Planning your policies

Applies To: Forefront Client Security

To plan policies for your organization, you should understand the settings included in a policy.

Default policy settings

All of the following options are available in the New Policy and Edit Policy dialog boxes in the Client Security console. For more information about these settings and why you might want to enable or disable them, see the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkID=88221). Additional options are available only as registry keys. For more information about the registry key settings, see the Client Security Technical Reference Guide (https://go.microsoft.com/fwlink/?LinkID=86991).

General tab default settings

Option | Default setting | Note

Name

  • Blank

Identifies the policy. Requires a unique name.

Comments

  • Blank

Optional. It is recommended that you use this option to summarize the:

  • Settings of the policy.

  • Computers to which you intend to deploy the policy.

  • Change history of the policy.

Comments can include approximately 32,000 characters.

Protection tab default settings

Area | Default setting | Note

Malware protection

  • Virus protection is on

  • Spyware protection is on

When these settings are not enabled, Client Security will not scan for viruses or spyware, or identify them using real-time protection (shown as RTP on the Protection tab).

Malware scanning

  • RTP is on

  • A full scan is scheduled every day at 2:00 AM

  • Running a Quick Scan at an interval is disabled

Full scans provide a backup defense to real-time protection. Malware that was unknown when it reached the computer, and so was not detected by real-time protection, can be detected by a later full scan once you have an updated definition file that identifies it. Full scans search the entire computer, except for files, folders, or file extensions that you exclude.

Security state assessment

  • Scan for vulnerabilities every 12 hours

Scanning for vulnerabilities is a preventive measure that helps you identify computers potentially at risk of malware infection.

Advanced tab default settings

Area | Default setting | Note

Malware definition updates

  • Checking for updates before starting a scan is on

  • Checking for updates at an interval is on, for every 6 hours

  • If checking for updates on Microsoft Update was previously enabled on a saved policy, checking for updates on Microsoft Update when WSUS is unavailable is on

Client Security relies on up-to-date definitions to effectively identify new instances of malware.

By enabling client computers to check Microsoft Update when WSUS is unavailable, your remote users keep their definitions up to date even when disconnected from your internal network.

Until you save a policy that enables checking for updates on Microsoft Update when WSUS is unavailable, this option is disabled by default.

Malware scan options

  • Scan archive files (such as .zip and .cab files)

  • Use heuristics to scan for suspicious files and treat detected files as infected

  • Do not delete quarantined files

By including archive files, you ensure that these files are scanned for malware.

Heuristic scans help protect against malware that has not yet been identified in a definition file. Turning this off leaves client computers more vulnerable to new malware.

By not deleting quarantined files, you can restore files that you did not want quarantined.

Exclusions from malware scans

  • Blank

Optional settings that you can use to exclude specific files, folders, and file extensions from malware scans.

Client options

  • End user can only view icon in the system tray and associated status messages

  • End user is not prompted when unclassified software is detected

By locking down the user interface on the client computer, you can ensure that no changes are made to the settings.

Overrides tab default settings

Area | Default setting | Note

Overrides based on malware threat

  • Blank

Optional settings that you can use to change how Client Security reacts upon detecting specific malware or falsely detecting an application you trust.

Overrides based on category or severity

  • Blank

Optional settings that you can use to change how Client Security reacts upon detecting malware of a specific category or severity.

Reporting tab default settings

Area | Default setting | Note

Alert level

  • Alert Level 3 - Medium

Alert levels determine whether a specific event or set of events (such as responding successfully to a malware infection) generates an alert.

Logging

  • Events for files marked "Unknown" are logged

None.

SpyNet

  • Basic SpyNet reporting is enabled

  • Internet Explorer network connection settings are used

None.

Customizing your policy settings

You can customize all of the settings described in the preceding tables for your policies. When customizing your policy settings, consider the following issues for the computers to which the policy is being applied:

  • How important is the security of these computers? For example, an executive computer might require additional security measures, yet a rarely used computer without Internet access might need fewer security measures.

  • How important is it that you are notified of a potential security issue? Mail server and database servers likely require a higher alert level than standard computers.

  • Do malware scans impact the performance of client computers too severely? There are several settings you can modify to reduce the impact of Client Security on client computer performance.

  • How frequently should computers check for definition updates and should they fall back to Microsoft Update when the Client Security distribution server is unavailable?

  • Has Client Security identified specific software that you want to allow on your computers as malware?

The following sections discuss policy settings that you can change in response to these questions.

For more information about these settings, see the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkID=88221).

Policy settings for scanning

For most client computers, the default settings for scans are likely to be appropriate or to need few changes; however, there are common scenarios that may lead you to change policy settings affecting malware and security state assessment (SSA) scans.

Settings for computers with higher security requirements

You may have computers requiring a high degree of protection, such as database servers or computers running mission-critical applications. Also, you may want the computers used by important end users to receive a high degree of protection.

The default settings for a Client Security policy reflect a conservative security stance, such as scheduled daily full scans; however, when configuring a Client Security policy for computers that need greater protection, consider the following changes to default settings.

Tab | Area | Recommended setting | Note

Protection

Malware scanning

  • Run a Quick Scan at set interval

Enabling quick scans at a short interval, such as every four hours, ensures that the following areas on the computer are checked several times a day:

  • In-memory processes

  • Files in the following folders:

    • User profiles

    • Desktop

    • System folder

    • Program files

  • Other items specified by malware definitions

Advanced

Malware definition updates

  • Check for updates at set interval

If, on the Protection tab, you enable quick scans at a frequent interval and use the default setting for update checks prior to scans, consider disabling checks for updates at a set interval.

Note

Interval checks for updates help ensure the effectiveness of real-time protection against new threats. It is strongly recommended that you do not disable interval checks for updates unless you use frequent interval scans and check for updates prior to scans.

Reporting

Alert level

  • Alert Level 4 or 5

Specifying a higher alert level than the default level of 3 results in alerts for more events, ensuring that you are more thoroughly informed about the security status of the computer. For more information about alert levels, see Policy setting for alert level.

Settings for computers with lower security requirements

You may have computers with lesser security requirements, such as computers without Internet access. When configuring a Client Security policy for computers that need less protection, consider the following changes to default settings.

Tab | Area | Recommended setting | Note

Protection

Malware scanning

  • A full scan is scheduled once a week

  • Run a Quick Scan at set interval

A weekly full scan is likely adequate for computers at lower risk for infection; however, it is strongly recommended that you use the default settings for real-time protection and checks for definition updates.

Instead of a daily full scan, consider daily quick scans, that is, a quick scan at an interval of 24 hours.

Protection

Security state assessment

  • Scan for vulnerabilities every 24 hours

Twenty-four hours is the longest interval you can configure for SSA scans. It is recommended that you leave SSA scans enabled, so that SSA-related reports show potential vulnerabilities for the computers protected by the policy.

Reporting

Alert level

  • Alert Level 2 or 1

Specifying a lower alert level than the default level of 3 results in alerts for fewer events, which is likely desirable for less important computers.

Settings to improve performance of computers

You may have computers on which you want to minimize the performance impact of scans. When configuring a Client Security policy to improve computer performance, consider the following changes to default settings.

Tab | Area | Recommended setting | Note

Protection

Malware scanning

  • A full scan is scheduled once a week, at an optimal time of day

Of all Client Security features, full scans have the largest performance impact. Reducing the frequency to once a week should greatly reduce the effect of Client Security on computer performance.

Important

It is also strongly recommended that all computers receive full scans, even if it is only once a week.

Consider optimizing the time of day that a scheduled full scan occurs, too. By default, scheduled full scans occur at 02:00 (2:00 A.M.); however, if this time interferes with other scheduled tasks, such as backups, consider modifying the policy to use a different time.

Advanced

Malware scan options

  • Do not scan archive files

Consider omitting archive files from scans. For more information about this setting, see Determining whether to scan archive files (https://go.microsoft.com/fwlink/?LinkId=88928).

Advanced

Exclusions from malware scans

  • Exclude large data files from scans

If there are large data files on scanned computers, you can omit them from scans.

Important

It is recommended that you set exclusions carefully. Exclusions set without forethought might lead to undetected malware, such as a virus present in an excluded data file.
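The note above recommends moving the scheduled full scan away from other scheduled tasks such as backups. The following script is an added example, not part of the Client Security documentation or product: it lists the Windows scheduled tasks on the local computer whose trigger start time falls within a window around the planned scan time, so you can see what a 02:00 full scan would overlap with before you settle on a time. It assumes PowerShell 3.0 or later with the ScheduledTasks module (Windows 8 / Windows Server 2012 or later); the window size and the 02:00 default are this example's parameters.

```powershell
# Added example (not from the Client Security documentation): find scheduled
# tasks that start close to the planned full-scan time.
# Assumes the ScheduledTasks module (Get-ScheduledTask) is available.
function Find-ScanTimeConflicts {
    param(
        [string]$ScanTime = '02:00',   # Client Security default full-scan time
        [int]$WindowMinutes = 60       # flag tasks starting within +/- this many minutes
    )
    $scan = [datetime]::ParseExact($ScanTime, 'HH:mm', $null)
    $scanMinutes = $scan.Hour * 60 + $scan.Minute

    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($trigger in $task.Triggers) {
            # Triggers without a StartBoundary (e.g. logon/event triggers) have no clock time.
            if (-not $trigger.StartBoundary) { continue }
            $start = [datetime]$trigger.StartBoundary
            $startMinutes = $start.Hour * 60 + $start.Minute
            $delta = [math]::Abs($startMinutes - $scanMinutes)
            $delta = [math]::Min($delta, 1440 - $delta)   # distance wraps around midnight
            if ($delta -le $WindowMinutes) {
                [pscustomobject]@{
                    TaskName        = $task.TaskName
                    TaskPath        = $task.TaskPath
                    StartsAt        = $start.ToString('HH:mm')
                    MinutesFromScan = $delta
                }
            }
        }
    }
}

# Usage: tasks closest to the default 02:00 scan time are listed first.
Find-ScanTimeConflicts | Sort-Object MinutesFromScan | Format-Table -AutoSize
```

Run it on a representative computer for each policy, not just one, because backup agents and maintenance jobs are often scheduled per machine class; pass a different `-ScanTime` to evaluate a candidate time before changing the policy.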

Settings to improve SSA report scores

SSA scans search for potential vulnerabilities by using SSA checks, which describe aspects of the operating system and common applications that can be better configured to protect a computer. Client computers can appear in Client Security SSA reports because of software configuration that is desirable for a variety of reasons but which an SSA scan detected as a potential vulnerability.

For example, the Password Expiration SSA check scans for local user accounts that have passwords that don't expire. Client Security assigns this vulnerability a score of Medium and logs an event if a client computer permits user accounts to have passwords that don't expire. Medium scores appear in Client Security reports, which is not helpful if you intend to allow a local user account to have a password that does not expire.

Client Security policies only let you turn SSA scans on, and an enabled scan always runs all checks. Also, you cannot configure how Client Security determines the scores for an SSA check.

To reduce reporting about intentional configurations, it is recommended that you use Group Policy to enforce the settings that allow the configuration. Typically, when settings examined by an SSA check are configured by Group Policy, the resulting score is Informational, which is a score that is excluded in Client Security SSA reports. It is assumed that configurations enforced by Group Policy conform to your organization's standards and are therefore intentional.
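Because you cannot tune individual SSA checks, it helps to know before deployment which computers will raise a given check. The following script is an added example, not part of the Client Security documentation or product: it enumerates local user accounts whose password is set never to expire, which is the condition the Password Expiration SSA check described above reports at Medium severity, so you can decide which ones are intentional and should be enforced through Group Policy rather than appear in SSA reports. It assumes PowerShell 3.0 or later (Get-CimInstance) and uses the Win32_UserAccount class; the exact matching logic of the Client Security check is not documented here and this script only approximates it.

```powershell
# Added example (not from the Client Security documentation): list local
# accounts whose password never expires, the condition behind the
# Password Expiration SSA check. Assumes Get-CimInstance (PowerShell 3.0+).
function Get-NonExpiringLocalAccounts {
    param(
        # Leave empty to query the local computer; otherwise a remote name
        # reachable over WinRM (CIM session).
        [string]$ComputerName = ''
    )
    $cimArgs = @{
        ClassName = 'Win32_UserAccount'
        Filter    = 'LocalAccount = TRUE'   # WQL: only local (non-domain) accounts
    }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

    Get-CimInstance @cimArgs |
        Where-Object { -not $_.PasswordExpires } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = if ($_.PSComputerName) { $_.PSComputerName } else { $env:COMPUTERNAME }
                Account  = $_.Name
                Disabled = $_.Disabled     # disabled accounts are lower risk but may still be reported
                SID      = $_.SID
            }
        }
}

# Usage: review the list on a test computer before enabling SSA reporting.
Get-NonExpiringLocalAccounts | Format-Table -AutoSize
```

For accounts that must keep a non-expiring password (for example, a local service account), enforcing that configuration through Group Policy is the approach the section above recommends, so that the check scores as Informational instead of Medium.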

Policy setting for alert level

You can configure a Client Security policy with one of five levels of alerting. Depending on the importance of the computers to which you deploy the policy, you can select the appropriate alert level. For example, it may be highly desirable to receive an alert for every detection of malware on database, Web, and e-mail servers, but less desirable for standard computers.

Tab | Area | Setting | Note

Reporting

Alert level

  • Select an alert level appropriate for the computers receiving the policy

For alert level information, see the following table.

The following table describes the five alert levels.

Alert level | Description

5

This level results in the highest number of alerts. Alerts at this level are applicable to executive and management computers, critical data servers and assets, and critical operations servers that require high availability or contain crucial data.

4

This level results in a high number of alerts. Alerts at this level are applicable to high-priority operational servers, data servers, or important computers.

3

This level is the default setting and results in a moderate number of alerts. Alerts at this level are applicable to high-priority computers.

2

This level results in a low number of alerts. Alerts at this level are applicable to typical user computers.

1

This level results in the lowest number of alerts. Only global outbreaks and flooding detection cause an alert at this level. Alerts at this level are applicable to computers that contain less critical data. For example, you might set this level for a policy covering a set of computers that is very large or includes no computers that require immediate response.

Policy settings that control the end-user experience

You can determine what end users can do with the Client Security agent user interface (UI). Because Client Security policies apply to computers rather than users, the settings affecting what an end user can do affect all users of a computer.

For information about these settings, see Controlling the end-user experience (https://go.microsoft.com/fwlink/?LinkID=86661).

Settings to allow end users to run scans

The New Policy or Edit Policy dialog box settings in the following table allow end users to run scans but not to change other settings.

Tab | Area | Setting | Note

Protection

Malware scanning

  • A scheduled scan is configured for a specific day and time, not set to "User controlled"

  • An interval quick scan is configured

By specifying scheduled and interval scans in a policy, you ensure that your users cannot configure them, despite having access to the Client Security agent UI.

Advanced

Client options

  • End user can view all Client Security agent settings and messages

This enables the user to open the Client Security agent UI and run scans.

Settings to deny end users access to the Client Security agent UI

The default setting in a policy is to deny end users access to the Client Security agent UI. The following table shows the setting that controls whether users can access the Client Security agent UI. Users still see status messages and the Client Security icon in the notification area.

Tab | Area | Setting | Note

Advanced

Client options

  • End user can only view icon in the system tray and associated status messages

This prevents the user from opening the Client Security agent UI and running scans.

Settings to prompt end users about unclassified software

You can configure Client Security to prompt end users when the Client Security agent detects unclassified software, which is software that is not explicitly identified in malware definitions as malware or as trusted software.

Note

It is strongly recommended that you use a test environment to determine if Client Security detects suspicious actions by applications that are common and legitimate in your organization. To avoid prompting the user for these applications, you should exclude them from scans in policies that enable the Client Security agent to prompt users about unclassified software.

The following table shows the settings for enabling user prompts for unclassified software and for configuring scan exclusions.

Tab | Area | Setting | Note

Advanced

Client options

  • Prompt user when unclassified software is detected

When you enable this setting, the Client Security agent displays balloon messages when it detects unclassified software.

Advanced

Exclusions from malware scans

  • Add file and folder paths as needed

  • Add file extensions as needed

Excluding an unclassified program prevents users from being notified when Client Security detects it.

For more information about exclusion settings, see Excluding files, folders, and file types from scans (https://go.microsoft.com/fwlink/?LinkId=88609).

Policy settings to exclude files, folders, and file types

You can configure a policy to omit specific files, folders, and file types (by file extension) from malware scans. This is primarily useful if Client Security falsely detects acceptable software as malware.

Note

It is strongly recommended that you use a test environment to determine if Client Security detects acceptable software as potential malware. Identifying such occurrences prior to deploying Client Security to a production environment can help reduce spurious reporting and end-user frustration.

The following table shows the settings for configuring scan exclusions.

Tab | Area | Setting | Note

Advanced

Exclusions from malware scans

  • Add file and folder paths as needed

  • Add file extensions as needed

Excluding an unclassified program prevents users from being notified when Client Security detects it.

For more information about exclusion settings, see Excluding files, folders, and file types from scans (https://go.microsoft.com/fwlink/?LinkId=88609).

When Client Security detects acceptable software as malware, consider submitting a sample of the software to Microsoft so that the software can be considered for approval as a known good application in future malware definitions. For more information, see Sending malware samples to Microsoft (https://go.microsoft.com/fwlink/?LinkId=89635).
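The exclusion settings in this section, and the earlier warning in "Settings to improve performance of computers" that careless exclusions can hide malware, both call for a review of a planned exclusion list before it goes into a policy. The following script is an added example, not part of the Client Security documentation or product: it checks a list of planned path and extension exclusions and flags the cases a reviewer would want to question, namely excluded extensions of executable or script types, excluded folders that are a whole drive or a user-writable location, and paths that do not exist on the computer where it runs. The risk categories and the constructed sample input are this example's assumptions, not Client Security rules.

```powershell
# Added example (not from the Client Security documentation): review planned
# scan exclusions for the mistakes that most often lead to undetected malware.
function Test-ScanExclusions {
    param(
        [string[]]$Paths = @(),        # planned file/folder exclusions
        [string[]]$Extensions = @()    # planned extension exclusions, with or without a leading dot
    )
    # Assumed risky set: file types that deliver or run code; excluding them removes
    # detection for exactly the files most likely to be malicious.
    $riskyExtensions = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.msi'
    # Assumed user-writable locations: anything dropped here by a user or browser would go unscanned.
    $userWritable = @($env:TEMP, $env:TMP, "$env:SystemDrive\Users", $env:ProgramData) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    foreach ($ext in $Extensions) {
        $normalized = if ($ext.StartsWith('.')) { $ext.ToLowerInvariant() } else { ".$($ext.ToLowerInvariant())" }
        $finding = if ($riskyExtensions -contains $normalized) { 'High: executable or script type' } else { 'OK' }
        [pscustomobject]@{ Kind = 'Extension'; Value = $normalized; Finding = $finding }
    }

    foreach ($p in $Paths) {
        # Expand %TEMP%-style variables so the check sees the real location.
        $norm = [System.Environment]::ExpandEnvironmentVariables($p).TrimEnd('\').ToLowerInvariant()
        $finding = 'OK'
        if ($norm -match '^[a-z]:$') {
            $finding = 'High: whole drive excluded'
        }
        elseif ($userWritable | Where-Object { $norm -eq $_ -or $norm.StartsWith("$_\") }) {
            $finding = 'High: user-writable location'
        }
        elseif (-not (Test-Path -LiteralPath $norm)) {
            $finding = 'Warn: path not found on this computer'
        }
        [pscustomobject]@{ Kind = 'Path'; Value = $norm; Finding = $finding }
    }
}

# Constructed sample input for illustration: a database data folder, a whole
# drive, a temp subfolder, two database file extensions and an executable type.
Test-ScanExclusions -Paths 'D:\SqlData\Archive', 'C:\', '%TEMP%\build' `
                    -Extensions 'mdf', '.ldf', 'exe' |
    Format-Table -AutoSize
```

Run it on a computer of the same class the policy targets, since the existence check and the environment variables are evaluated locally; a "Warn: path not found" result on the wrong machine class is expected and not by itself a problem.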

Policy setting for Microsoft Update

It is important that all client computers be able to receive updates reliably, because malware definition files are updated frequently to protect your computers against new threats.

You can safeguard against the unavailability of your WSUS server by configuring the Client Security policy setting regarding Microsoft Update. The setting enables client computers to contact Microsoft Update if contacting your WSUS server fails. For portable computers, this setting is especially important, because portable computers can be disconnected from your organization's network and still receive updates through the Internet outside of your network perimeter.

Tab | Area | Setting | Note

Advanced

Malware definition updates

  • Check for updates on Microsoft Update when WSUS is unavailable

This setting enables client computers to receive updates when WSUS is not available. Using Microsoft Update requires an Internet connection.

For more information about this setting, see Configuring fallback for updates (https://go.microsoft.com/fwlink/?LinkId=88590).