Enterprise PC Patch Updates, Security Settings and Antivirus All Handled at Once: Perl Tsai, James Lin...


Transcript of Enterprise PC Patch Updates, Security Settings and Antivirus All Handled at Once: Perl Tsai, James Lin...

Page 1:

Enterprise PC Patch Updates, Security Settings and Antivirus All Handled at Once

SIA302

Perl Tsai, James Lin
Microsoft Contract Instructor, Senior Technical Manager

Systex

Page 2:

Page 3:

New Challenges for IT

Approaches to protection

Advanced persistent threats

Cloud computing power

Regulatory compliance

Consumerization of IT

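Page 4:

Starting from the components of the desktop...

Hardware

Operating system

Data and settings

Applications

• How do we protect documents and data?
• How do we ensure users follow the relevant security rules?
• How do we quickly deploy new application versions and obtain asset reports?
• How do we prevent the security risks caused by malware?
• Is the system updated promptly, and does it comply with the endpoint security policy set by the company?
• Is antivirus software installed and updated?
• How do we implement hardware encryption?
• How do we prevent data leakage when a USB flash drive is stolen?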

Page 5:

Operating system
• Is it updated promptly, and does it comply with the endpoint security policy set by the company?
• Is antivirus software installed, and are virus definitions updated on schedule?

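Page 6:

Nefarious Personas

Diagram labels:
• Motives: overall benefit, personal gain, personal fame, curiosity
• Skill levels: novice, amateur, expert, advanced
• Personas: user, thief, spy, intruder, creator
• Entry-level hackers use expert tools to carry out not very skilled attacks
• Rapid growth stage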

Page 7:

System Center 2012 Endpoint Protection

Unified Infrastructure
Reduce the cost of maintaining secure endpoints with unified management and security infrastructure

Simplified Administration
Single administrator experience for simplified endpoint protection and management

Enhanced Protection
Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels

Page 8:

Mgmt + Security In Configuration Manager 2012

Exchange Connector

Settings Management

Software Updates + SCUP

Endpoint Protection

SWD

OSD

Page 9:

System Center 2012 Endpoint Protection

Unified Infrastructure
Reduce the cost of maintaining secure endpoints with unified management and security infrastructure

• Easy to set up and operate the management infrastructure
• Easy client install and migration
• Automated deployment of updates using ConfigMgr infrastructure
• Simplified deployment of antimalware policies

Page 10:

Infrastructure Changes from FEP 2010

Diagram comparing Configuration Manager 2007 with Forefront Endpoint Protection 2010 against Configuration Manager 2012 with Endpoint Protection 2012. Labels:
• Server: Configuration Manager site server, management point, distribution point, CMDB, FEP service, FEPDW, FEPDB, FEP extensions, reports, Excel template, EP site role, definition catalogs, EP client on ConfigMgr server
• Client: CM client, EP client, pre-packaged EP client
• FEP deployment, FEP operations, FEP policy
• EP deployment, EP operations, EP policy

Page 11:

Simplified Deployment of AM Policies

• Centralized management for AM and Firewall Policy
• AM and FW policy delivered as ConfigMgr policy – no package/program dependency
• Out of box templates
• Import, Export, Merge
• Prioritization of policies by collection
• Simplified UI for customizing policy

Page 12:

Signature Update Distribution

Easier distribution process
• Automatic deployment rules within ConfigMgr software updates

Minimizes WAN impact
• Uses distribution points and reduced definition size

Ensures always up-to-date security regardless of the client location
• Multiple update sources (ConfigMgr, WSUS, Microsoft Update, Windows File Share)

Diagram labels:
• Microsoft Update
• On the road: fallback to online update
• Corporate network: updates distributed through ConfigMgr, WSUS or Windows File Share

Delta update size: 50-2048 KB
Update frequency: 3 times/day

Page 13:

Simplified Client Setup

Ease of client setup and deployment
• No separate deployment needed for endpoint protection client
• Endpoint Protection agent installer deployed with Configuration Manager client setup
• Endpoint Protection client and definitions easily integrated with OSD

Flexible administrative control
• Administrator can force or suppress any required reboots
• Configurable option for automatic removal of existing AV client

Easy migration from existing solutions and automatic removal of existing clients
• Symantec
• McAfee
• TrendMicro
• Forefront Client Security or Forefront Endpoint Protection

Client Installation Flow (diagram labels):
• Signature update
• Configure policy
• EP client install
• Silent removal of third-party products
• EP enabled in the console - EP installation starts on the device
• EP agent installer deployed with ConfigMgr Client

Page 14:

System Center 2012 Endpoint Protection

Simplified Administration
Single administrator experience for simplified endpoint protection and management

• Single interface for client management and security
• Improved alerting, client to admin within 5 minutes, and reporting, with real-time and user-centric data views

Page 15:

Single Interface For Management And Security

Single interface for client management and security
• Dashboard integrated with ConfigMgr console
• Simplified cross-feature integration

Quick identification and remediation of client security issues
• Dashboard focused on actionable events

Flexibility to separate security admin role
• Role-based administration
• Access to only relevant security information

Page 16:

Monitoring Client Security

Quick alerts and event notification in the console
• Uses high speed data channel to notify events in real time

High speed data channel prioritizes EP messages in state system, and no client “wait” to send messages up

Integrated monitoring for client health and antimalware status

Email subscription for alerts

Page 17:

Rich Reporting And Analysis

Rich reporting on client security
• SQL Reporting Services-based reports on many categories

User-centric reports enable identification of commonly impacted users

Customizable reports simplified through database integration

Page 18:

Management and Real-time Monitoring

Page 19:

System Center 2012 Endpoint Protection SP1

What’s new in SP1

• Automatically deploy definition update 3 times per day
• Category based scan from client to WSUS
• Delta syncs between SUP and WSUS
• Real-time administrative actions:
  • Run Definition Updates
  • Run Quick Scan
  • Run Full Scan
  • Allow threats
  • Exclude paths and/or files
  • Restore files quarantined by threat
• Client side merge of antimalware policies

Page 20:

Real-time Administrative Actions

What’s new in SP1

1. Client: “Dial tone”
• Active TCP session with the MP
• Client checking for urgent tasks

2. Administrator
• In administrative console selects “Run Full Scan” on a collection

3. Site Server and MP: Task = “Run Full Scan”
• A task is created
• MP is told that new urgent task has been requested

4. Client: “Call is placed”
• Client via this TCP connection is told there are urgent tasks to run
• Client then connects to the MP to get policy
• Client runs the Full Scan Task

All this happens within seconds

Page 21:

Real-time Administrative Actions in Endpoint Protection SP1

Page 22:

System Center 2012 Endpoint Protection

Enhanced Protection
Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels

• Comprehensive protection stack building on Windows Security
• Proactive protection against known and unknown threats
• Reduced complexity while protecting clients

Page 23:

Comprehensive Protection Stack Building on Windows Platform security

Diagram labels:
• Dynamic cloud updates: Microsoft Malware Protection Center, Dynamic Signature Service
• System Center Endpoint Protection: Application, File System, Network
• Proactive Techniques (Against Unknown Threats)
• Reactive Techniques (Against Known Threats)
• Behavior Monitoring
• Vulnerability Shielding (Network Inspection System)
• Windows Firewall Centralized Management
• Antimalware Dynamic Translation and Emulation
• Windows 7: Data Execution Prevention, Address Space Layout Randomization, Windows Resource Protection, User Account Control, Internet Explorer® 8 SmartScreen, Microsoft BitLocker, Microsoft AppLocker

Page 24:

Dynamic Translation With Heuristics

Industry-leading proactive detection
• Emulation based detection helps provide better protection
• Safe translation in a virtual environment for analysis

Enables faster scanning and response to threats
• Heuristics enable one signature to detect thousands of variants

Diagram labels:
• Potential malware execution attempt on the system
• Real Time Protection driver intercepts
• Virtualized resources
• Safe translation using DT
• Malware detected
• Malicious file blocked

Page 25:

Behavior Monitoring And Dynamic Signatures

Live system monitoring identifies new threats
• Tracks behavior of unknown processes and known bad processes
• Multiple sensors to detect OS anomaly

Updates for new threats delivered through the cloud in real time
• Real time signature delivery with Microsoft Active Protection Service
• Immediate protection against new threats without waiting for scheduled updates

Diagram labels (steps numbered 1 to 4 in the figure):
• Microsoft Active Protection Service: researchers, reputation, real-time signature delivery, behavior classifiers
• Properties/Behavior
• Real-time signature
• Sample request
• Sample submit

Page 26:

Protect Clients With Reduced Complexity

Simple interface
• Minimal, high-level user interactions

Administrative Control
• User configurability options
• Central policy enforcement

Maintains high productivity
• CPU throttling during scans
• Faster scans through advanced caching

Page 27:

Best Usability 2011 – AV Test

Page 28:

Heterogeneous Antimalware Clients

What’s new in SP1

• Mac OS X
• Linux

Page 29:

Summary

Key scenarios, compared between Forefront Endpoint Protection 2010 and System Center 2012 Endpoint Protection:

Unify
• Unified infrastructure: System Center Configuration Manager 2007 (FEP 2010); System Center 2012 Configuration Manager (Endpoint Protection 2012)
• Server setup: Separate install (FEP 2010); Unified setup (Endpoint Protection 2012)
• Client deployment: ConfigMgr distribution process (FEP 2010); Integrated (Endpoint Protection 2012)
• Signature updates: Multiple sources (WSUS, File Share, Microsoft Update) (FEP 2010); Multiple sources with automatic deployment rules from ConfigMgr console (Endpoint Protection 2012)

Protect
• Proactive protection
• Firewall management

Simplify
• Role based administration: New
• Alerts and monitoring: Real time alerts
• Reports: Additional user centric reports

Page 30:

A mobile computer, or a computer that does not meet the organization's security policy level, may infect other healthy computers when it connects to the company's internal network……

Page 31:

Architecture diagram

Policy definition, monitoring and auditing

Internal user 1, internal user 2

Network Access Protection

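Page 32:

Secure access control: NAP – How it Works

1. The endpoint requests access to internal resources
2. The endpoint's security level and health state are sent to the status verification server
3. The status verification server validates the endpoint's security policy level
4. If it complies, access to internal resources is allowed
5. If it does not comply, the endpoint is moved to the remediation zone and remediation begins

Diagram labels:
• Microsoft NPS
• Corporate Network
• Policy Servers, e.g., Patch, AV
• DHCP, VPN, Switch/Router
• Restricted Network
• Remediation Servers, e.g., Patch
• Policy compliant
• Not policy compliant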

Page 33:

Network address in a healthy state

Page 34:

Communication with the internal network in a healthy state

Page 35:

The user attempts to violate the security settings

Page 36:

Redirected to the restricted-access network segment

Page 37:

Unable to access internal network resources

Page 38:

NAP starts updating the user's security state

Page 39:

The user's security health state is updated

Page 40:

Policy violations are monitored and audited

Page 41:

Monitored activity is also shown on the dashboard

Page 42:

Plan and Configure: Setup

1. Add SUP role and select products and classifications
2. Installs SUP role and configures WSUS through Admin SDK
3. Synch catalog of selected products and classifications
4. Catalog metadata synched into ConfigMgr database
5. Add 3rd party updates through SCUP Tool

Diagram labels: Administrator Console, Primary Site, Management Point, SUP (WSUS), Distribution Point, Microsoft Update, Hierarchy, Client

Page 43:

Plan and Configure: 3rd Party Updates

Diagram labels:
• Catalogs downloaded from web
• Admin
• Updates Publisher console: Import Updates, Create Updates, Publish Updates
• WSUS server
• ConfigMgr server / SUP: Sync Updates
• ConfigMgr clients: Scan Updates, Deploy Updates

Updates Publisher users can either download already existing catalogs or create their own. Once approved, updates can be published into WSUS which will be synchronized into a Configuration Manager environment. The updates are now in Configuration Manager and can be scanned and deployed on client machines with the same process as Microsoft Updates.

Page 44:

Plan and Configure: Administration

Collections
• Build collections through dynamic queries
• Example: All Windows 7 Desktops in North America

Role-based Access
• Create SUM administrators and assign to collections for which they need to manage updates
• Note: for multiple SUM admins you can also use scopes to further secure console objects

Create Templates
• SUM Admin goes through the distribute software updates wizard and saves his default settings for deployments
• Template: Collection, Deployment Schedule, User Experience, Alerts, Download settings

Page 45:

Plan and Configure: End-user Impact

Maintenance Windows
• Apply maintenance windows to collections to manage when updates can occur
• All Windows 7 Desktops: “Software updates and reboots can only occur from 8:00 – 10:00 PM on the 2nd Tuesday of every month”

Non-business Hours
• Melissa sets her own business hours in Software Center
• Melissa’s Computer: Software can be installed from 6:00 PM to 7:00 AM
• Suspend Software Center activities when in presentation mode

Software Center
• Melissa gets notifications that software updates are required
• Options: Postpone, Install now, Install after business hours, View updates

Page 46:

Plan and Configure: Infrastructure Impact

Using Distribution Points
• Deploy distribution points to branch locations
• Clients get their content from those distribution points

Internet-based Users
• Configure internet facing SUPs and MPs
• Client updates are managed on internet-roaming clients, and they get their content from Windows Update / Microsoft Update

Using BranchCache
• Configure BranchCache on your clients and appropriate ConfigMgr servers
• Windows 7 clients get their software updates from peers, and they don’t have to go over the network, nor do you have to put a distribution point at that location

Page 47:

Building Your Compliance Management Solution With Configuration Manager 2012

Plan and Configure
Software Updates
• Planning and setup
• Targeting and Delegation
• Maximizing productivity

Assessing Compliance
Software Updates
• Scanning for compliance
• Measuring compliance

Page 48:

Scanning and Measuring

1. Client gets SUM policy and is assigned a SUP/WSUS server
2. Windows Update Agent scans against WSUS catalog
3. Scan results are written to WMI on the client
4. Compliance state messages sent to MP and DB
5. Admin sees compliance for all updates in console and in reports

Diagram labels: Administrator Console, Primary Site, Management Point, SUP (WSUS), Distribution Point, Microsoft Update, Hierarchy, Client

Page 49:

Building Your Compliance Management Solution With Configuration Manager 2012

Plan and Configure
Software updates
• Planning and setup
• Targeting and Delegation
• Maximizing productivity

Assessing Compliance
Software updates
• Scanning for compliance
• Measuring compliance

Remediating Non-compliance
Software updates
• Deploying monthly updates
• Monitoring ongoing compliance

Page 50:

Remediating Non-Compliance

1. ADR or Admin deploys applicable updates
2. Binaries are downloaded from Microsoft Update
3. Updates are placed in deployment package and sent to Distribution Point
4. Client gets deployment policy
5. Client gets update binaries from distribution point and caches them locally
6. Updates are installed on a schedule or by the end user
7. Enforcement state messages sent to MP and DB
8. Admin views deployment status in-console or from reports

Diagram labels: Administrator Console, Primary Site, Management Point, SUP (WSUS), Distribution Point, Microsoft Update, Hierarchy, Client

Page 51:

Mobile device management

In-depth management
• Secure over-the-air management
• Monitor and remediate non-compliant devices
• Deploy and remove applications
• Asset inventory
• Remote wipe (WinCE 5.0, 6.0; Windows Mobile 6.0, 6.1, 6.5.x)

NOKIA

General management
• Apply EAS policies
• Discovery and inventory
• Settings policy
• Remote wipe mechanism

Page 53:

General management flow: for EAS devices

Diagram labels:
• Primary Site
• Configure Exchange Connector
• Exchange Mailbox Server
• Exchange Client Access Server
• Active Directory
• Discover Mobile Devices
• Device Info
• Settings Policy
• Get Device Settings Policy
• Device Settings
• Apply Settings
• Check access to Exchange
• Mail Request

Page 54:

Remote Wipe mobile phone

Page 55:

How to migrate from SCCM 2007 to SCCM 2012

Inventory & Compliance Data

Deployment Objects

Clients

Server Infrastructure

Page 56:

Migration Functionality Within Configuration Manager 2012

Page 57:

Configuration Manager 2012 Migration Target (targets that can be migrated)

Collection

Boundaries

Package

OSD

AI

Software Metering

Page 58:

Migration Functionality Within Configuration Manager 2012

Object Migration (objects that can be migrated)
• Migration of collections, software distribution packages, boundaries, metering rules etc.

Distribution Point Sharing
• Allows ConfigMgr 2012 client to acquire migrated content from ConfigMgr 2007 Distribution Point

Content Pre-staging
• Similar to PkgPreLoadOnSite tool but more robust

Distribution Point Upgrade
• In-place upgrade of ConfigMgr 2007 Distribution Point to a ConfigMgr 2012 Distribution Point
• Migrated content converts which reduces need to redistribute content

Import of ConfigMgr 2007 inventory MOF files

Clients retain advertisement execution history

How does this all work?
• Assist with Migration of Objects
• Assist with Migration of Clients
• Minimize WAN impact
• Assist with Flattening of Hierarchy
• Maximize Re-usability of x64 Server Hardware

Page 59:

Planning and considerations for the source hierarchy

Specify the top-level site as the first site

Two accounts are required:
• source site access account
• source site database account

Ports that must be open:
• NetBIOS/SMB 445 (TCP)
• RPC (WMI) 135 (TCP)
• SQL Server 1433 (TCP)

Page 60:

Migration Process To Configuration Manager 2012

Assess current environment

Test/Proof of Concept Design

Requires ConfigMgr 2007 SP2

ConfigMgr 2012

HW Reqs:

Windows Server 2008 x64*

SQL Server 2008 x64

Setup Initial ConfigMgr 2012 Site(s)

Configure Software Update Point & Synchronize Updates

Setup server roles

Make sure the hierarchy is operating and software deployment works

Configure Migration

Enable Distribution Point Sharing

Create Migration Jobs

Migrate Objects

Migrate Clients

Upgrade Distribution Points

Uninstall ConfigMgr 2007 sites

Rinse & Repeat

Plan, Deploy, Migrate

Page 61:

Building Your Compliance Management Solution With Configuration Manager 2012

Plan and Configure
Software Updates
• Planning and setup
• Targeting and Delegation
• Maximizing productivity
Settings Management
• Define standards
• Create baselines and CIs
Endpoint Protection
• Enable the product
• Define standards for protection (AM Policy, Definitions, Alerts)

Assessing Compliance
Software Updates
• Scanning for compliance
• Measuring compliance
Settings Management
• Deploy compliance baselines to collections of users or systems
Endpoint Protection
• Enable and deploy EP client
• Actively monitor for malware based on AM policy

Remediating Non-compliance
Software updates
• Deploying monthly updates
• Monitoring ongoing compliance
Settings Management
• Monitor drift from desired state
• Remediate issues impacting setting of desired state
Endpoint Protection
• Clients remediate malware and rapidly report state
• Admin intervenes where required

Page 62:

Page 63:

Please help by completing the session questionnaire and handing it to the staff when you leave the room!

Fill in the conference questionnaire from your conference bag to redeem a questionnaire gift on the third day of the event!

Thank you for your cooperation.

Page 64: