The second part of this two-part overview of System Center Endpoint Protection looks at how SCEP is managed through central policies, at the new role for delegated administration, and at the new reports.
Manage System Center Endpoint Protection
There are two things you should do before enabling SCEP on your clients and servers. First, configure your policy settings for the different types of clients and servers you have. SCEP doesn't just let you manage antimalware policies; you can also control Windows Firewall settings and exceptions. If you already manage those through some other mechanism (Group Policy) you can keep that model, but if you don't, it makes sense to centralize most security policy settings in one management interface. Whichever you choose, avoid setting the same firewall values in both places, otherwise you have two sources of truth to reconcile every time you troubleshoot a blocked connection.
In the RTM version you have to configure a custom policy containing all the settings you want for a particular subset of computers, which means you can end up with numerous near-identical policies to maintain. In the forthcoming Service Pack 1 (CTP2, pre-beta at the time of writing) you can create a policy containing only the settings that differ, and the client merges the policies targeted at it, which makes maintenance much smoother.
Controlling Windows Firewall through the same policies used to control the overall antimalware solution makes for a smooth administration experience.
The second step is to configure signature distribution. SCEP clients can pick up their signatures from a file share, from Windows Update / Microsoft Update (WU/MU), or through software updates in SCCM. The last is the most common method and involves configuring Automatic Deployment Rules. These are new to SCCM 2012 and bring the functionality that has long been available in Windows Server Update Services (WSUS), where you can specify that particular types of updates (critical security patches, for instance) are automatically approved and deployed to sets of machines. New in SCEP 2012 is that the signatures are fanned out through the normal Distribution Points. In the RTM version you can only schedule the rule to run once per day; in SP1 you will be able to set it to every eight hours, matching Microsoft's signature publishing cadence. The antimalware policy lets you list more than one update source and the order in which they are tried, so configure a fallback (typically Microsoft Update) for roaming clients that cannot reach a Distribution Point.
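Once the policy and the deployment rule are in place, the question a practitioner wants answered is whether a given client actually received them. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the SCEP client's own health status from the root\Microsoft\SecurityClient WMI namespace (class AntimalwareHealthStatus), parses the Windows Firewall profile state from netsh, and flags anything that contradicts the policy you pushed. It can also force a signature pull, either from the default source chain or from a file share given as a UNC path, using the client's MpCmdRun.exe. The age thresholds, the share path and the expectation that all three firewall profiles are on are assumptions for illustration; English netsh output is assumed for the parsing.

```powershell
# Added example (not from the original article): check that central SCEP policy
# and signature distribution have taken effect on this client. Run elevated.

$MaxSignatureAgeDays = 2   # assumption: RTM publishes once a day, so >2 days means a missed update
$MaxQuickScanAgeDays = 7   # assumption: policy schedules a weekly quick scan
$MpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'

function Get-ScepHealth {
    # AntimalwareHealthStatus is populated by the SCEP client; the query fails if SCEP is not installed.
    $s = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                       -Class 'AntimalwareHealthStatus' -ErrorAction Stop
    [pscustomobject]@{
        Client             = $s.Name
        ClientVersion      = $s.Version
        EngineVersion      = $s.EngineVersion
        RealTimeProtection = [bool]$s.RtpEnabled
        AntivirusEnabled   = [bool]$s.AntivirusEnabled
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeDays   = [int]$s.AntivirusSignatureAge
        QuickScanAgeDays   = [int]$s.QuickScanAge
        FullScanAgeDays    = [int]$s.FullScanAge
    }
}

function Get-FirewallProfileState {
    # Parse 'netsh advfirewall show allprofiles' into a hashtable: profile name -> 'ON' / 'OFF'.
    $profiles = @{}
    $current = $null
    netsh advfirewall show allprofiles | ForEach-Object {
        if ($_ -match '^(\w+) Profile Settings:')                  { $current = $Matches[1] }
        elseif ($current -and $_ -match '^State\s+(ON|OFF)\s*$')    { $profiles[$current] = $Matches[1] }
    }
    $profiles
}

function Test-ScepCompliance {
    # Compare observed client state against what the pushed policy should have produced.
    $health   = Get-ScepHealth
    $firewall = Get-FirewallProfileState
    $findings = @()
    if (-not $health.RealTimeProtection) { $findings += 'Real-time protection is disabled' }
    if (-not $health.AntivirusEnabled)   { $findings += 'Antivirus engine is disabled' }
    if ($health.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($health.SignatureAgeDays) days old (version $($health.SignatureVersion))"
    }
    if ($health.QuickScanAgeDays -gt $MaxQuickScanAgeDays) {
        $findings += "Last quick scan was $($health.QuickScanAgeDays) days ago"
    }
    foreach ($p in 'Domain', 'Private', 'Public') {
        if ($firewall[$p] -ne 'ON') { $findings += "Windows Firewall $p profile is not ON" }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings; Health = $health }
}

function Update-ScepSignatures {
    # Force a definition update; -UncPath pulls from a file share instead of the default source chain.
    param([string]$UncPath)
    $cmdArgs = @('-SignatureUpdate')
    if ($UncPath) { $cmdArgs += @('-UNC', '-Path', $UncPath) }
    & $MpCmdRun @cmdArgs | Out-Null
    $LASTEXITCODE   # 0 means the update completed
}

# Usage (the share name is a constructed example)
$report = Test-ScepCompliance
$report | Format-List Compliant, Findings
if (-not $report.Compliant -and $report.Health.SignatureAgeDays -gt $MaxSignatureAgeDays) {
    Update-ScepSignatures -UncPath '\\fileserver\scepdefs'
}
```

Run it on a handful of clients from each collection after the first deployment cycle; a stale signature age with a current policy almost always means the Automatic Deployment Rule is producing updates that the client's configured source order never reaches.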
Controlling how your clients receive signature updates is crucial in today’s distributed networks.
Roles and Reporting in System Center Endpoint Protection
Role Based Access Control is new in SCCM 2012, and consequently there's a new built-in Endpoint Protection Manager role that can be customized and scoped in larger environments, so that the people who tune antimalware policy don't need rights to deploy software or operating systems. Infection messages generated at the client are sent to the management server with high priority, and the resulting alerts can be emailed to administrators. There are also new reports that make it easier to correlate user actions with infection rates.
Another new feature in 2012 is Real Time Actions, also known as the Big Green Button: a way for administrators to push out urgent actions across a large number of clients to combat a particular infection, for instance a quick or full scan.
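For environments where the console isn't at hand, or for clients that have not yet received the SCCM policy, the same effect can be had with PowerShell remoting. The following is an added example, not the Real Time Actions feature itself and not code from the article: it fans a quick or full scan out to a list of computers over WinRM by invoking the SCEP client's MpCmdRun.exe on each, and collects the exit code so you can see which machines reported a detection. The computer names are constructed, and the example assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example (not from the original article): push a SCEP scan to many clients over WinRM.
function Start-ScepScan {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [ValidateSet('Quick', 'Full')][string]$ScanType = 'Quick',
        [int]$ThrottleLimit = 32
    )
    # MpCmdRun -Scan -ScanType: 1 = quick scan, 2 = full scan
    $scanCode = if ($ScanType -eq 'Full') { 2 } else { 1 }

    Invoke-Command -ComputerName $ComputerName -ThrottleLimit $ThrottleLimit `
                   -ErrorAction Continue -ArgumentList $scanCode -ScriptBlock {
        param($code)
        $mpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
        if (-not (Test-Path $mpCmdRun)) {
            return [pscustomobject]@{ Computer = $env:COMPUTERNAME; ExitCode = $null; Note = 'SCEP client not installed' }
        }
        # Exit code 0 means the scan completed without finding anything; anything else needs a look.
        & $mpCmdRun -Scan -ScanType $code | Out-Null
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; ExitCode = $LASTEXITCODE; Note = '' }
    }
}

# Usage: constructed target list; quick scan, 32 clients at a time
$targets = 'WS001', 'WS002', 'SRV-FILE01'
Start-ScepScan -ComputerName $targets -ScanType Quick |
    Sort-Object Computer |
    Format-Table Computer, ExitCode, Note -AutoSize
```

A full scan can run for an hour or more on a busy file server, so start with a quick scan across the collection and reserve full scans for the machines whose quick scan, or whose alert in the console, actually reported something.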
Earlier versions had a feature called Microsoft SpyNet; no points for guessing why the uptake of this service was less than enthusiastic. In this version the feature is called Microsoft Active Protection Service, and it's a cloud-based service that, for instance, offers signature updates in near real time to combat newly identified threats. The heuristic scanning that attempts to identify infections or threats that haven't been catalogued yet is also improved in this version.
The integration of SCEP into SCCM in this version is flawless and will appeal to any sysadmin looking for simplicity, and the overall management process is remarkably easy. Of course there will always be CSOs who claim that it's better to have a third-party AV product than to rely on Microsoft to protect its own products, but seeing as you get SCEP for "free" with SC 2012 (there's client licensing involved, depending on which SC products you use in your environment) I suspect that many more businesses will choose this excellent antimalware product in the future.