Microsoft IT Uses Microsoft System Center 2012 Endpoint Protection for Unified Security and Management
Technical Case Study
Published: May 2012
The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.
Learn how Microsoft IT implemented System Center 2012 Endpoint Protection to deliver a unified, integrated platform that supports multiple departments and roles, streamlines IT client management, and improves visibility into the security and compliance of the company's managed clients.
Technical Case Study, 1.49 MB, Microsoft Word file
Products & Technologies
Protecting the company's 280,000 managed client systems from malware threats is a priority for Microsoft IT and for the Microsoft Information Security & Risk Management Operations (ISRM) departments. Because role-based access was not available in the existing solution, ISRM had to rely on Microsoft IT—adding administrative overhead to both departments. Microsoft IT wanted to build a new unified endpoint protection environment that both departments could access, that could automate antimalware definition deployments, and that offers robust monitoring and reporting.
Microsoft IT used System Center 2012 Endpoint Protection as the foundation of their new unified endpoint protection environment.
Regardless of size, every business needs to protect its computers from the continuous threat of malware such as software viruses, Trojans, and spyware. However, the complexity of enterprise-scale corporations where multiple departments manage different aspects of hundreds of thousands of machines can make managing client security especially challenging.
At Microsoft, the Microsoft Information Technology (Microsoft IT) department is tasked with overall management of the approximately 280,000 managed client computers that connect to the corporate network worldwide. A separate department known as Information Security & Risk Management Operations (ISRM) is responsible for antimalware policies and requirements, compliance scanning and reporting, and evaluation and resolution of malware attacks.
Since its release in 2010, Microsoft IT had been using Microsoft Forefront® Endpoint Protection 2010 (Forefront Endpoint Protection) to protect the company's managed client computers. Microsoft IT administered the Forefront Endpoint Protection environment through the Microsoft System Center Configuration Manager 2007 administration console. But because Configuration Manager 2007 does not allow specific role-based access to the Forefront Endpoint Protection-related tasks within the console, ISRM was unable to obtain access that would be limited to the endpoint protection objects. Instead, ISRM had to depend on Microsoft IT for virtually all aspects of the company's endpoint protection management, including publishing new antimalware policies or changes to existing policies, configuring email alerts for malware detection, or even triggering remediation actions when needed. ISRM's reliance on Microsoft IT to administer Forefront Endpoint Protection resulted in an operational challenge for both departments.
In order to improve how the company managed endpoint protection, Microsoft IT wanted to enhance its client endpoint protection environment in a manner that could support both departments, unifying their respective client management and security tasks into a single, integrated solution that would provide access to different administrative features based on a person's role. The new environment would reduce administrative load by simplifying the administrative interface and providing key features such as automated antimalware definition deployment and in-console reporting.
As the company's first and best customer, Microsoft IT regularly adopts early releases of Microsoft technologies, tests them in a real-world environment, and provides critical feedback to improve products before they are generally available to the public. When the System Center product team began developing the next generation of Endpoint Protection, Microsoft IT worked closely with the team to meet the IT goals.
Why System Center 2012 Endpoint Protection?
Built on System Center 2012 Configuration Manager, System Center 2012 Endpoint Protection (Endpoint Protection) supports both client management and security within a single environment. Moreover, Endpoint Protection's support for role-based administration (RBA) enables the Microsoft IT and ISRM departments to access the Configuration Manager administration console while restricting access to the particular features and tasks that are appropriate to their roles.
The new System Center 2012 Configuration Manager-based environment provided additional opportunities to reduce administrative overhead. For example, Microsoft IT planned to use the Configuration Manager Software Update automatic deployment rule (ADR) to automate antimalware definition updates to Endpoint Protection clients—a manual process in the legacy environment that would require 3 to 4 hours of administration time using the Configuration Manager 2007 Software Updates Management feature.
Finally, Microsoft IT also saw System Center 2012 Endpoint Protection as a means to reduce network loads, consolidate servers, and streamline the company's infrastructure. These changes to the endpoint protection infrastructure are described in the following section.
Note: A separate Microsoft IT Showcase paper that discusses Microsoft IT's overall implementation strategy for System Center 2012 Configuration Manager is available at http://technet.microsoft.com/library/hh913620.aspx.
This section describes the various activities involved in Microsoft IT's implementation of their new System Center 2012 Endpoint Protection-based endpoint protection environment.
The Legacy Forefront Endpoint Protection Infrastructure
As illustrated in Figure 1, Microsoft IT's legacy Forefront Endpoint Protection environment included a central site that contained a central site server, a data warehouse server, a Microsoft SQL Server®, and a software update point (SUP) server that supported the central site. Each primary site contained a set of System Center Configuration Manager 2007 servers and SUPs running Microsoft Windows Server® Update Services (WSUS) that stored the antimalware definitions.
In the Forefront Endpoint Protection environment, the local distribution points did not store antimalware definitions. Instead, Forefront Endpoint Protection clients would download and install definition updates from a primary site's SUP server over the WAN.
Figure 1. Microsoft IT's legacy Forefront Endpoint Protection 2010–based infrastructure where clients had to request and download updates from a primary site over the WAN.
The New System Center 2012 Endpoint Protection Infrastructure
Microsoft IT's new System Center 2012 Endpoint Protection-based environment is tied to a broader initiative where Microsoft IT used System Center 2012 Configuration Manager as the basis of the company's new client management solution.
This new System Center 2012 Configuration Manager-based infrastructure enabled Microsoft IT to phase out the central site's data warehouse because the new Endpoint Protection environment no longer requires a data warehouse server by default. Furthermore, due to architectural changes in how the new environment manages data replication, Microsoft IT was able to consolidate what used to be a separate central site server and SQL Server into a single physical server that supports the new Central Administration Site (CAS) server and its associated SQL Server.
Microsoft IT also designed the new environment to improve how clients receive their antimalware definition updates. System Center 2012 Configuration Manager automates deployment rules run on the CAS site, identifies new updates, packages them, and replicates them to all distribution points in the hierarchy. During the next policy evaluation, the Configuration Manager client pulls the definition updates from a local distribution point with minimal network impact. The client then installs the update using Configuration Manager Software Updates Management feature.
Figure 2 provides a simplified diagram of the new System Center 2012 Endpoint Protection-based environment, showing how managed clients can now download the latest antimalware definition updates from a local distribution point.
Figure 2. Microsoft IT's new infrastructure based on System Center 2012 Endpoint Protection, where clients can download updates from a local distribution point with minimal network impact.
Reviewing the Potential Impact of Migrating Clients from Forefront Endpoint Protection 2010 to System Center 2012 Endpoint Protection
Microsoft IT reviewed the potential impact of migrating 280,000 client systems that were installed with the old Forefront Endpoint Protection 2010 clients to System Center 2012 Endpoint Protection. Distributing the new client to too many systems at one time would generate a flood of network traffic and degrade performance. In addition, the migration process needed to have minimal impact on other security teams' operations, such as monitoring and reporting of security-related issues.
Microsoft IT also needed to ensure that the deployment process would not block any high-priority services. Regular network bandwidth or hierarchy-impacting processes, such as monthly security update deployments, or high-priority data such as urgent packages, might not be able to be distributed if the network were to slow down from too many clients migrating at once.
By reviewing existing network loads, Microsoft IT determined that approximately 5,000 clients per primary site could be batched into a single collection and migrated at one time without affecting systems management operations.
Deploying the Solution
As discussed in the previous section, the large number of clients required Microsoft IT to devise a phased approach to their Endpoint Protection migration. Each phase was comprised of a dynamic collection that targeted a set of approximately 5,000 clients per primary site to be sent the new Endpoint Protection client.
The sequence of events in Microsoft IT's Endpoint Protection deployment was as follows:
- Enable a new System Center 2012 Endpoint Protection site system role on the CAS server.
- Create custom client settings to define the installation policy for System Center 2012 Endpoint Protection client installation. In contrast to using the default setting that would push out the installation to all systems at once, this custom policy ensures that the new Endpoint Protection clients will be deployed in dynamic collections (as described in the following step).
- Create a dynamically populated collection that targets approximately 5,000 clients that will be migrated from Forefront Endpoint Protection to System Center 2012 Endpoint Protection at the same time.
- Import the existing Configuration Manager 2007 antimalware policy into the new Configuration Manager hierarchy.
- Assign the custom System Center 2012 Endpoint Protection client policy to the dynamic collection to specify the subset of clients that will be migrated from Forefront Endpoint Protection to System Center 2012 Endpoint Protection, and assign the antimalware policy that was imported in the previous step to the dynamic collection.
- Install the System Center 2012 Endpoint Protection client, and apply the antimalware policy to each client targeted in the collection.
- Install the initial antimalware definition after the System
Center 2012 Endpoint Protection upgrade.
Note: The Configuration Manager default method of delivering the initial antimalware definition is from a local distribution point. But due to the scale of the rollout, some clients could attempt to access the data before it had been copied to all distribution points. In this situation, Configuration Manager would automatically attempt a retry 30 minutes later, which would result in end users seeing an alert on their machines about their antimalware definition being out of date. In order to alleviate this problem and to reduce potential support calls, Microsoft IT decided to configure the Endpoint Protection installation policy to install initial definition updates from a SUP server, or secondarily through Microsoft Update.
- Monitor the environment with the dynamic collection of System Center 2012 Endpoint Protection clients for 1 to 2 weeks to confirm successful installation, application of policies, user experience, and antimalware definition deployment before the next dynamic collection reevaluation.
- When the current collection reaches approximately 90 percent
deployed, prepare for the next dynamic collection to continue
expanding the System Center 2012 Endpoint Protection rollout
throughout the company:
- In the first phase, focus on deploying to Redmond, reaching approximately 50,000 clients.
- In the second phase, include all 150,000 client systems in the company's Redmond, North America, and Latin America domains.
- n the third and final phase, complete the worldwide rollout to a total of 280,000 systems across 8 domains.
- Ongoing maintenance:
- Deploy Endpoint Protection definition updates to clients using the automated deployment rule, and based on antimalware policy settings.
- Customize Endpoint Protection exclusions as needed to support requests for temporary exclusions.
The results from Microsoft IT deploying the new System Center 2012 Endpoint Protection-based endpoint protection environment are as follows:
- As of May 2012, Microsoft IT has rolled out the System Center 2012 Endpoint Protection client to all 280,000 managed client computers worldwide. By deploying in batches and monitoring the clients, Microsoft IT was able to complete the rollout with no significant impact to the network or end users.
- Implementing System Center 2012 Endpoint Protection and migrating managed clients from Forefront Endpoint Protection to the new Endpoint Protection client in phases resulted in minimal end user or support impact. Microsoft IT and ISRM administrators carefully monitored the number of Endpoint Protection support calls during the deployment and confirmed that there was no uptick in the average call frequency.
- With the new environment, Microsoft IT has seen a significant improvement in the system's response time for detecting serious infections and alerting ISRM and Microsoft IT. What used to require approximately 15 minutes to send a state message from an infected client to the site server is now flagged as highest priority and sent to the site server within1 minute, where it is processed through the high-speed data channel. The information becomes available to administrators through alerts, email, and the Configuration Manager administration dashboard in less than 5 minutes from initial detection of an infection to raising alerts.
- As shown in Figure 3 below, ISRM can now manage antimalware
policy directly and perform any required remediation actions
from the Configuration Manager administration console without
relying on Microsoft IT.
Figure 3. A view of some of the Endpoint Protection operations ISRM can manage through the administration console, such as antimalware policies.
Monitoring and Reporting
In addition to the previous set of results, Microsoft IT and ISRM are using the Configuration Manager in-console monitoring and built-in SSRS reports to monitor the company's managed clients. Out-of-the-box reports are available for antimalware activity, computer malware details, infected computers, top users by type of threat, and threats identified by user.
Figure 4 displays the in-console monitoring that Microsoft IT and ISRM used to track Endpoint Protection client status. In this case, the details reflect a snapshot of Endpoint Protection client status information for one sample Microsoft region. It is not intended to be representative of common threats to the Microsoft environment.
Figure 4. Monitoring dashboard snapshot showing a sample of client status information for one Microsoft region.
Figure 5 displays a Dashboard report, which provides summary-level Endpoint Protection status information and historical information for trend analysis.
Figure 5. System Center 2012 Configuration Manager Dashboard report displaying Endpoint Protection information
Figure 6 displays part of an antimalware activity report, with at-a-glance summary information and links that an administrator can use to drill into more details or run related reports.
Figure 6. Antimalware activity report
When working with System Center 2012 Configuration Manager to implement the new Endpoint Protection, Microsoft IT followed these best practices:
- Have a shared WAN utilization goal between operations and security teams. Consider the potential infrastructure impact of bringing antimalware definition evaluation into System Center 2012 Endpoint Protection. Will it add significant network load? Microsoft IT assumed that the existing model developed for Forefront Endpoint Protection was optimal, but this assumption might not be valid for others.
- Consider the potential impact of migrating from other endpoint protection clients such as Forefront Endpoint Protection to System Center 2012 Endpoint Protection. As different endpoint protection clients are disabled in preparation for migrating to System Center 2012 Endpoint Protection, end users might experience a warning or alert that is not actionable, but that could still cause concern. Microsoft IT implemented a communication plan to notify employees in advance of the client migration process about what they could expect, and they worked with the company's Help Desk to resolve support calls quickly.
- Determine an optimal antimalware definition evaluation frequency. When onboarding System Center 2012 Endpoint Protection, review your existing antimalware definition evaluation frequency. Should it be more or less? Will increasing it cause a noticeable network load? If a client checks in every 24 hours, inventories every 3 days, and looks for updates three times each day, is that amount of activity optimal, desired, or excessive?
- Use RBA for security and scoping of roles to allow different types of administrators to access what they need. Microsoft IT used RBA to provide administrators in the ISRM department with access to the appropriate areas of the Configuration Manager administration console and to the System Center 2012 Endpoint Protection Dashboard without granting access to inappropriate areas of the management environment.
- Realize that not all types of third-party antimalware products will be uninstalled by System Center 2012 Endpoint Protection. For uninstalling the third-party antimalware software that cannot be tackled by System Center 2012 Endpoint Protection, Microsoft IT recommends that the Configuration Manager Software Distribution feature be used to uninstall third-party software and to install the Endpoint Protection client.
By updating their endpoint protection environment to run on System Center 2012 Endpoint Protection, Microsoft IT derived a number of benefits:
- More granular management of permissions. Using role-based administration (RBA), Microsoft IT has defined a role that allows ISRM personnel to access the Endpoint Protection-related features with the Configuration Manager administration console without opening up other aspects of the management environment.
- Reduced administration overhead. Microsoft IT's new automated deployment process uses the Configuration Manager automatic deployment rule. This new deployment process requires no administrative overhead, and finalizes the deployment to Endpoint Protection clients in an average 10 minutes per rule.
- Better visibility into the security and compliance
of managed client systems. Robust reporting provides
at-a-glance insight into overall status. By preserving
historical data, administrators and management have the
opportunity to run long-term reports and to look for trends.
Faster, more reliable remediation actions. Remediation actions are part of the Configuration Manager policy in System Center 2012 Endpoint Protection, and are no longer dependent on scripts as they were in Forefront Endpoint Protection.
- Streamlined definition update maintenance windows. Instead of having to rely on a separate system to schedule definition updates, Microsoft IT can now use Configuration Manager directly to control when Endpoint Protection definition updates occur.
- Improved error handling and remediation. The System Center 2012 Endpoint Protection policy for retrying failed client installations is every 4 hours, and auto-remediation of agent services runs once a day.
System Center 2012 Endpoint Protection has fundamentally changed how Microsoft IT manages client endpoint protection. The unified, integrated platform of Endpoint Protection enables Microsoft IT to streamline much of the administrative overhead that was required in their legacy system. This new solution provides appropriate levels of access for Microsoft IT and ISRM personnel, automates the deployment of antimalware definition updates, and even uses System Center 2012 Configuration Manager to control when the Endpoint Protection definition updates occur.
Since migrating the company's 280,000 managed clients worldwide to System Center 2012 Endpoint Protection, management has been using the platform's in-console monitoring and reporting capabilities to gain an unprecedented level of insight into the state of the company's managed clients. Easy-to-read reports help Microsoft IT and ISRM with security planning, and ultimately improve the ability for Microsoft to respond to security threats in a proactive manner.
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
© 2012 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Forefront, SQL Server, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.