Code:
http://itprosecure.com/blogs/fcs_administration/archive/2009/04/09/forefront-client-security-deploying-the-fcs-client-agent-to-a-target-currently-running-standalone-fcs-client-agent.aspx
Deploying the FCS Client Agent in a Corporate Environment to a Target currently running an unmanaged FCS Client Agent


I want to present a Scenario recently encountered in a Corporate Environment where a number of Target Workstations and Servers were running 'Standalone' versions of Forefront Client Security SP1 but needed to be brought into a 'Managed' Forefront Client Security environment. When I speak of a 'Managed' FCS Environment I am simply considering an environment similar to the following (may include 'lower' versions for Client Workstation, etc.):

  • Windows 2008 Active Directory Forest and Domain
  • Forefront Client Security SP1 in a Single Server Topology running Windows Server 2008
  • Windows Server 2008
  • Operations Manager 2005
  • SQL 2005 SP2 Database, Reporting Services and Integration Services
  • Windows Server Update Services (WSUS) SP1
  • Group Policy Management Console (GPMC) SP1
  • Windows Vista Enterprise SP1 Client Workstation

I will provide reference material specific to Forefront Client Security SP1 in separate Blog entries. In the meantime, take a look at the following Scenario where I move an 'Unmanaged' Client Workstation (a Client Workstation running only Forefront Client Security without being part of a Single Server Topology in a Corporate Environment) running Forefront Client Security SP1 to a 'Managed' Environment (a Single Server Topology running Windows Server 2008 fully managed by an FCS SP1 Console, WSUS 3 SP1 and the Operations Manager 2005 Agent).
As I begin, if you have considered the following questions - this Blog entry may help:

  1. Can I manage a Forefront Client Security Agent previously installed as a Standalone Agent?
  2. How do I transition from a Standalone Forefront Client Security Agent to a Managed Forefront Client Security Agent?
  3. What happens when I add a Client Policy to manage the Forefront Client Security Agent?
  4. How do I use Group Policy Objects (GPOs) to manage Forefront Client Security?



1. Let's begin by logging onto the Forefront Client Security SP1 Server and opening the FCS Console. In the FCS Console we see under the 'Dashboard' Tab the status of existing Targets managed by this FCS Server. Additionally, we observe the general 'health' of all Targets (both Workstations and Servers) relative to the Forefront Client Security Agent reporting using the Microsoft Operations Manager 2005 Agent. Most of the items on this Main Console page are linked directly to SQL Reporting Services Reports from the Forefront Client Security Database Reports.




2. When I select the 'Dashboard' Tab from the FCS Console we observe the various Policies for Administration of the Forefront Client Security Agent within this environment. A specific Policy titled 'FCS Policy - Target Group 5' has been created and deployed to a target Domain Global Security Group titled 'FCS Target Group 5'. This Domain Global Security Group includes as a Member a single Machine Account titled 'a01-cli05' (yes, you can readily add Machine Accounts to Domain Global Security Groups!). Next, I examine the Policy parameters to validate the configuration. The purpose of spending time reviewing the Client Policy is to ensure configuration parameters are correct for the Client Workstation targeted to be managed by this FCS Server.




3. An Edit of the Policy and selection of the 'Protection' Tab indicates settings such as the 'Time of Day' a Malware Scan should occur and the frequency for running an automated 'Security State Assessment'. I have selected to Run a Scan 'Every Day at 1 AM' for this Policy. The Policy values configured on this Tab are very different from the Policy values held by the Client Workstation configured as a Standalone Forefront Client Security Agent. Again, we will move this single Target Machine (a01-cli05) from Standalone to fully Managed by the Forefront Client Security Single Server Topology on Windows 2008.




4. The 'Advanced' Tab of this Policy defines characteristics such as 'Exclusion and Folder Paths', 'File Extension Exclusions', whether 'Users Can View the Client Security Agent Settings and Messages' and other important criteria. This is also the location for setting the Frequency with which the Client Agent 'checks' for Anti-Malware, Anti-Virus and other Definitions.




5. The 'Overrides' Tab provides the opportunity to select specific 'Classified Software (i.e. Malware)' you may choose to run in your Environment. As strange as this seems, it occasionally happens. I select no 'Options' on this Tab of the Policy.




6. The final Tab of the Client Policy defines items such as 'Alerts Raised', 'Logging Levels' and participation in 'SpyNet'. SpyNet is the Microsoft-supported Reporting Environment for forwarding new Malware Threats directly to Microsoft. The idea is to have a single 'clearinghouse' for reported Malware, with a responsive Research Team that creates new Definition Updates for the broader community. The Forefront Client Security Agent can forward Malware events automatically if you choose. Closing the 'Edit Policy' dialogue window confirms our Policy is complete relative to the Features targeted for this Group. The next step in the process is to 'Deploy' this Policy. Forefront Client Security provides the ability to target Policy against the following sources:

  • Domain Global Security Group
  • Active Directory Organizational Unit (OU)
  • Group Policy Object (GPO)
  • A File

In this example I am targeting a specific Domain Global Security Group to which I have added the Target Client Workstation (a01-cli05) as a Member.




7. Next, I move to a Windows 2008 Domain Controller and log in. My intent is to review the Client Policy Settings using the Group Policy Management Console SP1. At this time I also validate that the Target Machine Account (the Workstation to be Managed by FCS) is in the proper Organizational Unit and Domain Global Security Group.





8. Once logged into this Domain Controller (you could do this from the FCS Server in the proper User Security Context) I open the Group Policy Management Console SP1 and begin to review the numerous Group Policy Objects associated with the Forefront Client Security environment. Note that each of the FCS Policies begins with the Prefix 'FCS-' and includes a long GUID String at the end. Also, note the FCS Policies are configured automatically as 'Enforced' Group Policy Objects. I can view the 'Settings' for the Client Policy and validate all Settings are accurate. Next, I move to the Active Directory Users and Computers (ADUC) Console to validate proper Membership of the Target Client Workstation in the Domain Global Security Group titled 'FCS Target Group 5'.




9. While logged into this Windows 2008 Domain Controller I would like to validate the Target Machine (Client Workstation) is a Member of the appropriate Domain Global Security Group. The name of the Domain Global Security Group is 'FCS Target Group 5'. Next, to validate the Membership in the Domain Global Security Group I select 'Properties' for the Group, then the 'Members' Tab.





10. The Domain Global Security Group titled 'FCS Target Group 5' Properties. I use this method of dividing Machine Accounts into specific Domain Global Security Groups to provide the 'targeting' required to deploy the Forefront Client Security Agent to 'groups' of Machine Accounts simultaneously. Additionally, once the Domain Global Security Group and Group Policy Object (GPO) are configured, additional Machine Accounts can be added to the Domain Global Security Group and the Forefront Client Security Agent is applied accordingly.





11. The Target Client Workstation is not a member of the Domain Global Security Group titled 'FCS Target Group 5', so I begin the process of adding this Client Workstation to this Group. On the 'Properties' for this Domain Global Security Group I select the 'Members' Tab.





12. Next, I select the 'Add' button, which opens the 'Select Users, Contact, Computers or Groups' Modal Window. Type in (or search for) the Target Client Workstation until it appears in the 'Enter the Object Names to Select' box. You must select the 'Object Types' Button and select 'Computers' to properly search for and query Computer Machine Accounts in Active Directory.





13. Once the proper Target Client Workstation is selected I simply select the 'OK' Button to close the Group Properties window. Next, I move to the Target Client Workstation (a01-cli05) to update the Group Policy Object (GPO) and restart the Client Workstation (thereby 'resetting' the Computer Account into the Domain Global Security Group recently joined).





14. I log in to the Target Client Workstation (a01-cli05) using a Security Context of 'Local Administrator'. This Target Client Workstation is Domain Joined (thereby allowing Group Policy Object application). Upon initial review we can see the Forefront Client Security Agent in the System Tray in the lower right-hand corner. This is our Client Workstation currently running a Standalone Installation of Forefront Client Security, which we will make a 'Managed' Installation of the Forefront Client Security Agent. Additionally, this Client Workstation runs Windows Vista Enterprise.





15. Upon opening a Command Prompt on the Target Client Workstation I issue the 'gpupdate /force' command to refresh the Group Policy Object for the User and Computer. I will take note of the currently applied GPOs for comparison after a Reboot of the Target Client Workstation.





16. Next, at the Command Prompt I issue the 'gpresult /v' Command. This Command displays the Group Policy Results in 'Verbose Mode'. We don't see the output in this sequence of Screen Captures, but if we did, it would not include the recently created Group Policy Object for the Forefront Client Security Policy. This is because the Group Membership is not accepted until the Machine Account is re-initialized in Active Directory. A simple Reboot of this Target Client Workstation provides the re-initialization of the Group Membership.





17. I select the 'Start' Button, followed by 'Restart' from the Menu Option for changing the State of the Client Workstation.





18. After a successful Reboot of the Target Client Workstation I log in with Local Administrator Credentials again. I then open a Command Prompt and issue the 'gpresult /v' Command to output the Applied Group Policy Objects (GPOs). Note the Forefront Client Security Group Policy Object beginning with the Prefix 'FCS-' and including the Long GUID String at the end. This Target Client Workstation is receiving the proper GPO for the Forefront Client Security Single Server Topology on Windows 2008 that now Manages this Client Workstation.
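
The check in steps 15 to 18, as an added example that is not part of the original post: PowerShell that parses 'gpresult /v' output and reports whether an 'FCS-' GPO is applied and whether the Machine Account already carries the Group Membership. The function names, the EXAMPLE domain, the placeholder GPO name and the sample text are constructed; the section headers assume English-language gpresult output.

```powershell
# Added example: parse 'gpresult /v' text (computer section comes first in the output).
function Get-GpresultSection {
    param([string[]]$Lines, [string]$Header)
    $items = @(); $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if (-not $inSection) { if ($text -eq $Header) { $inSection = $true }; continue }
        if ($text -match '^-+$') { continue }                # dashed underline below the header
        if ($text -eq '') { if ($items.Count) { break } else { continue } }
        $items += $text                                      # one GPO or group name per line
    }
    return ,$items
}

function Test-FcsPolicyApplied {
    param([string[]]$Lines,
          [string]$GroupName = 'FCS Target Group 5',         # group named in the post
          [string]$GpoPrefix = 'FCS-')                       # prefix the FCS Console gives its GPOs
    $gpos    = Get-GpresultSection $Lines 'Applied Group Policy Objects'
    $groups  = Get-GpresultSection $Lines 'The computer is a part of the following security groups'
    $fcsGpos = @($gpos   | Where-Object { $_.StartsWith($GpoPrefix) })
    $inGroup = @($groups | Where-Object { $_ -eq $GroupName -or $_ -like "*\$GroupName" }).Count -gt 0
    if ($fcsGpos.Count -gt 0) {
        $status = 'Managed: FCS policy GPO applied'
    } elseif (-not $inGroup) {
        $status = 'Group membership not yet in effect: restart, then check again'
    } else {
        $status = 'In group but no FCS GPO: check GPO link and security filtering'
    }
    New-Object PSObject -Property @{ FcsGpos = $fcsGpos; InGroup = $inGroup; Status = $status }
}

# Constructed sample of the state before the Reboot in step 17 (not captured output).
$sample = @'
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        EXAMPLE\Domain Computers
'@ -split "`r?`n"

Test-FcsPolicyApplied -Lines $sample | Format-List
# On the workstation itself, from an elevated prompt, feed live output instead:
#   Test-FcsPolicyApplied -Lines (gpresult /scope computer /v)
```

Run against the constructed sample, the Status reports that the Group Membership is not yet in effect, which is the pre-Reboot state described in step 16.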




19. Next, I invoke the Forefront Client Security Agent Application by Right-Mouse Clicking the FCS Agent icon in the System Tray and selecting 'Open'. Initially, the FCS Agent Graphical Interface appears the same. Only when I select the 'Tools' Menu Option and additional Menu Parameters will we begin to see the changes.





20. Here I select the 'Tools' Menu, then the 'Options' link from the 'Tools and Settings' Display. As you can see we can observe most of the Core Settings for the Forefront Client Security Agent from the 'Tools' Menu.





22. Upon observing the 'Options' configuration parameters we notice the settings all appear 'Grayed Out'. This is because this Client Workstation is now Managed by the Forefront Client Security Single Server Topology on Windows 2008. We can note the Message on the 'Options' Menu that states 'Some settings are managed by your System Administrator'. Also, note the 'Automatic Scanning' Start Time of 'Daily at 1 AM'. This Setting is exactly as configured using the Forefront Client Security Console Client Policy Editor.





23. Confirmation! Client Policy value set to 'Daily at 1 AM' for a 'Full System Scan'.





24. Next I log back in to the Forefront Client Security Single Server Topology on Windows 2008 to validate Management of this Target Client Workstation in 1) the Forefront Client Security Console, and 2) the Microsoft Operations Manager 2005 Console. Forefront Client Security SP1 incorporates MOM 2005 for Agent Deployment and Reporting.





25. Next I open the Microsoft Operations Manager 2005 Operator Console on the Forefront Client Security Single Server Topology on Windows 2008 to deploy the MOM 2005 Agent to this Target Client Workstation. Again, Forefront Client Security SP1 uses the MOM 2005 Agent and Reporting to Alert and Report on the 'Health Status' of the FCS Agents deployed.





26. In order for Forefront Client Security to report on the FCS Agent on the recently deployed Target Client Machine I must 'Push' the MOM 2005 Agent to the Target Client Machine. I have separately configured Group Policy Objects that permit the Windows Firewall on both the Target Client Machine (Windows Vista Enterprise) and the Forefront Client Security Console (Windows 2008 Enterprise) to function properly. Upon opening the MOM 2005 Administrator Console I navigate to the 'Administration' Tree, then the 'Agent-Managed Computers' Leaf. Then, I Right-Mouse Click the 'Agent-Managed Computers' Leaf and select 'Install/Uninstall Agents Wizard', which walks through the Process of deploying the MOM 2005 Agent to a specified Target Client Machine.





27. After the 'Push Agent' process from the MOM 2005 Administrator Console on the Forefront Client Security Single Server Topology on Windows 2008 completes successfully, it takes a few minutes for the Target Client Machine now running the MOM 2005 Agent to begin Reporting Health Status.





28. I next log in to the Forefront Client Security Single Server Topology on Windows 2008 and open the Forefront Client Security Console. Note the total number of 'Managed Computers' denoted is currently 5 Computers. If the MOM 2005 Agent is properly deployed and reporting back to the Forefront Client Security Console this number should increment by 1 to 6 Computers.





29. Success! Upon selecting 'Action' then 'Refresh' from the Forefront Client Security Console we now have 6 Managed Computers in this Forefront Client Security Single Server Topology on Windows 2008.




Summary: In this Blog entry I have taken a single Target Client Workstation running a Standalone Installation of the Forefront Client Security SP1 Agent, created a new Forefront Client Security Client Policy to manage this Target Client Workstation, pushed out the Client Policy using Group Policy Objects (GPOs), then pushed out the MOM 2005 Agent for Alerting and Reporting to the Target Client Workstation. In the end, the Target Client Workstation moved from a Standalone Installation of the Forefront Client Security SP1 Agent to a Fully Managed Forefront Client Security SP1 Agent. (Thereby allowing ongoing Support and Management from a single Console).







