Forefront Protection Manager
Manage Forefront Security with Forefront Protection Manager
At a Glance:
- Managing Groups and Policies from the Forefront Protection Manager console
- Using Alerts and Tasks to discover and deal with security events
- Viewing your security state with Monitoring and Reporting
- Integrating with Operations Manager 2007 R2
The next generation of Forefront Security product management will come together under a single console known as Forefront Protection Manager (FPM). Previously code-named “Stirling,” FPM can centrally manage Forefront Client Security (FCS), Forefront Server Security for Exchange (FSE) and Forefront Server Security for SharePoint (FSSP). The Forefront Threat Management Gateway (TMG) connects to FPM via the Security Assessment Sharing (SAS) system. SAS, which allows both Microsoft and third-party applications to participate in the generation of assessments (analytical statements on the status of assets) will be covered in detail in a future issue. In this article, I'll walk through some console features. I'll dig into how an FPM administrator can easily manage both clients and servers through grouping and unified policy authoring. I'll also look at how the Tasks and Alerting system simplifies day-to-day management and discuss how all comprehensive security information is displayed in the console's Monitoring and Reporting views.
Once you've deployed the infrastructure for FPM (including SQL Server 2005 or 2008 and Operations Manager 2007 R2), you can deploy the server bits in a variety of configurations designed to support customers of many sizes. For smaller deployments, all FPM roles can be deployed onto a single server. For larger customers or for administrators who will be leveraging an existing SQL Server or Operations Manager deployment, the roles can be spread across many servers to meet an enterprise's scaling requirements.
After installation, you can manage all your groups and policies for FCS, FSE and FSSP from the FPM console. The Assets and Groups node manages the list of users and computers in the enterprise and the enterprise sources that FPM uses to discover new assets. FPM allows an administrator to group computers and users according to their Active Directory memberships, server roles, operating systems and other values. FPM discovers new computers from the Operations Manager 2007 R2 database and new users from Active Directory.
Figure 1 shows the Policies node in the console, filtered to Computer Policies. The central pane displays the list of currently available policies, which initially are all defaults that are preconfigured and include the FCS, FSE, FSSP, TMG and Network Access Protection policies. For example, the FCS policy for an Exchange server is preconfigured to exclude the directories and file types recommended by the Exchange team for best performance. Because FPM supports the ability to import a policy, other policies can be added later to provide the correct configurations for other server roles, including Domain Controllers.
Figure 1 Default computer policies displayed in the Forefront Protection Manager console. (Click the image for a larger view)
The Actions pane on the right lets you import a policy or create a new one using the Create New Policy Wizard, which walks the administrator through the steps of selecting the appropriate policy components and generating the policy document.
The ability to create a single policy that contains settings for multiple protection technologies really sets FPM apart from other security products. You can use the Create a New Policy Wizard to set up a new policy that contains both FCS and FSE settings. This allows you to protect both the operating system (via FCS) and an application (via FSE) for a set of servers without having to go through the trouble of creating separate policies. In other words, you can easily configure everything you need to protect your valuable assets, all from a single editing experience.
FPM provides a flexible binding stack that allows you to define the precedence order for all policies in the enterprise. The default FPM policies reside at the bottom of the stack and contain the baseline settings for a deployment. As you define more specific settings for different groups of users—say, one policy that establishes a schedule for antimalware scans for desktop users and another policy that opens a firewall port for a custom business application for executives—those policies are added to the stack. You can then define the ordering to which they apply.
To ensure that the ordering is correct, the administrator can browse the Resultant Set of Policy (RSoP) view for each asset, which displays a detailed breakout showing which policy section was applied. In the example above, a review of an executive's laptop should show that the firewall port for the business application was opened and the antimalware schedule was applied, but a member of the IT Department would only receive the antimalware scan schedule.
Forefront Client Security Policy
Let's take a closer look at the FCS policy, which encompasses several protection and remediation technologies that are deployed via a single client installer package. In addition to antimalware protection, FCS provides Windows Firewall management and Security State Assessment (SSA) information. SSA supplies a set of configurable checks to verify the security state of your managed assets. Remediation is provided via integration with Network Access Protection (NAP), which can be configured to quarantine assets that don't meet a specified set of security checks until the assets have been properly updated.
Here are some of the policy options available when configuring the settings for FCS:
Antimalware: A single engine drives the FCS antimalware protection to find viruses, worms and spyware. The engine supports both signature- and heuristic-based detections and can receive signature updates from Microsoft Update, Windows Server Update Services (WSUS) or a file share (optimally distributed using DFS). The settings in this policy section let you configure the various options for the service, including real-time protection, definition-update (signatures) schedules and locations, file, path and policy exclusions and overrides for specific software. You can also configure which FPM alerts apply to assets that receive this policy.
Windows Firewall: This option enables configuration of both Inbound and Outbound service and port and program exceptions, as well as specifics on the individual profiles.
Security State Assessment: SSA policy now allows you to enable or disable specific checks to tailor an application to a specific enterprise. SSA checks have been expanded to include:
- Configuring reboot policy
- Setting which services are unnecessary
- Enforcement of Data Execution Prevention settings
- Requirements for using the NTFS file system and restricting public shares
- IIS security requirements for Web servers
- Configuration requirements for the Guest accounts and password expiration
- Microsoft Office macro settings
- SQL Server security requirements for the database servers
- Internet Explorer security settings
- User Account Control
- Data Protection (BitLocker) enforcement
- Behavior of removable storage devices (USB drives, for example)
Security Updates: FPM provides a view into the patch status of your managed assets, allowing you to set rules around patch compliance and grace periods, as well as blocking network access via NAP for machines that are not compliant.
Alerts and Tasks
One of FPM's most critical features is its ability to notify administrators about security events requiring their attention via the Alerts system and to provide tools for responding through the Tasks system. FPM Alerts are logged to the console by default but can also be configured to notify the administrator directly via e-mail, pager or instant message. Figure 2 shows the configuration for paging an administrator directly about a repeat malware infection detected on a set of domain controllers. Alert notifications can be configured for particular alerts and targeted to individual groups, so you can ensure that the direct notifications are only for the specific events on the critical assets that your administrator is monitoring.
Figure 2 Sending an FPM security alert via pager. (Click the image for a larger view)
Once administrators have been directly notified about infections, they need to be able to respond directly to the infected assets from a central console. Using the FPM Tasks Wizard, an administrator can easily select a preconfigured response and target it directly to the selected group.
Bringing all the critical security information together into an easy-to-consume format is essential for FPM administrators and is the key driver behind the Monitoring node in the console. Figure 3 shows a view into the antimalware summary for FCS. Here the security administrator can easily see the critical statistics, including the Real-Time Protection state, which assets have successfully scanned recently and which machines have received the most recent set of signature updates. More important is the ability to drill into specific sections of the widgets to show the list of machines that aren't compliant with your network security requirements. One additional click from the list of assets takes you to the individual machine report, showing all the relevant configuration information. The ability to start with a high-level summary and, with two clicks, view specific details about an individual asset can be invaluable to administrators investigating how secure their enterprises are.
Figure 3 FPM anti-malware summary for Forefront Client Security. (Click the image for a larger view)
FPM and Operations Manager
FPM leverages the Operations Manager 2007 R2 infrastructure for all its information transport requirements. When a policy is authored in the FPM console, the XML content is handed off to Operations Manager via the SDK and delivered for processing. The XML is converted into an Operations Manager management pack and delivered to the local agent on each targeted asset.
The Operations Manager agent then routes the management pack to the local FPM agent, where it's converted back to XML and distributed to the individual protection technologies. This plug-in model allows future protection components to be added in more easily.
Telemetry from the end points reverses the path, so that data is passed to the local Operations Manager agent and then to the server, where it's loaded into the FPM database for monitoring and reporting.
FPM also adds support for non-domain-joined assets, a commonly requested feature from Forefront Client Security v1. Through certificates, a non-domain-joined asset can authenticate with the Operations Manager server, allowing it to receive policy and tasks and send telemetry data in the same fashion as domain-joined assets (which use Kerberos to authenticate with the server).
FPM and Windows PowerShell
All configuration settings, reports and other options accessible through the UI are also accessible through the Windows PowerShell layer. The FPM Windows PowerShell management window is easily accessible from the Start menu under the Forefront folder. One handy aspect of using Windows PowerShell is that commands that need to run frequently or on a unique schedule can be scripted. That provides a powerful tool for administering the FPM system outside the console interface.
I've covered just some of the features of the Forefront Protection Manager console. FPM offers the ability to manage policy and grouping for both FCS and FSE/FSSP from a single console, effectively and efficiently manage day-to-day security activities through Alerts and Tasks and get comprehensive visibility in the Monitoring node. Overall, it's a solid management solution for the Forefront system.
If you're ready to try the FPM console, visit the FPM homepage
at to learn how you can evaluate the latest edition.
Chris Sfanos is a senior program manager for the Forefront Protection Manager team, based in Redmond, Wash. A software professional for more than 11 years, he enjoys designing solutions that solve customer problems. He has also designed chips for satellite systems.