Security Component Monitoring

Updated: March 10, 2009

Applies To: Windows Essential Business Server

This section describes the monitoring of security components in Windows EBS. The monitoring data is collected from System Center Essentials, Active Directory Domain Services, log files, and performance counters, and then it is displayed on the Components page on the Security tab in the Administration Console.

The results pane on the Components page shows a summary of the status of the security components in Windows EBS. Click a security component to see the following additional information in the details pane: a description of the component, the number and type of recent alerts, and recent protection statistics. You can use the tasks on the Components page to resolve alerts and to manage the security components.

The following four components are monitored on the Components page: e-mail anti-malware, e-mail anti-spam, the network firewall, and Update Management.

Note
The Components page also displays add-in security components (published by Microsoft or non-Microsoft developers) that you have installed. For more information about an add-in security component, see the documentation for the add-in or contact the publisher.

E-mail anti-malware

The e-mail anti-malware security component monitors the status and settings for Forefront Security for Exchange Server on the Messaging Server. The status and data are derived from the Forefront Security for Exchange Server management pack in System Center Essentials.

For more information about the Forefront Security for Exchange Server management pack, see the “Forefront Server Security Management Pack User Guide” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=131260).

For more information about the configuration of Forefront Security for Exchange Server in Windows EBS, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=108919).

Alerts for e-mail anti-malware

The Status column indicates whether there are active critical alerts or warning alerts in the Alerts—Microsoft Forefront alert view in System Center Essentials.

Note
The Alerts—Microsoft Forefront view in System Center Essentials includes alerts that are in either the Alerts—Forefront for Exchange view or the Engine Update Failure view.

The Status is one of the following:

  • Alert.   One or more active critical or warning alerts.

  • Normal.   No active critical or warning alerts. There may be one or more information alerts.

The details pane provides a breakdown of the alerts by alert status, as follows:

  • Recent Alerts.   The count of active critical alerts, warning alerts, and information alerts that are in the Alerts—Forefront for Exchange alert view in System Center Essentials.

  • Update Status for Selected Engines.   The count of active critical alerts, warning alerts, and information alerts that are in the Engine Update Failure alert view in System Center Essentials.

Tasks to resolve alerts

You can use the following tasks for the e-mail anti-malware component on the Components page to investigate and resolve alerts.

  • View recent alerts.   Starts the System Center Essentials console to display active critical, warning, and information alerts from at least the last seven days for the component.

  • Start Forefront Server Security Administrator console.   Starts a RemoteApp connection to the Forefront Server Security Administrator console on the Messaging Server to manage e-mail anti-malware settings.

For more information about investigating and resolving alerts, see Investigate and Resolve Alerts in System Center Essentials, later in this document.

For more information about managing Forefront Security for Exchange Server, see Forefront Security for Exchange Server Help: On the Messaging Server, in the Forefront Server Security Administrator, press F1.

Statistics for e-mail anti-malware

The following table lists activity by Forefront Security for Exchange Server during the period from 2:00 A.M. on the previous day to 2:00 A.M. on the present day.

For more information about the performance views in the Forefront Security for Exchange Server management pack that are used to generate this data, see the “Views reference” for the Microsoft Forefront Server Security Management Pack at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=131261).

  • Infected messages purged.   Count of the e-mail messages that were purged by the Transport Scan Job and the Realtime Scan Job.

  • Message infections detected.   Count of the e-mail messages that were tagged by the Transport Scan Job and the Realtime Scan Job.

  • Message scans performed.   Count of the e-mail messages that were scanned by the Transport Scan Job and the Realtime Scan Job.

  • Attachments cleaned.   Count of the attachments that were cleaned by the Transport Scan Job and the Realtime Scan Job.

  • Attachments removed.   Count of the attachments that were removed by the Transport Scan Job and the Realtime Scan Job.

E-mail anti-spam

The e-mail anti-spam security component monitors the status and settings for spam filtering in the Exchange Server Edge Transport role on the Security Server.

The status and data are derived from the Exchange Server management pack in System Center Essentials.

The details pane on the Components page shows recent alerts, anti-spam protection statistics, and e-mail spam confidence level (SCL) settings that are configured for the Content Filter in Exchange Server.

For more information about the Exchange Server management pack, see the “Exchange Server 2007 Management Pack Guide” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=131262).

For more information about how to configure spam filtering in Exchange Server in Windows EBS, see “E-mail Anti-spam Configuration” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=108918).

Alerts for e-mail anti-spam

The Status column indicates whether there are active critical alerts or warning alerts in the Alerts view for Exchange Edge Transport in System Center Essentials. This alert view is generated by the Exchange Server management pack.

The Status is one of the following:

  • Alert.   One or more active critical or warning alerts.

  • Normal.   No active critical or warning alerts. There may be one or more information alerts.

The details pane provides counts of active critical alerts, warning alerts, and information alerts that are in the Exchange Edge Transport Alerts view in System Center Essentials.

Tasks to resolve alerts

You can use the following tasks for the e-mail anti-spam component on the Components page to investigate and resolve alerts.

  • View recent alerts.   Starts the System Center Essentials console to display active critical, warning, and information alerts from at least the last seven days for the component.

  • Start Exchange Management Console.   Starts a RemoteApp connection to the Exchange Management Console on the Security Server to manage e-mail anti-spam settings.

For more information about investigating and resolving alerts, see Investigate and Resolve Alerts in System Center Essentials, later in this document.

For more information about content filtering in Exchange Server, see Exchange Server Help: On the Security Server, in the Exchange Management Console, press F1.

Statistics for e-mail anti-spam

The following table lists anti-spam statistics that are collected by the performance data collection engine in the Exchange Server management pack during the period from 2:00 A.M. on the previous day to 2:00 A.M. on the present day.

  • Junk e-mail messages detected and purged.   Count of the e-mail messages that are deleted by the Exchange Server Content Filter agent.

  • Junk e-mail messages rejected.   Count of the e-mail messages that are rejected by the Exchange Server Content Filter agent.

  • Junk e-mail messages quarantined.   Count of the e-mail messages that are quarantined by the Exchange Server Content Filter agent.

  • E-mail messages scanned.   Count of the e-mail messages that are scanned by the Exchange Server Content Filter agent.
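The following script is an added example and is not part of the Windows EBS documentation or of Exchange Server. It computes the four anti-spam statistics above for the same 2:00 A.M. to 2:00 A.M. window directly on the Security Server, from the Edge Transport agent log, and shows the Content Filter SCL thresholds beside them, because a low rejection count means something different when the filter is disabled or its thresholds are misordered. It assumes the Exchange Management Shell on the Exchange Server 2007 Edge Transport role. The agent log action names (RejectMessage, DeleteMessage, QuarantineMessage) and the performance counter "MSExchange Content Filter Agent\Messages Scanned" are this example's assumptions; confirm them against Get-AgentLog output and Performance Monitor on your server.

```powershell
# Added example, not from the Windows EBS documentation or from Exchange Server.
# Assumptions: Exchange Management Shell on the Edge Transport role; the agent
# log action names and the counter path below are assumed, verify them locally.

function Get-ReportingWindow {
    # 02:00 yesterday to 02:00 today, local time. Before 02:00 the present
    # day's boundary has not been reached yet, so the window slides back a day.
    param([datetime]$Now = (Get-Date))
    $end = $Now.Date.AddHours(2)
    if ($Now -lt $end) { $end = $end.AddDays(-1) }
    New-Object PSObject -Property @{ Start = $end.AddDays(-1); End = $end }
}

function Test-SclThresholdOrder {
    # Exchange documents the required ordering delete > reject > quarantine
    # for the actions that are enabled; anything else is flagged for review.
    param($Cfg)
    $enabled = @()
    if ($Cfg.SCLDeleteEnabled)     { $enabled += $Cfg.SCLDeleteThreshold }
    if ($Cfg.SCLRejectEnabled)     { $enabled += $Cfg.SCLRejectThreshold }
    if ($Cfg.SCLQuarantineEnabled) { $enabled += $Cfg.SCLQuarantineThreshold }
    for ($i = 1; $i -lt $enabled.Count; $i++) {
        if ($enabled[$i] -ge $enabled[$i - 1]) { return $false }
    }
    return $true
}

function Get-ContentFilterStatistics {
    param([datetime]$Now = (Get-Date))
    $w = Get-ReportingWindow -Now $Now

    # The agent log records only messages an agent acted on, so the scanned
    # total cannot come from it; that is read from the cumulative performance
    # counter instead (cumulative since the transport service last started).
    $counts = @{ Rejected = 0; Deleted = 0; Quarantined = 0; Other = 0 }
    Get-AgentLog -StartDate $w.Start -EndDate $w.End |
        Where-Object { $_.Agent -eq "Content Filter Agent" } |
        ForEach-Object {
            switch ($_.Action) {                       # assumed action names
                "RejectMessage"     { $counts.Rejected++ }
                "DeleteMessage"     { $counts.Deleted++ }
                "QuarantineMessage" { $counts.Quarantined++ }
                default             { $counts.Other++ }
            }
        }

    # Assumed counter path; check Performance Monitor for the exact names.
    $pc = New-Object System.Diagnostics.PerformanceCounter(
              "MSExchange Content Filter Agent", "Messages Scanned")
    $scanned = $pc.RawValue

    $cfg = Get-ContentFilterConfig
    New-Object PSObject -Property @{
        WindowStart               = $w.Start
        WindowEnd                 = $w.End
        JunkDetectedAndPurged     = $counts.Deleted
        JunkRejected              = $counts.Rejected
        JunkQuarantined           = $counts.Quarantined
        OtherContentFilterActions = $counts.Other
        ScannedSinceServiceStart  = $scanned
        ContentFilterEnabled      = $cfg.Enabled
        SclDelete     = "$($cfg.SCLDeleteThreshold) (enabled: $($cfg.SCLDeleteEnabled))"
        SclReject     = "$($cfg.SCLRejectThreshold) (enabled: $($cfg.SCLRejectEnabled))"
        SclQuarantine = "$($cfg.SCLQuarantineThreshold) (enabled: $($cfg.SCLQuarantineEnabled))"
        SclThresholdOrderOk       = Test-SclThresholdOrder -Cfg $cfg
        QuarantineMailbox         = $cfg.QuarantineMailbox
    }
}

Get-ContentFilterStatistics | Format-List
```

The agent log and the performance counter deliberately measure different things: the three action counts are bounded to the reporting window, while the scanned figure is cumulative since the transport service started, so compare it only with a baseline taken at the previous 2:00 A.M. boundary.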

Network firewall

The network firewall security component monitors the status and settings for Forefront TMG on the Security Server.

The status and data are derived from the Forefront TMG management pack in System Center Essentials and from log files in Forefront TMG.

For more information about the configuration of Forefront TMG in Windows EBS, see “Network Firewall Configuration” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=108921).

Alerts for the network firewall

The Status column indicates whether there are active critical alerts or warning alerts in the Active Alerts view for Forefront TMG in System Center Essentials. This alert view is generated by the Forefront TMG management pack.

The Status is one of the following:

  • Alert.   One or more active critical or warning alerts.

  • Normal.   No active critical or warning alerts. There may be one or more information alerts.

The details pane provides counts of active critical alerts, warning alerts, and information alerts that are in the Active Alerts view for Forefront TMG in System Center Essentials.

Tasks to resolve alerts

You can use the following tasks for the network firewall component on the Components page to investigate and resolve alerts.

  • View recent alerts.   Starts the System Center Essentials console to display active critical, warning, and information alerts from at least the last seven days for the component.

  • View weekly report.   Generates and displays a weekly report of network firewall activity in Forefront TMG.

  • Start Forefront Threat Management Gateway Console.   Starts a RemoteApp connection to the Forefront TMG console on the Security Server to manage network firewall settings.

For more information about investigating and resolving alerts, see Investigate and Resolve Alerts in System Center Essentials, later in this document.

For more information about managing Forefront TMG, see Forefront TMG Help: On the Security Server, in the Forefront TMG console, press F1.

Statistics for the network firewall

The following table lists the summary firewall statistics that are retrieved from Forefront TMG logs for the period from 2:00 A.M. on the previous day to 2:00 A.M. on the present day.

Note
The details pane also provides summary counts of the firewall policy rules and the Web filtering rules that are enabled in Forefront TMG.

  • All firewall traffic.   Bytes of Web and non-Web traffic that were sent through Forefront TMG.

  • Web traffic.   Bytes of Web traffic that were sent through Forefront TMG.

  • Web requests.   Count of the Web requests that were sent through Forefront TMG.

  • Web requests served from cache.   Count of the Web requests that were served from the Web proxy cache by Forefront TMG.

  • Allowed connections.   Count of the connections that were allowed by Forefront TMG.

  • Denied connections.   Count of the connections that were denied by Forefront TMG.

For more information about the logs for firewall and Web proxy activity, see Forefront TMG Help: On the Security Server, in the Forefront TMG console, press F1.
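The following script is an added example, not part of the Windows EBS documentation or of Forefront TMG. It derives the byte totals and the allowed/denied connection counts above from W3C-format TMG log files for the same 2:00 A.M. to 2:00 A.M. window. The parser is driven by the "#Fields:" header line, so it does not depend on column order and refuses lines whose column count does not match the header rather than guessing. It assumes TMG is writing W3C text logs (a SQL Express log database is not read here). The column names in $FieldMap (date, time, service, action, bytes-sent, bytes-received), the service name "w3proxy" for Web proxy rows, and the action values "Allowed" and "Denied" are this example's assumptions; copy the real names from your own log header. The sample log lines are constructed for the example and are not real TMG output; cache hits are not derived here.

```powershell
# Added example, not from the Windows EBS documentation or from Forefront TMG.
# Assumptions: W3C text logs; the field names, service name and action values
# in $FieldMap/$WebService/$Actions are guesses, take the real ones from the
# "#Fields:" line of your log. $SampleLog is constructed, not real TMG output.

$FieldMap = @{
    Date = "date"; Time = "time"; Service = "service"; Action = "action"
    BytesSent = "bytes-sent"; BytesReceived = "bytes-received"
}
$WebService = "w3proxy"                       # assumed Web proxy service name
$Actions    = @{ Allowed = "Allowed"; Denied = "Denied" }   # assumed values

function ConvertFrom-W3CLog {
    # Turns W3C extended log lines into objects whose property names are the
    # names from the #Fields: directive. Other directive lines are skipped.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        if (-not $fields) { throw "Data line appears before a #Fields: header" }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }  # malformed: skip, never guess
        $obj = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $obj
    }
}

function Get-ReportingWindow {
    # 02:00 yesterday to 02:00 today; before 02:00 the window slides back a day.
    param([datetime]$Now = (Get-Date))
    $end = $Now.Date.AddHours(2)
    if ($Now -lt $end) { $end = $end.AddDays(-1) }
    New-Object PSObject -Property @{ Start = $end.AddDays(-1); End = $end }
}

function ConvertTo-Long {
    # W3C logs write "-" for an absent value; treat anything non-numeric as 0.
    param([string]$Text)
    $n = 0L
    if ([long]::TryParse($Text, [ref]$n)) { return $n }
    return 0L
}

function Get-FirewallSummary {
    param([string[]]$Lines, [datetime]$Now = (Get-Date))
    $w = Get-ReportingWindow -Now $Now
    $s = @{ AllFirewallTrafficBytes = 0L; WebTrafficBytes = 0L; WebRequests = 0
            AllowedConnections = 0; DeniedConnections = 0; OutsideWindow = 0 }
    foreach ($row in ConvertFrom-W3CLog -Lines $Lines) {
        # Timestamps are taken as written; W3C logs are commonly UTC, so the
        # window boundaries should be expressed in the same zone.
        $stamp = [datetime]::ParseExact("$($row.($FieldMap.Date)) $($row.($FieldMap.Time))",
                                        "yyyy-MM-dd HH:mm:ss", $null)
        if ($stamp -lt $w.Start -or $stamp -ge $w.End) { $s.OutsideWindow++; continue }
        $bytes = (ConvertTo-Long $row.($FieldMap.BytesSent)) +
                 (ConvertTo-Long $row.($FieldMap.BytesReceived))
        $s.AllFirewallTrafficBytes += $bytes
        if ($row.($FieldMap.Service) -eq $WebService) {
            $s.WebTrafficBytes += $bytes
            $s.WebRequests++
        }
        switch ($row.($FieldMap.Action)) {
            $Actions.Allowed { $s.AllowedConnections++ }
            $Actions.Denied  { $s.DeniedConnections++ }
        }
    }
    New-Object PSObject -Property $s
}

# Constructed sample, not real TMG output: one row falls after the window.
$SampleLog = @'
#Software: constructed sample for this example
#Fields: date time service action bytes-sent bytes-received
2009-03-09 03:10:05 w3proxy Allowed 512 20480
2009-03-09 03:11:40 fwsrv Allowed 1024 4096
2009-03-09 03:12:02 fwsrv Denied 0 -
2009-03-10 01:59:59 w3proxy Allowed 300 1500
2009-03-10 02:00:01 w3proxy Allowed 300 1500
'@ -split "`r?`n"

Get-FirewallSummary -Lines $SampleLog -Now (Get-Date "2009-03-10 09:00") | Format-List
```

To run it against real logs, replace $SampleLog with `Get-Content` of the firewall and Web proxy log files for both days that the window spans, and check the first "#Fields:" line of each file against $FieldMap before trusting the totals.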

Update Management

The Update Management component monitors the status and settings for Windows Server Update Services in System Center Essentials. Windows Server Update Services in System Center Essentials helps you deploy updates that are released through Microsoft Update to the managed computers in your network.

For information about the recommended Update Management settings in Windows EBS, see “Update Management Configuration” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=108922).

Alerts for Update Management

The Status column indicates whether software updates from Microsoft Update are up-to-date on the computers in your network.

Note
The status of the Update Management component is refreshed daily. However, the component monitors synchronizations and updates that occurred during the preceding seven days. It may not reflect the status of updates on computers and devices that recently joined the domain.

The Status is one of the following:

  • Alert.   One or more computers are not up-to-date, or the Update Management component is not configured with the recommended settings for Windows EBS.

  • Normal.   All computers in your network are up-to-date.

For a status of Alert, one of the following issues or deviations from the recommended settings in Windows EBS appears in Update Management Status, in the details pane:

  • You must approve updates before they can be installed.   There are updates that require approval. This status occurs when Windows Server Update Services is configured to synchronize updates that are not approved automatically.

  • Update classifications do not include all recommended classifications for Windows Essential Business Server.   Windows Server Update Services is not configured to synchronize one or more of the following update classifications: critical updates, definition updates, security updates, or service pack updates.

  • One or more updates failed to install on some computers.   A computer that is listed on the Managed Computers and Devices page has an update with a status of Failed to install, or Windows Server Update Services did not download some updates from Microsoft Update.

  • One or more update languages are not being downloaded.   A computer in the Windows EBS network uses a language that Windows Server Update Services is not configured to synchronize.

  • Update Management has not synchronized in at least 7 days.   The last synchronization with Microsoft Update took place more than seven days ago.

    The details pane shows more information about the last synchronization with Microsoft Update.

  • One or more computers have not contacted Update Management in at least 7 days.   One or more computers last reported their status to Windows Server Update Services more than seven days ago. A computer that has stopped reporting may be missing updates without that being reflected in its last known status.

  • Unable to determine the status of Update Management.   The status of Windows Server Update Services cannot be determined.
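The following script is an added example, not part of the Windows EBS documentation or of System Center Essentials. It reproduces the Update Management checks listed above against the WSUS instance that System Center Essentials uses, through the WSUS 3.0 administration API, so that an Alert can be traced to its cause without opening the console. It assumes it runs on the Management Server with the WSUS 3.0 SP1 administration assembly installed, that the caller is a WSUS administrator, and PowerShell 2.0 or later. The seven-day threshold and the four classification titles come from the page; the function name, output property names and message wording are the example's own. The API does not expose client locales, so the language check only reports what WSUS downloads for comparison.

```powershell
# Added example, not from the Windows EBS documentation or from System Center
# Essentials. Assumptions: WSUS 3.0 SP1 administration assembly present,
# caller is a WSUS administrator, PowerShell 2.0 (try/catch, -join).

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$StaleDays = 7
$RecommendedClassifications = @("Critical Updates", "Definition Updates",
                                "Security Updates", "Service Packs")

function Get-UpdateManagementStatus {
    $issues = @()
    $syncInfo = $null
    try {
        # Local server on the default port; for a remote server use
        # GetUpdateServer($name, $useSsl, $port).
        $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
        $sub  = $wsus.GetSubscription()
        $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)   # WSUS times are UTC

        # Updates synchronized but not approved for any group (and not declined).
        $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
        $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
        $pending = @($wsus.GetUpdates($scope) | Where-Object { -not $_.IsDeclined })
        if ($pending.Count -gt 0) {
            $issues += "You must approve updates before they can be installed ($($pending.Count) waiting)."
        }

        # Classifications the page says WSUS must synchronize.
        $enabled = @($sub.GetUpdateClassifications() | ForEach-Object { $_.Title })
        $missing = @($RecommendedClassifications | Where-Object { $enabled -notcontains $_ })
        if ($missing.Count -gt 0) {
            $issues += "Update classifications do not include: $($missing -join ', ')."
        }

        # Per-computer installation failures, plus approved updates whose files
        # WSUS has not finished downloading from Microsoft Update.
        $targets  = @($wsus.GetComputerTargets())
        $failedOn = @($targets | Where-Object { $_.GetUpdateInstallationSummary().FailedCount -gt 0 } |
                      ForEach-Object { $_.FullDomainName })
        $needFiles = $wsus.GetStatus().UpdatesNeedingFilesCount
        if ($failedOn.Count -gt 0 -or $needFiles -gt 0) {
            $issues += "One or more updates failed to install on some computers " +
                       "(failures on: $($failedOn -join ', '); updates still downloading: $needFiles)."
        }

        # Languages WSUS downloads; compare by hand with the clients' locales.
        $cfg = $wsus.GetConfiguration()
        if (-not $cfg.AllUpdateLanguagesEnabled) {
            $langs = @($cfg.GetEnabledUpdateLanguages()) -join ', '
            $issues += "Only these update languages are downloaded: $langs (check against client locales)."
        }

        # Age and result of the last synchronization with Microsoft Update.
        $last = $sub.GetLastSynchronizationInfo()
        if ($last -eq $null -or $last.StartTime -lt $cutoff) {
            $issues += "Update Management has not synchronized in at least $StaleDays days."
        }
        elseif ($last.Result -ne [Microsoft.UpdateServices.Administration.SynchronizationResult]::Succeeded) {
            $issues += "Last synchronization did not succeed: $($last.Result) $($last.ErrorText)"
        }

        # Clients that stopped reporting: an unpatched machine looks exactly like this.
        $silent = @($targets | Where-Object { $_.LastReportedStatusTime -lt $cutoff } |
                    ForEach-Object { $_.FullDomainName })
        if ($silent.Count -gt 0) {
            $issues += "One or more computers have not contacted Update Management in at least " +
                       "$StaleDays days: $($silent -join ', ')."
        }

        if ($last -ne $null) {
            $syncInfo = New-Object PSObject -Property @{
                SynchronizationTime       = $last.StartTime
                LastSynchronizationStatus = $last.Result
                LastSynchronizationError  = $last.ErrorText
                NextSynchronization       = $sub.GetNextSynchronizationTime()
            }
        }
    }
    catch {
        # The page's last case: the status cannot be determined at all.
        $issues += "Unable to determine the status of Update Management: $($_.Exception.Message)"
    }

    $status = "Normal"
    if ($issues.Count -gt 0) { $status = "Alert" }
    New-Object PSObject -Property @{ Status = $status; Issues = $issues; Synchronization = $syncInfo }
}

Get-UpdateManagementStatus | Format-List
```

Each message in Issues corresponds to one of the Update Management Status entries above, so the output can be compared line by line with the details pane; the Synchronization object carries the same four fields as the synchronization status table later in this section.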

Tasks to resolve alerts

You can use the following tasks for Update Management on the Components page to investigate and resolve alerts.

  • Approve updates.   Opens the Approve Updates dialog box to approve all critical and security updates for deployment to managed computers.

  • Apply Recommended Update Management settings.   Opens the Apply Recommended Update Management Settings dialog box to confirm that you want to apply the recommended Windows EBS settings. The recommended settings configure Update Management to automatically download updates to the Windows operating system and to other Microsoft products, and then to apply those updates to computers in the Active Directory domain by using Windows Server Update Services.

  • Manage updates.   Starts the System Center Essentials console in the Unapproved Updates view.

  • Configure update-management settings.   Starts the Update Management Configuration Wizard in System Center Essentials.

  • View updates status summary.   Starts the System Center Essentials console in the Updates Overview pane to display a summary of updates on managed computers.
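The following script is an added example, not part of the Windows EBS documentation or of System Center Essentials. It expresses two of the tasks above as WSUS 3.0 administration API calls so they can be reviewed before they run: approving all unapproved critical and security updates for a target group (the Approve updates task), and enabling the four recommended update classifications plus automatic synchronization (the classification part of Apply Recommended Update Management settings). It assumes it runs on the Management Server with the WSUS 3.0 SP1 administration assembly, a WSUS administrator account, and PowerShell 2.0. The default target group "All Computers" follows the task description on the page; the -WhatIf switch, the decision to skip superseded updates, and the function names are this example's choices.

```powershell
# Added example, not from the Windows EBS documentation or from System Center
# Essentials. Assumptions: WSUS 3.0 SP1 administration assembly present,
# caller is a WSUS administrator, PowerShell 2.0.

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

function Approve-CriticalAndSecurityUpdates {
    # Approves every not-yet-approved, not-declined, not-superseded update in
    # the Critical Updates or Security Updates classification for $TargetGroupName.
    # With -WhatIf the titles are listed and nothing is changed.
    param([string]$TargetGroupName = "All Computers", [switch]$WhatIf)
    $wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
    if (-not $group) { throw "Target group '$TargetGroupName' was not found." }

    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    $wanted  = @("Critical Updates", "Security Updates")
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
    $done = @()
    foreach ($u in $wsus.GetUpdates($scope)) {
        if ($u.IsDeclined -or $u.IsSuperseded) { continue }     # superseded: example's choice
        if ($wanted -notcontains $u.UpdateClassificationTitle) { continue }
        if ($WhatIf) { Write-Host "Would approve: $($u.Title)"; continue }
        # An update with a license agreement cannot be approved until it is accepted.
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        [void]$u.Approve($install, $group)
        $done += $u.Title
    }
    return $done
}

function Set-RecommendedClassifications {
    # Adds the four classifications Windows EBS recommends to whatever the
    # subscription already synchronizes, turns automatic synchronization on,
    # saves, and starts a synchronization so the change takes effect now.
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $sub  = $wsus.GetSubscription()
    $recommended = @("Critical Updates", "Definition Updates", "Security Updates", "Service Packs")

    $coll = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    $titles = @()
    foreach ($c in $sub.GetUpdateClassifications()) {        # keep existing choices
        [void]$coll.Add($c); $titles += $c.Title
    }
    foreach ($c in $wsus.GetUpdateClassifications()) {       # add the recommended ones
        if ($recommended -contains $c.Title -and $titles -notcontains $c.Title) {
            [void]$coll.Add($c); $titles += $c.Title
        }
    }
    $sub.SetUpdateClassifications($coll)
    $sub.SynchronizeAutomatically = $true
    $sub.Save()
    $sub.StartSynchronization()
    return $titles
}

# Dry run first, then apply.
Approve-CriticalAndSecurityUpdates -WhatIf
# Approve-CriticalAndSecurityUpdates
# Set-RecommendedClassifications
```

Approving directly to "All Computers" deploys to every managed computer at once; for anything beyond a small network, approve to a pilot group first and widen the approval after the pilot reports success.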

For more information about update management in System Center Essentials, see System Center Essentials Help: On the Management Server, in the System Center Essentials console, press F1.

For information about managing Windows Server Update Services, see the “Microsoft Windows Server Update Services 3.0 SP1 Operations Guide” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=131263).

Synchronization status

The following table lists the synchronization status information that is shown in the details pane for Update Management on the Components page. Synchronization is the process that Windows Server Update Services uses to download updates from Microsoft Update to System Center Essentials. The synchronization status information is refreshed after each attempt to synchronize with Microsoft Update.

  • Synchronization time.   If synchronization is configured, this is the date and time of the last attempted synchronization.

  • Last synchronization status.   The status of the last attempted synchronization that was performed by Windows Server Update Services.

  • Last synchronization error.   If the last synchronization did not succeed, the text of the error message from Windows Server Update Services.

  • Next synchronization.   The date and time of the next synchronization.
