Tamper Protection in Forefront Client Security

January 9, 2009

Every antivirus product has a mechanism called tamper protection that helps administrators keep users from mishandling their antivirus settings and services. Forefront Client Security only offers basic control over what the user can or cannot do with the FCS Client Console on his client machine. What FCS doesn’t provide is a built-in mechanism to protect the FCS services from being stopped, or to prevent FCS from being removed by the user.


It’s true that some of this can be prevented by not granting administrative privileges on the client workstation, but some of us don’t have that luxury.


Windows Group Policy has built-in settings that allow you both to protect your services and to disable removal by unauthorized users. This is how it’s done.


Protecting Forefront Client Security Services



  1. Start Active Directory Users and Computers.

  2. Right-click the domain in which you want to add the OU, click New, and then click Organizational Unit.

  3. Give the OU an appropriate name, and then click OK. The new OU is listed below the domain.

  4. Right-click the new OU, and then click Properties.

  5. The OU properties are now displayed. On the Group Policy tab, click New. Give the new Group Policy an appropriate name (for example, the name of the OU for which it is implemented).

  6. After the policy is created, make sure it is highlighted, and then click Edit.

  7. Click Computer Configuration, click Windows Settings, click Security Settings, and then click System Services.

  8. Double-click the Forefront Client Security Anti-Malware service and specify the security policy setting that you wish to allow for this service. The important thing is not to allow the Administrators group to stop the service.

This will take care of the services problem.


How to prevent FCS from being uninstalled



  1. Click Start, and then click Run.

  2. In the Open box, type regedt32, and then click OK.

  3. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

  4. Click the Edit menu, and select Find. On the “Find what” line, type “Microsoft Forefront Client Security Antimalware Service” and click Find Next. This will locate the subkey where the FCS uninstall information is stored.

  5. Right-Click that subkey and select Permissions.

  6. Set the permissions according to which users you want to be able to uninstall FCS. Each user who has read permission for that subkey will be able to uninstall FCS.



This setting can also be introduced via Group Policy:



  1. Start Active Directory Users and Computers.

  2. Right-click the domain in which you want to add the OU, click New, and then click Organizational Unit.

  3. Give the OU an appropriate name, and then click OK. The new OU is listed below the domain.

  4. Right-click the new OU, and then click Properties.

  5. The OU properties are now displayed. On the Group Policy tab, click New. Give the new Group Policy an appropriate name (for example, the name of the OU for which it is implemented).

  6. After the policy is created, make sure it is highlighted, and then click Edit.

  7. Click Computer Configuration, click Windows Settings, click Security Settings, and then click Registry.

  8. Right-click Registry and select Add Key.

  9. Locate the registry key you found earlier, select it, and click OK.

  10. Configure the appropriate permissions and click OK.

  11. Make the appropriate selection in the Add Object dialog box and click OK.
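As an added example that is not part of the original post, the following PowerShell audits both controls on a client after the policies have applied: it locates the FCS uninstall subkey by the DisplayName used in step 4 above, lists which identities hold Read on it (and can therefore uninstall), and dumps each FCS service's security descriptor so the Administrators ACE can be checked for the stop right. It assumes an elevated session and that the service's display name contains "Forefront Client Security Anti"; both are assumptions, not something the post states.

```powershell
# Added audit script (not from the original post). Run elevated on a client.
# Assumptions: the Uninstall entry's DisplayName matches the string searched
# for in step 4, and the service display name matches the wildcard below.

$uninstallRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$fcsDisplayName = 'Microsoft Forefront Client Security Antimalware Service'
$readKey        = [System.Security.AccessControl.RegistryRights]::ReadKey

# 1. Find the FCS uninstall subkey the same way Find does in regedt32.
$fcsKey = Get-ChildItem -Path $uninstallRoot -ErrorAction SilentlyContinue |
    Where-Object {
        (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName -eq $fcsDisplayName
    }

if (-not $fcsKey) {
    Write-Warning "No Uninstall subkey with DisplayName '$fcsDisplayName' found."
} else {
    Write-Host "FCS uninstall subkey: $($fcsKey.Name)"
    # Per the post, anyone with Read on this key can run the uninstaller,
    # so report every Allow ACE that grants full ReadKey.
    (Get-Acl -Path $fcsKey.PSPath).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $readKey) -eq $readKey)
        } |
        Select-Object IdentityReference, RegistryRights, IsInherited |
        Format-Table -AutoSize
}

# 2. Show the service security descriptor as SDDL. After the System Services
# policy is in place, the Administrators ACE (BA) should not carry WP,
# which is the SERVICE_STOP right.
$services = Get-Service -DisplayName '*Forefront Client Security Anti*' -ErrorAction SilentlyContinue
if (-not $services) {
    Write-Warning 'No service with a matching display name was found.'
}
foreach ($svc in $services) {
    Write-Host "Service: $($svc.Name) ($($svc.DisplayName))"
    & sc.exe sdshow $svc.Name
}
```

Read the sdshow output ACE by ACE: an entry such as `(A;;...WP...;;;BA)` means the Administrators group can still stop the service and the policy has not taken effect on that machine.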

Credit for this one goes to a couple of colleagues of mine (thanks Naor and Gal) who are in charge of administering one of the largest FCS deployments in the world.


4 comments

  1. steve, April 2, 2009 at 18:33

    What permissions do you suggest for FCS services that will allow for the service to start/stop yet not allow unauthorized malware to start/stop?

  2. PiterKokoniz, April 8, 2009 at 3:00

    Hello !!!! ^_^
    My name is Piter Kokoniz. Only want to tell, that I like your blog very much!
    And want to ask you: what was the reason for you to start this blog?
    Sorry for my bad English :)
    Thank you:)
    Piter.

  3. Fred Tealey, March 1, 2010 at 22:51

    How do you deal with updates to the FCS client that have the need to start/stop the service while installing?
