Microsoft System Center 2012 Endpoint Protection (previously known as Forefront Endpoint Protection 2012) protects client and server operating systems against threats with leading malware detection technologies. Built on Configuration Manager, it provides a unified infrastructure for client security and compliance management and "Microsoft System Center 2012 Endpoint Protection Cookbook" will help you get to grips with vital tasks for implementing this security tool.
With the release of System Center 2012 Endpoint Protection, Microsoft is continuing its commitment to offering a cutting-edge, enterprise-ready anti-virus solution. With its practical and easy-to-follow recipes, "Microsoft System Center 2012 Endpoint Protection Cookbook" fully prepares you for a simple, headache-free migration.
This hands-on, practical cookbook will equip you with the knowledge to install and manage System Center 2012 Endpoint Protection like a pro in no time by following step-by-step recipes.
You'll gain insight into a wide range of management tasks, such as building your SCEP infrastructure, deploying SCEP clients and building the perfect AV policies for your workstation and servers. You'll also benefit from a complete SCEP walk-through in a bonus appendix chapter.
With "Microsoft System Center 2012 Endpoint Protection Cookbook" in hand, you will have the confidence to tackle essential tasks like deployment, policy and much more for SCEP.
You can read the e-book in Legimi apps or in any app that supports the following format:
Page count: 186
Year of publication: 2012
Copyright © 2012 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: October 2012
Production Reference: 1270912
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-84968-390-6
www.packtpub.com
Cover Image by Artie Ng (<[email protected]>)
Author
Andrew Plue
Reviewers
Nicolai Henriksen
Matthew Hudson
Stephan Wibier
Acquisition Editor
Stephanie Moss
Lead Technical Editor
Azharuddin Sheikh
Technical Editor
Kaustubh S. Mayekar
Project Coordinator
Vishal Bodwani
Proofreader
Mario Cecere
Indexer
Monica Ajmera Mehta
Production Coordinator
Arvindkumar Gupta
Cover Work
Arvindkumar Gupta
Andrew Plue is a Senior Consultant in the Secure Infrastructure Management group at Certified Security Solutions (CSS). He is a veteran of the United States Army, and served as a paratrooper with the 1/508th Airborne Combat Team.
He has 18 years of experience in information security, with a focus on vulnerability detection and corporate anti-virus solutions. During his tenure at CSS, he has acted as a lead engineer on numerous deployments of the Forefront Suite of anti-malware products, with production deployments of Forefront Client Security as large as 140,000 seats.
He has spoken at the Microsoft Worldwide Partner Conference on the topic of Forefront Client Security.
In his spare time, he does not do all that much, to be honest.
I would like to thank Norah, for inspiring me to do more with my life. James and Linda, my parents, for not giving up on me (I was a bad kid). Nicholas, Natalie, Emily, and Jamenson for giving me hope for the future, and Maximus, Purrrsy, Melonball, and Machka for keeping my feet warm and my house rodent free.
Nicolai Henriksen works as a Chief Infrastructure Consultant, and has been in the consulting business since 1995, implementing mostly Microsoft systems but also a wide range of other vendors' products. He has always had a great interest in, and skill at, managing and securing systems, servers, and clients. He has wide experience with most of the malware protection products on the market today. He is also a Microsoft speaker and has given several presentations with great demos at Microsoft events and international conferences. He was awarded a Microsoft MVP for System Center Configuration Manager in 2012.
Matthew Hudson has been involved in technology since the early days with the TRS-80 Model III. He has over 20 years of experience in the systems management area, consulting, and programming. Matthew received the Microsoft MVP award in 2009 for his expertise, community involvement, and drive to push the SMS 2003 product beyond the norm. This is his fourth year as an MVP in System Center Configuration Manager. He holds an undergraduate degree in Engineering from Texas A & M University and a Masters degree in Computer Science from Prairie View A & M University.
Stephan Wibier is a consultant and all-around IT geek specializing in Microsoft backend services. He has specialized in OS deployment using tools such as WDS/MDT and SCCM 2007/2012.
His interest in the IT business goes way back to the early 80s, starting with the good-old Commodore 64. After that, it was only a matter of time before the virus hit hard. He is certified in several areas of Microsoft products and still keeps up with the new and fabulous changes in the modern IT market.
He is known for his pragmatic style, approaching problems as changes or opportunities.
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.
System Center 2012 Endpoint Protection (SCEP) is Microsoft's third-generation corporate anti-malware solution. At its core, it shares many similarities with their "free for home use" anti-malware product, Microsoft Security Essentials, which has been installed on over 50 million PCs the world over.
The explosion in popularity of Microsoft Security Essentials benefits SCEP users because those 50 million users share malware telemetry data with Microsoft through the MAPS (formerly known as SpyNet) program, and SCEP draws on the same data. By integrating SCEP with the newly released System Center 2012 Configuration Manager, Microsoft has created one of the easiest anti-malware products on the market to deploy and manage.
In this book, you will see System Center 2012 Configuration Manager referred to as simply SCCM. Although Microsoft often refers to it as ConfigMgr in their documentation, the majority of the people the author has worked with over the years refer to the product as SCCM. System Center 2012 Endpoint Protection will be referred to as SCEP, although this is not an official acronym that Microsoft uses for the product.
Many of the recipes in this book begin with a step that asks you to log into your Central Administration Server (CAS). Depending on how your SCCM environment was designed, you may not have a CAS server; you may simply have a single Primary Site server as the top level of administration in your architecture. If this is the case, all the recipes can be completed on your Primary Site server.
Also, in most cases, it is not essential to physically log into the CAS or Primary site server. If you have the SCCM consoles installed on your workstation and are logged in with the correct permissions, the recipe can be performed on the local console.
Chapter 1, Getting Started with Client-Side Endpoint Protection Tasks, provides a number of recipes for performing tasks at the local client level, such as forcing a definition update or modifying the SCEP client policy.
Chapter 2, Planning and Rolling Installation, will walk you through some of the considerations you will need to make before deploying SCEP, as well as showing you how to enable the SCEP role on your SCCM server.
Chapter 3, SCEP Configuration, will show you recipes for performing essential tasks, such as configuring SCEP policies and alerts, as well as walking you through the process of setting up SCEP's reporting features.
Chapter 4, Client Deployment Preparation and Deployment, includes a number of recipes to assist you with every step of client deployment from preparation to actually deploying the clients.
Chapter 5, Common Tasks, covers a number of day-to-day tasks that every SCEP administrator will need to know how to perform correctly in order to keep SCEP healthy and your endpoints protected from malware.
Chapter 6, Management Tasks, covers important high-level tasks, such as using policy templates, merging policies, and responding to SCEP alerts.
Chapter 7, Reporting, takes a deep dive into the reporting capabilities offered with SCEP. You will be shown how to execute reports, as well as how to provide access to reports. You will also be shown how to create your own custom reports.
Chapter 8, Troubleshooting, provides you with some tools to assist you with the time-consuming effort of troubleshooting an anti-malware product. The recipes in this chapter will help you deal with definition update issues, and show you how to approach false positives.
Chapter 9, Building an SCCM 2012 Lab, is a great chapter for anyone who has not yet taken the plunge on SCCM 2012. There is just a single recipe in the chapter that will show you the quickest down-and-dirty method for standing up an SCCM 2012 server in a lab environment. This is vital to anyone considering deploying SCEP, because with the total integration of SCEP with SCCM 2012, you can't experience SCEP without an SCCM environment.
The Appendix walks you through the installation of the System Center Security Monitoring Pack for Endpoint Protection.
To complete the recipes in this book, you will need a Windows 2008 level (or above) Active Directory environment, a Windows 2008 R2 server, SCCM 2012, and SQL Server 2008.
This book is intended for any SCCM 2012 administrator who needs to quickly ramp up his or her skill set in order to support SCEP. It is also intended for administrators of an existing anti-malware solution (such as McAfee or Symantec) who need to learn quickly the SCCM-related skills required to manage an anti-malware solution integrated with SCCM.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "The local SCEP client logs are stored in the program data folder".
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Click on File from the menu bar and select Exit to close the logfile".
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
In this chapter, we will cover:
The tasks you will accomplish in this chapter are essential for any System Center Endpoint Protection (SCEP) administrator. Although many of the procedures can also be performed from within your System Center 2012 Configuration Manager (SCCM) console, it is also vital to understand how to perform these procedures at a local client level. As isolating infected PCs (or PCs that are suspected to be infected) from the rest of your corporate network is a commonly accepted best practice, a hands-on approach is often needed to remediate malware issues.
This chapter will cover all the essential skills an AV admin using SCEP will need to know, from finding and understanding the SCEP client logs, to performing on-demand scans from just the command line.
Primarily, reporting data is accessed through the SCEP dashboard within your SCCM console, or by executing SCEP reports in SQL Server Reporting Services. However, you may find yourself attempting to troubleshoot a malware issue on a client PC without access to either of those resources. That is when knowing where to find your SCEP client-side logs, and how to interpret them, will prove very useful.
In this section, you'll be working with the most vital SCEP log, known as the MPLog, and using it to quickly locate pertinent information, such as definition update history and malware detection history.
The local SCEP client logs are stored in the program data folder. Keep in mind, this directory is hidden by default and you will not be able to browse to it without enabling view hidden files, folders, and drives in Windows Explorer. A log parsing utility, such as Microsoft's Trace32 or the new version that comes with SCCM 2012 CMTrace, can be utilized to expedite the process of locating data inside the MPLog, but in the following example, we will be utilizing Notepad.
Follow these steps:
While the MPLog contains an abundance of data, the keywords we searched for will allow you to quickly locate some of the most pertinent data.
SCEP supports multiple definition update methods, which will be discussed later. Although the SCEP reports will show you which definition version a client is running, they do not show where a client receives its updates from. You should be able to find entries similar to this: Signature updated via InternalDefinitionUpdateServer on Sun Jan 02 2011 21:33:50.
In this case, InternalDefinitionUpdateServer would indicate that the definition update was pulled from a WSUS/SUP server within your corporate network.
In addition to this, there are several other entries you may find, such as Signature updated via MicrosoftUpdateServer on Sat Mar 12 2011 17:54:56. This would indicate that a definition was pulled from Microsoft Update over the Internet. This should be common for remote users. Signature updated via UNC \\Servername\share indicates that an update was pulled from a UNC file share.
The MPLog also records any malware incidents the client has detected. If the client has experienced a virus detection, you will find an entry similar to Threat Name:VirTool:JS/Obfuscator. The following lines can provide some more background information about the virus detection, for example:
The resource path can provide some very useful information when determining the attack vector or source of an outbreak. In the previous example, the malware was detected in the user's temporary internet files, indicating the attempted infection likely occurred when the user browsed to a website containing malicious code.
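The two kinds of MPLog entry discussed in this recipe, the "Signature updated via ..." lines that reveal the definition update channel and the "Threat Name:" lines that record detections, are easy to pull out with a small script once you have the log in hand. The following Python script is an added example, not code from the book or from Microsoft. The sample log lines are constructed to match the entries quoted in the text; the "Resource Path:" line format and the helper names (parse_mplog, classify_vector, latest_update) are assumptions made for this example, and the attack-vector hint is a heuristic on the path, not an SCEP feature.

```python
"""Extract definition-update channel and threat detections from MPLog lines.

Added example, not from the book. Line formats follow the entries quoted in
the text; the "Resource Path:" format is an assumption for this example.
"""
import re
from datetime import datetime

# Constructed sample MPLog lines, modelled on the entries quoted in the text.
SAMPLE_MPLOG = """\
Signature updated via InternalDefinitionUpdateServer on Sun Jan 02 2011 21:33:50
Signature updated via MicrosoftUpdateServer on Sat Mar 12 2011 17:54:56
Signature updated via UNC \\\\FILESRV01\\Definitions on Mon Mar 14 2011 08:02:11
Threat Name:VirTool:JS/Obfuscator
Resource Path:C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\ABCD1234\\index[1].htm
"""

UPDATE_RE = re.compile(
    r"^Signature updated via (?P<source>\S+)(?: (?P<share>\\\\\S+))? on (?P<when>.+)$"
)
THREAT_RE = re.compile(r"^Threat Name:(?P<name>.+)$")
RESOURCE_RE = re.compile(r"^Resource Path:(?P<path>.+)$")  # assumed format

# Map the source token in the log to the update channel described in the text.
CHANNELS = {
    "InternalDefinitionUpdateServer": "WSUS/SUP (internal)",
    "MicrosoftUpdateServer": "Microsoft Update (Internet)",
    "UNC": "UNC file share",
}


def classify_vector(path):
    """Heuristic hint at the likely attack vector, based only on the resource path."""
    p = path.lower()
    if "temporary internet files" in p or "\\inetcache\\" in p:
        return "web browsing (Temporary Internet Files)"
    if "\\downloads\\" in p:
        return "downloaded file"
    if "\\temp\\" in p:
        return "temp folder (dropped or extracted file)"
    return "unknown"


def parse_mplog(text):
    """Return {'updates': [...], 'detections': [...]} parsed from MPLog text."""
    updates, detections = [], []
    pending = None  # last Threat Name entry still waiting for its Resource Path line
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            updates.append({
                "source": m["source"],
                "channel": CHANNELS.get(m["source"], "unknown"),
                "share": m["share"],  # only set for UNC updates
                "when": datetime.strptime(m["when"], "%a %b %d %Y %H:%M:%S"),
            })
            continue
        m = THREAT_RE.match(line)
        if m:
            pending = {"name": m["name"], "path": None, "vector": "unknown"}
            detections.append(pending)
            continue
        m = RESOURCE_RE.match(line)
        if m and pending is not None:
            pending["path"] = m["path"]
            pending["vector"] = classify_vector(m["path"])
            pending = None
    return {"updates": updates, "detections": detections}


def latest_update(parsed):
    """Most recent definition update entry, or None if the log has none."""
    if not parsed["updates"]:
        return None
    return max(parsed["updates"], key=lambda u: u["when"])


if __name__ == "__main__":
    result = parse_mplog(SAMPLE_MPLOG)
    for u in result["updates"]:
        share = f" {u['share']}" if u["share"] else ""
        print(f"{u['when']:%Y-%m-%d %H:%M}  definitions via {u['channel']}{share}")
    for d in result["detections"]:
        print(f"DETECTION {d['name']} at {d['path']} -> likely vector: {d['vector']}")
```

Run it against a real MPLog by replacing SAMPLE_MPLOG with the file contents read from the ProgramData folder; the latest_update entry tells you at a glance whether a client is getting definitions from your WSUS/SUP, from Microsoft Update, or from a UNC share, and the detection list gives you the resource paths to start tracing the source of an outbreak.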
