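Enterprise PC Patch Updates, Security Settings and Antivirus, All Handled in One Go. Perl Tsai, Microsoft Contract Speaker; James Lin, Senior Technical Manager; Systex.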

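1 Enterprise PC Patch Updates, Security Settings and Antivirus, All Handled in One Go. Perl Tsai, Microsoft Contract Speaker; James Lin, Senior Technical Manager; Systex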


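3 New challenges for IT; approaches to protection: advanced persistent threats, cloud computing power, regulatory compliance, consumerization of IT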

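4 Starting from what makes up the desktop: hardware, operating system, data and settings, applications
• How do we keep documents and data secure? How do we ensure users comply with the relevant security rules?
• How do we quickly deploy new application versions and obtain asset reports? How do we prevent the security risks caused by malware?
• Is the system updated promptly, and does it comply with the company's endpoint security policy? Is antivirus software installed and updated?
• How do we encrypt at the hardware level? How do we prevent data leakage when a USB drive is stolen?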

5 Operating system: Is the system updated promptly, and does it comply with the company's endpoint security policy? Is antivirus software installed, and are virus definitions updated on schedule?

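6 [Figure labels: overall gain, personal gain, personal fame, curiosity; newcomer, amateur level, expert level, advanced level; user, thief, spy, intruder, creator; "novice hackers using experts' tools to carry out unskilled attacks"; "fast-growing segment"]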

7 Unified Infrastructure: Reduce the cost of maintaining secure endpoints with unified management and security infrastructure
Simplified Administration: Single administrator experience for simplified endpoint protection and management
Enhanced Protection: Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels

8 Exchange Connector, Settings Management, Software Updates + SCUP, Endpoint Protection, SWD, OSD

9 Unified Infrastructure: Reduce the cost of maintaining secure endpoints with unified management and security infrastructure
• Easy to set up and operate the management infrastructure
• Easy client install and migration
• Automated deployment of updates using ConfigMgr infrastructure
• Simplified deployment of antimalware policies


11
• Centralized management for AM and Firewall Policy
• AM and FW policy delivered as ConfigMgr policy – no package/program dependency
• Out of box templates
• Import, Export, Merge
• Prioritization of policies by collection
• Simplified UI for customizing policy

12 Easier distribution process
• Automatic deployment rules within ConfigMgr software updates
Minimizes WAN impact
• Uses distribution points and reduced definition size
Ensures always up-to-date security regardless of the client location
• Multiple update sources (ConfigMgr, WSUS, Microsoft Update, Windows File Share)
[Diagram labels: Microsoft Update; on the road: fallback to online update; updates distributed through ConfigMgr, WSUS or Windows File Share; delta update size: 50-2048 KB; update frequency: 3 times/day]

13 Ease of client setup and deployment
• No separate deployment needed for endpoint protection client
• Endpoint Protection agent installer deployed with Configuration Manager client setup
• Endpoint Protection client and definitions easily integrated with OSD
Flexible administrative control
• Administrator can force or suppress any required reboots
• Configurable option for automatic removal of existing AV client
Easy migration from existing solutions and automatic removal of existing clients
• Symantec
• McAfee
• TrendMicro
• Forefront Client Security or Forefront Endpoint Protection

14 Simplified Administration: Single administrator experience for simplified endpoint protection and management
• Single interface for client management and security
• Improved alerting (client to admin within 5 minutes) and reporting, with real-time and user-centric data views

15 Single interface for client management and security
• Dashboard integrated with ConfigMgr console
• Simplified cross-feature integration
Quick identification and remediation of client security issues
• Dashboard focused on actionable events
Flexibility to separate security admin role
• Role-based administration
• Access to only relevant security information

16 Quick alerts and event notification in the console
• Uses high speed data channel to notify events in real time
• High speed data channel prioritizes EP messages in state system, and no client “wait” to send messages up
• Integrated monitoring for client health and antimalware status
• Email subscription for alerts

17 Rich reporting on client security
• SQL Reporting Services-based reports on many categories
• User-centric reports enable identification of commonly impacted users
• Customizable reports simplified through database integration

18 Management and Real-time Monitoring

19 What’s new in SP1

20 What’s new in SP1
[Diagram with numbered callouts 1 to 4 between Administrator, Site Server and MP, and Client]
• “Dial tone”: active TCP session with the MP; client checking for urgent tasks
• Administrator: in administrative console selects “Run Full Scan” on a collection
• Site Server and MP: a task is created (Client Task = “Run Full Scan”); MP is told that new urgent task has been requested
• “Call is placed”: client via this TCP connection is told there are urgent tasks to run
• Client then connects to the MP to get policy
• Client runs the Full Scan task
All this happens within seconds

21 Real-time Administrative Actions in Endpoint Protection SP1

22 Enhanced Protection: Protect against known and unknown threats with endpoint inspection at behavior, application, and network levels
• Comprehensive protection stack building on Windows Security
• Proactive protection against known and unknown threats
• Reduced complexity while protecting clients

23 [Diagram labels: Proactive Techniques (Against Unknown Threats); Reactive Techniques (Against Known Threats); Application, File System, Network; Dynamic Cloud Updates; Microsoft Malware Protection Center; Dynamic Signature Service; System Center Endpoint Protection; Windows 7; Data Execution Prevention; Address Space Layout Randomization; Windows Resource Protection; User Account Control; Internet Explorer® 8 SmartScreen; Microsoft BitLocker; Microsoft AppLocker]

24 Industry-leading proactive detection
• Emulation based detection helps provide better protection
• Safe translation in a virtual environment for analysis
Enables faster scanning and response to threats
• Heuristics enable one signature to detect thousands of variants
[Diagram labels: potential malware execution attempt on the system; Real Time Protection driver intercepts; virtualized resources; safe translation using DT; malware detected; malicious file blocked]

25 Live system monitoring identifies new threats
• Tracks behavior of unknown processes and known bad processes
• Multiple sensors to detect OS anomaly
Updates for new threats delivered through the cloud in real time
• Real time signature delivery with Microsoft Active Protection Service
• Immediate protection against new threats without waiting for scheduled updates
[Diagram labels: Researchers; Reputation; Real-time signature delivery; Behavior classifiers; Microsoft Active Protection Service; numbered callouts 1 to 4: Properties/Behavior, Real-time signature, Sample request, Sample submit]

26 Simple interface
• Minimal, high-level user interactions
Administrative Control
• User configurability options
• Central policy enforcement
Maintains high productivity
• CPU throttling during scans
• Faster scans through advanced caching


28 What’s new in SP1

29 Key Scenarios: Forefront Endpoint Protection 2010 | System Center 2012 Endpoint Protection
Unified infrastructure: System Center Configuration Manager 2007 | System Center 2012 Configuration Manager
Server setup: Separate install | Unified setup
Client deployment: ConfigMgr distribution process | Integrated
Signature updates: Multiple sources (WSUS, File Share, Microsoft Update) | Multiple sources with automatic deployment rules from ConfigMgr console
Proactive protection
Firewall management
Role based administration: New
Alerts and monitoring: Real time alerts
Reports: Additional user centric reports
[Row groups: Unify, Protect, Simplify]



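32
1. The endpoint requests access to internal resources
2. The endpoint's security level and health state are sent to the health validation server
3. The health validation server validates the endpoint's security policy level
4. If compliant, access to internal resources is allowed
5. If not compliant, the endpoint is moved to the remediation zone and remediation begins
[Diagram labels: Not policy compliant; Policy compliant]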










42
1. Add SUP role and select products and classifications
2. Installs SUP role and configures WSUS through Admin SDK
3. Synch catalog of selected products and classifications
4. Catalog metadata synched into ConfigMgr database
5. Add 3rd party updates through SCUP Tool
[Diagram labels: Administrator Console; Hierarchy: Primary Site, Management Point, SUP (WSUS), Distribution Point; Client; Microsoft Update]

43 [Diagram labels: catalogs downloaded from web; Admin; Updates Publisher console; WSUS server; ConfigMgr server / SUP; ConfigMgr clients; actions: Create Updates, Publish Updates, Sync Updates, Import Updates, Deploy Updates, Scan Updates]
Updates Publisher users can either download already existing catalogs or create their own. Once approved, updates can be published into WSUS, which will be synchronized into a Configuration Manager environment. The updates are now in Configuration Manager and can be scanned and deployed on client machines with the same process as Microsoft Updates.

44 Collections
• Build collections through dynamic queries
• All Windows 7 Desktops in North America
Role-based Access
• Create SUM administrators and assign to collections for which they need to manage updates
• Note: for multiple SUM admins you can also use scopes to further secure console objects
Create Templates
• SUM Admin goes through the distribute software updates wizard and saves his default settings for deployments
• Template: Collection, Deployment, Schedule, User Experience, Alerts, Download settings

45 Maintenance Windows
• Apply maintenance windows to collections to manage when updates can occur
• All Windows 7 Desktops: “Software updates and reboots can only occur from 8:00 – 10:00 PM on the 2nd Tuesday of every month”
Non-business Hours
• Melissa sets her own business hours in Software Center
• Melissa’s Computer: software can be installed from 6:00 PM to 7:00 AM; suspend Software Center activities when in presentation mode
Software Center
• Melissa gets notifications that software updates are required
• Options: Postpone, Install now, Install after business hours, View updates

46 Using Distribution Points
• Deploy distribution points to branch locations
• Clients get their content from those distribution points
Internet-based Users
• Configure internet facing SUPs and MPs
• Client updates are managed on internet-roaming clients, and they get their content from Windows Update / Microsoft Update
Using BranchCache
• Configure BranchCache on your clients and appropriate ConfigMgr servers
• Windows 7 clients get their software updates from peers, and they don’t have to go over the network, nor do you have to put a distribution point at that location

47 Plan and Configure
Software Updates
• Planning and setup
• Targeting and Delegation
• Maximizing productivity
Assessing Compliance
Software Updates
• Scanning for compliance
• Measuring compliance

48
1. Client gets SUM policy and is assigned a SUP/WSUS server
2. Windows Update Agent scans against WSUS catalog
3. Scan results are written to WMI on the client
4. Compliance state messages sent to MP and DB
5. Admin sees compliance for all updates in console and in reports
[Diagram labels: Administrator Console; Hierarchy: Primary Site, Management Point, SUP (WSUS), Distribution Point; Client; Microsoft Update]

49 Plan and Configure
Software updates
• Planning and setup
• Targeting and Delegation
• Maximizing productivity
Assessing Compliance
Software updates
• Scanning for compliance
• Measuring compliance
Remediating Non-compliance
Software updates
• Deploying monthly updates
• Monitoring ongoing compliance

50
1. ADR or Admin deploys applicable updates
2. Binaries are downloaded from Microsoft Update
3. Updates are placed in deployment package and sent to Distribution Point
4. Client gets deployment policy
5. Client gets update binaries from distribution point and caches them locally
6. Updates are installed on a schedule or by the end user
7. Enforcement state messages sent to MP and DB
8. Admin views deployment status in-console or from reports
[Diagram labels: Administrator Console; Hierarchy: Primary Site, Management Point, SUP (WSUS), Distribution Point; Client; Microsoft Update]

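51 Mobile device management
In-depth management (WinCE 5.0, 6.0; Windows Mobile 6.0, 6.1, 6.5.x; Nokia)
• Secure over-the-air management
• Monitor and remediate non-compliant devices
• Deploy and remove applications
• Asset inventory
• Remote wipe
General management (EAS)
• Policy application
• Discovery and inventory
• Settings policy
• Remote wipe mechanism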

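52 General management - Exchange
Provides basic management for all devices connected through Exchange ActiveSync (EAS)
Supported features:
• Discovery / inventory
• Settings policy
• Remote wipe
Supports Exchange 2010 and Office 365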

53 General management flow: for EAS devices
[Diagram labels: Primary Site; Configure Exchange Connector; Exchange Mailbox Server; Exchange Client Access Server; Exchange; Discover Mobile Devices; Device Info; Devices Settings Policy; Get Device Settings Policy; Device Settings; Apply Settings; Mail Request; Check access to Exchange]

54 Remote Wipe mobile phone

55 Inventory & Compliance Data Deployment Objects Clients Server Infrastructure


57 Collection, Boundaries, Package, OSD, AI, Software Metering

58 How does this all work?
• Assist with Migration of Objects
• Assist with Migration of Clients
• Minimize WAN impact
• Assist with Flattening of Hierarchy
• Maximize Re-usability of x64 Server Hardware


60 [Phases: Plan, Deploy, Migrate]
• Assess current environment
• Test/Proof of Concept
• Design
• Requires ConfigMgr 2007 SP2
• ConfigMgr 2012 HW Reqs: Windows Server 2008 x64*, SQL Server 2008 x64
• Setup Initial ConfigMgr 2012 Site(s)
• Configure Software Update Point & Synchronize Updates
• Setup server roles
• Make sure the hierarchy is operating and software deployment works
• Configure Migration
• Enable Distribution Point Sharing
• Create Migration Jobs
• Migrate Objects
• Migrate Clients
• Upgrade Distribution Points
• Uninstall ConfigMgr 2007 sites
• Rinse & Repeat

61 Building Your Compliance Management Solution With Configuration Manager 2012
Plan and Configure
• Software Updates: planning and setup; targeting and delegation; maximizing productivity
• Settings Management: define standards; create baselines and CIs
• Endpoint Protection: enable the product; define standards for protection (AM Policy, Definitions, Alerts)
Assessing Compliance
• Software Updates: scanning for compliance; measuring compliance
• Settings Management: deploy compliance baselines to collections of users or systems
• Endpoint Protection: enable and deploy EP client; actively monitor for malware based on AM policy
Remediating Non-compliance
• Software Updates: deploying monthly updates; monitoring ongoing compliance
• Settings Management: monitor drift from desired state; remediate issues impacting setting of desired state
• Endpoint Protection: clients remediate malware and rapidly report state; admin intervenes where required



