
Upload: zoe-oliver

Post on 29-Dec-2015


System Center 2012 Endpoint Protection Overview
Jason Githens, Senior Program Manager, Microsoft
Mahyar Ghadiali, Lead Program Manager, Microsoft

UD-B331

Session Objectives
• Understanding the Microsoft protection stack
• Changes in System Center 2012 Endpoint Protection Service Pack 1
• Getting to know the Endpoint Protection client

Comprehensive Protection Stack: Building on Windows Platform security

[Slide diagram with three layers, MANAGEMENT / ANTIMALWARE / PLATFORM; labels recovered from the figure]
• Management (System Center Configuration Manager and Endpoint Protection): Endpoint Protection Management, Software Updates + SCUP, Operating System Deployment, Settings Management, Software Distribution, MDM Software Updates
• Antimalware (System Center 2012 Endpoint Protection, Microsoft Malware Protection Center): Dynamic Signature Svc, Dynamic Translation, Behavior Monitoring, Vulnerability Shielding, Windows Defender Offline, Cloud clean restore
• Platform (Windows): Internet Explorer, BitLocker, AppLocker, Address Space Layout Randomization, Data Execution Prevention, User Access Control, Secure Boot through UEFI, Windows Resource Protection, Measured Boot, Early Launch Antimalware (ELAM), ELAM & Measured Boot
• Annotation on the figure: "Available only in Windows 8"

System Center 2012 Endpoint Protection SP1

Simplified Administration
• Real time Endpoint Protection operations from console
• Single administrator experience for simplified endpoint protection and management
• Simplified, 3X delivery of definitions through software updates
• Malware-driven operations from the console
• Client-side merge of antimalware policies
• Integrated optimizations for Windows Embedded clients
• New and improved Endpoint Protection client

Real-time Operations
• EP operations to clients in <1 minute
• Monitor one-time operations
• Available EP operations: Run Definition Updates, Run Quick Scan, Run Full Scan, Allow threats, Exclude paths and/or files, Restore files quarantined by threat

Malware-Driven Operations

Admin can easily view and take follow-up actions on specific malware by type and remediation status.

Antimalware Operations
Mahyar Ghadiali

Client-side merge
• Create granular policies for specific scenarios and have them merged on the clients
• Removes the overhead of redundant policies
• Policies still honor relative priority, and are merged where possible (exclusions, for example)
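The merge rule on this slide has two halves: settings that can only take one value are decided by policy priority, while list-valued settings such as exclusions are combined. The following Python is an added illustration of that rule, not code from the deck or from Configuration Manager; the policy names, settings keys, and the convention that a lower priority number takes precedence are all constructed assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Exclusion lists are safe to union: adding an exclusion never conflicts with another policy.
EXCLUSION_KINDS = ("paths", "processes", "extensions")


@dataclass
class AmPolicy:
    name: str
    priority: int                       # assumption for this demo: lower number = higher precedence
    settings: Dict[str, object]         # scalar settings: only one value can win per key
    exclusions: Dict[str, Set[str]] = field(default_factory=dict)


def merge_policies(policies: List[AmPolicy]) -> Tuple[dict, dict, dict]:
    """Client-side merge: scalar settings resolved by priority, exclusions unioned.

    Returns (merged_settings, merged_exclusions, provenance), where provenance
    records which policy supplied each scalar setting, which is what an admin
    needs when two policies disagree and the client picked one.
    """
    merged_settings: Dict[str, object] = {}
    provenance: Dict[str, str] = {}
    merged_exclusions: Dict[str, Set[str]] = {kind: set() for kind in EXCLUSION_KINDS}
    for policy in sorted(policies, key=lambda p: p.priority):
        for key, value in policy.settings.items():
            if key not in merged_settings:            # first policy seen = highest priority wins
                merged_settings[key] = value
                provenance[key] = policy.name
        for kind, items in policy.exclusions.items():
            merged_exclusions.setdefault(kind, set()).update(items)
    return merged_settings, merged_exclusions, provenance


# Constructed sample: a broad default policy plus two narrow role-specific policies.
SAMPLE_POLICIES = [
    AmPolicy("Default", 100,
             {"ScheduledScanType": "Full", "RealTimeProtection": True, "CpuThrottle": 50},
             {"paths": {"C:\\Windows\\SoftwareDistribution"}}),
    AmPolicy("SQL Servers", 10,
             {"ScheduledScanType": "Quick"},
             {"extensions": {".mdf", ".ldf"}, "processes": {"sqlservr.exe"}}),
    AmPolicy("File Servers", 20,
             {"CpuThrottle": 20},
             {"paths": {"D:\\Shares"}}),
]


def demo() -> Tuple[dict, dict, dict]:
    """Merge the constructed sample policies as one client that receives all three would."""
    return merge_policies(SAMPLE_POLICIES)


if __name__ == "__main__":
    settings, exclusions, provenance = demo()
    for key, value in settings.items():
        print(f"{key} = {value!r}  (from {provenance[key]})")
    for kind, items in exclusions.items():
        print(f"exclusions[{kind}] = {sorted(items)}")
```

Running the module shows the scan type coming from the SQL policy, the throttle from the file server policy, and every exclusion from all three policies present in the result; the provenance map is the piece worth keeping in any real tooling, because a merged policy with no record of where each value came from is hard to troubleshoot.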

Improved software update integration
• Architectural changes to support 3X a day
• Category-based scans from clients
• Delta syncs between SUP and WSUS

Architectural changes to simplify SUP setup
• Source top-level SUP from internal WSUS server (removes WU/MU-based catalog dependency)
• Simplified, fault tolerant software update point setup (add multiple SUPs as needed, up to 8 per Primary Site; no NLB or active SUP requirements)
• Multiple SUP model is built for fault tolerance
• Best performance comes from using a shared SUSDB for your software update points
• Clients are optimized to NOT switch SUPs, and only do so after 4 failures (at 30 minute intervals)
• Full cross-forest support of SUPs including untrusted forests
• Clients optimized to fall back to SUPs within their own forest first
• If NLB required, then configure through the SDK (no longer in UI)
• Use GP preferences if setting a WSUS server for client deployments
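The two client-side rules above (stay on the current SUP until 4 consecutive failures, and prefer SUPs in the client's own forest) are easy to misread as a load balancer, so here is an added Python simulation of that behaviour. It is an illustration written for this page, not Configuration Manager's client code; the SUP names, the two forests, and the fixed 30 minute spacing between attempts are constructed assumptions, and the real client's retry scheduling and SUP list ordering may differ in detail.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SWITCH_AFTER_FAILURES = 4     # from the slide: switch SUP only after 4 failures
RETRY_INTERVAL_MINUTES = 30   # from the slide: retries at 30 minute intervals


@dataclass
class Sup:
    name: str
    forest: str


@dataclass
class ClientSupState:
    forest: str                  # forest the client belongs to
    sup_list: List[Sup]          # the "SUP List" the client received from its site
    current: Optional[Sup] = None
    failures: int = 0            # consecutive failures against the current SUP
    log: List[str] = field(default_factory=list)

    def candidates(self) -> List[Sup]:
        """Preference order: SUPs in the client's own forest first, then the rest."""
        own = [s for s in self.sup_list if s.forest == self.forest]
        other = [s for s in self.sup_list if s.forest != self.forest]
        return own + other

    def record_attempt(self, minute: int, succeeded: bool) -> Sup:
        """One scan attempt against the current SUP.

        A success resets the failure counter; the client switches to the next
        preferred SUP only once SWITCH_AFTER_FAILURES consecutive failures pile up.
        """
        if self.current is None:
            self.current = self.candidates()[0]
        if succeeded:
            self.failures = 0
            return self.current
        self.failures += 1
        self.log.append(f"t={minute}min {self.current.name} failed ({self.failures}/{SWITCH_AFTER_FAILURES})")
        if self.failures >= SWITCH_AFTER_FAILURES:
            order = self.candidates()
            self.current = order[(order.index(self.current) + 1) % len(order)]
            self.failures = 0
            self.log.append(f"t={minute}min switched to {self.current.name}")
        return self.current


def simulate(client: ClientSupState, outcomes: List[bool]) -> List[str]:
    """Run successive attempts RETRY_INTERVAL_MINUTES apart; return the SUP used for each attempt."""
    history = []
    for i, ok in enumerate(outcomes):
        history.append(client.record_attempt(i * RETRY_INTERVAL_MINUTES, ok).name)
    return history


# Constructed sample: four SUPs across two forests, as on the slide's figure.
SUP_LIST = [Sup("SUP1", "Forest1"), Sup("SUP2", "Forest1"), Sup("SUP3", "Forest2"), Sup("SUP4", "Forest2")]


def demo(outcomes: List[bool]):
    """Simulate a Forest2 client; returns (SUP used per attempt, event log)."""
    client = ClientSupState(forest="Forest2", sup_list=SUP_LIST)
    return simulate(client, outcomes), client.log


if __name__ == "__main__":
    history, log = demo([False] * 8 + [True])
    print("SUP per attempt:", history)
    print("\n".join(log))
```

With eight straight failures the Forest2 client exhausts SUP3 and SUP4 (its own forest) before the eighth failure finally sends it to SUP1 in Forest1, two hours after the first failure. That slow, sticky behaviour is deliberate: it keeps every client from stampeding onto the same surviving SUP the moment one has a hiccup, which is also why a shared SUSDB matters more for performance than SUP switching does.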

[Slide diagram: a PRIMARY SITE with Software Update Point 1, 2, 3 and 4 serving two hierarchies, Hierarchy (Forest1) and Hierarchy (Forest2); clients Client.Forest1 and Client.Forest2 each receive a "Software Update: SUP List"; the figure is annotated "4X"]

Windows Embedded Optimizations
• Endpoint Protection client installation can honor maintenance windows
• Endpoint Protection client installation can install in the overlay, or disable write filters and commit the changes
• Definition update deployments through SUM can commit changes or write in overlay

System Center 2012 Endpoint Protection
• Common antimalware platform across Microsoft AM clients
• Proactive protection against known and unknown threats
• Reduced complexity while protecting clients

Enhanced Protection
• Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
• Integration with UEFI Trusted Boot, early-launch antimalware

Common Antimalware Platform
• Common platform for all of Microsoft's antimalware clients
• Security Essentials alone has over 100 million users (#1 in North America)
• 660 million executions of Malicious Software Removal Tool per month
• All of these clients service Microsoft's protection services research and response

[Slide diagram of the common antimalware platform; labels recovered from the figure]
• Clients built on the platform: System Center 2012 Endpoint Protection, Windows Intune, Forefront Endpoint Protection 2010, Windows Azure Endpoint Protection, Microsoft Security Essentials, Windows Defender in Windows 8, Diagnostics and Recovery Toolkit, Malicious Software Removal Tool, Windows Defender Offline
• Antimalware Protection Service, exposed through the AM API
• Cloud: Microsoft Malware Protection Center; Windows Update / Microsoft Update delivering engine and definition updates; Microsoft Active Protection Services & Cloud Restore; samples, telemetry, DSS; CCF
• Management data: Registry, WMI and Events carrying policy, status and events to ConfigMgr; Client UI and Action Center
• Interception and enforcement: Kernel (Early Launch Antimalware; minifilter driver for file, registry and process), Network (Network Inspection System), Application
• Column headings on the figure: MGMT DATA, INTERCEPTION AND ENFORCEMENT, CLOUD

Behavior Monitoring And Dynamic Signatures
• Live system monitoring identifies new threats: tracks behavior of unknown processes and known bad processes
• Multiple sensors to detect OS anomaly
• Updates for new threats delivered through the cloud in real time: real time signature delivery with Microsoft Active Protection Service
• Immediate protection against new threats without waiting for scheduled updates

[Slide diagram: behavior classifiers on the client exchange with the Microsoft Active Protection Service (RESEARCHERS, REPUTATION, REAL-TIME SIGNATURE DELIVERY); labels on the figure, numbered 1 to 4: Properties/Behavior, Real-time signature, Sample request, Sample submit]

Dynamic Translation With Heuristics
• Industry-leading proactive detection: emulation based detection helps provide better protection
• Safe translation in a virtual environment for analysis
• Enables faster scanning and response to threats: heuristics enable one signature to detect thousands of variants

[Slide diagram: a potential malware execution attempt on the system is intercepted by the Real Time Protection driver and safely translated using DT against VIRTUALIZED RESOURCES; outcome: malware detected, malicious file blocked]

Cloud Clean Restore
• Advanced system file cleaning through replacement: replaces infected system files with clean versions from a cloud source
• Uses a trusted Microsoft cloud source for the replacement file
• Restart requirements orchestrated on system and wired to client UI (for in-use file replacement)

[Slide diagram, steps numbered 1 to 4: system file compromise detected (RTP or scan); request new file from the Microsoft Symbol Store; download replacement file; compromised file replaced]

Trusted and Measured Boot with UEFI
• Trusted Boot
  • End to end boot process protection: Windows operating system loader, Windows system files and drivers, anti-malware software
  • Ensures and prevents: a compromised operating system from starting; software from starting before Windows; 3rd party software from starting before anti-malware
  • Automatic remediation/self healing if compromised
• Measured Boot
  • Creates comprehensive set of measurements based on Trusted Boot execution
  • Can offer measurements to a Remote Attestation Service for analysis

Trusted Boot: Early Load Anti-Malware

[Slide diagram comparing boot sequences]
Windows 7: BIOS → OS Loader (Malware) → 3rd Party Drivers (Malware) → Anti-Malware Software → Start
• Malware is able to boot before Windows and anti-malware
• Malware able to hide and remain undetected
• Systems can be compromised before AM starts

Windows 8: Native UEFI → Windows 8 OS Loader → Anti-Malware Software → 3rd Party Drivers → Start
• Secure Boot loads Anti-Malware early in the boot process
• Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd party boot drivers
• Malware can no longer bypass AM inspection

[Slide diagram comparing what each platform measures during boot]
Windows 7: BIOS → MBR & Boot Sector → OS Loader → Kernel Initialization → 3rd Party Drivers
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned

Windows 8: UEFI → Windows 8 OS Loader → Windows Kernel & Drivers → Anti-Malware Software
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when TPM is present; BitLocker not required

Measured Boot

[Slide diagram: boot flow UEFI Boot → Windows OS Loader → Windows Kernel and Drivers → AM Software → 3rd Party Software, governed by a Boot Policy and an AM Policy; measurements go to the TPM; the Client, at Windows Logon, exchanges with a Remote Attestation Service and with a Remote Resource (File Server). Steps numbered on the figure:]
1. Secure Boot prevents malicious OS loader
2. AM software is started before all 3rd party software
3. Measurements of components including AM software are stored in the TPM
4. Client attempts to access resource; server requests Client Health Claim
5. Client retrieves TPM measurements of client and sends them to Remote Attestation Service
6. Remote Attestation Service issues Client Health Claim to Client
7. Client provides Client Health Claim; server reviews and grants access to healthy clients
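The seven steps above describe a chain of custody: boot components are hashed into the TPM one after another, the attestation service checks that chain against what it expects, and the file server trusts the service's verdict rather than the client's own word. The Python below is an added simulation of steps 3 to 7 written for this page; it is not Windows, TPM or Configuration Manager code. It assumes a single simulated PCR extended with SHA-256, a constructed known-good reference log, and a shared HMAC key standing in for whatever key a real attestation service would sign claims with; component names and image bytes are constructed.

```python
import hashlib
import hmac
import json
from typing import List, Tuple

# Boot chain from the figure, in the order the components are measured.
BOOT_CHAIN = ["uefi-boot", "windows-os-loader", "windows-kernel-and-drivers", "am-software", "3rd-party-software"]


def extend(pcr: bytes, component_digest: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || digest). A PCR cannot be set, only extended."""
    return hashlib.sha256(pcr + component_digest).digest()


def measured_boot(components: List[Tuple[str, bytes]]):
    """Measure each component into one simulated PCR; return the event log (name, hex digest) and the final PCR."""
    pcr, log = bytes(32), []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return log, pcr


# Constructed known-good images and the reference log the attestation service trusts.
GOOD_IMAGES = [(name, f"{name}-release-v1".encode()) for name in BOOT_CHAIN]
REFERENCE_LOG, _ = measured_boot(GOOD_IMAGES)
ATTESTATION_KEY = b"constructed-demo-key-shared-with-file-server"   # stand-in for a real signing key


def attestation_service(event_log, pcr: bytes, client_id: str) -> dict:
    """Remote Attestation Service: replay the log against the PCR, compare to the reference, issue a Client Health Claim."""
    replayed = bytes(32)
    for _, digest_hex in event_log:
        replayed = extend(replayed, bytes.fromhex(digest_hex))
    log_matches_pcr = hmac.compare_digest(replayed, pcr)          # the log was not edited after the fact
    known_good = dict(REFERENCE_LOG)
    deviations = [name for name, d in event_log if known_good.get(name) != d]
    order_ok = [name for name, _ in event_log] == BOOT_CHAIN         # all components present, AM before 3rd party
    healthy = log_matches_pcr and order_ok and not deviations
    body = json.dumps({"client": client_id, "healthy": healthy, "deviations": deviations}, sort_keys=True)
    tag = hmac.new(ATTESTATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"claim": body, "tag": tag}


def file_server_grants_access(claim: dict) -> bool:
    """Remote Resource (File Server): accept only a claim whose MAC verifies and which says healthy."""
    expected = hmac.new(ATTESTATION_KEY, claim["claim"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim["tag"]):
        return False
    return bool(json.loads(claim["claim"])["healthy"])


def access_attempt(components, client_id: str = "client-a"):
    """Steps 3 to 7 of the figure for one client; returns (access granted?, deviating component names)."""
    log, pcr = measured_boot(components)                        # step 3: measurements in the TPM
    claim = attestation_service(log, pcr, client_id)            # steps 5 and 6: measurements out, claim back
    granted = file_server_grants_access(claim)                  # steps 4 and 7: server asks for and reviews the claim
    return granted, json.loads(claim["claim"])["deviations"]


if __name__ == "__main__":
    print("known-good boot:", access_attempt(GOOD_IMAGES))
    tampered = [(n, b"tampered-3rd-party-driver" if n == "3rd-party-software" else img) for n, img in GOOD_IMAGES]
    print("tampered 3rd-party driver:", access_attempt(tampered))
```

Three checks in `attestation_service` map to three things the slide is relying on: replaying the log against the PCR catches a client that rewrote its own event log (the PCR in the TPM cannot be rewound), the comparison with the reference log catches an altered component, and the order check is the ELAM guarantee that anti-malware was measured before any 3rd party software. The file server never inspects measurements itself; it only verifies the claim's tag, which is why the key (a real deployment would use a signature the server can verify without holding a secret) is the piece to protect.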

Malware Resistance: Putting it all together

Protect Clients With Reduced Complexity
• Simple interface: minimal, high-level user interactions
• Administrative Control: user configurability options, central policy enforcement, UI lockdown and disable
• Maintains high productivity: CPU throttling during scans, faster scans through advanced caching
• Minimal network and client impact of definition updates
  • Binary delta signature update 3 times per day (<.5MB)
  • Full update (new machine, or not updated in 31 days, <80MB)
  • Delta signature update (missed 3 days of delta, <5MB)

Heterogeneous Antimalware Clients

Features
• Anti-virus and Anti-malware support
• Machines connect directly to internet service for security content
• Client UI for user visibility and control
• SCOM monitoring pack for Linux with management control

Platforms
• Apple Mac (10.6-10.7)
• Linux Server: Red Hat Enterprise 6, SuSE Linux 11

Better Together – Operationalized Security
Jason Githens

Key Takeaways
• How Microsoft delivers on the protection promise, end to end
• What's new in System Center 2012 Endpoint Protection Service Pack 1
• Understanding the Endpoint Protection client
• The benefits of operationalized security (Configuration Manager and Endpoint Protection integration)

Online Resources
• Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD
• Operating System Deployment and Endpoint Protection Client Installation
• Software Update Content Cleanup in System Center 2012 Configuration Manager
• Building Custom Endpoint Protection Reports in System Center 2012 Configuration Manager
• Managing Software Updates in Configuration Manager 2012
• Endpoint Protection by the numbers
• Group Policy Preferences and Software Updates
• Software Update Points in Configuration Manager 2012 SP1
• How-to Videos
• Product Documentation
• Security and Compliance Manager – Configuration Packs

Related Content: Breakout Sessions

UD-B309 Deploying and Configuring Mobile Device Management Infrastructure

UD-B310 Deploying and Managing Windows 8 with Configuration Manager 2012 SP1

UD-B317 Manageability of Mac & Linux Using System Center 2012 Configuration Manager SP1

UD-B318 Managing Embedded Devices with Configuration Manager 2012

UD-B325 System Center 2012 Configuration Manager SP1 Overview

UD-B330 System Center 2012 Configuration Manager SP1 and Windows Intune: Unified Modern Device Management

UD-B331 System Center 2012 Endpoint Protection Integration With Configuration Manager 2012 SP1

UD-B332 What’s New with Microsoft Deployment Toolkit 2012 Update 1

UD-B333 What's New: Configuration Manager 2012 SP1 Infrastructure Improvements and Hierarchy Design

UD-B335 Windows Intune Overview

UD-B403 Infrastructure Changes for System Center 2012 Configuration Manager SP1: Advanced Topics and Troubleshooting

Related Content: Instructor-led and Hands-on Labs

UD-IL301 Basic Software Distribution
UD-IL302 Deploying a Configuration Manager Hierarchy
UD-IL303 Deploying Configuration Manager
UD-IL304 Deploying Windows 8 to Bare Metal Clients
UD-IL306 Implementing Endpoint Protection
UD-IL307 Implementing Role-Based Administration
UD-IL308 Implementing Settings Management
UD-IL309 Introduction to Configuration Manager
UD-IL310 Managing Applications
UD-IL311 Managing Clients
UD-IL312 Managing Content
UD-IL313 Managing Microsoft Software Updates
UD-IL314 Migrating from Configuration Manager 2007 to Configuration Manager 2012
UD-IL315 New for SP1: Deploying Windows 8 Applications in Configuration Manager 2012 SP1
UD-IL316 New for SP1: Expanding a Configuration Manager 2012 SP1 Hierarchy
UD-IL317 New for SP1: Implementing App-V 5.0 in Configuration Manager 2012 SP1
UD-IL318 New for SP1: Implementing Database Replication Controls in Configuration Manager 2012 SP1
UD-IL319 New for SP1: Implementing Linux Clients in Configuration Manager 2012 SP1
UD-IL320 New for SP1: Upgrading from Configuration Manager 2012 to Configuration Manager 2012 SP1
UD-IL401 Advanced Software Distribution

Appendix

Evaluation

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com.Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

We want to hear from you!

Resources

http://channel9.msdn.com/Events

Access MMS Online to view session recordings after the event.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.