Table of Contents
Lab Scenario
Module A: Creating tanduc.local domain
Exercise 1: Installing DNS
Exercise 2: Configuring DNS
Exercise 3: Create Reverse Lookup for 192.168.1 Zones
Exercise 4: Create Reverse Lookup for 172.168.1 Zones
Exercise 5: Promote Win2003DC to Domain Controller
Exercise 6: Create 3 Domain Users
Module B: Implementing ISA 2006 Back-end Server
Exercise 1: Installing and Configuring the ISA Server 2006 Software
Exercise 2: Configuring the ISA Firewall Back-end Server
Exercise 3: Configuring the ISA Firewall Back-end Server (Detailed Steps)
Module C: Implementing ISA 2006 Front-end Server
Exercise 1: Installing the ISA Server 2006 Software
Exercise 2: Configuring the ISA Firewall Front-end Server
Exercise 3: Configuring the ISA Firewall Front-end Server (Detailed Steps)
Module D: Installing MS Exchange 2007 Hub Transport/Mailbox Access Role
Module E: Implementing the Edge Transport Server Role
Exercise 1: Installing MS Exchange 2007 Edge Transport Role
Exercise 2: Review the default Edge Transport server configuration
Exercise 3: Run the SCW to secure the Edge Transport Server
Exercise 4: Configure EdgeSync
Module F: Implementing MS Forefront for Exchange Server
Exercise 1: Installing MS Forefront for Exchange 2007 Edge Transport Role
Exercise 2: Installing MS Forefront for Exchange 2007 Hub Transport Role
Exercise 3: Using MS Forefront for Exchange Server to protect Exchange from Viruses (Lab 1)
Exercise 3.1: Scanning Messages for Viruses
Exercise 3.2: Using File Filtering to Block Attachments
Module G: Installing & Configuring MS Forefront Client Security on Client Computers
Exercise 1: Installing Forefront Client Security Server
  Installing IIS and ASP.NET
  Install SQL Server 2005 with SP2 or SP1
  Install GPMC with SP1 (Run gpmc.msi from C:\FCS folder)
  Install WSUS 2.0 with SP1 on the Client Security server
  Configure and synchronize WSUS
  Add the reporting server site to the Local intranet zone in Internet Explorer
  Installing Client Security on a one-server topology
  Configuring Client Security on a one-server topology
  Verifying the installation of Client Security on a one-server topology
Exercise 2: Deploying Forefront Client Security on Client Computers
  Approving the client components in WSUS
  Configuring Automatic Updates
  Deploying manually to each client computer
  Approving clients through the MOM server
  Verifying your Client Security deployment
Module H: Using Forefront Client Security Server (FCS) to monitor and protect client computers (Lab 2)
Exercise 1: Using Forefront Client Security (FCS) to Protect Client Computers
Exercise 2: Updating Signature Files
Exercise 3: Using Policies to Manage Clients
Exercise 4: Alerting, Reporting and Monitoring
Appendix A: Detailed Steps for Lab 1: Using MS Forefront Security for Exchange to protect Exchange Server from Viruses
Appendix B: Detailed Steps for Lab 2: Using Forefront Client Security (FCS) to monitor and protect client computers
In the Zone Name page, enter tanduc.local in the Zone Name text box
In the Dynamic Update page, select Allow only secure dynamic updates (recommended for Active Directory) and click Next
Click Finish in the Completing the New Zone Wizard
In the Active Directory Zone Replication Scope page, select Next
In the Reverse Lookup Zone Name page, under Network ID, type 192.168.1 then click Next
In the Dynamic Update page, select Next
Click Finish in the Completing the New Zone Wizard
In the Welcome to the Active Directory Installation Wizard page, select Next
In the Domain Controller Type page, select Domain controller for a new domain and click Next
In the Create New Domain page, select Domain in a new forest and click Next
In the New Domain Name page, under the Full DNS name for a new domain text box, enter tanduc.local and press Enter
In the NetBIOS Domain Name page, leave it as default and click Next
In the Database and Log Folders page, leave it as default and click Next
In the Shared System Volume page, select Next
In the DNS Registration Diagnostics page, select Next
Click Next in the Permissions page
In the Directory Services Restore Mode Administrator Password page, enter the following:
Restore Mode Password: P@sswOrd
Confirm password: P@sswOrd
In the Summary page, select Next to begin the installation process. The process takes about 5-10 minutes to complete. Restart the computer after the installation finishes.
Expand the tanduc.local node, right-click Users, select New, then click User
In the New Object - User page, enter the following:
First Name: user01
Last Name: empty
User logon name: user01
Password: P@sswOrd
Confirm password: P@sswOrd
Uncheck User must change password at next logon
Click Next and then click Finish
IP address.
IP: 172.16.1.5
SM: 255.255.255.0
DG: 172.16.1.3
DNS Server: Empty
5. Click OK twice.
2. Create a Network Rule (DMZ-Internal) between the DMZ network and the Internal network
c. In the Welcome to the New Network Rule Wizard page, enter DMZ-Internal in the Network rule name text box
d. Click Add in the Network Traffic Sources, expand the Networks entry and then select DMZ Network
e. Click Close and then click Next
f. In the Network Traffic Destinations page, click Add
g. Expand the Networks entry and select Internal. Click Add
h. Click Close and click Next
i. In the Network Relationship page, select the Route option
j. Click Next and then click Finish.
3. Create an Access Rule that allows communication between DMZ hosts and the Domain Controller behind the ISA Back-end server
Name: Intradomain DMZ-Internal
Action: Allow
Protocols: Microsoft CIFS (TCP), Microsoft CIFS (UDP), Kerberos-Adm (UDP), Kerberos-Sec (TCP), Kerberos-Sec (UDP), LDAP, LDAP (UDP), LDAP GC (Global Catalog), RPC (all interfaces), NTP (UDP), Ping
a. In the ISA Server console, in the left pane, select Firewall Policy
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Intradomain DMZ-Internal, and then click Next
e. On the Rule Action page, select Allow, and then click Next
f. On the Protocols page, select Selected protocols in the drop down list, and then click Add
g. Expand the All Protocols entry in the Add Protocols dialog box
h. The following protocols need to be selected: Microsoft CIFS (TCP), Microsoft CIFS (UDP), Kerberos-Adm (UDP), Kerberos-Sec (TCP), Kerberos-Sec (UDP), LDAP, LDAP (UDP), LDAP GC (Global Catalog), RPC (all interfaces), NTP (UDP), Ping.
i. On the Access Rule Sources page, click Add. Expand the Networks entry, select DMZ network, click Add and click Close. Click Next
j. From the Access Rule Destinations page, click Add
k. Click New and select Computer to create a new network entity
l. In the New Computer Rule Element dialog box, enter the following:
Name: Domain Controller/Exchange Hub Transport
Computer IP Address: 192.168.1.2
m. Click OK
n. Back in the Add Network Entities page, expand Computers and select Domain Controller/Exchange Hub Transport. Click Add and Close
o. Click Next two times and then Finish
4. Create an Access Rule that allows traffic replicating from the Exchange Hub Transport Role to the Exchange Edge Transport Role via port 50636
Name: EdgeSync
Action: Allow
Protocols: EdgeSync
a. In the ISA Server console, in the left pane, select Firewall Policy
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, enter EdgeSync, and then click Next
e. On the Rule Action page, select Allow, and then click Next
f. On the Protocols page, select Selected protocols in the drop down list and then click Add
g. Click New and then Protocol
h. In the Welcome to the New Protocol Definition Wizard page, enter EdgeSync
i. In the New Protocol Definition Wizard page, click New
j. Enter the following:
Protocol Type: TCP
Direction: Outbound
Port Range: From 50636 to 50636
k. Click OK and then click Next
l. Select No in the Secondary Connections page, then click Next and Finish
m. From the Add Protocols page, expand the User-Defined entry, select EdgeSync, click Add and Close
n. From the Access Rule Sources page, click Add
o. Expand the Computers entry, select Domain Controller/Exchange Hub Transport. Click Add and Close
p. From the Access Rule Destinations page, click Add
q. Click New and select Computer
r. From the New Computer Rule Element page, enter the following:
Name: Exchange Edge Transport
Computer IP Address: 172.16.1.4
s. Click OK
t. From the Add Network Entities page, expand the Computers entry and select Exchange Edge Transport. Click Add and Close. Click Next two times and Finish
5. Create an "All Open" rule to allow Internal hosts to access all sites on the Internet
Name: All Open
Action: Allow
Protocols: All
a. In the ISA Server console, in the left pane, select Firewall Policy
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, enter All Open, and then click Next
e. In the Protocols page, select the All outbound traffic entry from the drop down list and then click Next
f. In the Access Rule Sources page, click Add
g. Expand the Networks entry, select Internal. Click Add and Close and Next
h. In the Access Rule Destinations page, select Add
i. Expand the Networks entry, select External
j. Click Add, Close and Next two times
k. Click Finish
6. Create an Access Rule (DNS-Internet) that allows the Domain Controller to send DNS requests to the Internet
Name: DNS-Internet
Action: Allow
Protocols: DNS
a. In the ISA Server console, in the left pane, select Firewall Policy
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, enter DNS-Internet, and then click Next
e. On the Rule Action page, select the Allow option and click Next
f. On the Protocols page, select Selected protocols, click Add
g. In the Add Protocols page, expand the Common Protocols node, select the DNS entry. Click Add and Close
h. In the Access Rule Sources page, select Add
i. Expand the Computers node, select Domain Controller/Exchange Hub Transport. Click Add and Close
j. In the Access Rule Destinations page, click Add
k. Expand the Networks node, select the External entry. Click Add and Close
l. Click Next two times and Finish
7. DNS Server Publishing Rule
Name: Publishing Domain DNS
Action: Allow
Protocols: DNS Server
Listener: DMZ network
a. In the ISA Server console, in the left pane, select Firewall Policy
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols
d. In the Welcome to the New Server Publishing Rule Wizard dialog box, in the Server Publishing Rule Name text box, type Publishing Domain DNS, and then click Next
e. On the Select Servers page, in the Server IP address text box, type 192.168.1.2
f. On the Select Protocol page, in the Selected protocol drop down list, select DNS Server and then click Next
g. On the Network Listener IP Addresses page, put a check mark on the DMZ Network
h. Click Finish
Click Apply to apply all the settings
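As an added illustration (not from the lab manual and not an ISA Server API), the Back-end rule set above is modelled here as an ordered rule table and a few sample flows are checked against it the way the firewall would, first match wins and everything else hits the default deny rule. It assumes /24 prefixes from the 255.255.255.0 masks used in the lab, standard port numbers for the ISA protocol definitions, and 203.0.113.10 as a constructed stand-in for an Internet host.

```python
"""Model of the ISA Back-end firewall policy built in steps 3 to 7 and
check sample flows against it: first matching rule wins, anything unmatched
hits the implicit default deny rule, as on the ISA firewall itself."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network entities from the lab. The /24 prefixes are assumed from the
# 255.255.255.0 masks used when the interfaces were configured.
NETWORKS = {
    "Internal": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("172.16.1.0/24"),
}
COMPUTERS = {
    "Domain Controller/Exchange Hub Transport": ipaddress.ip_address("192.168.1.2"),
    "Exchange Edge Transport": ipaddress.ip_address("172.16.1.4"),
}

# ISA protocol definitions reduced to (transport, port) pairs. The port numbers
# are the standard assignments and are an assumption of this model; "RPC (all
# interfaces)" is represented by the endpoint mapper only, ignoring the dynamic
# ports that ISA's RPC filter negotiates.
PROTOCOLS = {
    "Microsoft CIFS (TCP)": {("tcp", 445)}, "Microsoft CIFS (UDP)": {("udp", 445)},
    "Kerberos-Adm (UDP)": {("udp", 464)},
    "Kerberos-Sec (TCP)": {("tcp", 88)}, "Kerberos-Sec (UDP)": {("udp", 88)},
    "LDAP": {("tcp", 389)}, "LDAP (UDP)": {("udp", 389)},
    "LDAP GC (Global Catalog)": {("tcp", 3268)},
    "RPC (all interfaces)": {("tcp", 135)},
    "NTP (UDP)": {("udp", 123)},
    "Ping": {("icmp", 0)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "DNS Server": {("udp", 53), ("tcp", 53)},
    "EdgeSync": {("tcp", 50636)},  # user-defined protocol created in step 4
}
INTRADOMAIN = ["Microsoft CIFS (TCP)", "Microsoft CIFS (UDP)", "Kerberos-Adm (UDP)",
               "Kerberos-Sec (TCP)", "Kerberos-Sec (UDP)", "LDAP", "LDAP (UDP)",
               "LDAP GC (Global Catalog)", "RPC (all interfaces)", "NTP (UDP)", "Ping"]
DC, EDGE = "Domain Controller/Exchange Hub Transport", "Exchange Edge Transport"


@dataclass
class Rule:
    name: str
    protocols: Optional[List[str]]  # None means "All outbound traffic"
    sources: List[str]
    destinations: List[str]

    def covers(self, transport: str, port: int) -> bool:
        if self.protocols is None:
            return True
        return any((transport, port) in PROTOCOLS[p] for p in self.protocols)


# The rules as created in the lab, all with action Allow. "Publishing Domain
# DNS" is a server publishing rule; for traffic evaluation it behaves like an
# allow from the DMZ listener to the published server.
BACKEND_POLICY = [
    Rule("Intradomain DMZ-Internal", INTRADOMAIN, ["DMZ"], [DC]),
    Rule("EdgeSync", ["EdgeSync"], [DC], [EDGE]),
    Rule("All Open", None, ["Internal"], ["External"]),
    Rule("DNS-Internet", ["DNS"], [DC], ["External"]),
    Rule("Publishing Domain DNS", ["DNS Server"], ["DMZ"], [DC]),
]


def in_entity(entity: str, ip: ipaddress.IPv4Address) -> bool:
    """External is everything that is not a defined ISA network."""
    if entity == "External":
        return not any(ip in net for net in NETWORKS.values())
    if entity in NETWORKS:
        return ip in NETWORKS[entity]
    return COMPUTERS[entity] == ip


def matching_rules(policy, src, dst, transport, port=0) -> List[str]:
    """Names of every rule whose protocol, source and destination fit the flow,
    in policy order; more than one name means the later rules overlap."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [r.name for r in policy
            if r.covers(transport, port)
            and any(in_entity(e, s) for e in r.sources)
            and any(in_entity(e, d) for e in r.destinations)]


def evaluate(policy, src, dst, transport, port=0) -> Tuple[str, str]:
    """First match wins; the default rule at the bottom denies everything."""
    matches = matching_rules(policy, src, dst, transport, port)
    return ("Allow", matches[0]) if matches else ("Deny", "Default rule")


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.10 stands in for any Internet host.
    flows = [
        ("192.168.1.2", "172.16.1.4", "tcp", 50636),   # Hub -> Edge EdgeSync
        ("172.16.1.4", "192.168.1.2", "tcp", 50636),   # wrong direction
        ("172.16.1.4", "192.168.1.2", "udp", 53),      # Edge resolves via the DC
        ("172.16.1.4", "192.168.1.2", "tcp", 3389),    # RDP from the DMZ
        ("192.168.1.50", "203.0.113.10", "tcp", 443),  # internal client to web
        ("192.168.1.2", "203.0.113.10", "udp", 53),    # covered by two rules
    ]
    for f in flows:
        print(f, "->", evaluate(BACKEND_POLICY, *f), matching_rules(BACKEND_POLICY, *f))
```

The last flow shows that DNS-Internet is already covered by All Open because the Domain Controller sits in the Internal network, so in the order listed the narrower rule never matches first; the EdgeSync and RDP flows show that only the Hub may open 50636 to the Edge and that nothing else from the DMZ reaches the Domain Controller beyond the listed domain protocols.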
IP address.
IP: 172.16.1.3
SM: 255.255.255.0
DG: Empty
DNS Server: 192.168.1.2
5. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
6. Click OK in the internal interface's Properties dialog box.
Add the following line to route traffic from the DMZ network to the Internal network, from the command prompt (Start -> All Programs -> Accessories -> Command Prompt). Type:
route add -p 192.168.1.0 mask 255.255.255.0 172.16.1.5 metric 1
2. Create an "All Open" Access Rule allowing Internal Network clients access to all protocols and sites on the Internet
3. Create an Access Rule that allows the Internal DNS Server to send requests to the ISP's DNS Server to resolve Internet names
2. Create an "All Open" Access Rule to allow Internal hosts to access all sites on the Internet
Name: All Open
Action: Allow
Protocols: All
3. Create an Access Rule that allows traffic to move from/to the DMZ network to/from the ISA Back-end server's internal network
Name: Internal-DMZ
Action: Allow
Protocols: All
a. In the ISA Server console, in the left pane, select Firewall Policy
b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
c. In the task pane, on the Tasks tab, click Create Access Rule
d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Internal-DMZ, and then click Next
e. On the Rule Action page, select Allow and click Next
f. On the Protocols page, select the All outbound traffic entry from the drop down list. Click Next
g. On the Access Rule Sources page, select Add
h. Expand the Networks node, select Internal and Local Host.
Processor
Exchange Server 2007 exists in both 32- and 64-bit versions, but only the 64-bit version is supported in a production environment. This means that the server hardware on which you plan to install Exchange Server 2007 must have one of the following 64-bit processor types installed:
An x64 architecture-based processor that supports Intel Extended Memory 64 Technology (Intel EM64T)
An x64 architecture-based computer with an AMD 64-bit processor that supports the AMD64 platform
Memory
The memory requirements for a 64-bit Exchange 2007 server that is to be deployed in a production environment are 2 gigabytes (GB) of RAM per server. However, bear in mind that those are the minimum requirements. The recommended requirements are:
2GB of RAM per server plus approximately 5 megabytes (MB) of RAM per user mailbox located on the respective server
A paging file equivalent to the amount of server memory plus 10MB
Also be aware that it's recommended to add additional memory if you're planning to use more than four storage groups (approximately 2GB per three storage groups).
Disk Space
Disk space requirements are as follows:
At least 1.2GB of disk space on the drive on which Exchange Server 2007 is to be installed
200MB or more of disk space on the system drive
When installing the Unified Messaging role on a server, you will also need to allocate an additional 500MB for each Unified Messaging language pack that is installed.
Software Requirements
In addition to the hardware requirements, Exchange Server 2007 has some software requirements that need to be fulfilled before you can begin your install.
Operating System
When planning to install Exchange Server 2007 in a production environment, you will need Microsoft Windows Server 2003 64-bit version with Service Pack 1 or Windows Server 2003 R2 64-bit version.
Software Required
The following software is required for any of the five different Exchange 2007 server roles:
Microsoft .NET Framework Version 2.0
Microsoft Management Console (MMC) 3.0 (bear in mind that MMC 3.0 is installed by default when you use Windows Server 2003 R2)
Windows PowerShell V 1.0
HotFix for Windows x64 (KB904639)
Perform these steps on EXE2007ET to prepare for installation of the Exchange 2007 Edge Transport Role
1. Run C:\Ex2k7 Requirements\dotnetfx.exe to install .NET Framework 2.0
2. Run C:\Ex2k7 Requirements\ADAMSP1_86_English to install ADAM SP1 on the Edge Transport Role
3. Run C:\Ex2k7 Requirements\PowerShell.exe to install Windows PowerShell
4. Run C:\Ex2k7 Requirements\Hotfix.exe to install the Hotfix for .NET Framework
(Note: Make sure the IIS Windows component is installed in the system)
The first step is to prepare your Active Directory schema with new Exchange 2007 attributes by extending it using the Setup /PrepareSchema command-line switch. Exchange Server 2007 adds many new attributes and classes to the Active Directory schema (even more than Exchange Server 2003 did!) and makes additional modifications to the existing classes and attributes. We also need to prepare the current domain, configure global Exchange objects in Active Directory, and create the Exchange Universal Security Groups (USGs) in the root domain by using Setup
Expand the Exchange Management Console, expand the Organization Configuration node, and select Hub Transport
Select the Accepted Domains tab in the middle pane
From the Actions pane, select New Accepted Domain
In the New Accepted Domain page, enter the following:
Name: Tanduc
Accepted Domain: tanduc.com
Then click New
In the Completion page, click Finish.
Select the E-mail Address Policies tab, double-click Default Policy
In the Introduction page, click Next
In the Conditions page, click Next
In the E-mail Addresses page, select Add
From the SMTP E-mail Address page, in the E-mail address domain text box, select tanduc.com from the drop down list. Click OK and then click Next
From the E-mail Addresses page, rename %(a)tanduc.com to @tanduc.com
Select @tanduc.com, then select the Set as Reply button, then click Next
From the Schedule page, leave it as default, then click Next
In the Edit E-mail Address Policy page, select Edit
In the Completion page, select Finish
Exercise 1: Installing Microsoft Exchange 2007 Edge Transport Role on the EXE2007ET machine
Hardware Requirements
The hardware requirements for a production Exchange 2007 server are described in the following sections.
Processor
Exchange Server 2007 exists in both 32- and 64-bit versions, but only the 64-bit version is supported in a production environment. This means that the server hardware on which you plan to install Exchange Server 2007 must have one of the following 64-bit processor types installed:
An x64 architecture-based processor that supports Intel Extended Memory 64 Technology (Intel EM64T)
An x64 architecture-based computer with an AMD 64-bit processor that supports the AMD64 platform
Memory
The memory requirements for a 64-bit Exchange 2007 server that is to be deployed in a production environment are 2 gigabytes (GB) of RAM per server. However, bear in mind that those are the minimum requirements. The recommended requirements are:
2GB of RAM per server plus approximately 5 megabytes (MB) of RAM per user mailbox located on the respective server
A paging file equivalent to the amount of server memory plus 10MB
Also be aware that it's recommended to add additional memory if you're planning to use more than four storage groups (approximately 2GB per three storage groups).
Disk Space
Disk space requirements are as follows:
At least 1.2GB of disk space on the drive on which Exchange Server 2007 is to be installed
200MB or more of disk space on the system drive
When installing the Unified Messaging role on a server, you will also need to allocate an additional 500MB for each Unified Messaging language pack that is installed.
Software Requirements
In addition to the hardware requirements, Exchange Server 2007 has some software requirements that need to be fulfilled before you can begin your install.
Operating System
When planning to install Exchange Server 2007 in a production environment, you will need Microsoft Windows Server 2003 64-bit version with Service Pack 1 or Windows Server 2003 R2 64-bit version.
Software Required
The following software is required for any of the five different Exchange 2007 server roles:
Microsoft .NET Framework Version 2.0
Windows PowerShell V 1.0
HotFix for Windows x64 (KB904639)
The following components are required for the Edge Transport server:
ADAM
Like the Hub Transport role, SMTP and NNTP must not be installed
Perform these steps on EXE2007ET to prepare for installation of the Exchange 2007 Edge Transport Role
1. Run C:\Ex2k7 Requirements\dotnetfx.exe to install .NET Framework 2.0
2. Run C:\Ex2k7 Requirements\ADAMSP1_86_English to install ADAM SP1 on the Edge Transport Role
3. Run C:\Ex2k7 Requirements\PowerShell.exe to install Windows PowerShell
4. Run C:\Ex2k7 Requirements\Hotfix.exe to install the Hotfix for .NET Framework
The following steps demonstrate how to perform the installation of the Exchange 2007 Edge Transport Role on EXE2007ET:
1. Run Setup.exe from C:\Exchange 2007
2. When the dialog box comes up, click Step 4: Install Microsoft Exchange
3. From the Exchange Server 2007 Setup page, click Next
4. Select "Accept the terms in the license agreement" and click Next
5. Select No and click Next
6. From the Installation Type page, choose Custom Exchange Server Installation and click Next
7. Select No if you don't have Outlook 2003 clients running in your network. In this case, select No and click Next
8. Put a check mark on Edge Transport Role and click Next
9. When it finishes, click Finish to end the installation process.
21. On the Network Security page, click Next.
22. On the Open Ports and Approve Applications page, review the ports that will be opened. Take note of the approved application entries that specific Exchange related processes and services will use.
23. On the Open Ports and Approve Applications page, click Next.
24. On the Confirm Port Configuration page, click Next.
25. On the Registry Settings page, select the Skip this section check box, and then click Next.
26. On the Audit Policy page, select the Skip this section check box, and then click Next.
27. On the Save Security Policy page, click Next.
28. On the Security Policy File Name page, type C:\windows\security\msscw\policies\EXE2007ET.xml as the policy file name. Click Next.
29. In the Security Configuration Warning dialog box, click OK.
Module 2: Configuring Edge Transport Servers 2-21
30. On the Apply Security Policy page, click Apply now, and then click Next.
31. After the policy is applied, click Next.
32. Click Finish to complete the Security Configuration Wizard.
33. Click Start, point to Control Panel, and then click Windows Firewall.
34. Confirm that the firewall is enabled. On the Exceptions tab, confirm that the Exchange-related processes are listed. Click OK.
35. Restart the EXE2007ET server. After the server restarts, log on as Administrator with the password of Pa$$wOrd.
From Start -> Programs -> Administrative Tools -> DNS
Expand the DNS node, then expand Forward Lookup Zones
Right-click the tanduc.local node, click New Host (A)
In the New Host page, enter the following:
Name: EXE2007ET
IP address: 172.16.1.4
Put a check mark next to Create associated pointer (PTR) record
Click Add Host
Close the DNS management console.
1. On EXE2007ET, open the Exchange Management Shell, and at the prompt type New-EdgeSubscription and then press ENTER.
2. At the FileName prompt, type C:\Edge1subscription.xml and then press ENTER.
3. Read the information displayed in the Exchange Management Shell, and then press ENTER.
4. Close the Exchange Management Shell.
5. Open Windows Explorer, and then browse to drive C. Right-click Edge1subscription.xml, and then click Copy.
6. On the Start menu, click Run. In the Open text box, type \\WIN2003DC\c$ and then press ENTER.
7. Right-click the \\WIN2003DC\c$ folder, and then click Paste. Close both instances of Windows Explorer.
8. On WIN2003DC, open the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
9. Click New Edge Subscription to start the New Edge Subscription wizard.
10. On the New Edge Subscription page, click Browse.
11. In the Select the Subscription File dialog box, browse to drive C. Click Edge1subscription.xml, and then click Open.
12. On the New Edge Subscription page, click New, and then click Finish.
13. Close the Exchange Management Console.
Note: It may take a minute for the container to appear. If the container does not appear in that time, open the Exchange Management Shell on WIN2003DC, type Start-EdgeSynchronization and then press ENTER.
Perform these exercises on the EXE2007ET, WIN2003DC and client1 machines
Exercise 1: Installing Microsoft Forefront Security for Exchange SP1 on the Edge Transport
Perform these steps on the EXE2007ET machine
2. On the Microsoft Forefront Security for Exchange Server Setup page, click Next
3. Click Next to accept the Licensing Agreement.
4. Enter TDT in the User Name text box and Tan Duc in the Company Name, click Next
5. Choose the Local Installation option. Click Next.
6. On the Installation type page, choose Full installation and then click Next.
7. On the Quarantine Security Settings page, choose the Secure Mode option, and then click Next.
8. On the next page, choose the I don't want to use Microsoft Update option. Click Next
9. On the Engines page, either accept the default or choose up to five different AV engines and then click Next to go to the next page.
10. On the Engine Updates Required page, click Next.
11. On the Proxy Server (Optional Settings) page, leave Use Proxy Settings unchecked, click Next.
12. On the Choose Destination Location page, accept the default path and then Next.
13. Leave the default on Select Program Folder and then Next.
14. Click Next to Start Copying Files.
15. Click Next to restart the MS Exchange Transport Service.
16. On the Recycling Exchange Transport Service page, click Next.
17. Click Finish to finish the installation process.
Exercise 2: Installing Microsoft Forefront Security for Exchange SP1 on the Hub Transport
Perform these steps on the WIN2003DC machine
1. Click Setup.exe to start the installation process from C:\Forefront
2. On the Microsoft Forefront Security for Exchange Server Setup page, click Next
3. Click Next to accept the Licensing Agreement.
4. Enter TDT in the User Name text box and Tan Duc in the Company Name, click Next
5. Choose the Local Installation option. Click Next.
6. On the Installation type page, choose Full installation and then click Next.
7. On the next page, choose the I don't want to use Microsoft Update option. Click Next.
8. On the Quarantine Security Settings page, choose the Secure Mode option, and then click Next.
9. On the Engines page, either accept the default or choose up to five different AV engines and then click Next to go to the next page.
10. On the Engine Updates Required page, click Next.
11. On the Proxy Server (Optional Settings) page, leave Use Proxy Settings unchecked, click Next.
12. On the Choose Destination Location page, accept the default path and then Next.
13. Leave the default on Select Program Folder and then Next.
14. Click Next to Start Copying Files.
15. Click Next to restart the MS Exchange Transport Service.
16. On the Recycling Exchange Transport Service page, click Next.
17. Click Finish to finish the installation process.
2. Configure the Transport Scan Job: Bias: Favor Performance (scan each message with up to at least 50% of the selected engines (2 or 3 engines)) and Quarantine files
3. Configure the Realtime Scan Job: Bias: Favor Performance and Quarantine files
4.
5. Send an email to Admin with an attachment Virus-A.com. Examine the attachment of the new message in the Inbox, and in Sent Items
6.
6a. For the Transport scan job, change the deletion text by adding a line: TransportScanned by Keyword (in this case Keyword = %VirusEngines%)
6b. Use the Incidents in the Report section to determine which scan engines detected Virus-A.com
7. Configure the Quarantine area to maintain removed attachments for a maximum of 30 days by purging them
8. Archive all the messages after they are scanned
9.
9a. Send another email to Admin with a Virus-A.com attachment.
9b. Examine the attachment with a new message in the Inbox.
9c. ... message.
10.
10a. Send an email to Admin with a Cool Game.zip attachment
10b. Examine the attachment of the new message in the Inbox.
10c.
11a. Send an email to Admin with a Cool Game2.zip attachment (Cool Game2.zip is an encrypted zipped file attachment)
11b. Examine the attachment of the new message in the Inbox.
12.
13.
11a. Send an email to Admin with a Cool Game2.zip attachment
11b. Examine the attachment of the new message in the Inbox.
14. ... Game2.zip with Bias: Max Certainty, Action: Delete: remove infection, Mailbox: Administrator.
15. Run the Manual Scan
16. Verify that Forefront Security has removed the Cool Game2.zip attachment from the previous message in the Administrator Mailbox.
17.
17a. Configure a Background Scan Job to rescan messages that were received in the last 3 days.
17b. Schedule and enable the Background Scan Job to run daily at 3:00 AM.
a. Delete all attachment files named iloveyou.vbs
b. Delete files with the .exe extension
c. Delete all bmp files that are larger than 3MB in size
d. Delete all mp3 files from inbound messages only.
5. Send an email message to Admin with a test1.jpg attachment
6. Examine the attachment of the new message in the Inbox. Save test1.jpg as test1.exe and run the application.
7. Change the file filter *.exe / All types to * / EXE file type
8. Send an email message to Admin with two attachments: test1.jpg and pic1.jpg
9. Examine the attachment of the new message in the Inbox
The detailed steps can be found in Appendix A: Detailed Steps for Lab 1: Using MS Forefront Security for Exchange to protect Exchange Server from Viruses
Module G: Implementing Forefront Client Security (FCS) Server and Deploying FCS on Client Computers
Lab Exercises:
Exercise 1: Installing Forefront Client Security Server
Installing IIS and ASP.NET
Install SQL Server 2005 with SP2 or SP1
Install GPMC with SP1 (Run gpmc.msi from C:\FCS folder)
Install WSUS 2.0 with SP1 on the Client Security server
Configure and synchronize WSUS
Add the reporting server site to the Local intranet zone in Internet Explorer
Installing Client Security on a one-server topology
Configuring Client Security on a one-server topology
Verifying the installation of Client Security on a one-server topology
Exercise 2: Deploying Forefront Client Security on Client Computers
Approving the client components in WSUS
Configuring Automatic Updates
Deploying manually to each client computer
Approving clients through the MOM server
2. In the Manage Your Server window, click Add or Remove a Role.
3. In the Configure Your Server wizard, click Next.
4. On the next page, click Application Server (IIS, ASP.NET), and then click Next.
5. On the next page, select the ASP.NET check box, and then complete the wizard.
In the Collation Settings page, leave it as default (Dictionary order, case-insensitive, for use with 1252 Character Set)
From the Report Server Installation Options page, select Install the default configuration and click Next
Click Next to go to Ready to Install. Click Install to begin the installation process
From the Welcome screen, click Next Click I accept the agreement and click Next Click Next on the Feature Selection page On the Authentication page, select Windows Authentication Click Next on Error and Usage Reporting Settings page Click Next on Running Processes page From Ready to Install page, click Install to begin and click Next
Put a check mark on Store updates locally from Select Update Source page, click Next From the Database options, select Use an existing database server on this computer with Default is selected, and then click Next From Connecting to SQL Server Instance, click Next From Web Site Selection page, select Create a Microsoft Windows Server Update Services Web site and click Next
3. In Add/Remove Classifications, select the Updates check box, and then click OK.
4. In the Products, select Windows 2003 family only, then click OK.
5. Scroll down to the very bottom; under the Update Files and Languages section, click the Advanced button. Click OK when the dialog box comes up on the screen.
6. From the Advanced Synchronization Options page, make sure Store update files locally on this server is selected and the Download update files to this server only when updates are approved check box is checked. In the Languages pane, select Download updates only in the selected languages. Click OK when the dialog box comes up. Select English as a language option. Then click OK. Click Save settings. To start synchronizing, on the Synchronization Options page, click Synchronize Now.
Server, Collection Server, Collection Database, Reporting Server and Reporting Database, and Distribution Server, click Next.
From the Collection Server page, enter the following as the DAS account:
Page 39
On the Completing Setup page, verify that setup completed successfully, and then click Close.
Add the reporting server site to the Local intranet zone in Internet Explorer.
For SQL Server Reporting Services to function correctly, you must add the reporting server site to the Local intranet zone on the Client Security server.
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. Click the Security tab, and then click the Local intranet zone.
3. Click the Sites button.
4. Click the Advanced button.
5. In the Add this website to the zone box, type http://forefront
6. Click Add.
1. Open the Client Security console. (Click Start, point to All Programs, point to Microsoft Forefront, point to Client Security, and then click Microsoft Forefront Client Security Console.)
2. On the wizard's Before You Begin page, click Next.
3. On the Collection Server and Database page, click Next.
4. On the Reporting Database page, enter the username and password for the reporting account: Username: tanduc\administrator; Password: P@sswOrd, and then click Next.
5. On the Reporting Server page, click Next.
6. On the Verifying Settings and Requirements page, verify your system requirements, and then click Next.
7. On the Completing the Configuration Wizard page, verify that you have successfully configured Client Security, and then click Close.
Before deploying Client Security, you must approve its client components in WSUS. You should also verify that you have configured WSUS so it is synchronizing Updates (in addition to Definition Updates).
1. Open the WSUS console.
2. In the console, click Options, and then click Synchronization Options.
3. On the Synchronization Options page, under Update Classifications, make sure Updates is listed.
4. Click Updates.
5. Select the most recent Client Update for Microsoft Forefront Client Security.
6. From the Update Tasks box on the top left, click the Change approval link.
7. In the Approve Updates - Web Page Dialog page, from the Approval drop-down list, select the Install option, then click OK.
8. In the Approve Updates dialog box, click OK.
9. In the End User License Agreement dialog box, click I Accept.
Configuring Automatic Updates
Before your client computers can download updates from your distribution server, they must be configured so that Automatic Updates on the client computer points to the WSUS server. To make this configuration, you can use Group Policy.
Configure Automatic Updates
You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update or Microsoft Update.
1. In the Group Policy Object Editor dialog box, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
2. In the Setting list, double-click Configure Automatic Updates.
3. In the Configure Automatic Updates dialog box, click Enabled, and then click OK.
4. In the Setting list, double-click Specify intranet Microsoft update service location.
5. In the Specify intranet Microsoft update service location dialog box, click Enabled, and enter the client configuration URL in both the Set the intranet update service box and the Set the intranet statistics server box. In this case, type http://forefront in both boxes, and then click OK.
6. In the Setting list, double-click Allow Automatic Updates immediate installation.
7. In the Allow Automatic Updates immediate installation Properties dialog box, click Enabled, and then click OK.
3. When the tool finishes running, close the Command Prompt window.
4. Open C:\FCS_log to see the log files.
5. Restart Client1.
Approving clients through the MOM server
Perform these steps on the WIN2003DC machine.
After being deployed, the clients are usually automatically approved within an hour. If you want them to begin reporting data sooner than that, you can approve them manually.
To approve clients manually through the MOM server
1. On the Client Security management server, click Start, click All Programs, click Microsoft Operations Manager, and then click Administrator Console.
2. In the MOM 2005 Administrator Console, under Console Root, expand Administration, expand Computers, and then click Pending Action.
3. Right-click the client computer (MCPClient) in the Pending Action list, and then click Approve Manual Agent Installation Now. If you do not see the client in the Pending Action list, wait a few minutes, and then click Refresh on the Action menu.
4. In the Microsoft Operations Manager dialog box, click Yes to confirm approval. The client computer will disappear from the Pending Action list.
Module H: Using Forefront Client Security (FCS) to monitor and protect client computers
Lab Exercises:
Exercise 1: Using Forefront Client Security (FCS) to Protect Client Computers
Exercise 2: Updating Signature Files
Exercise 3: Using Policies to Manage Clients
Exercise 4: Alerting, Reporting and Monitoring
Exercise 1: Using Forefront Client Security (FCS) to Protect Client Computers
Scenario: In this exercise, you will examine how Forefront Client Security (FCS) detects malware (viruses and spyware) on client computers. We will perform the following procedures (all the sample files are located in C:\EICAR-2):
1.
2. Perform a Custom Scan of the C:\EICAR-2 folder. Close the dialog box after scanning finishes; no action is required. (The folder contains the EICAR antivirus test file.)
3. Examine the Scan Schedule, Scan Interval and real-time protection settings.
4. Use Notepad to open C:\EICAR-2\Sample-A.txt.
5. Remove EICAR_Test_File with Action: Always allow. Check if you can run file Sample-B.com in this case.
8. Examine the FCS history listing.
9. Examine the FCS events in the System event log (Event ID: 3005).
1. Examine the current scanning engine and malware definition version numbers.
3. Examine the WSUS products and update classification.
4. Examine the WSUS update frequency and the FCS update assistant service.
5. In WSUS, approve the most recent definition updates (the definition updates contain the antivirus signature definitions and the antispyware definitions; in case they have already been approved, approve them again for this demo only).
3. Create a new FCS policy:
- Name: FCS Central Policy
- Spyware protection: User controlled
- Scheduled scan: Every day - 3:00 AM
- Check for Updates: Every 2 hours
- Failover to Microsoft Update: yes
- Client options: Full user interface
4. Deploy the FCS Central Policy to the Client Computers.
5. Use GPMC to examine the FCS Central Policy settings.
12. Attempt to open the FCS window.
13. Attempt to run C:\EICAR-2\Sample-D.com.
The following tasks will help you deploy a FCS policy to a file, and then apply the file to the Forefront computer.
B. Examine FCS Reports
1. Examine the Computer Summary.
2. Examine the Security Summary, Deployment Summary and Connectivity Summary.
3. Examine the Malware Summary report.
Appendix A: Using Forefront Security for Exchange to protect Exchange from Viruses
Lab Exercises:
Exercise 1: Scanning Messages for Viruses
Note: This lab exercise uses the following computers: WIN2003DC - Client1
Perform the following steps on the WIN2003DC computer.
1. On the WIN2003DC computer, use Forefront Security Administrator to connect to WIN2003DC.
a. On the WIN2003DC computer, on the Start menu, click All Programs, click Microsoft Forefront Server Security, click Exchange Server, and then click Forefront Server Security Administrator.
b. In the Connect to Server dialog box, in the server drop-down list box, select WIN2003DC, and then click OK.
Forefront Security Administrator connects to Forefront Security for Exchange that is running on the WIN2003DC server. The user interface of Forefront Security Administrator is divided into the so-called Shuttle Navigator on the left, and Work Panels on the right.
The Shuttle Navigator consists of four areas with icons:
- Settings - This area contains icons to configure most of the antivirus settings, scanner updates and General Options.
- Filtering - This area contains icons to configure filtering based on keywords in message content and file names of attachments.
- Operate - This area contains icons to start, stop and schedule antivirus scan jobs.
- Report - This area contains icons to view and configure notifications, detected incidents, and the quarantine area.
a. On the left, in the Settings area, click Scan Job.
b. On the right, in the top work panel, select Transport Scan Job.
Forefront Security for Exchange uses four different ways to scan for viruses in messages. Three of those are listed in the Scan Job work panel. The Transport Scan Job runs on the Exchange 2007 Hub Transport or Edge Transport roles. All other scan jobs run on the Exchange 2007 Mailbox role.
The scan jobs are:
- Transport Scan Job - Forefront Security scans all e-mail messages that are inbound, outbound or sent internally within an organization, and pass through the Exchange 2007 Transport stack.
- Realtime Scan Job - This scan job provides immediate scanning of e-mail that is sent or received by the mailboxes and Public Folders resident on the server.
- Manual Scan Job - This allows you to start a job at a particular time to scan messages that are already in specific mailboxes.
- Scheduled Background Scanning - Forefront Security can periodically scan messages received within a specific period. For example, all messages in the information store from the last 2 days. This scan job is configured in General Options.
3. Configure the Transport scan job. Bias: Favor Performance. Action: Quarantine Files.
a. In the top work panel, select Transport Scan Job.
b. In the Transport Messages work panel, ensure that Internal is enabled.
c. The Transport scan job scans messages that originate from an external server (Inbound), that leave your Exchange site or organization (Outbound), and that are routed from one location in your domain to another location in your domain (Internal).
d. On the left, in the Settings area, click General Options.
The General Options work panel contains many system level settings.
e. In the work panel, in the Scanning section, scroll to the last settings in the section.
The Internal Address setting determines whether messages are considered Inbound (from elsewhere to tanduc.local), Outbound (from tanduc.local to elsewhere), or Internal (from tanduc.local to tanduc.local). You can enter multiple domain names, separated by semicolons.
f. On the left, in the Settings area, click Antivirus.
Forefront Security contains 9 different scan engines from well-known antivirus vendors.
g. In the File Scanners list box, select Kaspersky Antivirus Technology.
A warning message box appears which indicates that you can only select a maximum of 5 scan engines at the same time.
h. Click OK to close the message box.
i. In the Bias drop-down list box, select Favor Performance.
The Bias setting controls how many of the selected scan engines are used to provide certainty that a single message does not contain a virus. The settings are (for 5 selected scan engines):
- Maximum Certainty - Scan each message with all selected engines (5 engines).
- Favor Certainty - Scan each message with all selected engines except the engines that are currently unavailable (due to being updated, etc.).
- Neutral - Scan each message with at least 50% of the selected engines (3 engines).
- Favor Performance - Scan each message with up to at least 50% of the selected engines (1, 2 or 3 engines).
- Maximum Performance - Scan each message with one engine.
Note: When multiple scan engines are used, and even a single scan engine reports a message as infected, Forefront Security considers the message infected.
j. Ensure that Quarantine Files is selected.
k. Click Save to save the changed configuration.
4. Configure the Realtime scan job. Bias: Favor Performance. Action: Quarantine Files.
a. In the top work panel, select Realtime Scan Job.
b. On the left, in the Settings area, ensure that Antivirus is selected.
Notice that Forefront Security maintains separate antivirus settings per scan job. The Bias setting for the Realtime Scan Job is still set to Favor Certainty.
c. In the Bias drop-down list box, select Favor Performance.
Forefront Security will use 1 to 3 scan engines for the Realtime Scan Job.
d. Ensure that Quarantine Files is selected.
e. Click Save to save the changed configuration.
Perform the following steps on the Client1 computer.
5. On the Client1 computer, send an email to Administrator.
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.
In this module, you will send e-mail messages from the Administrator mailbox to the Administrator mailbox to demonstrate the Forefront Security for Exchange functionality.
b. In Outlook, on the toolbar, click New.
c. In the new message window, complete the following information:
- To: Administrator
- Subject: Test mail to self - 1
- (Message): Message to Administrator
and then click Send.
After a few seconds, the message will disappear from the Outbox and show up in the Inbox. This result verifies that Outlook is correctly connected to the Exchange server on WIN2003DC. Note: After the Exchange server has just started up, the first message is delivered more slowly, because Forefront needs to start the scanning engines.
Attach the file: C:\EICAR-1\VirusA.com
a. In Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
c. In the e-mail window, on the Insert menu, click File.
d. In the Insert File dialog box, browse to C:\EICAR-1, select Virus-A.com, and then click Insert.
Virus-A.com is a copy of the industry standard eicar.com antivirus test file. All antivirus products detect the file. It does not replicate by itself, and only displays a single line of text when run in a command prompt window.
e. Click Send.
f. In the Microsoft Office Outlook message box, click Yes to confirm that you want to send the message with the potentially unsafe attachment.
attachment as a virus. It always displays this message box for any attachment that is an executable file, such as .exe, .com, .bat, and .vbs.
7. Examine the attachment of the new message in the Inbox, and in Sent Items.
a. In the Inbox, select the Include file - 2 message.
Notice that Forefront Security replaced the Virus-A.com attachment by a new text file (Virus-A.txt).
b. In the Reading pane, right-click Virus-A.txt, and then click Open.
Forefront Security reports that Virus-A.com was found to be infected by the EICAR test virus. It removed the attachment before the message arrived in the Administrator Inbox.
Note: The Transport scan job (running on the Exchange 2007 Hub Transport role or Edge Transport role) detected and removed the virus.
c. Close Notepad.
d. In the Sent Items folder, select the Include file - 2 message.
Forefront Security removed the Virus-A.com attachment from both the Inbox folder and the Sent Items folder. Note: The message in the Sent Items folder was not sent through the Hub Transport or Edge Transport role, but stayed on the Mailbox role. The Realtime scan job (on-access scanning) detected and removed the virus in the message in the Sent Items folder.
Perform the following steps on the WIN2003DC computer.
8. On the WIN2003DC computer, for the Transport scan job, change the deletion text. Add a line: Transport - Scanned by %VirusEngines%
a. On the WIN2003DC computer, in Forefront Security Administrator, in the Settings area, click Scan Job.
b. In the top work panel, select Transport Scan Job.
c. In the bottom work panel, click Deletion Text.
The dialog box displays the text that Forefront Security uses in the replacement file when a virus is detected by the Transport scan job.
d. In the deletion text area, under the existing lines of text, type: Transport - Scanned by, followed by a space character.
e. After the word "by", right-click and then click Paste Keyword.
Forefront Security provides a list of keywords that can be used to display information about the message and the scanning process. Note: The keywords starting with IS, ES, IR, ER represent the Internal/External Sender/Recipient names and addresses.
f. On the keyword menu, click Virus Engines.
g. Click OK to close the deletion text dialog box.
h. Click Save to save the changed configuration.
9. Use the Incidents work panel to determine which scan engines detected the Virus-A.com file.
a. In the Shuttle Navigator, in the Report area, click Incidents.
The Incidents work panel shows that a file named Virus-A.com was removed from the message with subject Include file - 2.
b. In the work panel, change the width of the Name column and the Folder column to display all the text in this column.
Notice that the Transport Scan Job detected the virus in an Internal message, and that the Realtime Scan Job detected the virus in the Sent Items folder of the Administrator mailbox.
The Incident column lists which scan engines (one or more) detected the virus. Forefront Security maintains a complete copy of the detected virus files in a quarantine area. When Quarantine Purge is enabled, Forefront Security removes all files that are in quarantine longer than the indicated number of days. By default that is 30 days.
10. Configure the quarantine area to maintain removed attachments for a maximum of 30 days.
c. Click Save to save the changed configuration.
Note: The Transport Scan Job scans all messages in transit (on the Hub Transport role or Edge Transport role), and the Realtime Scan Job performs on-access scanning of all messages when they are accessed in the mailbox (on the Mailbox role). To avoid the same message being needlessly scanned multiple times, the Transport Scan Job adds a so-called antivirus stamp header to the message. The next scan job examines the antivirus stamp header to determine that the message is already scanned. To avoid spoofing by fake antivirus stamp headers, the Transport Scan Job first removes any antivirus stamp headers from an incoming message.
11. Configure the
a. In the Shuttle Navigator, in the Settings area, click General Options.
b. In the work panel, scroll to the Scanning section.
The Optimize for Performance by Not Rescanning Messages Already Virus Scanned - Transport setting controls whether the Transport Scan Job adds the antivirus stamp header after scanning the message.
c. Scroll to the top of the work panel.
d. In the Diagnostics section, in the Archive Transport Mail drop-down list box, select Archive After Scan.
The Archive Transport Mail setting saves a copy of each message in an Archive folder on the hard disk. This is a diagnostic setting to help diagnose and isolate problems. However, it also allows us to see the antivirus stamp header.
e. Click Save to save the changed configuration.
Perform the following steps on the Client1 computer.
12. On the Client1 computer, send an email to Administrator. Attach the file: C:\EICAR-1\VirusA.com
a. On the Client1 computer, in Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
- To: Administrator
- Subject: Include file - 3
- (Message): Please see attachment
Do NOT send the message yet.
c. In the e-mail window, on the Insert menu, click File.
d. In the Insert File dialog box, browse to C:\EICAR-1, select Virus-A.com, and then click Insert.
e. Click Send.
f. In the Microsoft Office Outlook message box, click Yes to confirm that you want to send the message with the potentially unsafe attachment.
After a few seconds, the message arrives in the Inbox.
a. In the Inbox, select the Include file - 3 message.
b. In the Reading pane, right-click Virus-A.txt, and then click Open.
The replacement text includes the added line: Transport - Scanned by %VirusEngines%, where the text %VirusEngines% is replaced by the actual engine names.
c. Close Notepad.
Perform the following steps on the WIN2003DC computer.
14. On the WIN2003DC computer, examine the existence of the antivirus stamp header in a scanned message.
a. On the WIN2003DC computer, use Windows Explorer (or My Computer) to open the C:\Program Files\Microsoft Forefront Security\Exchange Server\Data\Archive folder.
The Archive Transport Mail option saves a copy of each message in the Archive folder. The file name consists of the year, month, day, time, a 3-digit random number, and the eml file extension.
b. Right-click the archived eml-file, click Open With, and then click Notepad.
Notepad opens the eml-file. The header section contains the header X-MSExchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0. This is the antivirus stamp header added by the Transport scan job, after the message was scanned.
Note: When the message is written to the information store database, the antivirus stamp header is replaced by a custom MAPI property on the message.
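The stamp-and-skip flow described in the note after step 10 (strip any antivirus stamp that arrives with a message, scan it, then stamp it so a later scan job can skip it) as an added Python model; this is not Forefront's code, the two scan engines are constructed stand-ins, and only the header name and stamp value are taken from the archived message above.

```python
import email
from email import policy
from email.message import EmailMessage

# Header name and stamp value exactly as seen in the archived .eml in step 14.
AV_STAMP_HEADER = "X-MSExchange-Organization-AVStamp-Mailbox"
AV_STAMP_VALUE = "MSFTFF;1;0;0 0 0"


def _engine_by_name(part):
    # Constructed stand-in engine: flags executable attachment names.
    return (part.get_filename() or "").lower().endswith((".com", ".exe"))


def _engine_by_marker(part):
    # Constructed stand-in engine: flags a marker string inside the content.
    content = part.get_content()
    if isinstance(content, str):
        content = content.encode()
    return b"constructed-malware-marker" in content


ENGINES = {"Engine-1": _engine_by_name, "Engine-2": _engine_by_marker}


def detecting_engines(part):
    """Names of the engines that flag this attachment. A single hit is enough
    for the message to count as infected (see the Bias note in step 3)."""
    return [name for name, engine in ENGINES.items() if engine(part)]


def transport_scan(raw):
    """Model of the Transport scan job. Returns (scanned message bytes,
    verdict, number of incoming stamp headers that were stripped)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # 1. Remove any stamp that arrived with the message. Without this, a
    #    sender could forge the stamp so that later scan jobs skip the message.
    stripped = len(msg.get_all(AV_STAMP_HEADER) or [])
    del msg[AV_STAMP_HEADER]
    # 2. Scan each attachment; an infected one is replaced by the deletion
    #    text file, as Virus-A.com was replaced by Virus-A.txt above.
    verdict = "clean"
    for part in msg.iter_attachments():
        engines = detecting_engines(part)
        if engines:
            verdict = "infected"
            name = part.get_filename() or "attachment"
            text = (f"{name} was removed because it was found to be infected.\n"
                    f"Transport - Scanned by {', '.join(engines)}\n")
            part.set_content(text, disposition="attachment",
                             filename=name.rsplit(".", 1)[0] + ".txt")
    # 3. Stamp the scanned message so the next scan job does not rescan it.
    msg[AV_STAMP_HEADER] = AV_STAMP_VALUE
    return msg.as_bytes(), verdict, stripped


def realtime_scan(raw):
    """Model of the Realtime scan job: trusts the stamp, otherwise scans."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get(AV_STAMP_HEADER) == AV_STAMP_VALUE:
        return "skipped"
    hit = any(detecting_engines(p) for p in msg.iter_attachments())
    return "infected" if hit else "clean"


def attachment_names(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


def attachment_text(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return next(p.get_content() for p in msg.iter_attachments())


def build_message(filename, data, forged_stamp=False):
    """Constructed Administrator-to-Administrator message with one attachment;
    forged_stamp=True models a message that arrives already 'stamped'."""
    msg = EmailMessage()
    msg["From"] = "administrator@tanduc.local"
    msg["To"] = "administrator@tanduc.local"
    msg["Subject"] = "Include file - 2"
    msg.set_content("Please see attachment")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    if forged_stamp:
        msg[AV_STAMP_HEADER] = AV_STAMP_V
```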
c. Close Notepad. d. Close the Windows Explorer window . Note: In the following tasks, you will examine how Forefront Security can detect viruses inside compressed and encrypted compressed files . Perform the following steps on the Clientl 15.0n the Clientl.. --- computer, examine the contents of the C:\EICAR-l \Cool Gamel.zip file.
~.
computer.
a. On the Clientl computer, use Windows Explorer (or My Computer) to open the C:\EICAR-l folder. b. In the Tools folder, right-click Cool Gamel.zip, then click Open. and
~ Cool GameJ.zip is a zip-jile that contains e;car.com, which is another copy of the eicar.comantivirus test file.
c. Close the Windows Explorer window. a. In Outlook, on the toolbar, click New. b. In the new message window, complete the following information: ? To: Administrator
Page 57
? Subject: Cool game - 4 ? (Message): Enjoy! Do NOT send the message yet.
c. In the e-man window, on the Insert menu, click File. d. In the Insert;File dialog box, browse to C:\EICAR-l, select Cool Gamel.zip, and then click Insert. 2S Cool Game 1.zip is the attachment of the e-mail. e. Click Send.
2S
a. In the Inbox, select the Cool game - 4 message. 2S The e-mail still has an attachment named Cool Game 1.zip. b. In the Reading pane, right-click Cool Gamel.zip, and then click Open. c. In the Opening Mail Attachment message box, click Open.
2S
Windows Explorer displays the content of the Cool Game I.zip attachment.
... ....
d. In the Cool Game 1.zip folder, right-click Cool Gamel.zip, and then click Open. e. In the File Download message box, click Open. f. In the next Explorer window, right-click eicar.txt, and then click Open . 2S Forefront Security has detected the virus inside the zip-jiles, and replaced thefile by a replacement text.
2S
By default, Forefront Security checks compressed files to a maximum of 5 levels deep, and deletes attachments that exceed that maximum.
g. Cluse Notepad.
l\Cool Game2.zip
file. Password: password
a. Use WindGvvs t:xpIGn;~r(or My Computer) to open the C:\EICAR.l folder. b. In the Tools folder, right-click Cool Game2.zip, and then click Open. 2S The content of the Cool Game2.zip file is protected by a password. c. In the Cool Game2.zip folder, right-click eicar.zip, and then click Open. d. In the Password needed dialog box, in the Password text box, type password, and then click OK. 2S eicar.zip contains a copy of the eicar.com antivirus
I
.:..:
.. .
Page 58
testfile, but is protected by a password. e. Close the Windows Explorer window. 19.5end an e-mail to Administrator. Attach the file: C:\EICAR-l\Cool Game2.zip a. In Outlook, on the toolbar, click New. b. In the new message window, complete the following information: ? To: Administrator ? Subject: Cool game - 5 ? (Message): Enjoy! Do NOT send the message yet. i Co In the e-mail window, on the Insert menu, click File.
I
d. In the Insert File dialog box, browse to C:\EICAR-l, select Cool Game2.zip, andthen click Insert. s Cool Game2.zip is the attachment of the e-mail. e. Click Send.
Page 59
Compressed enable
Files:
Compressed
Files.
c. Scroll the work panel until you see the end of the
~ Forefront Security uses the Max Container File Size, . Max Nested Compressed Files, and Max Container Scan Time settings to protect against so-called "Zipof-Death" attacks where specially crafted zip-jiles are used to attack the resources of antivirus engines.
d . Click Save to save the changed configuration.
Perform the following steps on the Clientl 22.0n the Client} computer, send an email to Administrator. Attach the file: C:\EICAR-l \Cool Game2.zip
computer.
a. On the Client} computer, in Outlook, on the toolbar, cli.ck New. b. In the new message window, complete the following information: ? To: Administrator ? Subject: Cool game - 6 ? (Message): Enjoy! Do NOT send the message yet.
e. Click Send.
~ Forefront Security has removed the encrypted zip-jile I as atlllchmenf with this e-mail.
c. Close Notepad.
Note: In the following tasks, you will configure the Manual Scan Job to remove the password-protected Cool Game2.zip attachment from the Cool game - 5 message in the mailbox of Administrator. Perform the following steps on the WIN2003DC 24.0n the WIN2003DC computer, configure the manual scan job: computer.
-~
....
'"
a. On the WIN2003DC computer, in Forefront Security Administrator, in the Settings area, click Antivirus. b. In the top work panel, select Manual
~
Scan Job.
Page 60
that are already in the mailboxes and Public Folders. The scan job is disabled (Stopped) by default. c. In the lower work panel, in the Bias drop-down list box, select Max Certainty. ~ Because the Manual scan job works on messages that are already in the users' mailboxes, and does not influence the performance of message delivery, you may want to consider using the highest number of scan engines for Manual scan jobs. d. In the Action drop-dowTIlist box, select Delete: remove infection. ~ The default action for the Manual scan job is Skip: detect only.
e. Click Save to save the changed configuration. f. In the Settings area, click Scan Job. g. In the top work panel, ensure that Manual Scan Jobis selected. h. In the lower work panel, under Mailboxes, select Selected, and then click the little mailbox icon ( & ). ~ To optimize the Manual scan job, you can limit the scanning to certain mail boxes. In the lab environment, there is only a single mail box. i. In the Mailboxes work panel, select Administrator. j. Click Save to save the changed configuration. 25.Run the manual scan job. a. In the Operate area, click Schedule Job. ~ You can schedule the Manual scanjob to run periodically. If enabled, Forefront Security uses the Windows Task Scheduler service to run the Manual scan job at the designated times. b. In the Operate area, click Run Job. c. In the top work panel, ensure that Manual Scan Job is selected;' and then click Start. ~ Forefront Security runs the Manual scan job, scanning all the content of the Administrator mail box on the Exchange server. ~ Note: Unlike the Realtime scanjob (on-access scanning), a Manual scanjob ignores the antivirus stamp, and rescans the Cool game - 5 message in the Administrator mailbox.
RS
t '!'
,~,
<,.\:
After afew seconds, the lower work panel indicates that Forefront Security has removed the encrypted compressediile Cool Game2.zip irom the
Page 61
Cool game - 5 message in the Administrator Inbox folder. d. In the Operate area, click Quick Scan. ~ Instead of configuring and starting a Manual scan job, you can run a Quick scan job. This is equivalent to the configured Manual scan job. Perform the following steps on the Client! computer. 26.0n the Client1 computer, verify that Forefront Security has removed the Cool Game2.zip attachment from the Cool game - 5 message . e. On the Client 1 computer, in Outlook, in the Inbox of Administrat~r, select the Cool game - 5 message .. .~ "Inthe Reading iane, notice that Forefront Security has removed the Cool Game2.zip attachment, even though the zip-jile was already delivered to the Administrator inbox earlier. f. Close Outlook
"'/
. Note: In the following tasks, you will configure a Background Scan Job to rescan message that are received in the last 3 days . Perform the following steps on the WIN2003DC computer. 27.0n the W1N2003DC computer, configure the Background Scan Job. Message age: 3 days Ignore antivirus stamp: Yes a. On the WIN2003DC computer, in Forefront Security Administrator, in the Settings area, click Scan Job. ~ Forefront Security Administrator lists three different types of scan jobs: Transport Scan Job, Realtime Scan Job and Manual Scan Job. However you can configure afourth type of scan job as well: Background Scan Job. ~ A background scan job is used to periodically scan a selected set of messages in the information store with the latest engine updates. b. In the Settings area, click General Options. c. In the work panel, scroll to the Background Scanning section, at the cnd of the work panel. In the Background Scanning section, you only configure the background scan job settings. You schedule and start the background scan job in the Operate area. d. In the Background Scanning section, in the Scan Messages Received Within the Last drop-down list box, select 3 days. e. Ensure that the Scan Only Unscanned Message check box is disabled.
~
Page 62
with the latest engine updates, the background scan job must ignore the antivirus stamp on those messages. This means that you must leave the Scan Only Unscanned Messages setting disabled.
f. Click Save to save the changed configuration. 28.Schedule and enable the Background Scan Job. Start time: 3:10 AM Frequency: Daily a. In the Operate
2S
Unlike a manual scan job, you cannot run a background scan job directly. You can only schedule a background scan job to run periodically.
b. Click Schedule Job, and then in the top work panel, select Background Scan Job. c. In the lower work panel, complete the following information: ? Time: 3:10:00 AM ? Frequency: Daily and then click Save. d. In the top work panel, click Enable.
2S
2S
Every day at 3:10 AM, the background scan job will use the latest engine updates to rescan message in the information store that are received in the last 3 days. Note: The background scan job uses the scan engine selection and bias settings from the realtime scan job.
i',-~
.i
Page 63
Note: This lab exercise uses the following computers: WIN2003DC - Client! Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.
..
a. On the WIN2003DC computer, in Forefront Security Administrator, in the Filtering area, click File. b. In the top work panel, select Transport Scan Job . Forefronl Security File Filtering can be used to scan for attachments with specific names, extensions, or file types. Thefile filtering also works inside zip-files, and other container files, such as Word documents. c. In the File Names work panel, click Add. d. In the new text box, type iloveyou.vbs, and then press Enter.
- *.mp3 (inbound)
File filtering will delete all attachment files named iloveyou.vbs.
File filtering will delete files with the exe extension. To specify the file names, you can use wildcards, such as * and ?.
g. Click Add again.
h. In the new text box, type *.bmp>3MB, and then press Enter.
File filtering will delete all bmp-files that are larger than 3 MB in size.
i. In the new text box, type <in>*.mp3, and then press Enter.
File filtering will delete all mp3-files from inbound messages only.
To specify filtering on outbound messages only, use the <out> prefix.
j. Click Save to save the changed configuration.
Perform the following steps on the Client1 computer.
2. On the Client1 computer, send an email to Administrator.
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.
b. In Outlook, on the toolbar, click New.
c. In the new message window, complete the following information:
- To: Administrator
- Subject: test - 1
- (Message): Run the attachment
Do NOT send the message yet.
d. In the e-mail window, on the Insert menu, click File.
e. In the Insert File dialog box, browse to C:\EICAR-1, select test1.exe, and then click Insert.
f. Click Send.
g. In the Microsoft Office Outlook message box, click Yes to confirm that you want to send the message with the potentially unsafe attachment.
After a few seconds, the message arrives in the Inbox.
a. In the Inbox, select the test - 1 message.
Forefront Security file filtering replaced the test1.exe attachment by a new text file (test1.txt).
b. In the Reading pane, right-click test1.txt, and then click Open.
Forefront Security reports that the *.exe file filter matched the original test1.exe attachment.
c. Close Notepad.
a. Use Windows Explorer (or My Computer) to open the C:\EICAR-1 folder.
b. In the Tools folder, right-click test1.exe, and then click Copy.
c. Right-click the empty area in the Tools folder, and then click Paste.
test1.exe is copied to Copy of test1.exe.
d. Right-click Copy of test1.exe, and then click Rename.
9. Examine the attachment of the new message in the Inbox.
a. In the Inbox, select the test - 3 message.
Forefront Security file filtering replaced the test1.exe attachment by a new text file (test1.txt). The pic1.jpg file is still attached.
b. In the Reading pane, right-click test1.txt, and then click Open.
Forefront Security reports that the * file filter matched the original test1.jpg attachment.
c. Close Notepad.
The file filter successfully detected the renamed test1.jpg file as an executable file, and removed the attachment. The pic1.jpg file matched the file name criteria (*), but did not match the file type (EXE file type). Therefore Forefront Security did not remove the pic1.jpg attachment.
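As an added example (not part of the lab manual and not Forefront's own code), the following Python models the file filter rule syntax used above (<in>/<out> prefix, * and ? wildcards, a ">size" suffix) and shows why the renamed test1.jpg is removed while pic1.jpg is delivered. The size and direction handling follow the lab's rules; the file-type detection from leading bytes and the file_types parameter are assumptions of this example.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Size suffix units for rules such as "*.bmp>3MB".
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Rule grammar used in the lab: optional <in>/<out> prefix, a file-name pattern
# with * and ? wildcards, and an optional ">size" suffix.
RULE_RE = re.compile(
    r"^(?:<(?P<dir>in|out)>)?(?P<name>[^<>]+?)(?:>(?P<size>\d+)\s*(?P<unit>B|KB|MB|GB))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FilterRule:
    text: str                  # rule exactly as typed into the File Names panel
    name_pattern: str          # wildcard pattern matched against the file name
    direction: Optional[str]   # "in", "out", or None for both directions
    min_size: int              # attachment must be larger than this many bytes
    file_types: frozenset      # e.g. {"EXE"}; empty means any file type


@dataclass(frozen=True)
class Attachment:
    name: str
    size: int
    direction: str             # "in" for inbound mail, "out" for outbound
    head: bytes = b""          # leading bytes of the content, for type detection


def parse_rule(text: str, file_types: Iterable[str] = ()) -> FilterRule:
    """Parse one file filter rule. file_types models the separate file-type
    criterion the lab attaches to the bare "*" rule (an assumed API, not the product's)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable file filter rule: {text!r}")
    min_size = 0
    if m.group("size"):
        min_size = int(m.group("size")) * SIZE_UNITS[m.group("unit").upper()]
    direction = m.group("dir").lower() if m.group("dir") else None
    return FilterRule(text, m.group("name"), direction, min_size,
                      frozenset(t.upper() for t in file_types))


def detect_type(head: bytes) -> str:
    # Simplified content sniffing (an assumption of this example): an "MZ" header
    # marks a Windows executable whatever the extension says, which is why the
    # renamed test1.jpg in the lab still counts as the EXE file type.
    if head.startswith(b"MZ"):
        return "EXE"
    if head.startswith(b"\xff\xd8\xff"):
        return "JPEG"
    return "UNKNOWN"


def matches(rule: FilterRule, att: Attachment) -> bool:
    if rule.direction is not None and rule.direction != att.direction:
        return False
    if not fnmatch.fnmatchcase(att.name.lower(), rule.name_pattern.lower()):
        return False
    if att.size <= rule.min_size:          # ">3MB" means strictly larger than 3 MB
        return False
    if rule.file_types and detect_type(att.head) not in rule.file_types:
        return False
    return True


def apply_filters(rules: List[FilterRule],
                  attachments: List[Attachment]) -> Dict[str, Optional[str]]:
    """Map each attachment name to the text of the first rule that fires, or None
    when the attachment passes. In the lab a matched attachment is replaced by a
    .txt notice naming that rule."""
    return {att.name: next((r.text for r in rules if matches(r, att)), None)
            for att in attachments}


# The rules the lab enters; the bare "*" rule carries the EXE file-type criterion.
LAB_RULES = [
    parse_rule("iloveyou.vbs"),
    parse_rule("*.exe"),
    parse_rule("*.bmp>3MB"),
    parse_rule("<in>*.mp3"),
    parse_rule("*", file_types=["EXE"]),
]

# Constructed sample attachments (not taken from the lab's message traffic).
SAMPLE_ATTACHMENTS = [
    Attachment("test1.exe", 4_096, "in", b"MZ\x90\x00"),
    Attachment("test1.jpg", 4_096, "in", b"MZ\x90\x00"),          # renamed executable
    Attachment("pic1.jpg", 20_000, "in", b"\xff\xd8\xff\xe0"),     # real picture
    Attachment("wallpaper.bmp", 4 * 1024 ** 2, "in", b"BM"),       # 4 MB bitmap
    Attachment("icon.bmp", 1 * 1024 ** 2, "in", b"BM"),            # 1 MB bitmap
    Attachment("song.mp3", 3_000_000, "out", b"ID3"),              # outbound mp3
    Attachment("podcast.mp3", 3_000_000, "in", b"ID3"),            # inbound mp3
]

if __name__ == "__main__":
    for name, rule in apply_filters(LAB_RULES, SAMPLE_ATTACHMENTS).items():
        print(f"{name:15} -> {'removed by ' + rule if rule else 'delivered'}")
```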
10. Close Outlook.
Appendix B: Using Forefront Client Security (FCS) to monitor and protect client computers
Lab Exercises:
Exercise 1: Using Forefront Client Security to Protect Client Computers
Exercise 2: Updating Signature Files
Exercise 3: Using Policies to Manage Client Computers
Exercise 4: Alerting, Reporting and Monitoring
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security.
The Microsoft Forefront Client Security window opens. This is the FCS client configuration window that is available on client computers and file servers when FCS is installed.
b. In the FCS window, click the down arrow next to the Scan button, and then click Quick Scan.
FCS performs a Quick Scan of the computer. Depending on the speed of your computer, this will take 2 or 3 minutes. A quick scan checks for viruses and spyware at the following locations: in the processes that are loaded in memory, in a few targeted folders (user profile, desktop, system folders and Program Files folder), at common malware extensibility points (auto start registry entries, etc).
c. Click Stop Scan to end the running quick scan.
2. Perform a Custom Scan of the C:\EICAR-2 folder. The folder contains the EICAR antivirus test file.
Action: Ignore
a. In the FCS window, click the down arrow next to the Scan button, and then click Custom Scan.
Note: Do not run a full system scan in the lab environment. The hard disk contains several sample "potentially unwanted" files that FCS should not remove yet.
b. On the Select scan options page, click Select.
With a Custom Scan, you can scan specific locations.
Note: FCS does not scan removable disks and network disks.
c. In the Microsoft Forefront Client Security dialog box, expand C:\, and then select the check box for Sample.
Ensure that you do not fully select other folders.
d. Click OK to close the Microsoft Forefront Client Security dialog box.
e. On the Select scan options page, click Scan Now.
Note: With a custom scan, FCS checks for viruses and spyware at all the quick scan locations, followed
After the scan is completed, the Scan Results page opens, indicating that FCS detected one item: Virus:DOS/EICAR_Test_File.
The EICAR file is not really malicious software. It is the industry standard antivirus test file. All antivirus products detect this test file in order to simulate an infected file.
f. On the Scan Results page, scroll down the information area, and then click View more information about this item online.
If you want more information about a particular detected virus or piece of spyware, you can access the Malicious Software Encyclopedia at Microsoft's Web site.
a. In the FCS window, click Tools. b. On the Tools and Settings page, click Options.
On the Options page, in the Automatic scanning section, you can configure FCS to automatically scan your computer periodically. You can also specify an interval to run a Quick Scan multiple times per day. Periodically running a Quick Scan is a good practice to detect malware that appeared on the computer when the signatures were not up-to-date yet, but is now detected by updated signature definitions. and then
4. Use Notepad to attempt to open C:\EICAR-2\Sample-A.txt
Action: Always allow.
a. Open a Command Prompt window.
b. At the command prompt, type cd C:\EICAR-2, and then press Enter.
c. Type dir, and then press Enter.
The C:\Files folder contains multiple copies of the EICAR antivirus test file.
d. Type notepad.exe sample-A.txt, and then press Enter.
FCS displays a balloon near the system tray to notify you that it detected potentially harmful software. There are two options:
- Click the balloon to take the default action, or
- Right-click the FCS system tray icon to review or configure a custom action.
For the EICAR test file, the default action is to Ignore the file.
e. In the Notepad dialog box, click OK to acknowledge that access is denied.
FCS detects the file as malware and suspends access to the file. Notepad displays an Access is denied error.
f. Close Notepad.
g. Right-click the FCS system tray icon, and then click Review detected items.
FCS displays the detected items. The status of the file is suspended. There are two options:
- Click Smart Clean to take the default action, or
- Click Review to configure a custom action.
h. In the Microsoft Forefront Client Security Warning window, click Review.
i. On the Apply actions to detected items page, in the Action column, select Always allow, and then click Apply Actions.
The FCS real-time protection will allow access to the file.
j. Close the FCS window.
k. At the command prompt, type notepad.exe sample-A.txt, and then press Enter.
Notepad opens the file. The EICAR antivirus test file consists of 68 printable characters.
l. Close Notepad.
m. At the command prompt, type sample-B.com, and then press Enter.
FCS now allows access to all files it detects as the EICAR antivirus test file. The file is executed, and displays a message.
5. Remove EICAR Test File from the list of allowed items.
a. On the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security.
b. In the FCS window, click Tools.
c. On the Tools and Settings page, click Allowed items.
FCS displays the list of allowed items.
d. On the Allowed items page, select the check box for Virus:DOS/EICAR_Test_File, and then click Remove From List.
e. Close the FCS window.
6. Attempt to run C:\EICAR-2\Sample-B.com
Action: Quarantine
a. In the Command Prompt window, type sample-B.com, and then press Enter.
FCS real-time protection blocks access to the sample-B.com file.
b. Right-click the FCS system tray icon, and then click Open.
c. In the FCS window, click Review items detected by real-time protection.
d. On the Apply actions to detected items page, in the Action column, select Quarantine, and then click Apply Actions.
FCS removes the Sample-B.com file, and moves it to the quarantine area.
Note: Quarantined files are stored as encrypted files.
e. At the command prompt, type dir, and then press Enter.
The Sample-B.com file is not present.
7. Restore EICAR_Test_File from the quarantine area.
a. In the FCS window, click Tools.
b. On the Tools and Settings page, click Quarantined items.
FCS displays the list of quarantined items.
c. On the Quarantined items page, select the check box for Virus:DOS/EICAR_Test_File, and then click Restore.
d. In the Microsoft Forefront Client Security message box, click Yes to confirm that you want to restore this item.
e. In the Command Prompt window, type dir, and then press Enter.
a. In the FCS window, click History.
On the History page, you can review all FCS activities.
b. Close the FCS window.
a. On the Start menu, click Administrative Tools, and then click Event Viewer.
b. Maximize the Event Viewer console, if that is not done already.
c. In the Event Viewer console, in the left pane, expand Windows Logs, and then select System.
FCS reports configuration changes and malware detections in the System event log.
d. In the right pane, right-click an FCSAM event with Event ID 3005, and then click Event Properties.
The event indicates that FCS real-time protection has taken action after detecting a piece of malware. FCSAM stands for Forefront Client Security Antimalware. Antimalware is the combined term for Antivirus and Antispyware.
e. Click Close to close the Event Properties dialog box. f. Close the Event Viewer console.
1. On the Client1 computer, examine the current scanning engine and malware definition version numbers.
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security.
The FCS window opens. In the Status section, you can see the version numbers of the currently loaded antivirus signature definition, and antispyware signature definition. When the current definitions are more than 14 days old, FCS displays an orange warning indicating that you should check for updated signature definitions. This is also the reason that FCS displays an orange icon in the system tray area.
c. Click the down arrow next to the round blue Help button, and then click About Microsoft Forefront Client Security.
In the system information section, you can see the version numbers of the client software, the scanning engine, the antivirus definitions and the antispyware definitions. The engine and the definitions may be updated regularly.
d. Click OK to close the Microsoft Forefront Client Security dialog box.
On the FCS window main page, click Check for Updates Now (or click the down arrow next to the round blue Help button, and then click Check for Updates).
Note: If the current definitions are less than 14 days old, the FCS window does not display the Check for Updates Now button. FCS connects to WSUS on Forefront, and checks for new definitions or updates. Currently, WSUS does not have new definitions available. After a few moments, the balloon indicates that no new definitions and engine updates are available.
Perform the following steps on the Forefront computer.
3. On the Forefront computer, examine the WSUS products and update classifications.
a. On the Forefront computer, on the Start menu, click Administrative Tools, and then click Microsoft Windows Server Update Services.
b. In the WSUS console, click Options.
c. On the Options page, click Synchronization.
d. On the Synchronization Options page, in the Products and Classifications section, under Products, click Change.
Forefront Client Security is a separate product for which Microsoft Update provides updates.
e. Click Cancel to close the Add/Remove Products dialog box.
f. Under Update Classifications, click Change.
Definition Updates is a separate classification of updates, available through Microsoft Update.
g. Click Cancel to close the Add/Remove Classifications dialog box.
4. Examine the WSUS update frequency, and the FCS update assistant service.
a. In the WSUS console, scroll the Synchronization Options page, so that you can see the Update Source section.
WSUS obtains definition updates for FCS from Microsoft Update.
b. Scroll back to the top of the options page, so that you can see the Schedule section.
Note: The default WSUS 2.0 configuration is to synchronize with Microsoft Update once per day, at a particular time.
c. On the Start menu, click Administrative Tools, and then click Services.
d. In the Services console, select the Microsoft Client Security Update Assistant service .
Because WSUS only connects to Microsoft Update once per day, FCS installs a special service that automatically connects WSUS "manually" to Microsoft Update once per hour. This ensures that WSUS obtains available definition updates within an hour after they are released. The service also automatically approves these updates for distribution and installation.
Note: The new WSUS 3.0 version allows you to specify a synchronization schedule more often than once per day. The update assistant service is no longer used when you use WSUS 3.0.
5. In WSUS, approve the most recent definition updates.
Currently, WSUS lists several definition updates. Note: The definition updates contain both the antivirus signature definitions and the antispyware definitions.
b. In the list of definition updates, select the most recent (top) definition update, and then in the Update Tasks section, click Change approval.
c. In the Approve Updates dialog box, ensure that the Approval drop-down list box is set to Install, and then click OK.
The new definition update is now available for installation by FCS client computers. Note: To ensure that WSUS has saved all its changes, wait a few seconds before performing the next task.
6. On the Client1 computer, update the signature definitions manually.
a. On the Client1 computer, in the FCS window, click Check for Updates Now (or click the down arrow next to the round blue Help button, and then click Check for Updates).
FCS connects to WSUS on Forefront, and checks for new definitions. While the new definitions are being downloaded, FCS continues to use the existing definitions. After the definitions are downloaded, FCS switches to use the new definitions.
b. Wait until the notification balloon near the system tray notifies you that the definitions are up to date.
c. Close the notification balloon near the system tray.
d. Click Home.
In the Status section, you can see the updated version numbers of the definition signature files.
e. Close the FCS window.
Perform the following steps on the Forefront computer.
7. On the Forefront computer, in WSUS, examine the updates report.
a. On the Forefront computer, in the WSUS console, click Reports.
b. On the Reports page, click Status of Updates.
c. On the Status of Updates page, in the left pane, complete the following information:
- Computer group: All Computers (is default)
- Installed: enabled
- Other check boxes: disabled (is default)
and then click Apply.
d. In the right pane, expand the Definition Update entry for Forefront Client Security with the highest version number, and then expand All Computers.
e. In the Computer Name section, click Client1.tanduc.local.
f. In the Computer Properties dialog box, select the Status tab.
WSUS maintains the installation history for each computer.
g. Click Close to close the Computer Properties dialog box.
Perform the following steps on the Client1 computer.
1. On the Client1 computer, examine the available options in the FCS window.
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security.
The FCS client window opens.
b. In the FCS window, click Tools.
c. On the Tools and Settings page, click Options.
Currently the FCS client on Client1 is not managed centrally. The user is able to change the option settings, and when malware is detected, the user is offered the option to take a custom action.
d. Close the FCS window.
Perform the following steps on the Forefront computer.
2. On the Forefront computer, use Active Directory Users and Computers to examine the Client Computers organizational unit.
a. On the Forefront computer, on the Start menu, click Administrative Tools, and then click Active Directory Users and Computers.
The Active Directory Users and Computers console opens.
b. In the Active Directory Users and Computers console, expand contoso.com, and then select Client Computers.
In the lab environment, all client computers (Client1) are placed in an organizational unit (OU) called Client Computers.
c. Close the Active Directory Users and Computers console.
3. Create a new FCS policy.
Name: FCS Central Policy
a. On the Start menu, click All Programs, click Microsoft Forefront, click Client Security, and then click Microsoft Forefront Client Security Console.
The FCS management console opens.
Spyware protection: User controlled
Scheduled scan: Every day - 3:00 AM
Check for updates: Every 2 hours
Failover to Microsoft Update: yes
Client options: Full user interface
The FCS policy specifies that the FCS client must check for updates (connect to WSUS) every 2 hours.
i. In the Malware definition updates section, enable the Check for updates on Microsoft Update when WSUS is unavailable option.
j. In the Microsoft Forefront Client Security dialog box, enable the Check for updates on Microsoft Update when client computers cannot connect to the WSUS server option, and then click OK.
This option configures the FCS client computer to fail over to Microsoft Update on the Internet, when the WSUS server is unavailable. This is especially important for mobile computers, which are very often not connected to the network that contains the WSUS server.
k. In the Client Options section, select User can view all Client Security agent settings and messages.
The FCS policy specifies whether the user can view settings, and respond to prompts, or whether the user has a limited user interface.
l. Select the Overrides tab.
In the FCS policy, you can define the action that should be taken, instead of the signature-defined action. This can be based on the category of malware (email flooder, password stealer, etc), or even per individual malware signature in the definition database.
m. Click the lower Add button.
n. In the Classification column, click the down-arrow button, and then select Category.
o. In the Type column, click the down-arrow button, and then select Browser Modifier.
p. In the Override Response column, click the down-arrow button, and then select Ignore.
A new FCS policy named FCS Central Policy is created. The policy is not deployed yet. Notice that the icon for the policy looks like the paper icon from the Edit button. This indicates that the policy is not yet deployed to client computers.
4. Deploy the FCS Central Policy to the Client Computers OU.
a. In the FCS management console, on the Policy Management tab, right-click FCS Central Policy, and then click Deploy.
You can deploy a FCS policy by using four different methods:
- Organizational unit (OU) - The policy applies to all computers in the OU.
- Security group - The policy applies to all computers in the security group.
- Group Policy Object (GPO) - The policy applies to all computers in the organizational unit that the GPO is linked to.
- File (*.reg) - The policy applies to all computers on which you manually deploy the *.reg policy file.
c. In the Active Directory dialog box, expand the tanduc domain, select the Client Computers OU, and then click OK.
d. In the Deploy dialog box, click Deploy.
FCS deploys the policy to the Client Computers OU. Notice that the icon for the policy looks like the icon for the Deploy button. FCS uses the Group Policy Management Console (GPMC) API to create a new group policy object (GPO), and link it to the Client Computers OU. The new GPO contains all the settings specified in the FCS policy.
5. Use GPMC to
b. In the Group Policy Management console, expand Forest: tanduc.local, expand Domains, expand the tanduc.local domain, and then select the
In the right pane, notice that FCS has created a new GPO that has the same name as the FCS policy (FCS Central Policy). The new GPO is linked to the Client Computers OU.
c. In the left pane, expand the Client Computers OU, and then select the FCS-FCS Central Policy-{ ... }-n GPO. d. In the right pane, select the Settings tab. e. At the end of the Extra Registry Settings line, click show.
GPMC displays the list of HKLM registry settings that the FCS Central Policy GPO applies to computers in the Client Computers OU.
Perform the following steps on the Client1 computer.
6. On the Client1 computer, force group policy processing.
a. On the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security .
Notice that most options are grayed out. Because a central FCS policy applies to Client1, you can no longer configure the Options settings through the user interface. As an example, the FCS Central Policy allows users to control the spyware protection setting. That option is not grayed out.
8. Attempt to run C:\EICAR-2\Sample-C.com
Action: Quarantine
a. Open a Command Prompt window. b. At the command prompt, type cd \Sample, and then press Enter .
c. Type Sample-C.com, and then press Enter.
FCS suspends access to the file.
d. Right-click the FCS system tray icon, and then click Open.
e. In the FCS window, click Review items detected by real-time protection.
f. On the Apply actions to detected items page, in the Action column, select Quarantine, and then click Apply Actions.
The user has indicated that Sample-C.com is moved to the quarantine area. Notice that the current central FCS policy limits access to the FCS configuration options, but can still allow the user to respond to action prompts.
Perform the following steps on the Forefront computer.
9. Edit the FCS Central Policy.
Client options: Limited user interface
a. On the Forefront computer, in the FCS management console, on the Policy Management tab, right-click FCS Central Policy, and then click Edit.
b. In the Edit Policy dialog box, select the Advanced tab.
c. On the Advanced tab, in the Client options section, select User can only view system tray icon and status messages.
The FCS policy is updated so that the user can no longer respond to action prompts. The FCS Central Policy content is changed. However, the updated settings are not yet deployed to the GPO linked to the Client Computers OU. Notice that the icon for the policy looks like the icon for the Edit button, combined with a yellow Deploy arrow.
a. Right-click FCS Central Policy, and then click Deploy.
b. In the Deploy dialog box, click Deploy.
FCS redeploys the changed policy settings to the GPO linked to the Client Computers OU.
a. On the Client1 computer, in the Command Prompt window, type gpupdate.exe /force, and then press Enter.
The updated FCS Central Policy GPO is applied.
b. Wait a few moments for the policy processing to complete.
a. In the system tray, double-click the FCS icon.
A balloon appears, notifying you that a system administrator manages FCS. You can no longer use the FCS client window.
b. Close the notification balloon.
a. In the Command Prompt window, at the command prompt, type cd \Sample, and then press Enter.
b. Type Sample-D.com, and then press Enter.
FCS suspends access to the file.
c. Right-click the FCS system tray icon, and then click Review detected items.
You can only review the detected items. You cannot change the signature-defined (or policy-defined) action for the detected piece of malware.
d. In the Microsoft Forefront Client Security Warning dialog box, click Smart Clean.
FCS performs the configured action (remove) on the detected file.
Note: If the user does not review the detected items and click Smart Clean, then FCS will perform the configured action automatically after 10 minutes.
e. Close the Command Prompt window.
Note: In the next tasks, you will deploy a FCS policy to a file, and then manually apply the file to the Forefront computer. This exercise is used to apply policies to those computers that are not usually connected to the network, for example laptop computers. We use the Forefront machine for this example only.
Perform these tasks on the Forefront machine.
14. Deploy the FCS File Server Policy to a file named C:\FCS Server Policy.reg
a. In the FCS management console, on the Policy Management tab, right-click FCS Central Policy, and then click Copy.
b. In the New Policy dialog box, type FCS Server Policy, and then click OK.
c. Right-click the FCS Server Policy, and then click Deploy.
d. In the Deploy dialog box, click Add File.
e. In the Save As dialog box, browse to the C:\ folder, and then click Save.
f. In the Deploy dialog box, click Deploy.
The FCS policy is saved as C:\FCS Server Policy.reg. You can browse to C:\ to see the FCS Server Policy.reg file. Do not open this file.
Notice that the icon for the policy indicates that the
FCS policy has been deployed. However, you still need to copy the file to the intended computers, and manually apply the file.
g. Close the FCS management console.
a. Open a Command Prompt window.
b. At the command prompt, type cd \, and then press Enter.
c. Type type *.reg, press Tab to expand the file name, and then press Enter.
15. Use the C:\FCS\FCSLocalPolicyTool.exe to apply the C:\FCS File Server Policy.reg file
The C:\FCS Server Policy.reg file is a normal Registry export file, containing a list of registry settings.
d. At the command prompt, type cd c:\fcs, and then press Enter.
e. Type dir, and then press Enter.
f. Type FCSLocalPolicyTool.exe, and then press Enter.
The C:\FCS folder contains a copy of the local policy tool from the FCS product CD-ROM. You use this tool to import a FCS policy file (*.reg) on the local machine.
g. Type FCSLocalPolicyTool.exe II C:\*.reg, press Tab to expand the file name, and then press Enter.
The local policy tool imports the FCS policy settings into the local group policy, and then starts group policy processing. Note: When the client computer processes group policies, the local group policy (containing the policy file settings) is overwritten by domain or OU-based GPOs. Therefore, you can use the FCSLocalPolicyTool.exe only to apply a policy file to computers that do not have a FCS policy applied through a domain or OU-based GPO.
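Because the policy file is a Registry Editor 5.00 export, it can be inspected before it is applied to a computer. The following Python is an added example (not the lab's or FCS's own code): it parses such an export and compares it with the settings the FCS Central Policy was given in Exercise 3. The key path and value names are placeholders for this example, since the real FCS policy registry locations are not given here.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[str, int, bytes, None]

HEADER = "Windows Registry Editor Version 5.00"
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # Registry exports escape backslash and double quote inside strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _parse_data(data: str) -> RegValue:
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                     # REG_SZ
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)             # REG_DWORD, 8 hex digits
    if data.lower().startswith("hex"):                   # hex: or hex(N): binary data
        payload = data.split(":", 1)[1]
        return bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if data == "-":
        return None                                      # "delete this value" marker
    raise ValueError(f"unsupported registry data: {data!r}")


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a Registry Editor 5.00 export into {key path: {value name: data}}.
    Handles string, dword and hex values, backslash-continued hex lines,
    ';' comments and the '@' default value."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a Registry Editor 5.00 export")
    # Fold continued lines first: a trailing backslash joins the next line.
    logical: List[str] = []
    for raw in lines[1:]:
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + raw.strip()
        else:
            logical.append(raw.strip())
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for line in logical:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value before any [key] line: {line!r}")
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"malformed value line: {line!r}")
        name = "@" if m.group(2) else _unescape(m.group(1))
        keys[current][name] = _parse_data(m.group(3))
    return keys


def audit_policy(reg: Dict[str, Dict[str, RegValue]], key: str,
                 expected: Dict[str, RegValue]) -> List[Tuple[str, RegValue, RegValue]]:
    """Compare the exported settings under `key` with the values the policy is
    supposed to carry; returns (value name, found, expected) for each mismatch."""
    found = reg.get(key, {})
    return [(name, found.get(name), want)
            for name, want in expected.items() if found.get(name) != want]


# Constructed sample export. The key path and value names are placeholders for
# this example; they are not the real FCS policy registry locations.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ExampleFCS"
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\ExampleFCS]
"UpdateCheckIntervalHours"=dword:00000002
"ScheduledScanTime"="03:00"
"FailoverToMicrosoftUpdate"=dword:00000001
"ClientUserInterface"=dword:00000000
"PolicyName"="FCS Server Policy"
"OverrideList"=hex:42,72,6f,77,73,65,72,4d,6f,\\
  64,69,66,69,65,72,00
"""

# What the lab's FCS Central Policy set: check every 2 hours, daily scan at
# 3:00 AM, failover to Microsoft Update enabled, full user interface (encoded
# here as 1; the encoding is an assumption of this example).
EXPECTED_CENTRAL = {
    "UpdateCheckIntervalHours": 2,
    "ScheduledScanTime": "03:00",
    "FailoverToMicrosoftUpdate": 1,
    "ClientUserInterface": 1,
}

if __name__ == "__main__":
    for name, have, want in audit_policy(parse_reg(SAMPLE_REG), POLICY_KEY, EXPECTED_CENTRAL):
        print(f"{name}: found {have!r}, expected {want!r}")
```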
a. On the Start menu, click All Programs, click Microsoft Forefront, click Client Security, and then click Microsoft Forefront Client Security Console.
The FCS management console opens.
FCS uses MOM 2005 to collect events and data from all FCS client computers. MOM uses SQL Reporting Services to provide administrators with an overview of the issues and vulnerabilities that FCS detected. Some events or event levels are presented as notifications or alerts to the administrators.
b. In the FCS management console, ensure that the Dashboard tab is selected.
The Dashboard page provides a quick overview of the reported issues over the last 24 hours. The 14-Day History chart displays the trend of computers reporting issues over the last 14 days.
The bottom section of the dashboard contains a summary of the active alerts in MOM.
2. Examine the Alerts View in the MOM Operator console.
a. On the Dashboard tab, in the Notifications section, click the top alert notification.
FCS opens the MOM Operator console.
b. In the left pane, select the Alerts section, and then under Alert Views, expand Microsoft Forefront Security, and then select Alerts.
This selection limits the view to just FCS alerts.
c. In the top part of the Detail pane, select an alert.
In the bottom part, you can see information about this alert.
d. Close the MOM Operator console.
3. Create a new FCS policy with the highest alert level.
Name: FCS Executive Policy
Alert level: 5
a. In the FCS management console, select the Policy Management tab.
In order to reduce the number of alerts, you can configure FCS to only generate certain alerts, based on so-called alert levels assigned to each client computer. You specify the alert level in an FCS policy.
b. On the Policy Management tab, click New.
c. In the New Policy dialog box, on the General tab, in the Name text box, type FCS Executive Policy. d. In the Comments text box, type FCS policy for computers of executives.
You want to deploy a FCS policy that applies to computers of executives or management in the organization. Those computers require high availability and may contain crucial data.
e. On the Reporting tab, in the Alert level section, move the slider to High (Alert Level 5).
The assigned alert level on a client computer specifies which alerts are generated. For example, if FCS detects malware and successfully removes it from the client computer, then only at level 4 and 5 will this event be issued as an alert. A new FCS policy named FCS Executive Policy is created. Note: In this lab exercise, you will not deploy this new FCS policy to any computers.
4. Examine the definition of the Reinfected Computer alert for alert level 3.
a. On the Start menu, click All Programs, click Microsoft Operations Manager 2005, and then click Administrator Console.
b. In the MOM Administrator console, in the left pane, expand Microsoft Operations Manager (FOREFRONT), expand Management Packs, expand Rule Groups, expand Microsoft Forefront Client Security, and then expand Host Alerts.
The FCS management pack defines parameters for specific alerts per alert level.
c. Under Host Alerts, expand Alert Level 3, and then select Event Rules.
d. In the Detail pane, right-click Reinfected Computer Parameters - Alert Level 3, and then click Properties.
e. In the Event Rule Properties dialog box, on the Responses tab, select the response line, and then click Edit.
By default, MOM issues a Reinfected Computer alert if a client computer is infected 3 times with the same malware within a 72 hour (3 days) period.
f. Click Cancel to close the Launch a Script dialog box.
g. Click Cancel to close the Event Rule Properties dialog box.
h. Close the MOM Administrator console.
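The Reinfected Computer rule described above, as an added Python example (not MOM's or FCS's implementation): it replays a constructed detection history and raises the alert when the same malware is detected 3 times on one computer within 72 hours. The log line layout and the reset of the count after an alert are assumptions of the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Parameters of the rule as the lab describes it for alert level 3.
REINFECTION_COUNT = 3
REINFECTION_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Detection:
    when: datetime
    computer: str
    malware: str
    action: str


def parse_detection(line: str) -> Detection:
    """Parse one constructed log line: 'YYYY-MM-DD HH:MM COMPUTER MALWARE ACTION'.
    This line layout is an assumption of the example, not an FCS or MOM format."""
    date, time, computer, malware, action = line.split(maxsplit=4)
    return Detection(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
                     computer, malware, action)


def reinfected_computers(detections: List[Detection],
                         count: int = REINFECTION_COUNT,
                         window: timedelta = REINFECTION_WINDOW
                         ) -> List[Tuple[str, str, datetime]]:
    """Return (computer, malware, time of the detection that completed the run)
    whenever the same malware is detected `count` times on the same computer
    within `window`. Detections are processed in time order; after an alert the
    run is reset, so a persisting infection alerts once per `count` detections
    (that reset is a design choice of this example)."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str, datetime]] = []
    for det in sorted(detections, key=lambda d: d.when):
        run = recent[(det.computer, det.malware)]
        run.append(det.when)
        while run and det.when - run[0] > window:   # drop detections outside the window
            run.popleft()
        if len(run) >= count:
            alerts.append((det.computer, det.malware, det.when))
            run.clear()
    return alerts


# Constructed detection history (not real lab output). CLIENT1 hits the EICAR
# test file three times inside 72 hours; CLIENT2's detections are spread too far apart.
SAMPLE_LOG = """\
2008-03-10 09:00 CLIENT1 Virus:DOS/EICAR_Test_File Removed
2008-03-10 09:30 CLIENT2 Virus:DOS/EICAR_Test_File Quarantined
2008-03-11 10:00 CLIENT1 Virus:DOS/EICAR_Test_File Removed
2008-03-11 13:00 CLIENT1 Example:Placeholder/Malware Removed
2008-03-12 11:00 CLIENT1 Virus:DOS/EICAR_Test_File Removed
2008-03-12 12:00 CLIENT1 Virus:DOS/EICAR_Test_File Removed
2008-03-14 09:30 CLIENT2 Virus:DOS/EICAR_Test_File Quarantined
2008-03-15 09:30 CLIENT2 Virus:DOS/EICAR_Test_File Quarantined
"""

SAMPLE_DETECTIONS = [parse_detection(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    for computer, malware, when in reinfected_computers(SAMPLE_DETECTIONS):
        print(f"Reinfected Computer alert: {computer} {malware} at {when:%Y-%m-%d %H:%M}")
```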
.:.
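To make the two alert rules from steps 3 and 4 concrete (the "malware removed" event only raised at alert level 4 or 5, and the Reinfected Computer rule of 3 detections of the same malware within 72 hours), here is an added illustration that is not part of the lab or of FCS/MOM. The event records, computer names and policy levels are constructed, and it assumes that a rule defined for one alert level also applies at the levels above it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detection records: (timestamp, computer, malware, action).
# These are made-up values, not FCS or MOM log output.
SAMPLE_EVENTS = [
    ("2008-03-01 09:00", "EXEC-PC1", "EICAR_Test_File", "removed"),
    ("2008-03-02 10:30", "EXEC-PC1", "EICAR_Test_File", "removed"),
    ("2008-03-03 08:15", "EXEC-PC1", "EICAR_Test_File", "removed"),
    ("2008-03-01 12:00", "SALES-PC7", "EICAR_Test_File", "removed"),
    ("2008-03-10 12:00", "SALES-PC7", "EICAR_Test_File", "removed"),
    ("2008-03-11 12:00", "SALES-PC7", "EICAR_Test_File", "removed"),
]
# Constructed: EXEC-PC1 carries the FCS Executive Policy (level 5), SALES-PC7 a level 3 policy.
POLICY_LEVELS = {"EXEC-PC1": 5, "SALES-PC7": 3}

REINFECTION_COUNT = 3                     # same malware three times ...
REINFECTION_WINDOW = timedelta(hours=72)  # ... within 72 hours (3 days)

def parse(event):
    ts, computer, malware, action = event
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), computer, malware, action

def reinfected_computers(events):
    """(computer, malware) pairs with REINFECTION_COUNT detections inside REINFECTION_WINDOW."""
    seen = defaultdict(list)
    for ts, computer, malware, _ in sorted(map(parse, events)):
        seen[(computer, malware)].append(ts)
    hits = set()
    for key, times in seen.items():
        # Sliding window over the chronologically sorted detections.
        for i in range(len(times) - REINFECTION_COUNT + 1):
            if times[i + REINFECTION_COUNT - 1] - times[i] <= REINFECTION_WINDOW:
                hits.add(key)
                break
    return hits

def generate_alerts(events, policy_levels):
    """Apply the two lab rules, gated on each computer's policy alert level.
    Assumption (not stated in the lab): a rule for level N also fires above N."""
    alerts = []
    for _, computer, malware, action in sorted(map(parse, events)):
        # Successfully removed malware is an alert only at level 4 and 5.
        if action == "removed" and policy_levels[computer] >= 4:
            alerts.append((computer, "Malware Removed", malware))
    for computer, malware in sorted(reinfected_computers(events)):
        # Reinfected Computer is defined in the Alert Level 3 rule group.
        if policy_levels[computer] >= 3:
            alerts.append((computer, "Reinfected Computer", malware))
    return alerts
```

With the constructed data, EXEC-PC1 is reinfected (three detections in about 47 hours) while SALES-PC7 is not (its three detections span 10 days), and SALES-PC7's level 3 policy suppresses its "removed" events.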
a. In the FCS management console, select the Dashboard tab.
    The dashboard is the central place to start exploring FCS reports.
    Each column-chart icon on the Dashboard page represents a link to an available report.
b. Click the Reporting Critical Issues icon.
    FCS opens the Computer Summary report.
c. In the Computer Summary report, scroll down the report, until you see the list of computer names in the table of computers that reported issues.
d. In the computer name table, click the first computer name in the list.
    You can get a detailed report on each FCS client computer.
e. In the Computer Detail By ID report, scroll down the report to examine its contents.
f. Close the Computer Detail By ID report.

6. Examine the Security Summary, Deployment Summary and Connectivity Summary reports.
a. In the FCS management console, select the Dashboard tab.
    On the right side of the Dashboard page, there is a list of six Summary Reports: Alerts Summary, Computers Summary, Deployment Summary, Malware Summary, Security State Assessment Summary, and Security Summary.
b. On the right side, in the Summary Reports section, click the Security Summary link.
    The Security Summary contains an overview of all the other five summary reports. Each report has links to drill down into other reports, and see more details.
    The top part of each report allows you to filter the data, so that the report only applies to a subset of the FCS client computers, or to a relevant time span.
c. In the Security Summary report, scroll down the report, so that you can see the Policy Deployment Status pie chart.
d. Above the Policy Deployment Status pie chart, click the Deployment Summary link.
    The Deployment Summary report opens.
    The report displays the signature deployment status and FCS policy deployment status for all FCS client computers.
e. Close the Deployment Summary report.

7. Examine the Malware Summary report.
a. In the FCS management console, on the Dashboard tab, in the Summary Reports section, click the Malware Summary link.
    The Malware Summary report opens.
    The report displays all the detected pieces of malware, grouped by action taken.
b. In the Malware Summary report, scroll down the report, so that you can see the Malware Instances Details listing.
c. In the Malware Instances Details section, expand Remove.
d. If EICAR_Test_File is in the list, then click that, else click the first malware in the list.
    You can get a detailed occurrence report for each detected malware.
e. In the Malware Detail report, scroll to the Malware Information section.
f. If you clicked EICAR_Test_File, then right-click EICAR_Test_File Encyclopedia Information, and then click Open in New Window.
    You can access the Malicious Software Encyclopedia at the Microsoft Web site, directly from the Malware report.
    Note: In the lab environment, only the EICAR antivirus test file portion of the Microsoft Web Site is available.
g. Close the Malicious Software Encyclopedia window.
h. Close the Malware Detail report.
i. Close the FCS management console.