Hardening your Client Security deployment
Applies To: Forefront Client Security
When you deploy Client Security or change an existing deployment, you should review the deployment carefully to ensure its security. This topic details steps for securing a new or changed deployment.
To harden a new Client Security deployment
Verify the Client Security installation. By performing this step, you establish an operational baseline prior to making security-related changes to Client Security.
Secure each server on which you installed Client Security components.
The Security Configuration Wizard is not supported for any computer running Client Security server components.
For server-specific security information, see the following topics:
Ensure that service accounts are configured and used securely. For more information, see Securing service accounts.
Ensure that users who perform administration roles have appropriate permissions. For more information, see Securing user accounts.
Ensure that communications among Client Security servers are secure. For more information, see Securing connections.
Ensure that client communications are secure. For more information, see Securing client computers.
Review the Client Security policy settings that determine how much control end users have over the Client Security agent. Update and redeploy Client Security policies as applicable. For more information, see Securing client computers.
Verify the Client Security installation again. Because you established an operational baseline, any issues found now must result from the changes made while performing this procedure. Troubleshoot and resolve any issue found.
Run security state assessment (SSA) scans on all client computers. Client Security performs many SSA checks, such as determining if all available Microsoft security updates are applied to a client computer. For more information about configuring SSA scans, see Configuring security state assessment scans (http://go.microsoft.com/fwlink/?LinkId=87778).
Use the Security State Assessment Summary report to learn about the potential vulnerabilities that Client Security finds in your organization. For information about using reports, see Viewing and printing reports (http://go.microsoft.com/fwlink/?LinkId=87776).
Securing changed Client Security topologies
If you make a change to a Client Security topology, you should ensure that the servers you changed are secure. This applies to all topology changes, which include:
Combining two or more Client Security components on a single server.
Moving two or more components to separate servers.
Rebuilding a server.
To secure a changed Client Security topology
Ensure that service accounts used on the changed servers are configured correctly. For more information, see Securing service accounts.
Ensure that permissions for users performing Client Security administration tasks are correctly configured. For more information, see Securing user accounts.
Ensure that connections involving the changed servers are secure. For more information, see Securing connections.
Run the Client Security Configuration wizard.
On the management server, open the Microsoft Forefront Client Security Management Console.
From the Action menu, click Configure. Follow the instructions in the wizard.
The management server is updated with any applicable topology changes.
Verify the Client Security installation. Troubleshoot and resolve any issue found.