Management Features Fail to

By Andrew Garcia  |  Posted 2007-05-17 Print this article Print

Impress"> Client agent prices start at $1.06 per user (or per device) per month, while the Security Management Console component costs $205.66 per month. Volume discounts are also available. Considering that Management Console licensing fee includes the costs for the SQL Server 2005 and MOM 2005, we found the pricing to be more than competitive. The licenses for these components are restricted solely for use with FCS, however.

We were somewhat disappointed with FCS disjointed management facilities, which for us fell short of the integrated, cohesive and simplified management experience for which Microsoft is aiming.
Rather, as we moved back and forth between the management consoles for WSUS, Active Directory, MOM and FCS itself, we felt that we were straddling too many disparate applications for comfort. We hope to see Forefronts management story becomes better aligned as Microsoft moves to an MMC-based management approach for WSUS 3.0. However, the Microsoft Forefront customer who we interviewed during our review disagreed with this perspective. Kevin Hayden, Desktop Engineering Manager for Analog Devices, of Norwood, Mass, indicated that his team does not spend much time in the MOM console, for instance, except when trying to isolate an alert. According to Hayden, after initial setup and trials, Forefront management was a pretty simple, single console affair. Whats more, Hayden told us that the inclusion of MOM gives his staff a leg up on a client operations management project they have in the works. Disparate management perspectives aside, one thing we can say for sure is that with all software components that FCS requires, administrators of the product will have to throw some significant hardware at their Forefront deployments. For a single server configuration that hosts all elements of the Forefront Client Security platform, Microsoft recommends at least a dual 2.85 GHz CPU server with 4GB of RAM. Forefronts component prerequisites may be split among up to six different servers, separating out the reporting, collections, management, distribution server components as well as the reporting and collection databases. Like Hayden, however, we opted for a two-server setup, using an existing WSUS 2.0 server while hosting all other elements on a single machine. To encrypt or not to encrypt? Click here to read more. Microsofts decision to utilize WSUS and Windows Automatic Update client to deliver both the client software packages as well as malware signatures seems to us an odd match to fit the needs of a signature-based security solution. A WSUS server is only designed to synchronize with Microsoft Update servers on a daily basis, and Automatic Updates is only designed to install software once a day. During tests, we found Microsoft released new signature files between three to six times a day, so WSUS and Automatic Updates—at least in their default configurations—fall short. Fortunately, Microsoft has addressed these shortcomings by providing a component for installation on the WSUS server that bumps synchronization frequency to once per hour. Along similar lines, Forefronts client software component triggered more frequent update checks. Companies that have chosen a third-party patch delivery system will likely be loathe to install and maintain WSUS on top of their existing systems, not to mention re-enable Automatic Updates on their clients. Microsoft does offer signature file downloads from their Web site, and these files can be installed manually or with a script—this, however, is hardly an ideal solution given the frequency of signature updates. Moving forward, we expect to see third-party patching vendors offer scripts or other mechanisms to automate this process for their own customers, which would make life easier for companies out to mix Forefront with non-Microsoft patching products. During our tests, we configured FCS updates by visiting the WSUS console, enabling WSUS synchronization and approving the signature files and FCS client installation package to push out to our Windows endpoints. We also configured WSUS to automatically accept, download and deploy future updated signature files. Before we could begin deploying Forefronts components to our clients, we had to visit a separate interface, the FCS Management Console, to create a security policy to govern the process. Forefronts security policies allowed us to centrally control whether to engage anti-virus or anti-spyware defenses, enable heuristic detections, schedule scan times, or create exemptions (either file folders or file types). We could also schedule periodic security state assessments, providing a Baseline Analyzer-type scan to look for missing patches, unnecessary services, compromiseable passwords . Next Page: Reporting and detection.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel