Enterprise Manager administration

Applies To: Forefront Client Security

Using reports in Enterprise Manager

Reports in Enterprise Manager do not differ in appearance from the reports in a standard Client Security deployment, nor do they differ in how they are accessed. The only difference in Enterprise Manager reports is in the data that they display.

The reports in Enterprise Manager generate the data they show by querying the Enterprise Manager down-level databases. To keep that data as accurate and as timely as possible, it is queried at the time the report is requested, not read from a cache.

When a report is requested on an Enterprise Manager server, SQL Server Reporting Services calls stored procedures that query data from the target Enterprise Manager down-level databases. The data is returned to the Enterprise Manager reporting server and displayed to the Enterprise Manager user.

It is important to note that reports generated on the Enterprise Manager server contain information from all Enterprise Manager down-level databases. If you need to see reports from a single Enterprise Manager down-level database, you must query the Enterprise Manager down-level installation directly.

To access down-level deployment-specific reports

  1. Open Internet Explorer.

  2. In the Address bar, enter the URL of the Enterprise Manager down-level reporting server. The address consists of the server name and the virtual directory name ReportServer. Use the following URL: https://computername/reportserver

    If you use a named instance of SQL Server, use the following URL: https://computername/reportserver$instancename

  3. In Internet Explorer, click Microsoft Operations Manager Reporting, and then click Microsoft Forefront Client Security.

  4. Click the report name of the report you want to view. The report is generated and displayed in Internet Explorer.

Note

The Enterprise Manager server itself does not appear as a managed computer on the Enterprise Manager reports. This is because the data for Enterprise Manager reports is queried dynamically from the Enterprise Manager down-level databases, and the Enterprise Manager server is not managed by any of them.

For more information about working with Client Security reports, see Working with reports (https://go.microsoft.com/fwlink/?LinkId=103834) in the Client Security Administration guide.

About the data consistency banner

To notify you about the status of the data available in Enterprise Manager reports, a data consistency banner has been added to the top of Enterprise Manager reports.

[Figure: Report consistency banner]

Network connectivity problems or server availability issues may cause the Enterprise Manager server to be unable to contact Enterprise Manager down-level servers. If the Enterprise Manager down-level server cannot be reached, the data consistency banner appears on the report when the remaining data is returned.

The values in the data consistency banner represent the number of databases that have reported query failures ("Number that experienced query failures: n") out of the total number of databases being managed by Enterprise Manager ("Total number of databases: n").

Keep in mind that each down-level Client Security deployment has two databases that are managed by Enterprise Manager. For example, in a one-server down-level Client Security deployment, if the Client Security collection database is taken offline, the data consistency banner displays the following message: "Number that experienced query failures: 1." Taking the entire down-level Client Security server offline results in two databases reporting query failures.

However, long query response times do not cause the data consistency banner to appear. Reports in Enterprise Manager have a time-out value of 60 minutes. This time-out value should give the Enterprise Manager reporting service time to receive the query results from the Enterprise Manager down-level servers.

About down-level administrators

Administrators on the Enterprise Manager down-level servers can receive information about their individual deployments by viewing the Client Security reports directly from their local Client Security reporting server. The steps a down-level administrator needs to take are the same as those for the Enterprise Manager administrator viewing the down-level deployment-specific reports in the previous procedure.

Down-level administrators are not able to see the names of threats or Client Security policies in reports. Because this data is managed only on the Enterprise Manager server, these items display a globally unique identifier (GUID) in place of the name.

The Enterprise Manager dashboard

[Figure: Data consistency banner on the Enterprise Manager dashboard]

The Enterprise Manager dashboard is largely unchanged from the standard Client Security dashboard. There are only two differences.

About aggregated data

The data represented in the dashboard is aggregated from all Enterprise Manager down-level deployments. However, unlike a standard one-server Client Security installation, the Enterprise Manager server does not appear in any of the dashboard data.

A background SQL Server Agent job runs every five minutes in order to cache data from the Enterprise Manager down-level servers. This cache procedure allows the Enterprise Manager dashboard to always have up-to-date data. When starting the Client Security dashboard on the Enterprise Manager server, the age of the cached data for each down-level server is checked.

  • If the data in the cache for a down-level server is less than 10 minutes old, the cache data is used.

  • If the data in the cache for a down-level server is older than 10 minutes but not older than 30 minutes, that down-level database is queried directly. If it does not respond, the cache data is used.

  • If the data in the cache for a down-level server is older than 30 minutes, that down-level database is queried directly. If it does not respond, the dashboard does not display any data from that database.

About the data consistency banner

A data consistency banner has been added to the top of the Enterprise Manager dashboard. Network connectivity problems or down-level server availability issues may prevent the Enterprise Manager server from querying the latest data from the down-level servers. In the event this occurs, the Enterprise Manager dashboard displays the data consistency banner at the top of the dashboard. This banner represents the number of down-level databases that incurred query failures when the dashboard was refreshed.

The values in the data consistency banner represent the number of databases that have reported query failures ("Number that experienced query failures: n") out of the total number of databases being managed by Enterprise Manager ("Total number of databases: n").

Keep in mind that each down-level Client Security deployment has two databases that are managed by Enterprise Manager. For example, in a one-server down-level Client Security deployment, if the Client Security collection database is taken offline, the data consistency banner displays the following message: "Number that experienced query failures: 1". Taking the entire down-level Client Security server offline results in two databases reporting query failures.

If you click the data consistency banner, the Microsoft Operations Manager 2005 Operator Console opens. In the Operator Console, you can view alerts generated by the Enterprise Manager down-level deployments and investigate why the queries failed.
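The cache-age rules and the banner counting described above, for both the dashboard (cached, with the 10- and 30-minute thresholds) and reports (always queried live), as an added example in Python. This is not Client Security code: the real dashboard fills its cache with a SQL Server Agent job and reads the down-level databases through stored procedures this page does not name, so the live query is modelled as a plain callable that returns None when the down-level server cannot be reached (an assumption), and the deployment names and cache ages in the scenario are constructed.

```python
"""Dashboard cache rules and the data consistency banner, modelled in Python.

Added example, not Client Security code. The live query is a callable that
returns None when the down-level server is unreachable (assumption); the
10- and 30-minute thresholds are the ones the page states.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

FRESH_MINUTES = 10   # cache younger than this is shown without a live query
STALE_MINUTES = 30   # cache older than this is no longer used as a fallback


@dataclass
class DownLevelDatabase:
    """One of the two databases (collection or reporting) of a down-level deployment."""
    name: str
    cache_age_minutes: float
    cached: Optional[dict]
    query: Callable[[], Optional[dict]]   # live query; None means unreachable


@dataclass
class RefreshResult:
    total: int
    shown: dict = field(default_factory=dict)    # database name -> data displayed
    failed: list = field(default_factory=list)   # databases counted as query failures

    def banner(self) -> Optional[str]:
        """Text of the data consistency banner, or None when every query succeeded."""
        if not self.failed:
            return None
        return (f"Number that experienced query failures: {len(self.failed)}  "
                f"Total number of databases: {self.total}")


def resolve_dashboard(db: DownLevelDatabase):
    """Apply the three cache-age rules; return (data to show or None, query_failed)."""
    if db.cache_age_minutes < FRESH_MINUTES:
        return db.cached, False                 # no live query is attempted
    live = db.query()
    if live is not None:
        return live, False
    if db.cache_age_minutes <= STALE_MINUTES:
        return db.cached, True                  # 10-30 min: stale cache shown, failure counted
    return None, True                           # >30 min: nothing shown for this database


def refresh_dashboard(databases):
    result = RefreshResult(total=len(databases))
    for db in databases:
        data, failed = resolve_dashboard(db)
        if failed:
            result.failed.append(db.name)
        if data is not None:
            result.shown[db.name] = data
    return result


def refresh_report(databases):
    """Reports have no cache: every database is queried when the report is requested."""
    result = RefreshResult(total=len(databases))
    for db in databases:
        live = db.query()
        if live is None:
            result.failed.append(db.name)
        else:
            result.shown[db.name] = live
    return result


def scenario():
    """Constructed scenario: deployment A has only its collection database offline and a
    12-minute-old cache; deployment B is entirely unreachable with a 45-minute-old cache."""
    def reachable():
        return {"source": "live"}

    def unreachable():
        return None

    cached = {"source": "cache"}
    dbs = [
        DownLevelDatabase("A-collection", 12, cached, unreachable),
        DownLevelDatabase("A-reporting", 12, cached, reachable),
        DownLevelDatabase("B-collection", 45, cached, unreachable),
        DownLevelDatabase("B-reporting", 45, cached, unreachable),
    ]
    return refresh_dashboard(dbs), refresh_report(dbs)


if __name__ == "__main__":
    dash, rep = scenario()
    print("dashboard:", dash.banner(), dash.shown)
    print("report:   ", rep.banner(), sorted(rep.shown))
```

In the scenario, deployment A contributes one failure to the banner but its stale collection data is still shown on the dashboard, while deployment B contributes two failures and is absent from the dashboard entirely; the report banner shows the same three failures because reports never fall back to a cache. A slow but answering query is a success in both paths, which matches the page's note that long response times (within the 60-minute report time-out) do not raise the banner.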

To investigate Enterprise Manager query failure

  1. On the Enterprise Manager server, in the Client Security console, click the data consistency banner. The Microsoft Operations Manager (MOM) 2005 Operator Console opens.

  2. In the Microsoft Operations Manager 2005 Operator Console, under Alert Views, expand the All: Alert Views tree, expand Microsoft Forefront Client Security, and then click Alerts.
    Note This alert view shows Client Security–specific alerts only.

  3. In the Alerts pane, select the alert you want to view.

  4. In the Alert Details pane, do one of the following tasks:

    • To view information about the alert, click the Properties tab.

    • To read general information about how to resolve this type of alert, click the Product Knowledge tab, and then read the information presented there.

    • To view the events that triggered the alert, click the Events tab. If the alert is more than three days old, the events are not available because MOM has removed them from the collection database. However, they are still available in the reporting database. You can use the Alerts History report to view alerts older than three days, including the associated events.

For more information about working with the Client Security dashboard, see Working with the dashboard (https://go.microsoft.com/fwlink/?LinkId=103826) in the Client Security Administration guide.

Managing Client Security policies with Enterprise Manager

In an Enterprise Manager environment, all Client Security policies must be managed on the Enterprise Manager server. As discussed in Deploying the Client Security agent in an Enterprise Manager environment, you should document any existing Client Security policies on the Enterprise Manager down-level servers and, if necessary, recreate them on the Enterprise Manager server.

Important

Client Security policies created on the Enterprise Manager server are not displayed on the Policy Management tab of the Client Security Management console on the Enterprise Manager down-level servers.

The first Client Security policies that need to be deployed in your Enterprise Manager environment are the Client Security agent deployment policies, discussed in the previously mentioned topic. These initial policies deploy any new Client Security agents to target clients of your down-level instances.

Additionally, you must evaluate your enterprise protection policy and deploy Client Security policies to configure the Client Security agent on managed computers enterprise-wide.

It is important to remember that, just as before your installation of Enterprise Manager, some Client Security agents may need different configurations. Your organization likely already has an organizational unit (OU) structure; building on it, organizing the target computers into security groups according to their Client Security policy requirements eases the deployment and management of Client Security policies.

For example, consider the following scenario. You have three Client Security down-level deployments managed by the Enterprise Manager instance. In each of the down-level deployments are executive users who need a Client Security policy that allows them to view and modify the settings in the Client Security agent. The rest of the users in your enterprise should not be able to change any of the settings.

To satisfy this scenario for the users in the enterprise, do the following tasks:

  • Create security groups in each domain that include all computers that are to be Client Security clients.

    Note

    Client Security policies are applied at the computer level, not at the user level.

    Note

    If your Active Directory forest is configured for Windows 2000 forest functional level, you must divide the computers into groups no larger than 5,000 members. If your Active Directory forest is configured for Windows Server 2003 interim functional level or higher, you may create groups larger than 5,000 members.

  • Create a Client Security policy that restricts access to the Client Security agent settings, and then deploy this policy to the security groups created.

To satisfy this scenario for the executive users, do the following tasks:

  • Create security groups in each domain that contain the computer accounts of the executive users.

  • Create a Client Security policy that does not restrict the Client Security agent settings, and then deploy this policy to the executive computers.
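A planning helper for the scenario above, as an added example in Python (not a Client Security tool). It takes computer accounts keyed by domain, because the groups are created per domain, separates the executives' computers from everyone else's, and, when the forest is at Windows 2000 forest functional level, splits each group so that none exceeds 5,000 members. The group names, the domain layout, the computer names and the functional-level flag are all constructed for the example; the resulting plan is what you would then create in Active Directory and target with the restricted and unrestricted policies.

```python
"""Security-group plan for the executive / everyone-else policy scenario.

Added example, not a Client Security tool: group names, domain layout and the
functional-level flag are constructed. Policies are applied at the computer
level, so the input is computer accounts, not user accounts.
"""
WINDOWS_2000_GROUP_LIMIT = 5000


def _split(members, limit):
    """Split a member list into groups of at most `limit` (no split when limit is None)."""
    if not members:
        return []
    if limit is None:
        return [list(members)]
    return [members[i:i + limit] for i in range(0, len(members), limit)]


def plan_policy_groups(computers_by_domain, executive_computers, windows2000_forest_level):
    """Return {group name: [computer names]} for every domain.

    Executives' computers go to a group that receives the unrestricted policy, all
    other computers to a group that receives the restricted policy. At Windows 2000
    forest functional level each group is capped at 5,000 members and numbered.
    """
    limit = WINDOWS_2000_GROUP_LIMIT if windows2000_forest_level else None
    executives = {c.lower() for c in executive_computers}
    plan = {}
    for domain, computers in computers_by_domain.items():
        unrestricted = sorted(c for c in computers if c.lower() in executives)
        restricted = sorted(c for c in computers if c.lower() not in executives)
        for base, members in (("FCS-Policy-Unrestricted", unrestricted),
                              ("FCS-Policy-Restricted", restricted)):
            chunks = _split(members, limit)
            for index, chunk in enumerate(chunks, start=1):
                # Only numbered when the domain needed more than one group for this policy.
                suffix = f"-{index:02d}" if len(chunks) > 1 else ""
                plan[f"{base}-{domain}{suffix}"] = chunk
    return plan


def build_example():
    """Constructed input: one domain with 12,000 computers, two of them executives'."""
    computers = [f"PC-{n:05d}" for n in range(1, 12001)]
    return {"corp": computers}, ["PC-00001", "pc-00002"]


if __name__ == "__main__":
    by_domain, execs = build_example()
    for level in (True, False):
        plan = plan_policy_groups(by_domain, execs, windows2000_forest_level=level)
        print("Windows 2000 level" if level else "2003 interim or higher:",
              {name: len(members) for name, members in plan.items()})
```

With 11,998 non-executive computers in one domain, the Windows 2000 plan needs three restricted groups (5,000, 5,000 and 1,998 members) plus one unrestricted group; at Windows Server 2003 interim functional level or higher the same input yields a single restricted group. Each restricted group is then a target for the restrictive policy, and the unrestricted group for the executives' policy.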

For more information about planning Client Security policies, see Planning integration into your Active Directory environment (https://go.microsoft.com/fwlink/?LinkId=104234) in the Client Security Planning and architecture guide. For more information about using Client Security policies, see Working with policies (https://go.microsoft.com/fwlink/?LinkID=88415) in the Client Security Administration guide.

Working with alerts in Enterprise Manager

Alerts that are forwarded from down-level Client Security deployments appear in the Enterprise Manager dashboard. Working with alerts in the Enterprise Manager dashboard is functionally the same as working with alerts in stand-alone Client Security deployments.

For more information about managing alerts in Client Security, see Working with alerts (https://go.microsoft.com/fwlink/?LinkID=86813) in the Client Security Administration guide.

Scanning for malware in an Enterprise Manager environment

Scanning all computers or scanning one computer

Scanning your enterprise for malware in an Enterprise Manager environment is functionally the same as without Enterprise Manager. The primary difference is that, when you click the Scan Now button in the Client Security dashboard on the Enterprise Manager server, the scan is passed to the down-level servers to be run on the target managed computers.

When you click Scan Now, you can choose to scan either all client computers (Scan all managed computers) or a single computer (Scan a specific computer). This scan task is created in the Enterprise Manager collection database and sent to the down-level servers through the MOM agent installed on each down-level collection server. Each down-level collection server then does one of the following two things:

  • If the scan task is targeted at a single computer, the down-level servers query the collection database for a matching managed computer. If there is no match in a particular collection database, the task is ignored; if a match is found, the task is sent to the managed computer through the MOM agent installed on the managed computer.

  • If the scan task is targeted to all managed computers, the down-level servers create MOM tasks for each managed computer in their databases and send the task through the installed MOM agents.

Malware detected by scans on managed computers can be viewed in the Enterprise Manager dashboard as alerts are forwarded up to the Enterprise Manager database.

Scanning only a single management group

To scan a single management group, you must initiate the scan from the down-level Client Security management server. By clicking Scan Now on the down-level Client Security console and selecting Scan all managed computers, you scan only the computers in that management group. Alerts generated by detected threats are still forwarded up to the Enterprise Manager server for aggregated reporting.
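The two dispatch paths above, Scan Now from the Enterprise Manager server (fan-out to every down-level server, which either matches a single computer in its own collection database or creates one task per managed computer) and Scan Now from a down-level console (only that management group), as an added example in Python. This is not Client Security code: the real task travels through the Enterprise Manager collection database and the MOM agents, which are not exposed here, so each down-level server is a plain object holding the computer names from its collection database and a list standing in for what its MOM agents were told to do. Server and computer names are constructed, and case-insensitive name matching is an assumption.

```python
"""Fan-out of a Scan Now task from Enterprise Manager to down-level servers.

Added example, not Client Security code. The Enterprise Manager collection
database and the MOM agents are replaced by plain lists; names are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ScanTask:
    task_id: int
    target: Optional[str]       # None means "Scan all managed computers"


@dataclass
class DownLevelServer:
    name: str
    managed_computers: list                          # names in this collection database
    dispatched: list = field(default_factory=list)   # (task_id, computer) sent to agents

    def handle(self, task: ScanTask) -> int:
        """Process a task forwarded from Enterprise Manager; return how many agents got it."""
        if task.target is None:
            for computer in self.managed_computers:  # one MOM task per managed computer
                self.dispatched.append((task.task_id, computer))
            return len(self.managed_computers)
        # Single-computer task: look for the name in this server's collection database.
        # Case-insensitive comparison is an assumption about how names are matched.
        match = next((c for c in self.managed_computers
                      if c.lower() == task.target.lower()), None)
        if match is None:
            return 0                                 # no match here: task ignored
        self.dispatched.append((task.task_id, match))
        return 1

    def scan_now_locally(self) -> int:
        """Scan Now clicked on this down-level console: only this management group."""
        task = ScanTask(task_id=0, target=None)      # local task, not recorded upstream
        return self.handle(task)


class EnterpriseManager:
    def __init__(self, down_level):
        self.down_level = list(down_level)
        self.tasks = []      # stands in for the Enterprise Manager collection database

    def scan_now(self, target: Optional[str] = None) -> dict:
        """Create the task once, forward it to every down-level server, report per-server counts."""
        task = ScanTask(task_id=len(self.tasks) + 1, target=target)
        self.tasks.append(task)
        return {server.name: server.handle(task) for server in self.down_level}


def build_environment():
    """Constructed environment: three down-level management groups."""
    return EnterpriseManager([
        DownLevelServer("FCS-EAST", ["PC-E01", "PC-E02", "PC-E03"]),
        DownLevelServer("FCS-WEST", ["PC-W01", "PC-W02"]),
        DownLevelServer("FCS-LAB", ["PC-L01"]),
    ])


if __name__ == "__main__":
    em = build_environment()
    print(em.scan_now("pc-w02"))       # only FCS-WEST dispatches
    print(em.scan_now("PC-X99"))       # no group has it: ignored everywhere
    print(em.scan_now())               # every group scans all its computers
```

A single-computer task still reaches every down-level server; the filtering happens at each server against its own collection database, so a name that exists in no management group is silently ignored everywhere and produces no agent activity. The local `scan_now_locally` path never touches the Enterprise Manager task list, which is why a scan started on a down-level console stays within that management group even though the resulting alerts are still forwarded upward.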

For more information about scanning managed computers, see Scanning managed computers now (https://go.microsoft.com/fwlink/?LinkId=104313) in the Client Security Administration Guide.