Forefront Client Security

Microsoft goes all out with this technology-heavy product

It wasn't until Microsoft's purchase of Giant Software and its Giant AntiSpyware product, and the subsequent release of Windows Defender, Microsoft's spyware scanning and removal tool, that the software giant really got serious about anti-malware. Now Windows Defender is built into Windows Vista and available as a free download for Windows XP. However, Windows Defender lacks centralized administration and alerting, which means it's not a serious anti-malware solution for most businesses. To fill this gap, Microsoft has released Microsoft Forefront Client Security, a client/server application targeted at businesses and designed to identify and block viruses, worms, spyware, rootkits, and other malicious software at the host level for servers and workstations.

Centralized Management Using Enterprise Tools
Although Forefront Client Security is new, the technologies behind it are not. Its pedigree includes the Windows Malicious Software Removal Tool, Windows Server Update Services (WSUS), Microsoft Operations Manager (MOM), Group Policy Objects (GPOs), and Microsoft SQL Server 2005, as well as work done by the Microsoft Product Support Services Security Response team, which is behind the malware definitions used by Windows Defender and Windows Live OneCare.

Forefront Client Security incorporates Windows Defender's real-time protection agents to watch for suspicious activities, such as whether new programs are configured to autostart, and to monitor changes to the Microsoft Internet Explorer configuration. You can also configure Forefront Client Security to participate in the Microsoft SpyNet program, which leverages a community of members to quickly spread the word about new threats.

The success of any antivirus or antispyware application depends on robust, up-to-date, and effective definition files. Forefront Client Security agents use an updated WSUS configuration that checks Microsoft Update hourly for new definitions. Many of the technologies used by Forefront Client Security are also used by Windows Live OneCare, which has been certified by ICSA Labs for antivirus and personal firewall use. Microsoft is seeking similar certification for Forefront Client Security. (For an insider's view of Forefront Client Security, download Karen Forster's interview of Microsoft Senior Product Manager Josue Fontanez at

Most of the technologies behind Forefront Client Security are proven enterprise solutions, and if you already have Microsoft server product expertise in-house, your IT staff will find Forefront Client Security familiar. However, if you're new to these enterprise technologies, you might find installation, deployment, configuration, and administration daunting on both the server and clients.

Architecture and Installation
Forefront Client Security follows the client/ server application model common to most antivirus and antispyware products. Every managed client needs the Forefront Client Security agent installed. The Forefront Client Security agent isn't the same as the Windows Defender agent included in Vista—you'll actually need to disable the Vista Windows Defender antispyware agent before installing the Forefront Client Security client. The Forefront Client Security agent communicates with the product's server components, which play four roles: management server, collection server, reporting server, and distribution server. Depending on your hardware and the size of your company, you might be able to run all four roles on one system, or you can spread them across computers to scale the deployment. The server components run on Windows Server 2003 Release 2 (R2) or Windows 2003 Service Pack 1 (SP1) with all security updates installed.

The installation of Forefront Client Security might seem massive and complex, especially when compared with other antivirus and antispyware programs. Besides requiring WSUS to deploy antivirus and antispyware definitions as well as new security updates, Forefront Client Security uses the Microsoft anti-malware engine to detect and remove the most common or harmful viruses and worms and leverages MOM for client alert and event management. If your enterprise already has MOM, deploying Forefront Client Security will install a parallel MOM server for Forefront Client Security alone. Forefront Client Security stores all its data in a SQL Server 2005 database and uses SQL Server 2005 Reporting Services (SSRS) to generate reports. Forefront Client Security includes MOM, but you must download and install the other components individually. Note that I tested the public beta of Forefront Client Security, which might differ from the RTM version.

Prerequisite software. Before you install the server components, you need to make sure you've installed the prerequisite software:

  • Microsoft IIS, ASP.NET, and Microsoft FrontPage Server Extensions
  • SQL Server 2005 Enterprise Edition SP1
  • Group Policy Management Console SP1
  • Microsoft .NET Framework 2.0
  • Microsoft Management Console 3.0
  • WSUS 2.0 SP1

(For step-by-step instructions for installing these products and troubleshooting problems, see As part of the prerequisite work, you'll also set up a Windows Update GPO in your test environment to point test clients to the WSUS server.

Installing the server software. After you install the prerequisite software, download Forefront Client Security at the Microsoft Web site and run the installer. A wizard does a pretty good job stepping you through the configuration and setup, but you'll want to pay close attention to the dialog boxes and instructions, especially if you're installing the product components across multiple servers. The wizard will prompt you for information required for a basic MOM installation, such as the server name, MOM group name, and database and account information. Make a note of all this information, as you'll be asked for it again later. You'll also configure the reporting server and reporting database. For a single-server installation, the wizard guides you through the configuration of the various Microsoft technologies used to build Forefront Client Security.

You'll notice two new programs: Forefront Client Security, which is the actual client installed on the Forefront Client Security server, and Forefront Client Security Console, which is your primary interface for managing the application. Launching the Console for the first time invokes a wizard that takes you through the rest of the configuration.

When configuration is complete, you'll see the Forefront Client Security management console, which Figure 1 shows. The console shows the status of the computers in your environment. On the Dashboard tab, you can immediately assess your security state, including seeing how many computers you're currently managing and their status, such as whether they have malware or vulnerabilities, whether their policies are out of date, and whether any alerts have been generated. You can access rich reports from the right side of the console, including summaries of alerts, malware, and security state.

Creating a policy. After you install the server components, you need to create a policy to define how to protect clients and to schedule scans and definition updates. It's best to create this policy before you deploy the agent software, so the agents will use your policy right away and not the default policy, which might schedule scans at a frequency and coverage level that doesn't suit the needs of your business.

You can create separate policies for servers and workstations, each with its own scan schedule and configuration. From the management console, click the Policy Management tab and select New. Enter a name for the policy and click the Protection tab, which Figure 2 shows. Here you define how Forefront Client Security should protect clients. I really like how Microsoft implemented the scheduling options. For example, you can schedule a full malware scan to occur every week and schedule quick scans, which check the registry and common locations where malware is often installed, to occur every few hours. You can also schedule a security state assessment scan, which differs from a malware scan in that it checks for missing updates and common security misconfigurations.

Options on the Advanced tab let you configure how to handle quarantined files and exclude certain files or folders from scans. You can also tweak your users' privileges on the client. For example, you can allow users to enable or disable virus or malware protection, and you can specify whether users can schedule their own scans. You can even let users respond to prompts, or you can choose to limit that privilege to administrators.

After you've created your policy, you must deploy it. Forefront Client Security lets you assign policies to organizational units (OUs) and security groups and configure a policy for implementation via a registry (.reg) file that runs directly on a client.

Installing the client software. The Forefront Client Security agent software can be installed on Windows 2003 R2, Windows 2003 SP1, Windows XP SP2, or Windows 2000 SP4 systems that have all security updates installed. All other antivirus and antispyware software must be uninstalled. You must also install Windows Update Agent 2.0 and Windows Installer 3.1 on XP and Win2K systems before you install the client. This requirement might complicate your deployment plans a bit.

To install the client software, copy the contents of the Client directory from the Forefront Client Security CD-ROM to the client computer. The setup program will install the MOM client installation program and the Forefront Client Security agent. Run ClientSetup.exe, using the /MS parameter to specify the name of the MOM management server and the /CG parameter to specify the name of the MOM configuration group. If you wanted to install the Forefront Client Security server components on a single server named, for example, you would run the following ClientSetup command:

  /CG ForefrontClientSecurity

Next, you must approve the client installation in the MOM console. (Alternatively, you can wait an hour, which is the default time for all pending installations to be automatically approved.) On the server where you installed the MOM console, click Start, All Programs, and launch the MOM 2005 Administrator Console. In the console's left pane, navigate to Administration, Computers, Pending Actions. In the right pane, right-click the name of the client computer and approve the manual installation. You can create your own logon script or use Microsoft Systems Management Server (SMS) or a third-party software management program such as LANDesk Software's LANDesk Management Suite to deploy clients, but you must create your own deployment package.

Make sure your clients are configured to pull their updates from the Forefront Client Security WSUS server so they'll receive the Forefront Client Security malware definitions. In addition to conducting on-demand and scheduled scans for malicious software, the Forefront Client Security client agent assesses the security configuration of the host computer. Configuration checks that the client agent can do include ensuring that Automatic Updates is enabled; checking whether anonymous connections are restricted or whether autologon is enabled; enumerating administrators groups; examining password expiration parameters; checking that NTFS is used; confirming that the guest account is disabled; identifying whether any "unnecessary services" are installed, such as WWW, FTP, SMTP or Telnet; and validating that security updates are applied. The client reports alerts to the Forefront Client Security server, where you can view the status of all your systems from a single console.

Navigating the Client
After you install the agent, log on to the client; navigate to All Programs, Microsoft Forefront; and run Forefront Client Security. Use the buttons at the top of the client interface to start a quick scan or a full scan, or to start a custom scan, which lets you select specific drives or folders to scan. The History button lets you review past actions, such as which suspicious items you've allowed to run and which have been quarantined. The Tools menu lets you review the quarantined-items list and set program options such as when to automatically scan a computer and how to handle alerts.

Alerts. Microsoft shows alerts in the system notification area and classifies them as high, medium, or low, depending on their severity. For example, if definitions are out of date, an orange icon appears in the notification area, signifying a medium risk.

If you've used other antivirus and antispyware programs, you'll find Forefront Client Security intuitive and easy to navigate. When suspicious activity is detected, Forefront Client Security notifies the local client and alerts the central console. The client provides good information to assist in troubleshooting, such as providing a direct link to the Malicious Software Encyclopedia for more information about the detected activity, making it easy to triage threats.

Armed with this information, you can configure a policy that automatically invokes a response, or you can specify an action such as removing or quarantining the file. You can also track an alert through MOM, which provides an operations view of the incident, including the current state, the time in the state, and real-time information about the threat received by the client. This information helps your IT staff determine a response.

Reports. Forefront Client Security reports are handled by SSRS and can be accessed from Forefront Client Security's management console. Forefront Client Security dynamically generates the reports and provides extensive drill-down capabilities. However, these capabilities put a performance load on SQL Server, so you'll want sufficient horsepower to generate your reports. No reusing old hardware here: Depending on your environment, I recommend a minimum of a dual-core processor that's faster than 2GHz, 4GB RAM, and at least 100GB of available hard-disk space.

A Hybrid with Potential
Forefront Client Security is the culmination of four years of work on loosely correlated Microsoft security products, and I'm glad Microsoft has released it. Still, there's room for improvement. I characterize the current release as a centrally managed, corporate-focused, Microsoft Baseline Security Scanner/Windows Defender hybrid, powered on the back end by some of Microsoft's most sophisticated software. Unfortunately, that hybrid nature makes Forefront Client Security more difficult to install than it needs to be, and the product's complexity can frustrate users, especially when something goes wrong.

For Forefront Client Security to meet its potential, administrators will need to view it as more than just an antivirus scanner. The product offers so much more, and when used in an all-Microsoft environment, it will really shine. Imagine using GPOs to define malware policies, and a shared infrastructure that deploys both security updates and malware definitions. Picture yourself viewing antivirus alerts on a network operations center console that also reports other critical infrastructure information, from outages on domain controllers to problems with Microsoft Exchange. Forefront Client Security has the potential to deliver much, but its ambitious use of many different and often complicated enterprise technologies might not appeal to small-to-midsized businesses or larger companies that prefer a simpler approach.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.