The Security Wizard

Fighting for the good guys...

February 2008 - Posts

Updating Forefront Client Security Definitions using SMS2003 or SCCM2007

 

For the first time, you can deploy FCS definitions in an automated process using SMS 2003. With this procedure you can download the definitions from the security portal and distribute them using SMS automatically, without any human intervention.

Notice that this procedure can be used in a similar way in SCCM2007 (or any other distribution method) as well.

If you have any questions, feel free to call :-)

Part 1: Creating a scheduled job for definitions download.

1. Download DefinitionsDownload.zip from my blog and extract the zip file to C:\FCSDef.
Note: This is suggested as the default, but it is possible to extract to a different folder. Notice that if you do so, you will need to change some values inside the scripts.

2. Open the folder you've extracted the files to and right-click the Definitions folder -> Sharing. Share the folder with default permissions.

3. Go to Control Panel and Open Scheduled Tasks.

4. Click Add Scheduled Task and on the Scheduled Task Wizard page, click Next.

5. On the choose program page, click Browse and browse to the location where you extracted the zip file. Click on the DownloadDefinitions.vbs script and click Open.

6. On the schedule page, choose daily for now. We will go back and change it later on.

7. On the time and day page, just click Next. We will configure this later on.

8. On the user page, type the username and password for the user you want this task to run under. Notice that this user does not have to be an administrator on the computer, but it does need the ability to run scripts and appropriate permissions on the Definitions folder.

9. On the summary page, check the "Open advanced properties" checkbox and click Finish.

10. On the advanced properties window, go to the schedule tab and click advanced.

11. On the Advanced Schedule Options page, set your schedule for checking and downloading new definitions. Notice that the Microsoft Anti-Malware Team updates the definitions on the security portal EVERY 2 HOURS!
Under the Until options, select Duration and choose 2 hours and 30 minutes.
Make sure that the "If the task is still running, stop it…" checkbox is cleared.

12. Click ok and go to the settings page. Change the "stop the task if…" setting to 30 minutes and click ok.

Now the first part is complete: your FCS server will contact the security portal at every scheduled hour, download the new definitions and delete the old ones.

Part 2: Creating the Definitions Deployment Package

1. Open the SMS 2003 Administrator Console and go to Site Database -> right-click Packages -> New -> Package.

2. Right-Click Packages -> New -> Package and type all the required information.

3. On the Data Source tab, check "This package contains source files" and click the Set button. Select the network path and type the path for the shared folder where the downloaded definitions are located (if you followed the defaults of this guide, this should be "\\fcservername\definitions").

4. Now set the schedule for updating the distribution point with the new version of the package. Match this schedule to the one you set earlier for the definitions download and click OK.

5. Expand the package you’ve just created and right-click distribution points -> new -> distribution points.

6. In the New Distribution Points wizard, select all of the distribution points from which you wish to distribute client definition updates.

7. Now right-click Programs -> New -> Program.

8. Fill in all the program details, and on the command line click Browse and select DeployDefinitions.vbs from the directory. Then change the run type to Hidden and click OK.

9. The next phase is to create an advertisement and assign it to the appropriate collection. It is recommended to create a separate collection in SMS for Forefront definitions deployment (filter it by whatever criteria you want, but create a separate one). In this case, we've created a collection called forefront for that purpose.
In order to create the advertisement, right-click Advertisements -> New -> Advertisement.

10. On the general tab fill the advertisement name, and select the package and program to run. Then select the collection where you wish to advertise the package.

11. On the Schedule tab, create new mandatory assignments with the new assignment button.

The first assignment should be as soon as possible. The second assignment should repeat at an interval of your choice (recommended once a day).
Leave the rest of the tabs on default settings and click OK.

That is it. You now have an automatic mechanism to update Forefront Client Security definitions using SMS 2003.

Important Note: This guide explains how to download and distribute the full version of the definitions update (about 20MB). You should take this into consideration when scheduling your downloads, DP updates and client deployment.
The Anti-Malware team should update the security portal, sometime soon, with a way to download delta definition updates. When they do, I'll post an update to this guide explaining how to use this new option.

Server 2008 is only 3 days away...

We are now only 3 days away from the first virtual launch ever of Windows Server 2008, and the excitement just keeps going up.

As a security consultant I just can't sit down quietly while the next level of security comes out officially into the air of the IT world.

This virtual event will include live broadcasts of the keynote and will give you the ability to really "walk around" the floor of the convention center in LA, watching all the stands and the exhibitions on the spot.

I am going to be there. Are you?

Deploying Forefront Client Security - One install on two platforms

One of the issues with FCS client installation is that there are two separate versions of the FCS client agent (32/64-bit) and you need to deploy each one of them to the appropriate computers. That means that if you want to deploy the FCS client agent using anything other than WSUS, you need to create two different installation packages/scripts.

Here is a script for installation of FCS Client, that checks for operating system version (32/64Bit) and installs the appropriate version accordingly.

You can use this script as a logon script, start-up script or for activating the installation on a SMS/SCCM distribution.

Download the installation script here.
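As an added example (this is not the downloadable script from the post), here is how such an architecture check can be written in VBScript: the share layout \\fcsserver\fcsclient\x86 and \x64, the management server and group names and the log path are assumptions to replace with your own values. It only chooses by architecture; it does not verify the 2000 SP4 / XP SP2 requirements, and it hands the installer's exit code back so an SMS/SCCM advertisement reports failures instead of silently leaving a host without an agent.

```vbscript
' Added example, not the post's script: install the x86 or x64 FCS client
' agent from a single script by detecting the OS architecture.
' Share path, server name, group name and log path are placeholders.
Option Explicit

Const SHARE_ROOT       = "\\fcsserver\fcsclient"      ' placeholder share
Const MANAGEMENT_SRV   = "fcsserver.domain.com"       ' /MS value
Const MANAGEMENT_GROUP = "ForefrontClientSecurity"    ' /CG value
Const LOG_FILE         = "C:\Windows\Temp\FCSInstall.log"

Dim objShell, objFSO, objEnv
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFSO   = WScript.CreateObject("Scripting.FileSystemObject")
Set objEnv   = objShell.Environment("Process")

' Returns "X86", "AMD64" or the raw value for anything else (e.g. IA64).
' When a 32-bit process (such as the 32-bit SMS/SCCM client) starts the
' script on 64-bit Windows, PROCESSOR_ARCHITECTURE reports x86 under WOW64
' and the real architecture is in PROCESSOR_ARCHITEW6432, so check it first.
Function GetArchitecture()
    Dim sWow
    sWow = objEnv("PROCESSOR_ARCHITEW6432")
    If Len(sWow) > 0 Then
        GetArchitecture = UCase(sWow)
    Else
        GetArchitecture = UCase(objEnv("PROCESSOR_ARCHITECTURE"))
    End If
End Function

' Maps the architecture to the matching ClientSetup.exe under the share;
' returns "" when there is no agent for this platform.
Function SetupPathFor(sArch)
    Select Case sArch
        Case "X86":   SetupPathFor = SHARE_ROOT & "\x86\ClientSetup.exe"
        Case "AMD64": SetupPathFor = SHARE_ROOT & "\x64\ClientSetup.exe"
        Case Else:    SetupPathFor = ""
    End Select
End Function

' Appends one timestamped line to the log file (8 = ForAppending).
Sub WriteLog(sText)
    Dim f
    Set f = objFSO.OpenTextFile(LOG_FILE, 8, True)
    f.WriteLine Now & " " & sText
    f.Close
End Sub

Dim sArch, sSetup, sCmd, intRC
sArch  = GetArchitecture()
sSetup = SetupPathFor(sArch)

If sSetup = "" Then
    WriteLog "No FCS client agent for architecture " & sArch & "; aborting."
    WScript.Quit 1          ' non-zero so SMS/SCCM reports the failure
End If

If Not objFSO.FileExists(sSetup) Then
    WriteLog "Setup file not found: " & sSetup
    WScript.Quit 2
End If

' Same switches as the manual command line used elsewhere on this page;
' the path is quoted in case the share or folder name contains spaces.
sCmd = Chr(34) & sSetup & Chr(34) & " /CG " & MANAGEMENT_GROUP & " /MS " & MANAGEMENT_SRV
WriteLog "Running (" & sArch & "): " & sCmd

' Run hidden (0) and wait (True); pass the installer's exit code back to
' the caller so the advertisement status reflects success or failure.
intRC = objShell.Run(sCmd, 0, True)
WriteLog "ClientSetup.exe exit code: " & intRC
WScript.Quit intRC
```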

Enjoy!

Deploying Forefront Client Security Using SCCM2007 - Video Guide

This is a video guide that explains how to deploy the Forefront Client Security client agent using System Center Configuration Manager 2007. The video details all the stages: creating a package from the client source files, creating a task sequence that includes the old AV removal script and the package deployment, and advertising the task sequence to the appropriate collection.

Hope you'll like it. Good luck!

I am very excited since it is my first ever video guide. I know I sound a bit funny on the recording, but I hope the message is clear and it helps you understand what this video is trying to say.

I'd like to receive any complaints, remarks (or maybe even compliments) about this so I can learn and improve my work in the future.

Deploying Forefront Client Security Using SCCM 2007 - Step-By-Step

This is a Step-By-Step guide for using SCCM2007 to Deploy Forefront Client Security Client Agents.

Pre-Requisites:

1. Installed and configured FCS management server.

2. FCS Policy configured and deployed on client machines.

3. Windows Update policy Configured and deployed on client machines.

4. Client Installation Files (the Client directory on the installation CD) on a shared directory on the FCS server (only read permissions needed).

Creating the Installation Package

1. Open the SCCM 2007 Console and go to Computer Management -> Software Distribution, then right-click Packages -> New -> Package.

2. Configure all package details and click next.

3. On the Data Source tab, configure the data source as the file share you've created with the client setup files on the installation server. In the scheduling part, you can leave the default or configure a schedule for updating the client package.
After finishing all the settings, click Finish.
I've chosen 6 hours since I'm downloading the new definitions every day using a script and updating the installation package every day so that it is installed with the newest definitions.

4. Now go back and expand the newly created package. The first thing we need to do is configure a distribution point for the package. For that, right-click Distribution Points -> New Distribution Points.

5. On the distribution points wizard, walk through the welcome screen and on to the Copy package window. Then select the specified distribution point you wish to distribute your package from (the default choice should be the SCCM server itself). Then click next and close.

6. The next phase is creating the program to run clientsetup.exe. To do that, go back to the SCCM console and expand the FCS package. Right-click Programs -> New -> Program.

7. On the General page, type a program name and comment and then configure the command line you need to run clientsetup.exe with. It should be something like:
clientsetup.exe /CG ForefrontClientSecurity /MS fcsserver.domain.com
On the Run selection, I recommend using Hidden in order not to disturb your users while deploying FCS.
Then click Next.

8. On the Requirements page, enter a 350MB disk space limit (the FCS prerequisite). Then limit the platforms this program can run on: since we are currently building a package using the x86 client agent version, we need to select only x86 platforms. In addition, we cannot select all x86 2000 and XP versions, since the FCS client is limited to 2000 SP4 and XP SP2, so pay attention and check only the proper platforms.
Then click Next.

9. On the Environment page, choose that the program can run whether or not the user is logged on (which automatically checks the "Run with administrative rights" option).
Note: you should already have configured the administrative account used to install programs. If not, you can find more information about configuring SCCM accounts at: http://technet.microsoft.com/en-us/library/bb680323.aspx
Then click Next.

10. Go through the Advanced, Windows Installer, MOM Maintenance and Summary pages and click Close.
Note: you can configure things you want under Advanced or MOM Maintenance if you wish, but this is not necessary.

Note: The package we just created is used for installing the x86 client agent. In case you have x64 platforms in your domain, you need to repeat the process and create an x64 package. Just pay attention when choosing the running platforms: only select the x64 systems.

Creating a Task Sequence to Remove the Existing AV Solution and Deploy the FCS Package

1. Open SCCM 2007 Console and then go to Computer Management -> Operating System and right click Task Sequence -> New -> Task Sequence.

2. On the create new task sequence page, select "Create a new custom task sequence" and click next.

3. On the Task Sequence Information page, type the task sequence name and choose the x86 boot image (or x64, depending on your client agent deployment). Then click Next and Close.

4. Now go back to the console and on the task sequence window, right click the newly created task sequence and select edit.

5. Now we create the task sequence that will run on the client.
Click Add -> General -> Run Command Line.

6. Fill in the proper details and on the command line, write the full path to the removal script.
Note:
Some AV solutions require a reboot and won't let anything else get installed on the system after removing them, until you reboot the system.
If your case is one of those, then after adding the "remove XXX" task, click Add -> General -> Restart Computer.

7. Now we need to add the FCS deployment package. Click add -> General -> Install software

8. Now fill in the name and description of the installation task, select Install single application, click Browse and select the FCS package you created earlier.

9. This phase is optional, although I recommend working through it since this is one of the greatest added values of deploying FCS using SCCM.
After configuring the SCCM WSUS distribution point settings and syncing with Microsoft Update, you should be able to see Forefront updates (hotfixes) in the Software Update Deployment part of the SCCM console.
Go to Computer Management -> Software Updates -> Update Repository -> Updates -> Microsoft -> Forefront Client Security.

10. Select the Updates that relate to FCS and right click -> Deploy Software Updates. Make sure you choose only updates named "Update for Microsoft Forefront Client Security" and not the "Client Update for Microsoft Forefront Client Security".

11. On the Software updates general page, type a name for the software update deployment and click next.

12. On the deployment template, click create new (unless you already have a deployment template you wish to use – then you can skip this step).

13. On the Collection page, choose the collection where you wish to deploy Forefront and click Next.

14. On the Display/Time Settings page, choose Suppress display notifications on clients and Client local time, and set the deadline to 1 hour. Then click Next.

15. On the Restart Settings page, check Suppress restart on servers and workstations and click Next.

16. Go through the Event Generation and Download Settings pages (leaving them at default settings) and on the Create Template page, give a new name to the template and click Next.

17. On the deployment Package page, name the newly created package and fill out the package source UNC (Specifies the location of the software update source files. When the deployment is generated, the source files are compressed and copied to the distribution points that are associated with the deployment package).
Note: The shared folder for the deployment package source files must be manually created before proceeding to the next page.

18. On the distribution points page, click browse and add your default Distribution point. Then click next.

19. On the download location page, choose from the internet and click next.

20. On the language selection page, select the relevant languages and click next.

21. Move through the Schedule, NAP Evaluation and Summary pages, and click Close.

22. Now what we want to do is add all the updates to the installation package, thereby making sure our clients are installed from the beginning with the most up-to-date version of all the client engines.
Go back to the task sequence you've created earlier and edit it. Click Add -> General -> Install Software Updates.

23. Type the name for this task, choose Mandatory software updates and click OK.
Note: another optional way of adding the updates to the package is downloading the updates directly from the Microsoft Update catalog (http://catalog.update.microsoft.com/v7/site/Search.aspx?q=forefront), packaging them and adding them as an Install Software task in the task sequence.

Advertising the Task sequence

1. Go back to the SCCM console and right click the task sequence you created and choose advertise.

2. Fill the name and comment for the advertisement and choose the collection where you wish to distribute FCS. Then click next.

3. On the Schedule page, select your preferred schedule for deployment. I usually work with "As soon as possible". Then click Next.

4. On the distribution point page, select the Access content directly option and click next.

5. Go through the Interaction, Security and Summary pages leaving everything at default settings and click Close.

That’s it! You've deployed FCS using SCCM2007. Congratulations!

Deploying Forefront Client Security Using SMS 2003 - Step-By-Step

This is a Step-By-Step guide for using SMS 2003 to Deploy Forefront Client Security Client Agents.

You can also find here a script that will kick off another script to remove the current AV solution and only then deploy the FCS client agent on the target computer.

Open the SMS 2003 Administrator Console (Start -> All Programs -> Systems Management Server 2003 -> SMS Administrator Console).


Right-Click Packages -> New -> Package


On the general tab, Update Package details.


On the Data Source tab, check "This package contains source files" and click the Set button.


Choose the location where your FCS client setup is located (network path \\fcswsus\fcsclient) and click OK.

Leave the Always obtain files from source directory checked.

Leave the rest of the tabs on default settings click ok.


Expand the package you’ve just created and right-click distribution points -> new -> distribution points.


Check the distribution points where you wish the package to be, and click Finish.


Right click programs -> new -> program.


On the General tab, type the package name and command line for installation. It is recommended to use a script that runs the full command line and removes the current AV installation.

Here is a sample installation script that also runs a removal script and then installs FCS:

Option Explicit
Dim objWshShell, sComputerName, strCommand, intRC
Dim ClientAgentLocation, ManagementServer, ManagementGroup
Dim InstallationPath, LogsPath, sInstallCommand, intFCS

Set objWshShell = WScript.CreateObject("WScript.Shell")
sComputerName = objWshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")

' Run the XXX removal script hidden (0) and wait for it to finish (TRUE)
strCommand = "\\fcswsus\Fcsclient\UninstallXXXAV.vbs"
intRC = objWshShell.Run(strCommand, 0, TRUE)

' Install the FCS agent
' Change this to the full path of your ClientSetup.exe
ClientAgentLocation = "\\fcswsus\fcsclient\ClientSetup.exe"
' Change this to your management server name
ManagementServer = "FCSWSUS"
' Change this to your management group name
ManagementGroup = "ForefrontClientSecurity"
' Change this to the client installation path of your choice
InstallationPath = "C:\Program Files\Forefront Client Security"
' Change this to the client installation logs path of your choice
LogsPath = "C:\Program Files\Forefront Client Security\Logs"

' Paths containing spaces are wrapped in double quotes (Chr(34))
sInstallCommand = ClientAgentLocation & " /MS " & ManagementServer & " /CG " & ManagementGroup & " /I " & Chr(34) & InstallationPath & Chr(34) & " /L " & Chr(34) & LogsPath & Chr(34)

' Uncomment this message box to check the validity of the FCS installation command line
'MsgBox(""& sInstallCommand)

' Run the installer hidden and wait for it; intFCS holds its exit code
intFCS = objWshShell.Run(sInstallCommand, 0, TRUE)

Change the run type to hidden.

The Next phase is to create an advertisement and assign it to the appropriate collection. It is recommended to create a separate collection in SMS for Forefront distribution (filter it by whatever criteria you want, but create a separate one).


In this case, we've created a collection called forefront for that purpose.

In order to create the advertisement, right click advertisements -> new -> advertisements.


On the general tab fill the advertisement name, and select the package and program to run. Then select the collection where you wish to advertise the package.


On the Schedule tab, create new mandatory assignments with the new assignment button.

  1. The first assignment should be as soon as possible.
  2. The second assignment should be an interval by your choice (recommended once a day).

Leave the rest of the tabs on default settings and Click OK.

Who wants to be a Microsoft Forefront Client and Server Technology Specialist ?

Brand new exam... fresh from the oven.

I've taken the 70-557 exam today and passed.

Indeed, not a 1000 score, but I think they had a mistake in one of the questions...

Who the hell uses a script to distribute scan job templates? That's why FSSMC exists... Oh well, this will have to do :-)

BTW, a little preview for those of you who will have the pleasure of being in my lectures at Tech-ED... I have an exam voucher for the 70-557 that I'm planning to give away as one of the prizes in one of the lectures...

If you have any questions regarding the exam, feel free to ask :-)

Configuration Changes in Antigen/Forefront Due CA Engine Consolidation

Molly Gilmore (a program manager on the Forefront Rapid Response Engineering team) has published a reminder on the new behavior expected from Antigen/Forefront now that CA has consolidated their two AV engines.

First, I would like to mention that a KB article was created that outlines the change and the associated product benefits communicated by CA (http://support.microsoft.com/kb/931373).

After the consolidation was made, the FFRRE team recommended disabling the CA InoculateIT engine (and by that, Forefront Security Server customers gain the option of selecting another AV engine for additional protection).

In case you didn't read the message and/or didn't do any change in your config, the FFRRE team has re-packaged the CA Vet engine as the CA InoculateIT engine so it would be loaded by FSS/Antigen as CA InoculateIT but updated with CA Vet signatures. As a result, Customers who have both CA InoculateIT and CA Vet enabled for scanning, are scanning with two instances of the same engine, CA Vet.

The best way to "get-rid-of" this engine is to upgrade to the most recent service packs available for each of our products; Antigen 9.0 SP1 for Antigen for Exchange Customers, FSSE SP1 for Forefront Security for Exchange Server Customers and FSSSP SP1 for Forefront Security for SharePoint Customers. These product versions are shipped without the CA InoculateIT engine and will remove the CA InoculateIT scanner update scheduled jobs during the installation process.

If you still wish to manually disable the engine and not update it, here are the steps to do it:

  1. Open The Forefront/Antigen Administrator Client.
  2. Under Settings, Click On “Antivirus”.
  3. Deselect The CA InoculateIT Engine Under “File Scanners” For Each Scan Job.
  4. Click the Save button.

Remove Scanner Update Scheduled Jobs for CA InoculateIT
  1. Open The Forefront/Antigen Administrator Client.
  2. Under Settings, Select Scanner Updates.
  3. Select CA InoculateIT and click the Disable button on the right-hand side to disable scheduled updates for this engine.
Important NOTE: In several months, Microsoft will discontinue signature update support for the CA InoculateIT engine so it is advised that Customers upgrade to the most recent service packs available for each product version.

Microsoft Forefront Client Security Evaluation Upgrade Tool

During my daily routine of checking for news on Forefront, I've discovered this nice utility, which is used to upgrade an evaluation version of Microsoft Forefront Client Security to the full retail version.

This utility is freely available for download from download.com and can assist those of you who wish to upgrade their evaluation deployment into production.

Enjoy!

FCS Evaluation Upgrade Tool

Configure E-Mail notifications for Forefront Client Security - Step-By-Step Guide

I can only guess how many of you have searched for where to find the e-mail notifications for FCS... So... It's there, you just need to know where to look.

To configure e-mail notifications, you first have to open the MOM Administrator Console (Start -> Programs -> Microsoft Operations Manager 2005 -> Administrator Console).

The Next step is opening the Administration container and clicking the Global settings tab.


Now click on E-Mail Server and configure your e-mail server properties (server name, return address, charset for alert mail and mail server port).

After configuring those properties, click OK and go back to the Administrator Console. Now go to Management Packs -> Notifications, right-click "Operators" and choose "Create Operator" from the drop-down list.

Configure Operator Properties (Name, SMTP Address, Pager address and external command related to that operator - can be used for external SMS programs)


Now click Finish, open the Management Packs -> Notifications -> Notification Groups container, right-click the Client Security Notification Group and click Properties.

In the following window, add all the operators you wish to be notified by FCS alerts and click OK.

That's it. We are done! :-)

10 dumb things users do that can mess up their computers

"We all do dumb things now and then, and computer users are no exception. Inadvertently pressing the wrong key combination or innocently clicking OK in the wrong dialog box can change important settings that alter a computer’s behavior or even crash the system.

Nervous newbies are often fearful that one wrong move might break the computer forever. Luckily, short of taking a sledge hammer to the box, the consequences aren’t usually quite that dire. Even so, users often do create problems for their computers and for your network. Here’s a description of common missteps you can share with your users to help them steer clear of preventable problems."

The 10 Things blog posted another great post about 10 dumb things users do that can mess up their computers and how to deal with them.

Among those stupid things you can find: plug into the wall without surge protection, surf the Internet without a firewall, install and uninstall lots of programs (especially betas), keep disks full and fragmented, open all attachments, click on everything, pick the wrong passwords or ignore the need for a backup and recovery plan.

Read the full article

Windows 2008/vista service hardening

From the cold winter of Seattle, I've managed to gather a small bunch of guides that explain the new features and guidelines of service hardening in Vista and Server 2008.

Windows Service Hardening:
http://blogs.technet.com/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx

Services isolation in Session 0 of Windows Vista and Longhorn Server:
http://blogs.technet.com/voy/archive/2007/02/23/services-isolation-in-session-0-of-windows-vista-and-longhorn-server.aspx

Least privilege for services:
http://blogs.technet.com/voy/archive/2007/03/21/least-privilege-for-services.aspx

Per-service SID:
http://blogs.technet.com/voy/archive/2007/03/22/per-service-sid.aspx

Write-restricted token:
http://blogs.technet.com/voy/archive/2007/04/01/write-restricted-token.aspx

Network restrictions for service hardening:
http://blogs.technet.com/voy/archive/2007/04/02/network-restrictions-for-service-hardening.aspx

Services Hardening in Windows Vista:
http://www.microsoft.com/technet/technetmag/issues/2007/01/SecurityWatch

Enjoy (although I don't think that is the proper word for service hardening... :-))