Forefront Client Security Focuses on Administration
May 14, 2007
Forefront Client Security aims to provide unified malicious software and vulnerability protection that not only protects client computers but also provides administrators with centralized management and reporting. Customers already using technologies such as Active Directory, Group Policy, Windows Server Update Services, and Operations Manager will find Forefront Client Security an easy choice as a security management tool. However, independent evaluations show that Microsoft's security tools are less effective at recognizing malicious software than third-party alternatives, which may make organizations reluctant to switch from current tools.

Latest Security Product

Forefront is the brand name for a suite of Microsoft security products for organizations. Forefront Client Security (FCS) provides protection for individual devices, including servers, in spite of the "client" in its name, from malicious software. Other Forefront products handle other IT security tasks, such as scanning e-mail for malicious content. FCS is based on technology acquired from GeCAD (antivirus) and Giant Software (antispyware) and was formerly referred to as Microsoft Client Protection. The underlying technologies are the same as those used in Microsoft's consumer-oriented products: Windows Defender, for antispyware, and Windows Live OneCare, for antivirus.

Client and Server Architecture

There are two key differences between FCS and its consumer-targeted counterparts:
(For an illustration, see "Forefront Client Security Architecture".)

Unified Client Protection

The FCS agent runs on each protected computer (desktop, laptop, or server) and performs three functions:

Malicious software protection. The kernel-mode engine encapsulated in the agent provides real-time and scheduled scans to detect, quarantine, and remove threats such as rootkits, spyware, viruses, and worms. FCS uses Windows' built-in Automatic Update (AU) agent to get the latest signature files for recognizing these threats. Signature files can come directly from Microsoft Update (a Microsoft-hosted Web service) or indirectly via an in-house Windows Server Update Services (WSUS) server.

Security state assessment checks. The same FCS agent also checks that critical and important security updates are installed and reports on security policy, such as whether a user is required to periodically change her password.

Event gathering and alerting. By integrating a specialized version of the Operations Manager (OM) agent, the FCS agent can report the status of the client, including scan results and security policy violations, to the centralized administration server.

By combining the functions of malicious software protection, security assessment, and reporting in a single agent, the security tools should make more efficient use of the computer's resources when scanning for malicious software. FCS supports Windows 2000 SP4, Windows XP SP2, all editions of Vista, and Windows Server 2003 SP2. Windows Server "Longhorn," including the new stripped-down Server Core installations, will be supported when that product ships.

Centralized Server Administration

FCS uses Active Directory (AD) and Group Policy (GP) to configure the client agent. For example, GP is used to control whether the FCS agent gets the latest signature files from the public Microsoft Update site or continues to use older signature files already downloaded when an in-house WSUS server cannot be reached.
Other options include the timing of automated scans and whether a user can modify the agent's configuration. If an organization does not use AD or GP, or must manage computers that are not members of a domain, then FCS can be configured by distributing files that modify the client computer's Registry.

An FCS installation includes four server roles, which can be played by a single server or divided among multiple servers.

Management. Servers in this role allow an administrator to create and distribute client policies, activate agents, and manage other server roles using the FCS, WSUS, and OM consoles. (For an illustration, see "FCS Policy Configuration".)

Distribution. Servers in this role allow an administrator to get the latest signature files from Microsoft and approve their distribution to clients using WSUS and the WSUS console. The final release of the product will support distribution of the FCS agent to clients from the WSUS server. The Distribution role can also be handled by Systems Management Server or third-party patch distribution tools.

Collection. Servers in this role gather status information about each client and store the information in the OM database. The information includes successful or failed scans, detected malicious software, and the status of the engine and signature files.

Reporting. Servers in this role use the FCS console and SQL Server Reporting Services to produce a variety of prepared and custom reports, such as a report of all the computers being scanned, malicious software detected, and security policy violations.

Installation and configuration, particularly for organizations already using AD and GP, is relatively straightforward, and familiarity with WSUS and OM will make it even easier. In these cases, the most difficult decision will be whether to install all the roles on a single physical server or to distribute the roles across multiple servers.
If an organization is already using SQL Server, SQL Server Reporting Services, and WSUS, then a new instance of those servers is not required. However, even if an organization is using OM, it will still have to install the version of OM (2005) that is included with FCS. The need to install a separate, special instance of OM may be an artifact of FCS being a security product (with Windows Defender and Windows Live OneCare) rather than a member of the System Center management server family, or it may be that the FCS team did not want to be dependent on the OM team and the just-released OM 2007.

Signature File Quality Concerns

Although Microsoft began its foray into the malicious software protection market with the acquisition of GeCAD in 2003, and even though Windows Live OneCare has been available for a year, Microsoft is still showing signs of being the new kid on the block. Windows Live OneCare, which uses the same basic signature files as FCS, has not done well in recent tests to determine which products are best at detecting malicious software. In addition, a problem in Windows Live OneCare incorrectly quarantined users' entire mail storage files, generating support calls and requiring each user to manually restore the file in order to read and send e-mail. (If OneCare was set to delete malicious files rather than quarantine them, the entire mail storage file was deleted.) Although there are disputes over how to test signature files and which tests are most representative of threats that exist in the real world, Jimmy Kuo, a member of the Microsoft security research and response team, indicated in his blog that "the recent detection numbers were not stellar." Microsoft will have to prove its signature files are up to the challenge of finding the continually changing scope of threats.

A further problem is how to define malware.
One person's utility is another person's spyware, and some customers consider even cookies an unwanted intrusion that they want detected and reported. In Windows Live OneCare, Microsoft controls any detection of malware and the threshold for taking action. Enterprise customers, in contrast, will want to make such decisions in-house, and this does not appear possible with the FCS product at this time.

Service Partner Opportunities Remain

Microsoft is entering a market where it formerly relied on partners to provide software and services. The window for software vendors may be closing, but there will still be some opportunities for professional services partners with FCS. Despite the fact that installation and configuration are fairly simple, partners should be able to help customers determine the best configuration for the various roles and, most important, help customers monitor and take the necessary actions in response to the issues highlighted on the FCS dashboard or in status reports.

FCS is licensed on a per-user, per-device basis, starting at US$12.72 per year per user or device for the scanning agent and US$2,468 per year for the management console. The product is available for purchase today as part of the Microsoft Enterprise Client Access License suite via Microsoft Volume Licensing, with stand-alone product availability in July via standard Microsoft volume licensing channels.

Microsoft's Forefront Client Protection Web site is located at www.microsoft.com/forefront/clientsecurity/default.mspx. Other members of the Forefront family of security products are described at www.microsoft.com/forefront/default.mspx.