Hardening your Client Security deployment

Applies To: Forefront Client Security

When you deploy Client Security or change an existing deployment, you should review the deployment carefully to ensure its security. This topic details steps for securing a new or changed deployment.

To harden a new Client Security deployment

  1. Verify the Client Security installation. By performing this step, you establish an operational baseline prior to making security-related changes to Client Security.

    For information about verifying your installation, see the Client Security Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=59684).

  2. Secure each server on which you installed Client Security components.

    Note: The Security Configuration Wizard is not supported for any computer running Client Security server components.

    For server-specific security information, see the following topics:

  3. Ensure that service accounts are configured and used securely. For more information, see Securing service accounts.

  4. Ensure that users who perform administration roles have appropriate permissions. For more information, see Securing user accounts.

  5. Ensure that communications among Client Security servers are secure. For more information, see Securing connections.

  6. Ensure that client communications are secure. For more information, see Securing client computers.

  7. Review the Client Security policy settings that determine how much control end users have over the Client Security agent. Update and redeploy Client Security policies as applicable. For more information, see Securing client computers.

  8. Verify the Client Security installation again. Because you established an operational baseline, any issues found now must result from the changes made while performing this procedure. Troubleshoot and resolve any issues found.

    For information about verifying your installation, see the Client Security Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=59684).

  9. Run security state assessment (SSA) scans on all client computers. Client Security performs many SSA checks, such as determining if all available Microsoft security updates are applied to a client computer. For more information about configuring SSA scans, see Configuring security state assessment scans (https://go.microsoft.com/fwlink/?LinkId=87778).

    Use the Security State Assessment Summary report to learn about the potential vulnerabilities that Client Security finds in your organization. For information about using reports, see Viewing and printing reports (https://go.microsoft.com/fwlink/?LinkId=87776).

    For information about fixing computers that receive unacceptable scores for an SSA check, see About security state assessment checks (https://go.microsoft.com/fwlink/?LinkId=87775).

Securing changed Client Security topologies

If you make a change to a Client Security topology, you should ensure that the servers you changed are secure. This applies to all topology changes, which include:

  • Combining two or more Client Security components on a single server.

  • Moving two or more components to separate servers.

  • Rebuilding a server.

To secure a changed Client Security topology

  1. Ensure that service accounts used on the changed servers are configured correctly. For more information, see Securing service accounts.

  2. Ensure that permissions for users performing Client Security administration tasks are correctly configured. For more information, see Securing user accounts.

  3. Ensure that connections involving the changed servers are secure. For more information, see Securing connections.

  4. Run the Client Security Configuration wizard.

    1. On the management server, open the Microsoft Forefront Client Security Management Console.

    2. From the Action menu, click Configure. Follow the instructions in the wizard.

    The management server is updated with any applicable topology changes.

  5. Verify the Client Security installation. Troubleshoot and resolve any issues found.

    For information about verifying your installation, see the Client Security Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=59684).