Enterprise PC patching, security configuration and antivirus in one pass
Session SIA302
Speakers: Perl Tsai (Microsoft contracted instructor) and James Lin (Senior Technical Manager, Systex)
New challenges for IT and approaches to protection:
• Advanced persistent threats
• Cloud computing
• Regulatory compliance
• Consumerization of IT
Layers of a desktop:
• Hardware
• Operating system
• Data and settings
• Applications
Looking at the desktop stack:
• How do we secure documents and data?
• How do we make sure users follow the relevant security rules?
• How do we quickly deploy new application versions and obtain asset reports?
• How do we prevent security risks caused by malware?
• Is the system updated promptly, and does it meet the company's endpoint security policy?
• Is antivirus installed and updated?
• How do we perform hardware encryption?
• How do we prevent data leakage from stolen USB drives?
Operating system:
• Is it updated promptly, and does it meet the company's endpoint security policy?
• Is antivirus installed, and are virus definitions updated on schedule?
Nefarious Personas (chart)
Motivation axis: overall benefit, personal benefit, personal fame and profit, curiosity
Skill axis: newcomer, amateur, expert, advanced
Personas: user, thief, spy, intruder (a novice hacker wielding expert tools in an unskilled attack), rapid-growth stage, creator
Unified Infrastructure: reduce the cost of maintaining secure endpoints with unified management and security infrastructure
Simplified Administration: single administrator experience for simplified endpoint protection and management
Enhanced Protection: protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
System Center 2012 Endpoint Protection: management + security in Configuration Manager 2012
• Exchange Connector
• Settings Management
• Software Updates + SCUP
• Endpoint Protection
• SWD / OSD (software distribution / operating system deployment)
Unified Infrastructure
Reduce the cost of maintaining secure endpoints with unified management and security infrastructure
System Center 2012 Endpoint Protection:
• Easy to set up and operate the management infrastructure
• Easy client install and migration
• Automated deployment of updates using the ConfigMgr infrastructure
• Simplified deployment of antimalware policies
Infrastructure Changes from FEP 2010 (diagram)
Configuration Manager 2007 + Forefront Endpoint Protection 2010: the Configuration Manager site server hosts the CM DB plus a separate FEP Service, FEP DW and FEP DB; FEP deployment, FEP operations and FEP policy are console extensions; the EP client reaches the CM client through the management point and distribution point; reports use an Excel template.
Configuration Manager 2012 + Endpoint Protection 2012: EP is a site role on the site server (CM DB only); EP deployment, EP operations and EP policy are built into the console; a pre-packaged EP client reaches the CM client through the management point and distribution point; definition catalogs.
Simplified Deployment of AM Policies
• Centralized management for antimalware (AM) and firewall policy
• AM and FW policy delivered as ConfigMgr policy, with no package/program dependency
• Out-of-box templates
• Import, export, merge
• Prioritization of policies by collection
• Simplified UI for customizing policy
Signature Update Distribution
• Easier distribution process: automatic deployment rules within ConfigMgr software updates
• Minimizes WAN impact: uses distribution points and reduced definition size
• Ensures always up-to-date security regardless of the client location: multiple update sources (ConfigMgr, WSUS, Microsoft Update, Windows file share)
Diagram: on the corporate network, updates are distributed through ConfigMgr, WSUS or a Windows file share; on the road, clients fall back to online update from Microsoft Update. Delta update size: 50-2048 KB; update frequency: 3 times per day.
Client Installation Flow (diagram stages)
• EP agent installer deployed with the ConfigMgr client
• EP enabled in the console; EP installation starts on the device
• Silent removal of third-party products
• EP client install
• Configure policy
• Signature update
Simplified Client Setup
• Ease of client setup and deployment: no separate deployment needed for the Endpoint Protection client; the Endpoint Protection agent installer is deployed with Configuration Manager client setup; Endpoint Protection client and definitions easily integrated with OSD
• Flexible administrative control: the administrator can force or suppress any required reboots; configurable option for automatic removal of the existing AV client
• Easy migration from existing solutions and automatic removal of existing clients: Symantec, McAfee, TrendMicro, Forefront Client Security or Forefront Endpoint Protection
System Center 2012 Endpoint Protection
• Single interface for client management and security
• Improved alerting (client to admin within 5 minutes) and reporting, with real-time and user-centric data views
Simplified Administration
Single administrator experience for simplified endpoint protection and management
Single Interface for Management and Security
• Single interface for client management and security: dashboard integrated with the ConfigMgr console; simplified cross-feature integration
• Quick identification and remediation of client security issues: dashboard focused on actionable events
• Flexibility to separate the security admin role: role-based administration; access to only relevant security information
Monitoring Client Security
• Quick alerts and event notification in the console: uses a high-speed data channel to notify events in real time
• The high-speed data channel prioritizes EP messages in the state system, and the client does not "wait" to send messages up
• Integrated monitoring for client health and antimalware status
• Email subscription for alerts
Rich Reporting and Analysis
• Rich reporting on client security: SQL Reporting Services-based reports on many categories
• User-centric reports enable identification of commonly impacted users
• Customizable reports simplified through database integration
Management and Real-time Monitoring: what's new in System Center 2012 Endpoint Protection SP1
• Automatically deploy definition updates 3 times per day
• Category-based scan from client to WSUS; delta syncs between SUP and WSUS
• Real-time administrative actions: run definition updates, run quick scan, run full scan, allow threats, exclude paths and/or files, restore files quarantined by threat
• Client-side merge of antimalware policies
Real-time Administrative Actions in Endpoint Protection SP1 (what's new in SP1)
"Dial tone": the client keeps an active TCP session with the management point (MP) and checks for urgent tasks over it.
1. In the administrative console, the administrator selects "Run Full Scan" on a collection.
2. Site server and MP: a task ("Run Full Scan") is created, and the MP is told that a new urgent task has been requested.
3. "Call is placed": over the existing TCP connection the client is told there are urgent tasks to run.
4. The client connects to the MP to get policy and runs the Full Scan task.
All this happens within seconds.
System Center 2012 Endpoint Protection
• Comprehensive protection stack building on Windows security
• Proactive protection against known and unknown threats
• Reduced complexity while protecting clients
Enhanced Protection
Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
Comprehensive Protection Stack Building on Windows Platform Security (diagram)
Layers inspected: application, file system, network
• Proactive techniques (against unknown threats): behavior monitoring; vulnerability shielding (Network Inspection System)
• Reactive techniques (against known threats), fed by dynamic cloud updates from the Microsoft Malware Protection Center Dynamic Signature Service
• Windows Firewall centralized management
System Center Endpoint Protection on Windows 7 builds on the platform's security features:
• Data Execution Prevention
• Address Space Layout Randomization
• Windows Resource Protection
• User Account Control
• Antimalware dynamic translation and emulation
• Internet Explorer 8 SmartScreen
• Microsoft BitLocker
• Microsoft AppLocker
Dynamic Translation with Heuristics
• Industry-leading proactive detection: emulation-based detection helps provide better protection
• Safe translation in a virtual environment for analysis
• Enables faster scanning and response to threats: heuristics enable one signature to detect thousands of variants
Diagram: a potential malware execution attempt on the system is intercepted by the real-time protection driver, safely translated using dynamic translation (DT) against virtualized resources, and once malware is detected the malicious file is blocked.
Behavior Monitoring and Dynamic Signatures
• Live system monitoring identifies new threats: tracks the behavior of unknown processes and known bad processes; multiple sensors detect OS anomalies
• Updates for new threats delivered through the cloud in real time: real-time signature delivery with Microsoft Active Protection Service; immediate protection against new threats without waiting for scheduled updates
Diagram (Microsoft Active Protection Service: researchers, reputation, real-time signature delivery, behavior classifiers): 1. the client reports properties/behavior; 2. the service returns a real-time signature; 3. the service requests a sample; 4. the client submits the sample.
Protect Clients with Reduced Complexity
• Simple interface: minimal, high-level user interactions
• Administrative control: user configurability options; central policy enforcement
• Maintains high productivity: CPU throttling during scans; faster scans through advanced caching
• Best Usability 2011 (AV-Test)
Heterogeneous Antimalware Clients (what's new in SP1): Mac OS X, Linux
Summary: Key Scenarios
Key scenario | Forefront Endpoint Protection 2010 | System Center 2012 Endpoint Protection
Unified infrastructure | System Center Configuration Manager 2007 | System Center 2012 Configuration Manager
Server setup | Separate install | Unified setup
Client deployment | ConfigMgr distribution process | Integrated
Signature updates | Multiple sources (WSUS, file share, Microsoft Update) | Multiple sources with automatic deployment rules from the ConfigMgr console
Proactive protection | |
Firewall management | |
Role-based administration | | New
Alerts and monitoring | | Real-time alerts
Reports | | Additional user-centric reports
Unify, Protect, Simplify
Network Access Protection
A mobile computer, or a computer that does not meet the organization's security policy level, may infect other healthy computers when it is connected to the corporate network.
Architecture overview (diagram): policy definition, monitoring and auditing; internal user 1, internal user 2; network access protection; secure access control.
NAP – How it Works
1. The endpoint requests access to internal resources.
2. It sends its security level and health state to the health validation server.
3. The health validation server validates the endpoint against the security policy level.
4. If compliant, access to internal resources is allowed.
5. If not compliant, the endpoint is moved to the remediation zone and remediation begins.
Diagram components: Microsoft NPS; corporate network; policy servers (e.g. patch, AV); DHCP, VPN; switch/router; restricted network; remediation servers (e.g. patch); not policy compliant / policy compliant.
Scenario walk-through:
• Network address while healthy, and communication with the internal network while healthy
• The user attempts to violate the security settings, is directed to the restricted segment, and cannot reach internal network resources
• NAP starts updating the user's security state and brings the user's security health up to date
• Policy violations are monitored and audited, and the monitored behaviour is also shown on the dashboard
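The admission decision in the five NAP steps above, written out as an added example that is not part of the presentation: a client sends a statement of health, the policy server evaluates it against the configured health policy and fails closed on any violation, and a non-compliant endpoint goes to the restricted network, is remediated, and is re-evaluated, with every decision appended to an audit log. The health checks (missing updates, antivirus signature age, firewall state), their thresholds, and the host names and dates are constructed for the example.

```python
"""NAP-style admission flow (added example, not the presentation's code).

Checks, thresholds, host names and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List

FULL_ACCESS = "corporate"   # allowed onto the internal network
RESTRICTED = "restricted"   # remediation zone with patch / AV servers only


@dataclass
class StatementOfHealth:
    host: str
    missing_security_updates: int
    av_installed: bool
    av_signature_date: date
    firewall_enabled: bool


@dataclass
class HealthPolicy:
    max_missing_updates: int = 0        # constructed threshold
    max_signature_age_days: int = 3     # constructed threshold
    require_firewall: bool = True


@dataclass
class Decision:
    network: str
    violations: List[str] = field(default_factory=list)


def validate(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> Decision:
    """Policy server step: full access only when every check passes (fail closed)."""
    violations = []
    if soh.missing_security_updates > policy.max_missing_updates:
        violations.append(f"missing_updates={soh.missing_security_updates}")
    if not soh.av_installed:
        violations.append("antivirus_not_installed")
    elif (today - soh.av_signature_date).days > policy.max_signature_age_days:
        violations.append("antivirus_signatures_stale")
    if policy.require_firewall and not soh.firewall_enabled:
        violations.append("firewall_disabled")
    return Decision(FULL_ACCESS if not violations else RESTRICTED, violations)


def remediate(soh: StatementOfHealth, today: date) -> StatementOfHealth:
    """Remediation servers (patch, AV) bring the endpoint back into compliance."""
    return StatementOfHealth(soh.host, 0, True, today, True)


def admit(soh: StatementOfHealth, policy: HealthPolicy, today: date, audit: list) -> Decision:
    """Full admission flow: validate, and if restricted, remediate and validate again.

    Each decision is appended to `audit` so violations can be monitored,
    audited and shown on a dashboard, as the slides require.
    """
    decision = validate(soh, policy, today)
    audit.append((soh.host, decision.network, tuple(decision.violations)))
    if decision.network == FULL_ACCESS:
        return decision
    fixed = remediate(soh, today)
    decision = validate(fixed, policy, today)
    audit.append((soh.host, decision.network, tuple(decision.violations)))
    return decision


# Constructed sample data for a quick run.
TODAY = date(2012, 10, 10)
POLICY = HealthPolicy()
COMPLIANT = StatementOfHealth("PC-01", 0, True, date(2012, 10, 9), True)
NONCOMPLIANT = StatementOfHealth("PC-02", 3, True, date(2012, 9, 1), False)

if __name__ == "__main__":
    log = []
    for soh in (COMPLIANT, NONCOMPLIANT):
        print(soh.host, "->", admit(soh, POLICY, TODAY, log).network)
    for entry in log:
        print("audit:", entry)
```

The audit list is what the "monitoring and auditing" box in the architecture diagram would consume; a real NPS deployment logs the same decision to its accounting store.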
Plan and Configure: Setup (diagram)
Components: primary site (administrator console, hierarchy), management point, SUP (WSUS), distribution point, Microsoft Update, client.
1. Add the SUP role and select products and classifications.
2. The SUP role is installed and WSUS is configured through the Admin SDK.
3. The catalog of the selected products and classifications is synchronized from Microsoft Update.
4. Catalog metadata is synchronized into the ConfigMgr database.
5. Third-party updates are added through the SCUP tool.
Plan and Configure: 3rd Party Updates (diagram)
Catalogs are downloaded from the web into the admin Updates Publisher console, where updates are created and published to the WSUS server; the ConfigMgr server / SUP syncs and imports the updates; ConfigMgr clients scan for the updates and have them deployed.
Updates Publisher users can either download already existing catalogs or create their own. Once approved, updates can be published into WSUS, from where they are synchronized into the Configuration Manager environment. The updates are then in Configuration Manager and can be scanned for and deployed to client machines with the same process as Microsoft updates.
Plan and Configure: Administration
Collections: build collections through dynamic queries, e.g. "All Windows 7 Desktops in North America".
Role-based access: create SUM administrators and assign them to the collections for which they need to manage updates. Note: for multiple SUM admins you can also use scopes to further secure console objects.
Create templates: the SUM admin goes through the distribute software updates wizard and saves his default settings for deployments. A template covers collection, deployment schedule, user experience, alerts and download settings.
Plan and Configure: End-user Impact
Maintenance windows: apply maintenance windows to collections to manage when updates can occur. Example for "All Windows 7 Desktops": "Software updates and reboots can only occur from 8:00 – 10:00 PM on the 2nd Tuesday of every month".
Non-business hours: Melissa sets her own business hours in Software Center. On Melissa's computer, software can be installed from 6:00 PM to 7:00 AM, and Software Center activities are suspended when in presentation mode.
Software Center: Melissa gets notifications that software updates are required, with the options Postpone, Install now, Install after business hours, and View updates.
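The three gates above (collection maintenance window, the user's own business hours, presentation mode) combined into one "may updates install now?" decision, as an added example that is not part of the presentation and is not Software Center's own logic. It uses the slide's values: 8:00 to 10:00 PM on the second Tuesday of each month for the collection, and 6:00 PM to 7:00 AM as the user's installation span; the 15-minute postpone granularity and the dates are constructed.

```python
"""When may Software Center install updates and reboot? (added example)

Models the collection maintenance window, the user's business hours and
the presentation-mode suspension described in the slides. Times are
given as ISO strings ("2012-10-09 20:30"); dates used are constructed.
"""
import calendar
from datetime import datetime, time, timedelta


def second_tuesday(year: int, month: int) -> int:
    """Day of month of the second Tuesday (calendar: Monday == 0, Tuesday == 1)."""
    first_weekday, _ = calendar.monthrange(year, month)
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return first_tuesday + 7


def in_maintenance_window(when: datetime) -> bool:
    """Collection window from the slide: 8:00 - 10:00 PM on the 2nd Tuesday."""
    if when.day != second_tuesday(when.year, when.month):
        return False
    return time(20, 0) <= when.time() < time(22, 0)


def outside_business_hours(when: datetime,
                           install_start: time = time(18, 0),
                           install_end: time = time(7, 0)) -> bool:
    """User's allowed installation span (6:00 PM to 7:00 AM), which crosses midnight."""
    t = when.time()
    if install_start <= install_end:          # same-day span
        return install_start <= t < install_end
    return t >= install_start or t < install_end   # overnight span


def may_install_updates(when_iso: str, presentation_mode: bool = False) -> bool:
    """All three gates must pass before Software Center installs updates."""
    if presentation_mode:
        return False
    when = datetime.fromisoformat(when_iso)
    return in_maintenance_window(when) and outside_business_hours(when)


def next_allowed_slot(start_iso: str, presentation_mode: bool = False):
    """What "Postpone" resolves to: the next 15-minute slot where installation is allowed.

    Searches about 40 days ahead, enough to reach the next month's window;
    returns None if nothing is found (e.g. presentation mode never ends).
    """
    when = datetime.fromisoformat(start_iso)
    for _ in range(40 * 24 * 4):
        if may_install_updates(when.isoformat(sep=" "), presentation_mode):
            return when.isoformat(sep=" ", timespec="minutes")
        when += timedelta(minutes=15)
    return None


if __name__ == "__main__":
    for sample in ("2012-10-09 20:30", "2012-10-09 17:30", "2012-10-10 20:30"):
        print(sample, "->", may_install_updates(sample))
    print("postponed from 2012-10-09 22:00 ->", next_allowed_slot("2012-10-09 22:00"))
```

Note that the maintenance window is the stricter gate: it already lies inside the user's overnight span, so widening the user's business hours never lets an install escape the collection window, which is the behaviour an admin wants from a collection-level control.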
Plan and Configure: Infrastructure Impact
Using distribution points: deploy distribution points to branch locations; clients get their content from those distribution points.
Internet-based users: configure internet-facing SUPs and MPs; client updates are managed on internet-roaming clients, and they get their content from Windows Update / Microsoft Update.
Using BranchCache: configure BranchCache on your clients and the appropriate ConfigMgr servers; Windows 7 clients get their software updates from peers, so they don't have to go over the network, nor do you have to put a distribution point at that location.
Agenda: Plan and Configure (software updates: planning and setup; targeting and delegation; maximizing productivity); Assessing Compliance (software updates: scanning for compliance; measuring compliance)
Building Your Compliance Management Solution with Configuration Manager 2012
Scanning and Measuring (diagram)
Components: primary site (administrator console, hierarchy), management point, SUP (WSUS), distribution point, Microsoft Update, client.
1. The client gets the SUM policy and is assigned a SUP/WSUS server.
2. The Windows Update Agent scans against the WSUS catalog.
3. Scan results are written to WMI on the client.
4. Compliance state messages are sent to the MP and the database.
5. The admin sees compliance for all updates in the console and in reports.
Agenda
• Plan and Configure: software updates (planning and setup; targeting and delegation; maximizing productivity)
• Assessing Compliance: software updates (scanning for compliance; measuring compliance)
• Remediating Non-compliance: software updates (deploying monthly updates; monitoring ongoing compliance)
Building Your Compliance Management Solution with Configuration Manager 2012
Remediating Non-Compliance (diagram)
Components: primary site (administrator console, hierarchy), management point, SUP (WSUS), distribution point, Microsoft Update, client.
1. An ADR or the admin deploys the applicable updates.
2. Binaries are downloaded from Microsoft Update.
3. Updates are placed in a deployment package and sent to the distribution point.
4. The client gets the deployment policy.
5. The client gets the update binaries from the distribution point and caches them locally.
6. Updates are installed on a schedule or by the end user.
7. Enforcement state messages are sent to the MP and the database.
8. The admin views deployment status in-console or from reports.
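The data flow of the "Scanning and Measuring" and "Remediating Non-Compliance" diagrams above, on constructed data, as an added example that is not part of the presentation and not Configuration Manager's own code: per-client scan results become per-update compliance states (the state messages of step 4), those roll up into the percent-compliant figure an admin reads in a report (step 5), and an automatic deployment rule selects the updates that still need deploying (step 1 of remediation) and the clients that will receive the policy (step 4). The catalog entries, client names, scan results and ADR criteria (product, classification, release date, not superseded) are all made up for the example.

```python
"""Compliance states, report roll-up and ADR selection (added example).

CATALOG, SCAN_RESULTS and the rule criteria below are constructed; the
three compliance states mirror the ones shown in ConfigMgr reports.
"""
from collections import defaultdict
from datetime import date

# Constructed catalog metadata, as synced from WSUS into the ConfigMgr database.
CATALOG = {
    "KB-A": {"product": "Windows 7", "classification": "Security Updates", "released": "2012-10-09", "superseded": False},
    "KB-B": {"product": "Windows 7", "classification": "Critical Updates", "released": "2012-10-09", "superseded": False},
    "KB-C": {"product": "Office 2010", "classification": "Security Updates", "released": "2012-09-11", "superseded": False},
    "KB-D": {"product": "Windows 7", "classification": "Security Updates", "released": "2012-08-14", "superseded": True},
}

# Constructed scan results, as the Windows Update Agent would write them to WMI:
# update id -> True if installed, False if missing; absent if not applicable.
SCAN_RESULTS = {
    "WS01": {"KB-A": False, "KB-B": True, "KB-D": False},
    "WS02": {"KB-A": True, "KB-B": True, "KB-C": False},
    "WS03": {"KB-A": False, "KB-B": False},
}


def compliance_state(scan: dict, update_id: str) -> str:
    """One client's state for one update."""
    if update_id not in scan:
        return "Not Required"
    return "Installed" if scan[update_id] else "Required"


def state_messages(scan_results: dict) -> list:
    """Step 4: one (client, update, state) compliance state message per pair."""
    return [(client, uid, compliance_state(scan, uid))
            for client, scan in sorted(scan_results.items())
            for uid in sorted(CATALOG)]


def compliance_report(scan_results: dict) -> dict:
    """Step 5: percent compliant per update among the clients where it applies."""
    counts = defaultdict(lambda: {"Installed": 0, "Required": 0})
    for _, uid, state in state_messages(scan_results):
        if state != "Not Required":
            counts[uid][state] += 1
    return {uid: round(100 * c["Installed"] / (c["Installed"] + c["Required"]), 1)
            for uid, c in counts.items()}


def adr_select(scan_results: dict, products: set, classifications: set,
               released_since: str, min_required: int = 1) -> list:
    """Remediation step 1: updates matching the rule that some client still requires.

    The 'not superseded' criterion is a constructed part of the rule.
    """
    since = date.fromisoformat(released_since)
    needed = defaultdict(int)
    for _, uid, state in state_messages(scan_results):
        if state == "Required":
            needed[uid] += 1
    return sorted(uid for uid, meta in CATALOG.items()
                  if meta["product"] in products
                  and meta["classification"] in classifications
                  and date.fromisoformat(meta["released"]) >= since
                  and not meta["superseded"]
                  and needed[uid] >= min_required)


def deployment_targets(scan_results: dict, update_ids: list) -> dict:
    """Remediation step 4: the clients that must act on each deployed update."""
    return {uid: sorted(c for c, scan in scan_results.items()
                        if compliance_state(scan, uid) == "Required")
            for uid in update_ids}


if __name__ == "__main__":
    print("report:", compliance_report(SCAN_RESULTS))
    chosen = adr_select(SCAN_RESULTS, {"Windows 7"}, {"Security Updates"}, "2012-10-01")
    print("ADR selects:", chosen)
    print("targets:", deployment_targets(SCAN_RESULTS, chosen))
```

Running the monthly cycle means re-running the scan, regenerating the report and letting the rule pick up the new month's updates; the superseded KB-D is never deployed even though WS01 still reports it missing, which is the usual reason a report and an ADR disagree.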
Mobile Device Management
In-depth management:
• Secure over-the-air management
• Monitor and remediate non-compliant devices
• Deploy and remove applications
• Asset inventory
• Remote wipe (WinCE 5.0, 6.0; Windows Mobile 6.0, 6.1, 6.5.x)
General management (for devices such as Nokia phones):
• EAS policy enforcement
• Discovery and inventory
• Settings policy
• Remote wipe
General Management - Exchange
Provides basic management for all Exchange ActiveSync (EAS) connected devices. Supported functions: discovery / inventory, settings policy, remote wipe. Supports Exchange 2010 and Office 365.
General management flow for EAS devices (diagram): the primary site is configured with the Exchange connector, which checks access to Exchange (Exchange Client Access Server, Exchange mailbox server, Active Directory); it discovers mobile devices and collects device info, gets the device settings, and applies the settings policy; devices pick up the settings with their mail requests; a remote wipe of a mobile phone is issued the same way.
How to migrate from SCCM 2007 to SCCM 2012
What migrates: inventory and compliance data, deployment objects, clients, server infrastructure.
Migration Functionality within Configuration Manager 2012
Configuration Manager 2012 migration targets (objects that can be migrated): collections, boundaries, packages, OSD, Asset Intelligence (AI), software metering.
• Object migration: migration of collections, software distribution packages, boundaries, metering rules etc.
• Distribution point sharing: allows a ConfigMgr 2012 client to acquire migrated content from a ConfigMgr 2007 distribution point
• Content pre-staging: similar to the PkgPreLoadOnSite tool but more robust
• Distribution point upgrade: in-place upgrade of a ConfigMgr 2007 distribution point to a ConfigMgr 2012 distribution point; migrated content converts, which reduces the need to redistribute content
• Import of ConfigMgr 2007 inventory MOF files
• Clients retain advertisement execution history
How does this all work? The migration features assist with migration of objects, assist with migration of clients, minimize WAN impact, assist with flattening of the hierarchy, and maximize re-usability of x64 server hardware.
Source hierarchy: planning and points to note
• Specify the top-level site as the first site
• Two accounts are needed: the source site access account and the source site database account
• Ports that must be open: NetBIOS/SMB 445 (TCP), RPC (WMI) 135 (TCP), SQL Server 1433 (TCP)
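A pre-flight check for the three ports the slide lists, run from the ConfigMgr 2012 site against the ConfigMgr 2007 source site before migration is configured, as an added example that is not part of the presentation. The port list comes from the slide; the source site host name is a placeholder, and the local-listener helper exists only so the check can be exercised without a real source site.

```python
"""Probe the TCP ports required to the ConfigMgr 2007 source site (added example).

Port numbers are the ones named on the slide; the host name is a placeholder.
"""
import socket

# From the slide: NetBIOS/SMB, RPC for WMI, and SQL Server.
SOURCE_SITE_PORTS = {
    445: "NetBIOS / SMB",
    135: "RPC endpoint mapper (WMI)",
    1433: "SQL Server",
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_source_site(host: str, ports: dict = SOURCE_SITE_PORTS, timeout: float = 2.0) -> dict:
    """Probe every required port; maps port -> (description, reachable)."""
    return {port: (desc, probe_port(host, port, timeout)) for port, desc in ports.items()}


def migration_ready(results: dict) -> bool:
    """Only create migration jobs once every required port answers."""
    return all(ok for _, ok in results.values())


def open_local_listener():
    """Test helper (constructed): a listening socket on an ephemeral localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    host = "SOURCE-SITE-SERVER"  # placeholder: the ConfigMgr 2007 top-level site server
    results = check_source_site(host)
    for port, (desc, ok) in sorted(results.items()):
        print(f"{port:>5}  {desc:<28} {'open' if ok else 'BLOCKED'}")
    print("ready" if migration_ready(results)
          else "fix firewall rules before creating migration jobs")
```

A refused or timed-out port on 135 usually shows up later as a WMI error when the source site is added in the console, and a blocked 1433 as a failure of the source site database account, so probing first saves a round of troubleshooting.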
Migration Process to Configuration Manager 2012
Plan
• Assess the current environment
• Test / proof-of-concept design
• Requires ConfigMgr 2007 SP2
• ConfigMgr 2012 hardware requirements: Windows Server 2008 x64*, SQL Server 2008 x64
Deploy
• Set up the initial ConfigMgr 2012 site(s)
• Configure the software update point and synchronize updates
• Set up server roles
• Make sure the hierarchy is operating and software deployment works
Migrate
• Configure migration
• Enable distribution point sharing
• Create migration jobs
• Migrate objects
• Migrate clients
• Upgrade distribution points
• Uninstall ConfigMgr 2007 sites
• Rinse & repeat
Building Your Compliance Management Solution with Configuration Manager 2012 (summary matrix)
Plan and Configure
• Software updates: planning and setup; targeting and delegation; maximizing productivity
• Settings management: define standards; create baselines and CIs
• Endpoint Protection: enable the product; define standards for protection (AM policy, definitions, alerts)
Assessing Compliance
• Software updates: scanning for compliance; measuring compliance
• Settings management: deploy compliance baselines to collections of users or systems
• Endpoint Protection: enable and deploy the EP client; actively monitor for malware based on AM policy
Remediating Non-compliance
• Software updates: deploying monthly updates; monitoring ongoing compliance
• Settings management: monitor drift from desired state; remediate issues impacting setting of desired state
• Endpoint Protection: clients remediate malware and rapidly report state; admin intervenes where required
Please help complete the course survey and hand it to the staff when you leave the classroom!
Fill in the conference survey in the conference bag and exchange it for a survey gift on the third day of the event!
Thank you for your cooperation.