SCEP 2012 inside SCCM 2012

System Center 2012 Endpoint Protection with ConfigMgr. Kenny Buntinx, Principal Consultant, Inovativ

Description: Presented by Kenny Buntinx.

Transcript of SCEP 2012 inside SCCM 2012

Page 1: SCEP 2012 inside SCCM 2012

System Center 2012 Endpoint Protection with ConfigMgr. Kenny Buntinx, Principal Consultant, Inovativ

Page 2: SCEP 2012 inside SCCM 2012

Session Objectives
• Understanding the Microsoft protection stack
• Changes in System Center 2012 Endpoint Protection Service Pack 1
• Getting to know the Endpoint Protection client
• How to manage Endpoint Protection within Configuration Manager

Page 3: SCEP 2012 inside SCCM 2012

Comprehensive Protection Stack: Building on Windows Platform security

(Diagram: three layers, management on top of antimalware on top of the Windows platform; a legend marks some items as "Available only in Windows 8".)

• MANAGEMENT (System Center Configuration Manager and Endpoint Protection): Endpoint Protection Management, Software Updates + SCUP, Operating System Deployment, Settings Management, Software Distribution, MDM Software Updates
• ANTIMALWARE (System Center 2012 Endpoint Protection, backed by the Microsoft Malware Protection Center and the Dynamic Signature Service): Antimalware, Dynamic Translation, Behavior Monitoring, Vulnerability Shielding, Windows Defender Offline, ELAM & Measured Boot, Cloud clean restore
• PLATFORM (Windows): Internet Explorer, BitLocker, AppLocker, Address Space Layout Randomization, Data Execution Prevention, User Account Control, Secure Boot through UEFI, Windows Resource Protection, Measured Boot, Early Launch Antimalware (ELAM)

Page 4: SCEP 2012 inside SCCM 2012

System Center 2012 Endpoint Protection SP1

Simplified Administration: a single administrator experience for simplified endpoint protection and management
• Real-time Endpoint Protection operations from the console
• Simplified, 3X delivery of definitions through software updates
• Malware-driven operations from the console
• Client-side merge of antimalware policies
• Integrated optimizations for Windows Embedded clients
• New and improved Endpoint Protection client

Page 5: SCEP 2012 inside SCCM 2012

Real-time Operations
• EP operations reach clients in <1 minute
• Monitor one-time operations
• Available EP operations: Run Definition Updates, Run Quick Scan, Run Full Scan, Allow threats, Exclude paths and/or files, Restore files quarantined by threat

Page 6: SCEP 2012 inside SCCM 2012

Malware Driven Operations

Admins can view and take follow-up actions on specific malware by type and by remediation status.

Page 7: SCEP 2012 inside SCCM 2012

Antimalware Operations: Demo

Page 8: SCEP 2012 inside SCCM 2012

Client-side merge
• Create granular policies for specific scenarios and have them merged on the clients
• Removes the overhead of redundant policies
• Policies still honor relative priority, and merge when possible (exclusions, for example)
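The merge rule above (priority decides scalar settings, exclusion lists are combined) is easy to misread when several policies target the same collection, so here is a small simulation of it. This is an added example, not ConfigMgr's own code: the policy names, setting names and values are constructed, the assumption that a lower priority number wins is the example's own, and which settings merge as lists is set by the MERGEABLE constant.

```python
"""Client-side merge of antimalware policies: a simulation.

Added example, not ConfigMgr code. It models the behaviour the slide
describes: each policy carries a relative priority, scalar settings come from
the highest-priority policy that sets them, and list settings such as
exclusions are merged across policies. Policy names, setting names and
values are constructed for the example.
"""
from dataclasses import dataclass, field

# Settings the simulation merges as lists instead of treating as
# winner-takes-all scalars (assumption: exclusion lists merge).
MERGEABLE = {"excluded_paths", "excluded_processes"}


@dataclass
class Policy:
    name: str
    priority: int  # assumption: lower number = higher priority
    settings: dict = field(default_factory=dict)


def merge_policies(policies):
    """Return the effective settings after a client-side merge.

    Scalars: the highest-priority policy that sets the key wins.
    Mergeable lists: union over all policies, in priority order, so the
    result is deterministic and no policy can remove another's entries.
    """
    effective = {}
    for pol in sorted(policies, key=lambda p: p.priority):
        for key, value in pol.settings.items():
            if key in MERGEABLE:
                merged = effective.setdefault(key, [])
                for item in value:
                    if item not in merged:
                        merged.append(item)
            elif key not in effective:
                # No higher-priority policy has set this key yet.
                effective[key] = value
    return effective


def setting_sources(policies):
    """Map each setting to the policy (or policies) that supplied it.

    Useful when auditing why a client ended up with a given value; list
    settings are reported with every contributing policy.
    """
    sources = {}
    for pol in sorted(policies, key=lambda p: p.priority):
        for key in pol.settings:
            if key in MERGEABLE:
                sources.setdefault(key, []).append(pol.name)
            else:
                sources.setdefault(key, pol.name)
    return sources


# Constructed sample: a default policy, a server-specific policy with a
# higher priority, and a narrow policy that only changes the scan type.
SAMPLE_POLICIES = [
    Policy("Default client policy", 10, {
        "real_time_protection": True,
        "scheduled_scan_type": "quick",
        "cpu_usage_limit_percent": 50,
        "excluded_paths": [r"C:\Windows\SoftwareDistribution"],
    }),
    Policy("SQL servers", 5, {
        "cpu_usage_limit_percent": 20,
        "excluded_paths": [r"D:\SQLData", r"D:\SQLLogs"],
        "excluded_processes": ["sqlservr.exe"],
    }),
    Policy("Nightly full scan", 7, {
        "scheduled_scan_type": "full",
    }),
]

if __name__ == "__main__":
    for key, value in merge_policies(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
    print(setting_sources(SAMPLE_POLICIES))
```

The point worth noticing is that exclusions only ever grow: a low-priority policy cannot be outranked on its exclusion entries, so the merged exclusion set on a client should be reviewed as a whole rather than policy by policy.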

Page 9: SCEP 2012 inside SCCM 2012

Improved software update integration
• Architectural changes to support 3X a day
• Category-based scans from clients
• Delta syncs between SUP and WSUS

Architectural changes to simplify SUP setup
• Source the top-level SUP from an internal WSUS server (removes the WU/MU-based catalog dependency)
• Simplified, fault-tolerant software update point setup (add multiple SUPs as needed, up to 8 per Primary Site; no NLB or active SUP requirements)
• The multiple-SUP model is built for fault tolerance
• Best performance comes from using a shared SUSDB for your software update points
• Clients are optimized to NOT switch SUPs, and only do so after 4 failures (at 30-minute intervals)
• Full cross-forest support of SUPs, including untrusted forests
• Clients are optimized to fall back to SUPs within their own forest first
• If NLB is required, configure it through the SDK (no longer in the UI)
• Use GP preferences if setting a WSUS server for client deployments
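The fallback rule (stay on the current SUP, move on only after 4 failures spaced 30 minutes apart, try own-forest SUPs first) determines how long a client is without updates when a SUP is down. The simulation below is an added example, not ConfigMgr code: SUP and forest names are constructed, and the exact ordering of candidates within a forest is an assumption (list order is kept).

```python
"""Software update point (SUP) selection and fallback: a simulation.

Added example, not ConfigMgr code. It models the client behaviour the slide
describes: the client prefers SUPs in its own forest, sticks to its current
SUP, and moves to the next one only after 4 failed attempts spaced 30
minutes apart. Server names and forest names are constructed.
"""
from dataclasses import dataclass

MAX_FAILURES = 4          # failures before the client switches SUP (from the slide)
RETRY_INTERVAL_MIN = 30   # minutes between retries (from the slide)


@dataclass(frozen=True)
class Sup:
    name: str
    forest: str


class SupClient:
    """Tracks which SUP a client is using and when it gives up on it."""

    def __init__(self, forest, sup_list):
        # Assumption: own-forest SUPs first, then the rest, list order kept.
        own = [s for s in sup_list if s.forest == forest]
        other = [s for s in sup_list if s.forest != forest]
        self.candidates = own + other
        self.index = 0
        self.failures = 0
        self.elapsed_min = 0

    @property
    def current(self):
        return self.candidates[self.index]

    def attempt(self, reachable):
        """One scan attempt; `reachable` is the set of SUP names that answer.

        Returns "ok", "retry" (wait and try the same SUP again) or
        "switched" (moved to the next candidate after MAX_FAILURES).
        """
        if self.current.name in reachable:
            self.failures = 0
            return "ok"
        self.failures += 1
        self.elapsed_min += RETRY_INTERVAL_MIN
        if self.failures >= MAX_FAILURES:
            self.index = (self.index + 1) % len(self.candidates)
            self.failures = 0
            return "switched"
        return "retry"


def scan_until_success(client, reachable, max_attempts=50):
    """Drive attempts until one succeeds.

    Returns (sup_name, attempts, minutes_waited); raises if no SUP answers.
    """
    for attempt in range(1, max_attempts + 1):
        if client.attempt(reachable) == "ok":
            return client.current.name, attempt, client.elapsed_min
    raise RuntimeError("no software update point reachable")


# Constructed sample: four SUPs across two forests, like the slide's diagram.
SUP_LIST = [
    Sup("SUP1", "forest1"),
    Sup("SUP2", "forest1"),
    Sup("SUP3", "forest2"),
    Sup("SUP4", "forest2"),
]

if __name__ == "__main__":
    # SUP1 is down: a forest1 client burns 4 retries (2 hours) before moving on.
    print(scan_until_success(SupClient("forest1", SUP_LIST), {"SUP2", "SUP3", "SUP4"}))
    # A forest2 client goes to its own forest's SUP first, with no failures.
    print(scan_until_success(SupClient("forest2", SUP_LIST), {"SUP2", "SUP3", "SUP4"}))
```

With both forest1 SUPs down, the forest1 client only reaches SUP3 on its ninth attempt, four hours in; that gap is the cost of the "do not switch" optimization and is why monitoring SUP health matters more than adding SUPs.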

Page 10: SCEP 2012 inside SCCM 2012

(Diagram: a Primary Site with Software Update Points 1 to 4 ("4X"); clients in Hierarchy (Forest1) and Hierarchy (Forest2), shown as Client.Forest1 and Client.Forest2, each receive the SUP list for software updates.)

Page 11: SCEP 2012 inside SCCM 2012

Windows Embedded Optimizations
• Endpoint Protection client installation can honor maintenance windows
• Endpoint Protection client installation can install in the overlay, or disable write filters and commit the changes
• Definition update deployments through SUM can commit changes or write in the overlay

Page 12: SCEP 2012 inside SCCM 2012

System Center 2012 Endpoint Protection
• Common antimalware platform across Microsoft AM clients
• Proactive protection against known and unknown threats
• Reduced complexity while protecting clients

Enhanced Protection
• Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
• Integration with UEFI Trusted Boot, early-launch antimalware

Page 13: SCEP 2012 inside SCCM 2012

Common Antimalware Platform
• Common platform for all of Microsoft’s antimalware clients
• Security Essentials alone has over 100 million users (#1 in North America)
• 660 million executions of Malicious Software Removal Tool per month
• All of these clients service Microsoft’s protection services research and response

Clients on the common platform: System Center 2012 Endpoint Protection, Windows Intune, Forefront Endpoint Protection 2010, Windows Azure Endpoint Protection, Microsoft Security Essentials, Windows Defender in Windows 8, Diagnostics and Recovery Toolkit, Malicious Software Removal Tool, Windows Defender Offline

Page 14: SCEP 2012 inside SCCM 2012

Antimalware Protection Service

(Diagram: client architecture in four columns, MGMT, DATA, INTERCEPTION AND ENFORCEMENT, and CLOUD.)
• MGMT: ConfigMgr exchanges Policy, Status and Events with the client through the Registry, WMI and Events
• DATA: Antimalware Protection Service exposing the AM API; Client UI and Action Center
• INTERCEPTION AND ENFORCEMENT: Kernel (Early Launch Antimalware; Minifilter (Driver) for File, Registry, Process), Network (Network Inspection System), Application
• CLOUD: Microsoft Malware Protection Center; Windows Update / Microsoft Update deliver Updates (Engine and Definitions); Microsoft Active Protection Services & Cloud Restore exchange Samples, Telemetry, DSS and CCF

Page 15: SCEP 2012 inside SCCM 2012

Trusted and Measured Boot with UEFI

Trusted Boot
• End-to-end boot process protection: Windows operating system loader, Windows system files and drivers, anti-malware software
• Ensures and prevents: a compromised operating system from starting; software from starting before Windows; 3rd-party software from starting before anti-malware
• Automatic remediation/self-healing if compromised

Measured Boot
• Creates a comprehensive set of measurements based on Trusted Boot execution
• Can offer measurements to a Remote Attestation Service for analysis

Page 16: SCEP 2012 inside SCCM 2012

Trusted Boot: Early Load Anti-Malware

(Diagram: boot sequences. Windows 7: BIOS, OS Loader, (Malware), 3rd Party Drivers, (Malware), Anti-Malware Software, Start. Windows 8: Native UEFI, Windows 8 OS Loader, Anti-Malware Software, 3rd Party Drivers, Start.)

Windows 7
• Malware is able to boot before Windows and anti-malware
• Malware is able to hide and remain undetected
• Systems can be compromised before AM starts

Windows 8
• Secure Boot loads anti-malware early in the boot process
• The Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd-party boot drivers
• Malware can no longer bypass AM inspection

Page 17: SCEP 2012 inside SCCM 2012

Measured Boot

(Diagram: boot chains. Windows 7: BIOS, MBR & Boot Sector, OS Loader, Kernel Initialization, 3rd Party Drivers. Windows 8: UEFI, Windows 8 OS Loader, Windows Kernel & Drivers, Anti-Malware Software.)

Windows 7
• Measurements of some boot components are evaluated as part of boot
• Only enabled when BitLocker has been provisioned

Windows 8
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when a TPM is present; BitLocker not required
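The two Measured Boot slides above say that every boot component is measured into the TPM and that a remote attestation service can evaluate the result. The simulation below shows the mechanism that makes this work: the PCR extend operation and a log replay on the verifier side. It is an added example, not Windows, TPM or SCEP code; component names and image bytes are constructed, and the SHA-256 register is an assumption (the Windows 8-era TPM 1.2 bank used SHA-1).

```python
"""Measured Boot and remote attestation: a simulation of the PCR chain.

Added example, not Windows or TPM code. It models what the slides describe:
each boot component is hashed, the hash is folded into a TPM Platform
Configuration Register (PCR) with the extend operation, and a remote
attestation service replays the event log against the quoted PCR and checks
every component against a known-good list. Component names and image bytes
are constructed; the register uses SHA-256 (assumption: a TPM 2.0 style
bank; TPM 1.2 used SHA-1).
"""
import hashlib

PCR_SIZE = 32  # bytes in a SHA-256 PCR


def extend(pcr, digest):
    """TPM extend: PCR_new = H(PCR_old || digest).

    Order matters and the operation cannot be undone, which is why a
    tampered loader leaves a trace even if later components are clean.
    """
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Simulate firmware and loader measuring each component in boot order.

    Returns (final PCR value, event log of (name, digest)).
    """
    pcr = b"\x00" * PCR_SIZE
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay(log):
    """Recompute the PCR from an event log alone (what the verifier does)."""
    pcr = b"\x00" * PCR_SIZE
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def attest(quoted_pcr, log, known_good):
    """Remote attestation check. Returns (healthy, list of findings).

    known_good maps component name -> set of acceptable digests. The quoted
    PCR stands in for a TPM quote, which the client cannot forge; the log
    is client-supplied and is only trusted because it replays to that PCR.
    """
    findings = []
    if replay(log) != quoted_pcr:
        findings.append("event log does not replay to the quoted PCR")
    for name, digest in log:
        if digest not in known_good.get(name, set()):
            findings.append(f"unexpected measurement for {name}")
    return not findings, findings


# Constructed sample boot chains (Windows 8 order from the slide: UEFI,
# OS loader, kernel and drivers, anti-malware). Bytes stand in for images.
HEALTHY_BOOT = [
    ("UEFI firmware", b"firmware build 1"),
    ("OS loader", b"bootmgfw 6.2"),
    ("Kernel and drivers", b"ntoskrnl 6.2"),
    ("ELAM anti-malware driver", b"elam driver signed"),
]
TAMPERED_BOOT = [
    ("UEFI firmware", b"firmware build 1"),
    ("OS loader", b"bootmgfw 6.2 patched"),  # modified loader
    ("Kernel and drivers", b"ntoskrnl 6.2"),
    ("ELAM anti-malware driver", b"elam driver signed"),
]
KNOWN_GOOD = {name: {hashlib.sha256(img).digest()} for name, img in HEALTHY_BOOT}

if __name__ == "__main__":
    pcr, log = measure_boot(HEALTHY_BOOT)
    print("healthy:", attest(pcr, log, KNOWN_GOOD))
    pcr, log = measure_boot(TAMPERED_BOOT)
    print("tampered:", attest(pcr, log, KNOWN_GOOD))
```

The third case in the test, a clean log presented alongside the PCR of a tampered boot, is the one that separates Measured Boot from a self-reported health check: the log can be rewritten by software, the PCR cannot.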

Page 18: SCEP 2012 inside SCCM 2012

Protect Clients With Reduced Complexity
• Simple interface: minimal, high-level user interactions
• Administrative control: user configurability options, central policy enforcement, UI lockdown and disable
• Maintains high productivity: CPU throttling during scans, faster scans through advanced caching
• Minimal network and client impact of definition updates:
  • Binary delta signature update 3 times per day (<.5MB)
  • Full update (new machine, or not updated in 31 days, <80MB)
  • Delta signature update (missed 3 days of delta, <5MB)

Page 19: SCEP 2012 inside SCCM 2012

Heterogeneous Antimalware Clients

Features
• Anti-virus and anti-malware support
• Machines connect directly to the internet service for security content
• Client UI for user visibility and control
• SCOM monitoring pack for Linux with management control

Platforms
• Apple Mac (10.6-10.7)
• Linux Server: Red Hat Enterprise 6, SuSE Linux 11

Page 20: SCEP 2012 inside SCCM 2012

Key Takeaways
• How Microsoft delivers on the protection promise, end to end
• What’s new in System Center 2012 Endpoint Protection Service Pack 1
• Understanding the Endpoint Protection client
• The benefits of operationalized security (Configuration Manager and Endpoint Protection integration)

Page 21: SCEP 2012 inside SCCM 2012

Q & A