they are configured to receive alerts. Options available are e-mail, page or external command. The page functionality requires third-party paging software that will accept Simple Mail Transfer Protocol (SMTP) messages and forward them to pager recipients. The external command notification can be used in conjunction with third-party SMS text software, and so on.
4. If an operator is configured to receive e-mail at the time the alert was raised, the e-mail containing the details of the alert and the computer that raised the alert is sent.

Table 16: Notification Group Process

More information on notifications in MOM 2005 can be found in the articles entitled Sending Notification 17 and How to configure notifications in Microsoft Operations Manager (MOM) 2005 18.

Configuring the Microsoft Operations Manager Server for E-mail

Table 17 shows the steps for configuring the MOM Server for e-mail.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Administrator Console from Start > Programs > Microsoft Operations Manager 2005.
3. From the Administration node, navigate to Global Settings. In the right pane, double-click E-mail Server.

17 Sending Notification {R17}:
18 How to configure notifications in Microsoft Operations Manager (MOM) 2005 {R18}:

4. Type the name of an SMTP server, such as Microsoft Exchange, in the Server name field. Type the e-mail address of an e-mail-enabled account from which notifications will be sent, in the Return address field and click OK.

Table 17: Configuring the MOM Server for E-mail

Creating Operators

Creating Operators allows the healthcare IT Administrator to configure different schedules for FCS Administrators to receive e-mail, page or other notifications at particular times of the day or week, to reflect working hours or on-call patterns. For example, an operator can be created to receive e-mail notifications from 09:00 until 17:30 so that the operator is notified during the normal working day. Another operator can be configured to send a pager notification to an on-call pager that is shared amongst a number of staff over weekends and during weekdays from 17:30 to 09:00. More information on notifications in MOM 2005 can be found in the articles entitled Sending Notification {R17} and How to configure notifications in Microsoft Operations Manager (MOM) 2005 {R18}.

Table 18 shows the steps required to create an operator for notification.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Administrator Console from Start > Programs > Microsoft Operations Manager 2005.

3. Right-click the Operators node and select Create Operator.
4. Type the operator name in the Name field.

5. If the operator is to be e-mailed, select the E-mail this operator check box and type the e-mail address of the operator in the E-mail address field. Select the E-mail this operator at specified times option to configure the time period during which the operator should receive e-mail notifications.

Tip: If multiple healthcare IT Administrators should receive e-mail notifications on the same schedule, the e-mail address specified could be a distribution list that includes all the required healthcare IT Administrators' e-mail addresses.

6. If the operator is to be paged, select the Page the operator check box. Type the pager number (or page e-mail, dependent on the software being used) in the Page address field. Select the Page this operator at specified times option to configure the time period during which the operator should receive pager notifications.

7. If the operator is to be notified by external command, select the Notify this operator by external command check box. Type the Operator ID in the Operator ID field. (This is the first parameter passed into the external application. In the example of SMS texting software, it is usually the operator's mobile phone number.) Select the Notify this operator by external command at the specified times option to configure the time period during which the operator should receive external command notifications. Click Finish. Repeat steps 3-7 for each additional operator that requires automated notifications from FCS.
8. Double-click the operator that has been created in the console, and on the Notification Groups tab, click Add.

9. Select the Notification Group to which the operator should be added and click OK.
10. Click OK on the Operator Properties dialog box.

Note: Operators can be removed from Notification Groups by clicking Remove once they have been selected.

Table 18: Creating an Operator for Notification

Configuring Notification for Data Transformation Services Job Failure

One of the most important aspects of maintaining the FCS infrastructure is ensuring that the Data Transformation Services (DTS) job, which transfers data from the Collection database to the Reporting database on a daily basis, is successful. If this job fails, no data will be groomed from the Collection database, which will eventually fill up and cause the FCS infrastructure to stop working. FCS will raise an alert to notify healthcare IT Administrators if this job fails. However, it is recommended that notifications are configured for this rule to ensure that, if the job fails, the relevant healthcare IT Administrators are notified immediately. Table 19 shows the steps required to configure the MOM Reporting DTS Job failed rule for notification.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Administrator Console from Start > Programs > Microsoft Operations Manager 2005.
3. Navigate to Event Rules (Management Packs > Rule Groups > Microsoft Operation Manager > Operations Manager 2005 > Reporting Database Servers > Event Rules). In the right pane, right-click MOM Reporting DTS Job failed to complete successfully and select Properties.
4. In the Responses tab, click Add and select Send a notification to a Notification Group from the list.

5. Select the required notification group from the Notification group drop-down list, click OK and click OK again.
6. In the left pane, right-click Management Packs and select Commit Configuration Change.

Table 19: Configuring Notification for DTS Job Failure

5 OPERATE

During the Operate phase, the deployed solution components are proactively managed to ensure they provide the required levels of solution reliability, availability, supportability, and manageability. Figure 7 acts as a high-level checklist, illustrating the critical components that an IT professional is responsible for in a managed and operational Forefront Client Security infrastructure.

Figure 7: Sequence for Operating Forefront Client Security

5.1 Using Forefront Client Security Administration Consoles

The healthcare IT Administrator can perform the majority of the tasks required to manage and operate FCS using three Administration consoles. The tasks associated with each of the FCS Administration consoles are detailed in Table 20.

Console: FCS Management Console
Usage: Dashboard view of the healthcare organisation's security health state and launch pad for FCS reports and alert views. Central console for policy creation and deployment.

Console: MOM Administrator Console
Usage: This console allows the healthcare IT Administrator to modify rules such as script parameters, create new tasks, configure MOM server settings and manually approve FCS clients.

Console: MOM Operators Console
Usage: This console shows all alert and performance data collected by the FCS client agent and allows the healthcare IT Administrator to resolve or assign open alerts. It also displays any product knowledge associated with a specific alert.

Table 20: Forefront Client Security Administration Consoles and Usage

5.1.1 Using the Forefront Client Security Management Console

The Client Security Management Console is the starting point for performing many client security tasks. It provides useful high-level information about the security state of the healthcare organisation and allows the healthcare IT Administrator quick access to more detailed information such as reports or alerts. The Scan now feature allows the healthcare IT Administrator to trigger a full anti-malware scan of all machines in the healthcare organisation with a single click of a button.

Tip: Configuring FCS policies to ensure definitions are downloaded before a scan is run allows the healthcare IT Administrator to use the Scan now feature to ensure all clients have the latest definitions and to perform a full scan. This is particularly useful if a previously unknown piece of malware has broken out in the healthcare organisation, and a new definition has been released that detects it.

The console can be opened from Start > Programs > Microsoft Forefront > Client Security > Microsoft Forefront Client Security Console. Once opened, the console displays the Dashboard as shown in Figure 8.

Figure 8: Forefront Client Security Management Console Dashboard

Table 21 describes the Dashboard components.

Console Area: Managed Computer
Description: The managed computer area of the dashboard shows an overview of the number of machines that are managed by the FCS pod and what state the computers are in from an FCS perspective. The available options are Reporting Critical Issues, Reporting No Issues and Not Reporting. The view lists the number and percentage of machines in each state.

Console Area: Computers Per Issue
Description: The Computers Per Issue area comprises information on the number of machines in the healthcare organisation that are experiencing specific issues. The issues detailed are Malware detected, Vulnerability detected, Out-of-date policy detected and Alerts detected. Each of these items can be clicked to launch a detailed report that gives the healthcare IT Administrator the names of any computers affected along with additional information that may help resolve the issue(s).

Console Area: 14-Day History
Description: The 14-Day History area contains a bar graph that represents the security health state of the healthcare organisation over the last 14 days. This allows the healthcare IT Administrator to quickly see trend data for malware detection and other issues, to ascertain if an issue is occurring within the healthcare organisation's network infrastructure.

Console Area: Notifications
Description: The Notifications area lists the number of alerts that are either new or active and allows the healthcare IT Administrator to open the alerts view of the MOM Operator Console to view further detail of the source of the alert.

Console Area: Summary Reports
Description: The Summary Reports area comprises quick links to the various Client Security Summary Reports. The reports that are available are:
   Alerts Summary
   Computers Summary
   Deployment Summary
   Malware Summary
   Security State Assessment Summary
   Security Summary

Console Area: Scan Now
Description: The Scan Now button allows healthcare IT Administrators to selectively trigger quick or full malware scans on individual machines or to run a quick or full scan on all machines in the FCS infrastructure. The full procedure is described in section

Table 21: Forefront Client Security Management Console Dashboard Components

Scanning Managed Computers

Table 22 shows the steps required to trigger a full or quick scan using the FCS Management Console.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Microsoft Forefront Client Security Console from Start > Programs > Microsoft Forefront > Client Security.
3. Click Scan Now.
4. In the Target panel, select to Scan all managed computers or to Scan a specific computer, and type the name of the client machine in the Name field. In the Type panel, select to perform a Quick scan or a Full scan. Click Scan Now to begin the scan.

Table 22: Triggering a Quick or Full Scan Using Scan Now on the Dashboard

5.1.2 Using the Microsoft Operations Manager Administrator Console

The MOM Administrator Console allows the healthcare IT Administrator to make any required configuration changes to the behaviour of the Forefront Client Security management pack, such as script parameters. It is also the tool used to change configuration settings for the MOM infrastructure. The console can be opened from Start > Programs > Microsoft Operations Manager 2005 > Administrator Console. Once opened, the console displays the console folders, as shown in Figure 9.

Figure 9: MOM 2005 Administrator Console

Table 23 describes the MOM Administrator Console components.

Console Node: Microsoft Operations Manager
Description: The Microsoft Operations Manager node shows a view of all tasks that can be performed in the Administrator Console and links to each area of the console.

Console Node: Information Center
Description: The Information Center node provides links to additional information for MOM 2005, such as documentation and community Web sites.

Console Node: Operations
Description: The Operations node provides links to launch the Operators Console and Reporting Console.

Console Node: Management Packs
Description: The Management Packs node contains all the rules and knowledge that allow the FCS client computer to report information to the FCS server. This node allows the healthcare IT Administrator to modify the configuration of the management pack and to change settings such as script parameters.

Console Node: Administration
Description: The Administration node allows the healthcare IT Administrator to make changes to the configuration of MOM and to approve or remove machines from the FCS infrastructure.

Table 23: MOM Administrator Console Components

Configuring Automatic Alert Resolution

FCS will automatically resolve Error and Warning alerts after a number of days, to prevent the Collection database from becoming too large. It is recommended that the healthcare IT Administrator configures these settings to ensure that FCS will only automatically resolve these alerts after 14 days. Table 24 shows the steps for configuring automatic alert resolution to 14 days.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Administrator Console from Start > Programs > Microsoft Operations Manager 2005.
3. From the Administration node, navigate to Global Settings. In the right pane, double-click Database Grooming.
4. From the Database Grooming tab, select Auto resolve error Alerts and click Edit.

5. Type 14 into the days field and click OK.
6. From the Database Grooming tab, select Auto resolve warning Alerts and click Edit.

7. Type 14 into the days field, click OK and then click OK again.

Table 24: Configuring Automatic Alert Resolution

Manually Approving Agent Installations

Once the FCS agent has been deployed, the computer may not show up in the Client Security Management Console as a managed computer for up to an hour. This is because the client needs to be approved as a MOM agent before data is passed to the dashboard. If the healthcare IT Administrator needs to speed up this process, it is possible to manually approve the agent installations using the MOM Administrator Console. The steps to manually approve the installation are shown in Table 25.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Administrator Console from Start > Programs > Microsoft Operations Manager 2005.
3. From the Administration node, navigate to Pending Actions. In the right pane, right-click the computer to be manually approved, and select Approve Manual Agent Installation Now.

Table 25: Manually Approving Agents Using the MOM Administrator Console

Note: Steps to remove clients from FCS are provided in section

Using the Microsoft Operations Manager Operators Console

The MOM Operator Console provides healthcare IT Administrators with detailed information on any alerts that have been raised by the FCS clients. It provides a consolidated view of all alerts and events and contains detailed product knowledge that can help the healthcare IT Administrator respond to malware outbreaks. The console can be opened from Start > Programs > Microsoft Operations Manager 2005 > Operators Console. Once opened, the console displays the alert and task details, as shown in Figure 10.

Figure 10: MOM Operator Console

Table 26 describes the MOM Operators Console components.

Console Area: Alert Views
Description: The Alert Views pane allows the healthcare IT Administrator to refine the scope of the alerts shown in the Alerts area. The alerts can be viewed by management pack, or custom alert views can be created.

Console Area: Navigation Buttons
Description: The Navigation Buttons allow the healthcare IT Administrator to switch between the various console spaces in order to view the different information provided by the FCS clients.

Console Area: Alerts (space)
Description: The Alerts space contains details on all alerts that have been raised in the FCS environment, allowing the healthcare IT Administrator to drill down to lower levels of detail in order to understand the cause of any alerts.

Console Area: State
Description: The State space shows the healthcare IT Administrator an overview of the health of client machines and allows quick identification of any machines with errors.

Console Area: Alerts
Description: Displays details of alerts contained in the selected alert view. Information shown includes the severity of the alert and the time the alert has been in its current state.

Console Area: Events
Description: The Events space shows all events that have been forwarded by client machines and allows the healthcare IT Administrator to create an events view in order to query for events from a particular event source, or to query events with a particular description.

Console Area: Performance
Description: The Performance space allows the healthcare IT Administrator to view performance data collected from computers. These can be rendered graphically to give the healthcare IT Administrator a view of the performance over time.

Console Area: Computers and Groups
Description: The Computers and Groups space allows the healthcare IT Administrator to view the computers by computer group or as a list of computers. The objects show the highest severity alert that is recorded against the computer or computer group.

Console Area: Diagram
Description: The Diagram view lets the healthcare IT Administrator view the highest severity of alerts associated with a server role and draws a diagram of the infrastructure.

Console Area: Alert Details
Description: When the healthcare IT Administrator clicks on a particular alert, details of the alert are displayed in the Alert Details pane. Information includes the Events that originally caused the alert to be raised along with Product Knowledge that can contain detailed troubleshooting steps to help the healthcare IT Administrator resolve the issue.

Console Area: Tasks
Description: Tasks allow the healthcare IT Administrator to run specific commands on selected computers, to assist with troubleshooting issues.

Console Area: My Views
Description: The My Views space allows the healthcare IT Administrator to create custom views. This allows the Operator to have one location in the console to view all the information that is relevant to their job role. This can be useful if the healthcare IT Administrator is only responsible for a subset of FCS clients. These views are only available to the healthcare IT Administrator that created them.

Console Area: Public Views
Description: The Public Views space is similar to the My Views space but all healthcare IT Administrators using the MOM Operators Console can see the views created.

Table 26: MOM Operator Console Components

Resolving Alerts

When an alert is raised in the MOM Operators Console, the healthcare IT Administrator can modify the resolution state of the alert depending on the action that is required for the alert. Examples of this are changing the resolution state to 'acknowledged' to let other healthcare IT Administrators know that the alert is receiving attention, or changing the state to 'resolved' if the issue that caused the alert has been rectified. The default resolution states are:

   New
   Acknowledged
   Level 1: Assigned to helpdesk or local support
   Level 2: Assigned to subject matter expert
   Level 3: Requires scheduled maintenance
   Level 4: Assigned to external group or vendor
   Resolved

These resolution states are configurable. More information on configuring the alert resolution states can be found in the article entitled How to Create a Custom Resolution State 19. Table 27 shows the steps required to modify the resolution state of an alert.

19 How to Create a Custom Resolution State {R19}:

1. Using an account that has the Alerts Manager permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Operator Console from Start > Programs > Microsoft Operations Manager 2005.
3. In the Alerts pane, right-click the alert, select Set Alert Resolution State and choose the required state from the options available.

Table 27: Changing the Alert Resolution State

5.2 Using Reports

Using SQL Server Reporting Services

The FCS reports are available to any users that have the Reports Viewer permission assigned to them. More detail on granting these permissions is available in section

These reports can be accessed by connecting to the following URL:

This URL allows the users to run reports against the Reporting database and, in addition, to configure subscriptions to reports so they can be saved to a file share on the server or e-mailed directly to the user on a schedule. To configure SQL Server Reporting Services (SRS) to allow users to receive reports via e-mail, some additional configuration steps are required. These steps are detailed in the article entitled How to: Configure a Report Server for E-mail Delivery (Reporting Services Configuration) 20.

20 How to: Configure a Report Server for E-mail Delivery (Reporting Services Configuration) {R20}:

Table 28 shows the steps required to run or subscribe to an FCS report using SRS.

1. Using an account that has at least Report Viewer permissions, run the URL from a Web browser. Click Microsoft Operations Manager Reporting.
2. Click Microsoft Forefront Client Security.
3. Click the required report link.

4. To view the report, complete the information in the required fields such as Computer Name and Domain and click View Report.
   Note: The information required will be different for each report.
5. To export the report, select the required format from the Select a format drop-down list and click Export.
6. To subscribe to a report, click on the Subscriptions tab and click New Subscription.

7. From the Delivered by drop-down list, select Report Server E-mail or Report Server File Share and complete the remaining details as required.
   Note: The Report Server E-mail option is only available if the server is configured for e-mail. See How to: Configure a Report Server for E-mail Delivery (Reporting Services Configuration) {R20} for more information.

Table 28: Running and Subscribing to Forefront Client Security Reports

Using Windows Server Update Services Reports for Unmanaged Computers

Computers that are not part of the healthcare organisation's central Active Directory domain can still benefit from the anti-malware protection of the FCS client, but they do not send any reporting data back to the FCS Management Console. For these computers, it is strongly recommended that the healthcare organisation's WSUS infrastructure is used to deploy definition updates. This allows the healthcare IT Administrator to use the reporting functionality of WSUS to view any machines that are experiencing issues receiving definition updates. Table 29 shows the steps required to view WSUS reports that show the computers that have not received the latest definitions.

1. Using an account that has at least WSUS Reporters permissions, log on to the Distribution server.
2. Open Microsoft Windows Server Update Services from Start > Programs > Administrative Tools.
   Note: More detail on accessing the WSUS Console is contained in the Windows Server Update Services 3.0 Operations Guide {R3}.

3. Select the Reports node and click Update Detailed Status to run the report.
4. Click Any classification.
5. Clear all check boxes except Definition Updates and click OK.
6. Click Any product.
7. Clear all check boxes except Forefront Client Security and click OK.
8. Click Run Report.
   Note: The report can be further refined by specifying a WSUS computer group if available. The group should include all unmanaged FCS clients.
9. Navigate through each page of the report using the Next Page button to see the detail for any machine that has not installed the latest FCS definition file.

Table 29: Using WSUS Reports to Check Definition Status for Non-Managed Computers

5.3 Responding to Malware

When an FCS client computer detects malware, it will attempt to take the action that has been configured in the FCS policy. For most malware, this will be the removal and quarantine of the malware. If the computer becomes re-infected, the computer will raise alerts to the Collection server and the healthcare IT Administrator should respond to the alert.

Table 30 contains links to information that the healthcare IT Administrator should use to respond to malware outbreaks within the healthcare organisation.

Condition | Description | Resource URL
Working with an infected computer | Steps to research and resolve a malware infection on a computer. |
Very infected and re-infected computers | Information on the Very Infected and Re Infected alerts and steps to resolve the cause. |
Addressing Malware On Network alerts | Steps to research and resolve a malware infection that has raised the Malware on Network alert. |
Managing Malware Outbreak alerts | Steps to research and resolve a malware infection that has raised the Malware on Network alert. |
Responding to detected vulnerabilities | Information on the vulnerability data returned by the Security State Assessment agent and how to action it |

Sending malware samples to Microsoft | Information on sending malware samples to Microsoft. |
Contacting Microsoft Support Services | In any case where it has not been possible for the healthcare IT Administrator to clean an infected machine using the steps provided, or there is reason to believe that the FCS agent is not detecting malware, the healthcare IT Administrator should immediately contact Microsoft. Microsoft provides a free-of-charge support number for security or virus related incidents between 08:00 and 18:00 Monday to Friday. The healthcare IT Administrator should ensure that the incident is covered as a free-of-charge support call when the case is logged, otherwise standard charges may apply. | Contact Microsoft ityhome

Table 30: List of Tasks Associated with Responding to Malware

5.4 Disaster Recovery

As with any critical component of the healthcare organisation's IT infrastructure, the healthcare IT Administrator should ensure that a disaster recovery plan is created and communicated. This can significantly reduce the impact of any system downtime caused by hardware or software failures in an FCS deployment.

The hardware design of the servers hosting the FCS infrastructure is a key component to reduce the risk of such downtime. It is good practice to use fault tolerance strategies such as Redundant Array of Inexpensive Disks (RAID) arrays and redundant hardware.

A backup of all core FCS components should be performed regularly to ensure that the risk of downtime and data loss is minimised. It is not recommended that the healthcare IT Administrator backs up any information that is easily recoverable by re-installing the software. The components that should be regularly backed up are:

- SQL Server Databases
- Forefront Client Security Management Pack
- Group Policy Objects
- WSUS Data

Basic procedures for backing up each of these components are covered in the following sections. If the healthcare organisation has already defined procedures for backing up this data, their existing procedures should be used.

Note: Performing a complete backup of the computers in the healthcare organisation's FCS deployment is not recommended. In the event of a media failure or disaster involving those computers, re-installing FCS provides a cleaner and more reliable alternative to restoring from a backup. After FCS has been re-installed, the healthcare IT Administrator will be able to restore the SQL Server databases, GPOs, and management packs as described in section

5.4.1 Backing Up Forefront Client Security Components

It is important that once the FCS components have been backed up to the local disk on the server, the folder that contains the backups should be backed up using a removable backup device, or should be copied to a different physical server.

Backing Up SQL Server Data

SQL Server 2005 allows maintenance plans to be created in order to schedule regular backups of the databases. Table 31 shows the recommended backup type and frequency the healthcare IT Administrator should follow to configure the databases for backup.

Database | Backup Type | Frequency
Collection database (OnePoint) | Full | Daily
Reporting database | Full | Weekly
Reporting database | Differential | Daily
SQL Server Reporting database | Full | Weekly
Master and msdb | Full | Weekly
ReportServerTempDB | None | This database only stores temporary data so there is no need to back it up.

Table 31: Backup Type and Frequency for Forefront Client Security Backups

Following this backup strategy will allow the healthcare IT Administrator to recover SQL data up to the time of the last backup. This will result in the data, which was entered into the database between the last backup and the time of failure, being lost. This should not cause an issue in the operation of FCS, but if the healthcare organisation needs to ensure that no data is lost in the case of failure, the Full Recovery Model should be used. Before choosing this option, the healthcare IT Administrator should fully understand the changes between the Simple and Full Recovery models. More information on the Full Recovery model is available in the article entitled Backup Under the Full Recovery Model [21].

In order to back up the required databases, a minimum of two maintenance plans must be created in SQL Server 2005:

- One plan will perform the full backups of all databases, except the Collection database, on a weekly basis, as well as a daily differential backup of the Reporting database
- The second plan will perform a daily, full backup of the Collection database

More information on the SQL Server 2005 Maintenance Plan Wizard is available in the article entitled Maintenance Plan Wizard [22].

Table 32 shows the steps required to create these maintenance plans.

1. Using an account that has local Administrator privileges, log on to the Database server in a large topology or to the FCS server in a small/medium topology.

[21] Backup Under the Full Recovery Model {R21}:
[22] Maintenance Plan Wizard {R22}:

2. Run SQL Server Management Studio from Programs > Microsoft SQL Server 2005.
3. Under the Management folder, right-click the Maintenance Plans folder and select Maintenance Plan Wizard.
4. On the introductory page of the wizard, click Next.
5. Type a name for the maintenance plan in the Name field and a description in the Description field. Select the Separate schedules for each task option and click Next.
6. Select the Back Up Database (Full) and Back Up Database (Differential) check boxes and click Next.
7. Select Back Up Database (Full) and click Next.
8. Click the Database(s) drop-down arrow and select the following database check boxes:
   - master
   - msdb
   - ReportServer
   - SystemCenterReporting
   Click OK.
9. Select the Create a backup file for every database option and the Create a sub-directory for every database check box. Type the location (where the backups will be stored) in the Folder field and select the Verify backup integrity check box.
   Important: The folder location must already exist before the maintenance plan can be saved.
   Note: Backing up to disk, then backing up this info to tape or to another backup device is recommended. The healthcare IT Administrator could also configure the SQL backup to back up straight to tape if required.
   Click Change.
10. From the Occurs drop-down list in the Frequency section, select a Weekly schedule to perform the full backups and click OK.
   Note: Ensure this schedule does not conflict with any other server maintenance scheduled such as patch installation or server restarts.
   Click Next.
11. Click the Database(s) drop-down arrow, select the SystemCenterReporting database check box and click OK.
12. Select the Create a backup file for every database option and Create a sub-directory for every database check box. Type the location (where the backups will be stored) in the Folder field and select the Verify backup integrity check box.
   Important: The folder location must already exist before the maintenance plan can be saved.
   Note: Backing up to disk, then backing up this info to tape or to another backup device is recommended. The healthcare IT Administrator could also configure the SQL backup to back up straight to tape if required.
   Click Change.
13. From the Occurs drop-down list in the Frequency section, select a Weekly schedule to perform the differential backups. In the Recurs every check boxes, select the six days that were not originally selected when configuring the full schedule in step 10. Click OK and then click Next.
14. In the Folder location field, specify the folder to which the report containing the maintenance plan actions should be written. This report is written each time the maintenance plan executes. Click Next.
15. Click Finish to create the maintenance plan.
16. Click Close.
17. Under the Management folder, right-click the Maintenance Plans folder and select Maintenance Plan Wizard.
18. On the introductory page of the wizard, click Next.
19. Type a name for the maintenance plan in the Name field and a description in the Description field. Select the Single schedule for the entire plan or no schedule option and click Change.
20. From the Occurs drop-down list in the Frequency section, select a Daily schedule to perform the full backups. Select the Occurs once at option and select a time that is outside the core working hours of the healthcare organisation, but one that is at least two hours before or after the time specified in the schedule in step 10. Click OK and then click Next.
21. Select the Back Up Database (Full) check box and click Next.
22. On the Select Maintenance Task Order page, click Next.
23. Click the Database(s) drop-down arrow, select the OnePoint database check box and click OK.
24. Select the Create a backup file for every database option and the Create a sub-directory for every database check box. Type the location (where the backups will be stored) in the Folder field and select the Verify backup integrity check box.
   Important: The folder location must already exist before the maintenance plan can be saved.
   Note: Backing up to disk, then backing up this info to tape or to another backup device is recommended. The healthcare IT Administrator could also configure the SQL backup to back up straight to tape if required.
   Click Next.
25. In the Folder location field, specify the folder to which the report containing the maintenance plan actions should be written. This report is written each time the maintenance plan executes. Click Next.
   Note: If SQL Server is configured for , it is also good practice to send the report to a central account or distribution list.
26. Click Finish.
27. Click Close.

Table 32: Creating a Backup Schedule Using the SQL 2005 Maintenance Plan Wizard
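The following is an added example, not part of the original guide or Microsoft's own tooling: it audits exported backup history against the backup types and frequencies in Table 31, so that a maintenance plan that has silently stopped running is noticed before a restore is needed. It assumes the history is exported as CSV from msdb.dbo.backupset (columns database_name, type, backup_finish_date, with timestamps as YYYY-MM-DD HH:MM), that the table's database labels map to the database names selected in the wizard steps, and a two-hour grace period; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Maximum age per backup type, from Table 31. Type codes are the ones used in
# msdb.dbo.backupset.type: 'D' = full database, 'I' = differential database.
# Mapping the table's labels to these database names is an assumption based on
# the names selected in the wizard steps.
POLICY = {
    "OnePoint": {"D": timedelta(days=1)},
    "SystemCenterReporting": {"D": timedelta(days=7), "I": timedelta(days=1)},
    "ReportServer": {"D": timedelta(days=7)},
    "master": {"D": timedelta(days=7)},
    "msdb": {"D": timedelta(days=7)},
}
GRACE = timedelta(hours=2)  # assumed allowance for job run time

# Constructed sample export (not real data).
SAMPLE_HISTORY = """database_name,type,backup_finish_date
OnePoint,D,2008-09-30 23:00
OnePoint,D,2008-10-01 23:00
SystemCenterReporting,D,2008-09-28 02:00
SystemCenterReporting,I,2008-09-29 02:00
SystemCenterReporting,I,2008-09-30 02:00
ReportServer,D,2008-09-28 02:05
master,D,2008-09-14 02:10
ReportServerTempDB,D,2008-09-28 02:15
"""
SAMPLE_NOW = datetime(2008, 10, 2, 9, 0)  # constructed "current time"


def parse_history(text):
    """Parse the CSV export into (database, type, finish_time) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        finished = datetime.strptime(
            rec["backup_finish_date"].strip(), "%Y-%m-%d %H:%M")
        rows.append((rec["database_name"].strip(),
                     rec["type"].strip().upper(), finished))
    return rows


def newest_by_type(rows):
    """Return {(database, type): most recent finish time}."""
    newest = {}
    for db, btype, finished in rows:
        key = (db, btype)
        if key not in newest or finished > newest[key]:
            newest[key] = finished
    return newest


def audit(rows, now):
    """Return a list of (database, finding) for every policy violation."""
    newest = newest_by_type(rows)
    findings = []
    for db in sorted(POLICY):
        rules = POLICY[db]
        last_full = newest.get((db, "D"))
        if last_full is None:
            # A differential cannot be restored without its full backup.
            findings.append((db, "NO_FULL"))
            continue
        if now - last_full > rules["D"] + GRACE:
            findings.append((db, "FULL_OVERDUE"))
        if "I" in rules:
            # On the weekly full-backup day no differential is scheduled, so
            # the recovery point is the newer of the last full backup and
            # any differential taken after it.
            last_diff = newest.get((db, "I"))
            recovery_point = last_full
            if last_diff is not None and last_diff > last_full:
                recovery_point = last_diff
            if now - recovery_point > rules["I"] + GRACE:
                findings.append((db, "DIFF_OVERDUE"))
    return findings


if __name__ == "__main__":
    for db, finding in audit(parse_history(SAMPLE_HISTORY), SAMPLE_NOW):
        print(f"{db}: {finding}")
```

Databases that are not in the policy, such as ReportServerTempDB, are ignored, which matches the "None" entry in Table 31.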

Backing Up the Forefront Client Security Management Pack

It is possible to modify the configuration of certain rules and script parameters of the Forefront Client Security management pack in MOM. If the healthcare organisation has modified any of the configuration settings, the management pack should be backed up so any changes can be restored in the case of failure.

Table 33 shows the steps required to back up the Forefront Client Security management pack.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Administrator Console from Start > Programs > Microsoft Operations Manager 2005.
3. In the left pane, right-click Management Packs and select Import/Export Management Pack.
4. On the introductory page of the wizard, click Next.
5. Select the Export Management Packs option and click Next.
6. Select the Microsoft Forefront Client Security management pack and click Next.
   Note: If changes have also been made to the Microsoft Operations Manager management pack, repeat this procedure, selecting the Microsoft Operations Manager management pack.
7. Select the Views check box and click Next.
8. Select the Tasks check box and click Next.
9. Specify the path and file name in the location field and click Next.
10. Click Finish.
11. Click Close once the export is complete.

Table 33: Backing Up the Forefront Client Security Management Pack

Backing Up Windows Server Update Services Data

Information on Backup and Restore for WSUS data is contained in the Windows Server Update Services 3.0 Operations Guide {R3}.

Restoring Forefront Client Security Components

If a situation occurs that requires the healthcare IT Administrator to restore the FCS components after a system failure, the basic sequence of events required to make the FCS infrastructure operational again is:

1. Re-install the server that was affected by the failure
2. Restore any lost data from data backups

Restoring SQL Server Data

In the case of failure, restore the OnePoint, SystemCenterReporting, master and msdb databases. Table 34 shows the steps to restore FCS databases.

1. Using an account that has local Administrator privileges, log on to the Collection server in a large topology or to the FCS server in a small/medium topology.
2. From a command prompt, run the NET STOP MOM command.

   NET STOP MOM

3. Using an account that has local Administrator privileges, log on to the Database server in a large topology or to the FCS server in a small/medium topology.
4. Run SQL Server Management Studio from Programs > Microsoft SQL Server 2005.
5. Under the Databases folder, right-click the database to be restored, for example, OnePoint, and select Tasks > Restore > Database.
6. Select the From device option and click the browse button (circled).
7. Click Add.
   Note: If the backup is on tape, select the appropriate media from the Backup media drop-down list.
8. Select the location of the backup file, click OK and click OK again.
9. Select the backup to restore by selecting the check box in the Restore column, and click OK.
   Tip: Progress of the restore is shown in the Progress section in the left pane.
10. If a restore failed error is encountered, ensure that all services that use the Collection database are stopped and that any connections to the dashboard are disconnected. Click OK and repeat step 9.

Table 34: Restoring the Forefront Client Security Databases

Restoring the Forefront Client Security Management Pack

Table 35 shows the steps required to restore the Forefront Client Security management pack. The healthcare IT Administrator should only perform these steps if the management pack has been unintentionally changed or the rules have been accidentally removed. If the database has been recovered after a system failure, it is only necessary to restore the Forefront Client Security management pack if changes were made to it since the last backup of the Collection database was performed.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Administrator Console from Start > Programs > Microsoft Operations Manager 2005.

3. In the left pane, right-click Management Packs and select Import/Export Management Pack.
4. On the introductory page of the wizard, click Next.
5. Select the Import Management Packs and/or reports option and click Next.
6. Specify the location of the backed-up management pack in the location field, select the Import Management Packs only option and click Next.
7. Select the .akm file that contains the backup to be restored, select Update existing Management Pack, clear the Backup existing Management Pack check box and click Next.
8. Click Finish.
9. Click Close once the management pack is restored.

Table 35: Restoring the Forefront Client Security Management Pack

Restoring Group Policy Objects

If an issue occurs with the Active Directory that results in any FCS policies being deleted or removed, the healthcare IT Administrator should re-deploy the affected policies using the procedure detailed in section

Restoring Windows Server Update Services Data

Information on Backup and Restore for WSUS data is contained in the Windows Server Update Services 3.0 Operations Guide {R3}.

5.5 Ad Hoc Tasks

Removing Computers from Forefront Client Security

To ensure that the data displayed in the FCS Management Console is accurate, it is important to remove any machines from the FCS database that have already been removed from the healthcare organisation's infrastructure. Removing a computer from the FCS database will remove all current data about the computer from the Collection database, and will leave the records about the computer intact in the Reporting database. This allows the healthcare IT Administrator to view historical data regarding the removed computer until the data is groomed from the Reporting database after 395 days.

Table 36 shows the steps required to remove a computer from FCS.

1. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
2. Open Administrator Console from Start > Programs > Microsoft Operations Manager 2005.
3. Under Administration > Computers > Agent-managed Computers, right-click the machine to be removed and select Force to Unmanaged Management Mode.
4. Under Administration > Computers > Computer Discovery Rules, right-click the machine to be removed and select Delete.
5. Under Administration > Computers > Unmanaged Computers, right-click the machine to be removed and select Delete.
6. Click Close once the required computers have been removed.

Table 36: Removing Computers from Forefront Client Security

Changing Service Account Passwords

It is recommended that passwords for each of the accounts used by FCS are changed on a regular basis. This can help prevent unauthorised access to the healthcare organisation's network from applications attempting to use brute force password-cracking utilities. The passwords should be changed as often as all other user account passwords in the healthcare organisation's environment, in accordance with any defined policies for password change.

When changing the password associated with user accounts being used by FCS, the healthcare IT Administrator must perform additional tasks in order to ensure that FCS continues to operate normally. The accounts used by FCS that need to be changed are:

- Shared account (small/medium topology)
- Data Access Server (DAS) account
- Action account
- Reporting account
- DTS account

Changing the Shared Account Password

The Shared account is used to reduce the administrative overhead in small/medium topologies. Although a single account is used, the healthcare IT Administrator will need to perform each of the steps in sections to on the FCS server to update the account password within FCS.

Changing the Data Access Server Account Password

Table 37 shows the steps required to change the password for the Data Access Server (DAS) account.

1. Using an account that has local Administrator permissions, log on to the Collection server in a large topology or to the FCS server in a small/medium topology.
2. Navigate to Com+ Applications (Control Panel > Administrative Tools > Component Services > Computers > My Computer). In the right pane, right-click Microsoft Operations Manager Data Access Server and select Properties.
3. On the Identity tab, type the new password in the Password and Confirm password fields and click OK.

Table 37: Changing the DAS Account Password

Changing the Action Account Password

Run the following command while logged on to the Collection server:

   "<DRIVE>:\Program Files\Microsoft Forefront\Client Security\Server\Microsoft Operations Manager 2005\SetActionAccount.exe" ForefrontClientSecurity set domain username password

Where:

- <DRIVE> is the disk partition where FCS was installed
- domain is the Active Directory domain name of the user account to be changed
- username is the Active Directory user name of the user account to be changed
- password is the Active Directory password of the user account to be changed

Important:

- If the management group name was changed during install, then ForefrontClientSecurity should be replaced with the new name.
- The healthcare IT Administrator must run SetActionAccount.exe using a user account from the same Active Directory domain as specified in the domain parameter.
- SetActionAccount.exe does not support passwords that contain spaces.

Changing the Reporting Account Password

Table 38 shows the steps required to change the password for the Reporting account.

1. Using an account that has local Administrator permissions, log on to the Reporting server in a large topology or to the FCS server in a small/medium topology.
2. Open Reporting Services Configuration from Start > Programs > Microsoft SQL Server 2005 > Configuration Tools.
3. Ensure the correct details are specified in the Machine Name and Instance Name fields and click Connect.

4. In the left pane, click Windows Service Identity, type the new password in the Password field and click Apply.
5. Click the browse button (circled).
6. Type a name for the key backup file in the File name field and click Save.
   Tip: It is recommended that this file is removed once the procedure is complete, so record the location of the saved file.
7. Type a password in the Password field.
   Tip: This does not need to be the same as the password for the Reporting account.
8. Ensure that all tasks complete successfully and click Exit. Delete the file that was specified in step 6.
9. Using an account that has the FCS Administrator permissions, log on to the Management server in a large topology or to the FCS server in a small/medium topology.
10. Open Microsoft Forefront Client Security Console from Start > Programs > Microsoft Forefront > Client Security.
11. On the Action menu, select Configure.
12. On the Before You Begin page, click Next.
13. Type the Collection server name into the Collection server field. Type the Database server name into the Collection database field and click Next.
   Note: If changing the password in a small/medium FCS deployment, type the name of the FCS server in both fields. If the Management group name was modified during the original installation, type the modified name in the Management group name field.
14. Type the Database server name in the Reporting database field. Complete the User name and updated Password for the Reporting account and click Next.
   Note: The User Name must be typed in the DomainName\AccountName format. If changing the password in a small/medium FCS deployment, type the name of the FCS server in the Reporting database field and the Shared account details and updated password in the User name and Password fields.
15. Type the name of the Reporting server in the Reporting server field and click Next.
   Note: If changing the password in a small/medium FCS deployment, type the name of the FCS server in the Reporting server field.
16. Review and verify the summary information and click Next.
17. Click Close.

Table 38: Changing the Reporting Account Password

Changing the Data Transformation Service Account Password

The DTS task runs daily to transfer data from the Collection database to the Reporting database. If the password is changed, the healthcare IT Administrator must ensure the password is updated in the DTS task before the next time the job is scheduled to run (01:00 by default).

Table 39 shows the steps required to change the password for the DTS account.

1. Using an account that has local Administrator permissions, log on to the Database server in a large topology or to the FCS server in a small/medium topology.
2. Open Control Panel > Scheduled Tasks, right-click SystemCenterDTSPackageTask and select Properties.
3. In the Task tab click Set Password.
4. Type the new password in the Password and Confirm password fields and click OK.
5. To confirm the password has been changed correctly, right-click SystemCenterDTSPackageTask and click Run.
   Important: The healthcare IT Administrator should ensure that this test is performed outside the healthcare organisation's peak operational hours.
6. Once the job is complete, ensure the Last Result column displays 0x0. This means the job has completed successfully.

Table 39: Changing the DTS Account Password

Tip: These steps can be useful if troubleshooting the DTS job. The Last Result code can provide valuable information on the reason for a DTS job failure along with any events raised in the event logs.


More information

Desktop Authority 8 Getting Started

Desktop Authority 8 Getting Started 8 Getting Started Copyright Copyright 1997-2009 ScriptLogic Corporation and its licensors. All Rights Reserved. Protected by U.S. Patents 6,871,221; 7,293,087; 7,353,262 and 7,469,278 with other patents

More information

Installing and Configuring System Center 2012 Operations Manager SCOM

Installing and Configuring System Center 2012 Operations Manager SCOM Installing and Configuring System Center 2012 Operations Manager SCOM This five-day instructor-led course provides students with the knowledge and skills to install and configure System Center 2012 Operations

More information

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central Trend Micro Apex One as a Service / Apex One Best Practice Guide for Malware Protection 1 Best Practice Guide Apex One as a Service / Apex Central Information in this document is subject to change without

More information

Managing Group Policy application and infrastructure

Managing Group Policy application and infrastructure CHAPTER 5 Managing Group Policy application and infrastructure There is far more to managing Group Policy than knowing the location of specific policy items. After your environment has more than a couple

More information

Installing and Configuring System Center 2012 Operations Manager

Installing and Configuring System Center 2012 Operations Manager Course 55004A: Installing and Configuring System Center 2012 Operations Manager Page 1 of 7 Installing and Configuring System Center 2012 Operations Manager Course 55004A: 4 day; Instructor-Led About the

More information

Integrate Viper business antivirus EventTracker Enterprise

Integrate Viper business antivirus EventTracker Enterprise Integrate Viper business antivirus EventTracker Enterprise Publication Date: June 2, 2016 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides instructions

More information

Integrating Microsoft Forefront Threat Management Gateway (TMG)

Integrating Microsoft Forefront Threat Management Gateway (TMG) Integrating Microsoft Forefront Threat Management Gateway (TMG) EventTracker v7.x Publication Date: Sep 16, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This

More information

Service Manager. Ops Console On-Premise User Guide

Service Manager. Ops Console On-Premise User Guide Service Manager powered by HEAT Ops Console On-Premise User Guide 2017.2.1 Copyright Notice This document contains the confidential information and/or proprietary property of Ivanti, Inc. and its affiliates

More information

Datto BDR Needs Assessment Module

Datto BDR Needs Assessment Module Datto BDR Needs Assessment Module Instructions to Perform the Full BDR Needs Assessment User Guide 2016 RapidFire Tools, Inc. All rights reserved. V20161205 Ver 4K Contents Overview... 2 Performing the

More information

Endpoint Security Manager

Endpoint Security Manager Comodo Endpoint Security Manager Software Version 1.6 CIS Configuration Editor Version 1.6.010511 Comodo Security Solutions 1255 Broad Street STE 100 Clifton, NJ 07013 Table of Contents 1.Introduction

More information

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017 INSTALLATION GUIDE Patch Manager Version 2.1.5 Last Updated: September 25, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/patch_manager/patch_manager_documentation

More information

AdminStudio 10.0 ZENworks Edition

AdminStudio 10.0 ZENworks Edition AdminStudio 10.0 ZENworks Edition Release Notes February 22, 2011 Introduction... 1 Getting Started... 2 Components & Editions... 4 ZENworks Limited Editions... 4 Standard, Professional, and Enterprise

More information

SQL Server Solutions GETTING STARTED WITH. SQL Secure

SQL Server Solutions GETTING STARTED WITH. SQL Secure SQL Server Solutions GETTING STARTED WITH SQL Secure Purpose of this document This document is intended to be a helpful guide to installing, using, and getting the most value from the Idera SQL Secure

More information

Policy Commander Console Guide - Published February, 2012

Policy Commander Console Guide - Published February, 2012 Policy Commander Console Guide - Published February, 2012 This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes

More information

Managing Group Policy application and infrastructure

Managing Group Policy application and infrastructure CHAPTER 5 Managing Group Policy application and infrastructure There is far more to managing Group Policy than knowing the location of specific policy items. After your environment has more than a couple

More information

Diagnostic Manager Advanced Installation Guide

Diagnostic Manager Advanced Installation Guide Diagnostic Manager Publication Date: May 03, 2017 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this software,

More information

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

CompTIA A+ Certification Support Skills (2012 Objectives)

CompTIA A+ Certification Support Skills (2012 Objectives) CompTIA A+ Certification 220-802 Support Skills (2012 Objectives) Course Details Duration: Course code: 5 Days COMAP12 Overview: CompTIA A+ Support Skills courses are intended for delegates wishing to

More information

VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database

VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database For multiple versions Have documentation feedback? Submit a Documentation Feedback support ticket using

More information

Speed Lab 2! System Center 2012 R2: Introduction to Automation, Service & Application Management

Speed Lab 2! System Center 2012 R2: Introduction to Automation, Service & Application Management Speed Lab 2! System Center 2012 R2: Introduction to Automation, Service & Application Management Lab Guide System Center 2012 R2 is the industry s leading datacenter management system, providing a variety

More information

Shavlik Protect. Upgrade Guide

Shavlik Protect. Upgrade Guide Shavlik Protect Upgrade Guide Copyright and Trademarks Copyright Copyright 2009 2014 LANDESK Software, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in

More information

Tanium Patch User Guide. Version 2.1.5

Tanium Patch User Guide. Version 2.1.5 Tanium Patch User Guide Version 2.1.5 May 21, 2018 The information in this document is subject to change without notice. Further, the information provided in this document is provided as is and is believed

More information

Windows Intune Trial Guide Getting the most from your Windows Intune trial. Simplify PC management. Amplify productivity.

Windows Intune Trial Guide Getting the most from your Windows Intune trial. Simplify PC management. Amplify productivity. Windows Intune Trial Guide Getting the most from your Windows Intune trial. Simplify PC management. Amplify productivity. CONTENTS 2 Overview 2 Trial Setup 3 Getting Started with the Administration Console

More information

Lasso Continuous Data Protection Lasso CDP Client Guide August 2005, Version Lasso CDP Client Guide Page 1 of All Rights Reserved.

Lasso Continuous Data Protection Lasso CDP Client Guide August 2005, Version Lasso CDP Client Guide Page 1 of All Rights Reserved. Lasso CDP Client Guide August 2005, Version 1.6.8 Lasso CDP Client Guide Page 1 of 32 Copyright Copyright 2005 Lasso Logic, LLC. All Rights Reserved. No part of this publication may be reproduced, stored

More information

Using CSC SSM with Trend Micro Damage Cleanup Services

Using CSC SSM with Trend Micro Damage Cleanup Services APPENDIXD Using CSC SSM with Trend Micro Damage Cleanup Services Trend Micro InterScan for CSC SSM works with Trend Micro Damage Cleanup Services (DCS) as part of an enterprise protection strategy. The

More information

NETWRIX PASSWORD EXPIRATION NOTIFIER

NETWRIX PASSWORD EXPIRATION NOTIFIER NETWRIX PASSWORD EXPIRATION NOTIFIER QUICK-START GUIDE Product Version: 3.3.247 March 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

BPM Installation & Configuration Guide

BPM Installation & Configuration Guide BPM Installation & Configuration Guide Product Documentation 19 October 2012 Issue 1.0 This edition applies to Version 8.0.5 of the Lagan ECM product suite. Make sure you are using the correct edition

More information

Client Server Security3

Client Server Security3 Client Server Security3 for Small and Medium Business Getting Started Guide Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

More information

MALWAREBYTES PLUGIN DOCUMENTATION

MALWAREBYTES PLUGIN DOCUMENTATION Contents Requirements... 2 Installation Scenarios... 2 Existing Malwarebytes Installations... 2 Install / Update Malwarebytes Plugin... 3 Configuring Malwarebytes Plugin... 5 About the Screens... 7 System

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/

More information

NetWrix Group Policy Change Reporter

NetWrix Group Policy Change Reporter NetWrix Group Policy Change Reporter Version 7 Enterprise Edition Quick Start Guide Contents NetWrix Group Policy Change Reporter Quick Start Guide 1. INTRODUCTION... 3 1.1 KEY FEATURES... 4 1.2 LICENSING...

More information

Sophos Enterprise Console help. Product version: 5.5

Sophos Enterprise Console help. Product version: 5.5 Sophos Enterprise Console help Product version: 5.5 Contents 1 About Sophos Enterprise Console...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7 2.2 Toolbar buttons...7

More information

Monitoring SharePoint 2007/ 2010/ 2013 Server using EventTracker

Monitoring SharePoint 2007/ 2010/ 2013 Server using EventTracker Monitoring SharePoint 2007/ 2010/ 2013 Server using EventTracker Publication Date: June 12, 2012 Abstract EventTracker allows you to effectively manage your systems and provides operational efficiencies

More information

Exclaimer Mail Archiver

Exclaimer Mail Archiver Deployment Guide - Outlook Add-In www.exclaimer.com Contents About This Guide... 3 System Requirements... 4 Software... 4 Installation Files... 5 Deployment Preparation... 6 Installing the Add-In Manually...

More information

Getting started with System Center Essentials 2007

Getting started with System Center Essentials 2007 At a glance: Installing and upgrading Configuring Essentials 2007 Troubleshooting steps Getting started with System Center Essentials 2007 David Mills System Center Essentials 2007 is a new IT management

More information

Integrate Microsoft Office 365. EventTracker v8.x and above

Integrate Microsoft Office 365. EventTracker v8.x and above EventTracker v8.x and above Publication Date: March 5, 2017 Abstract This guide provides instructions to configure Office 365 to generate logs for critical events. Once EventTracker is configured to collect

More information

User Guide. Version R94. English

User Guide. Version R94. English AuthAnvil User Guide Version R94 English March 8, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated

More information

Full file at

Full file at Chapter 2 Solutions Answers to the Chapter 2 Review Questions 1. The Melissa virus was transported by. c. e-mail 2. Which of the following are used for updates in Windows XP Professional? (Choose all that

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the service described herein without notice. Before installing and using the service, review the readme files, release

More information

NETWRIX INACTIVE USER TRACKER

NETWRIX INACTIVE USER TRACKER NETWRIX INACTIVE USER TRACKER QUICK-START GUIDE Product Version: 3.0.106 March 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

Sage 300 Construction and Real Estate (formerly Sage Timberline Office)

Sage 300 Construction and Real Estate (formerly Sage Timberline Office) Sage 300 Construction and Real Estate (formerly Sage Timberline Office) Version 18 User's Guide This is a publication of Sage Software, Inc. 2018 The Sage Group plc or its licensors. All rights reserved.

More information

Sophos Enterprise Console

Sophos Enterprise Console Sophos Enterprise Console Help Product Version: 5.5 Contents About Sophos Enterprise Console...1 Guide to the Enterprise Console interface... 2 User interface layout... 2 Toolbar buttons...2 Dashboard

More information

IBM Proventia Management SiteProtector Policies and Responses Configuration Guide

IBM Proventia Management SiteProtector Policies and Responses Configuration Guide IBM Internet Security Systems IBM Proventia Management SiteProtector Policies and Responses Configuration Guide Version2.0,ServicePack8.1 Note Before using this information and the product it supports,

More information

Autodesk DirectConnect 2010

Autodesk DirectConnect 2010 Autodesk DirectConnect 2010 Contents Chapter 2 Installing and Licensing...................... 3 Installing Autodesk DirectConnect..................... 3 Software deployment using group policies for Windows.........

More information

Comodo Client - Security for Linux Software Version 2.2

Comodo Client - Security for Linux Software Version 2.2 Comodo Client - Security for Linux Software Version 2.2 User Guide Guide Version 2.2.091818 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1. Introduction to Comodo Client

More information

GFI WebMonitor 2009 ReportPack. Manual. By GFI Software Ltd.

GFI WebMonitor 2009 ReportPack. Manual. By GFI Software Ltd. GFI WebMonitor 2009 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

Comodo Endpoint Security Manager Professional Edition Software Version 3.5

Comodo Endpoint Security Manager Professional Edition Software Version 3.5 1 Comodo Endpoint Security Manager Professional Edition Software Version 3.5 Quick Start Guide Guide Version 3.5.030116 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo Endpoint Security

More information

Smart Business Portal User Guide Version: 1.3

Smart Business Portal User Guide Version: 1.3 Smart Business Portal User Guide Version: 1.3 Published on: 23 March 2012 ID 9030700 Table of Contents 1. Overview 3 1.1. Voice continuity services overview 3 1.1.1. Directed Recovery service 3 1.1.2.

More information

Integrate Sophos Enterprise Console. EventTracker v8.x and above

Integrate Sophos Enterprise Console. EventTracker v8.x and above Integrate Sophos Enterprise Console EventTracker v8.x and above Publication Date: September 22, 2017 Abstract This guide provides instructions to configure Sophos Enterprise Console to send the events

More information

Symantec ediscovery Platform

Symantec ediscovery Platform Symantec ediscovery Platform Native Viewer (ActiveX) Installation Guide 7.1.5 Symantec ediscovery Platform : Native Viewer (ActiveX) Installation Guide The software described in this book is furnished

More information

Authentication Services ActiveRoles Integration Pack 2.1.x. Administration Guide

Authentication Services ActiveRoles Integration Pack 2.1.x. Administration Guide Authentication Services ActiveRoles Integration Pack 2.1.x Administration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

EMC SourceOne for Microsoft SharePoint Version 7.1

EMC SourceOne for Microsoft SharePoint Version 7.1 EMC SourceOne for Microsoft SharePoint Version 7.1 Installation Guide 302-000-151 REV 01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright 2009-2013

More information

Using the Orchestration Console in System Center 2012 R2 Orchestrator

Using the Orchestration Console in System Center 2012 R2 Orchestrator Using the Orchestration Console in System Center 2012 R2 Orchestrator Microsoft Corporation Published: November 1, 2013 Applies To System Center 2012 - Orchestrator Orchestrator in System Center 2012 SP1

More information

Mission Control for the Microsoft Cloud. 5nine Cloud Security. Web Portal Version 12.o. Getting Started Guide

Mission Control for the Microsoft Cloud. 5nine Cloud Security. Web Portal Version 12.o. Getting Started Guide Mission Control for the Microsoft Cloud 5nine Cloud Security Web Portal Version 12.o Getting Started Guide 2018 5nine Software Inc. All rights reserved. All trademarks are the property of their respective

More information

Sophos Enterprise Console Help. Product version: 5.3

Sophos Enterprise Console Help. Product version: 5.3 Sophos Enterprise Console Help Product version: 5.3 Document date: September 2015 Contents 1 About Sophos Enterprise Console 5.3...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7

More information

Zemana Endpoint Security Administration Guide. Version

Zemana Endpoint Security Administration Guide. Version Zemana Endpoint Security Administration Guide Version 1.9.290 Introduction 4 What is Zemana Endpoint Security? 4 What is Zemana Control Center? 4 How do Endpoint Agents and Control Center communicate with

More information

Application Notes for Installing and Configuring Avaya Control Manager Enterprise Edition in a High Availability mode.

Application Notes for Installing and Configuring Avaya Control Manager Enterprise Edition in a High Availability mode. Application Notes for Installing and Configuring Avaya Control Manager Enterprise Edition in a High Availability mode. Abstract This Application Note describes the steps required for installing and configuring

More information

NTP Software Defendex (formerly known as NTP Software File Auditor) for NetApp

NTP Software Defendex (formerly known as NTP Software File Auditor) for NetApp NTP Software Defendex (formerly known as NTP Software File Auditor) for NetApp Installation Guide This guide provides a short introduction to the installation and initial configuration of NTP Software

More information

User Guide. Version R92. English

User Guide. Version R92. English AuthAnvil User Guide Version R92 English October 9, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

PCI Compliance Assessment Module

PCI Compliance Assessment Module User Guide PCI Compliance Assessment Module Instructions to Perform a PCI Compliance Assessment V20180316 Network Detective PCI Compliance Module without Inspector User Guide Contents About the Network

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Microsoft SQL Server Reporting Services (SSRS)

Microsoft SQL Server Reporting Services (SSRS) Microsoft SQL Server Reporting Services (SSRS) Installation/Configuration Guide for SharePoint Integration Mode August 2, 2007 Version 1.0 Published via the SharePoint Team Blog at http://blogs.msdn.com/sharepoint

More information

Malwarebytes Endpoint Security Quick Start Guide Version October 2014

Malwarebytes Endpoint Security Quick Start Guide Version October 2014 Malwarebytes Endpoint Security Quick Start Guide Version 1.0 15 October 2014 Notices Malwarebytes products and related documentation are provided under a license agreement containing restrictions on use

More information

Kaspersky Administration Kit 8.0 REFERENCE GUIDE

Kaspersky Administration Kit 8.0 REFERENCE GUIDE Kaspersky Administration Kit 8.0 REFERENCE GUIDE P R O G R A M V E R S I O N : 8. 0 C R I T I C A L F I X 1 Dear User! Thank you for choosing our product. We hope that this documentation will help you

More information

Symantec Endpoint Protection Installation Guide

Symantec Endpoint Protection Installation Guide Symantec Endpoint Protection 11.0 Installation Guide SYMANTEC ENDPOINT PROTECTION 11.0 TABLE OF CONTENTS A NEW SECURITY APPLICATION... 1 INTRODUCTION... 1 WHAT IS SYMANTEC ENDPOINT PROTECTION (SEP) 11.0?...

More information

Integrate Malwarebytes EventTracker Enterprise

Integrate Malwarebytes EventTracker Enterprise Integrate Malwarebytes EventTracker Enterprise Publication Date: Aug. 12, 2016 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides instructions to configure

More information

Project management integrated into Outlook

Project management integrated into Outlook Project management integrated into Outlook InLoox PM 7.x off-line operation An InLoox Whitepaper Published: November 2011 Copyright: 2011 InLoox GmbH. You can find up-to-date information at http://www.inloox.com

More information

Kaseya 2. User Guide. Version 1.1

Kaseya 2. User Guide. Version 1.1 Kaseya 2 Antivirus User Guide Version 1.1 June 29, 2011 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

High Availability Enabling SSL Database Migration Auto Backup and Auto Update Mail Server and Proxy Settings Support...

High Availability Enabling SSL Database Migration Auto Backup and Auto Update Mail Server and Proxy Settings Support... Quick Start Guide Table of Contents Overview... 4 Deployment... 4 System Requirements... 4 Installation... 6 Working with AD360... 8 Starting AD360... 8 Launching AD360 client... 9 Stopping AD360... 9

More information

Advanced Security Measures for Clients and Servers

Advanced Security Measures for Clients and Servers Advanced Security Measures for Clients and Servers Wayne Harris MCSE Senior Consultant Certified Security Solutions Importance of Active Directory Security Active Directory creates a more secure network

More information

ADMINISTRATION GUIDE Cisco Small Business

ADMINISTRATION GUIDE Cisco Small Business ADMINISTRATION GUIDE Cisco Small Business Cisco ProtectLink Endpoint 1.0 CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect,

More information

Design Guidance Exploration

Design Guidance Exploration Design Guidance Exploration Decision Support Wednesday, 21 May 2008 Version 2.0.0.0 Prepared by PREFACE Documents replaced by this document Document Title Version None Documents to be read in conjunction

More information

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0 Symantec Endpoint Protection Integration Component User's Guide Version 7.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms

More information

GFI EventsManager 8 ReportPack. Manual. By GFI Software Ltd.

GFI EventsManager 8 ReportPack. Manual. By GFI Software Ltd. GFI EventsManager 8 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-Mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

Lead2pass.Microsoft v Q

Lead2pass.Microsoft v Q Lead2pass.Microsoft.70-162.v12.49.55Q Number: 70-162 Passing Score: 800 Time Limit: 120 min File Version: 12.49 ht t p:/ / w w w.gratisexam.com/ Vendor: Microsoft Exam Code: 70-162 Exam Name: TS: Forefront

More information