Enterprises invest a lot of time and money in protecting their organizations from Malware and other threats. No doubt you've installed Microsoft Forefront Client Security or another anti-malware product on all of your managed PCs. You probably also have deployed edge protection such as Microsoft Forefront Threat Management Gateway and protected malware-bearing email from entering your organization with a product such as Microsoft Forefront Protection for Exchange Server. You even use network access control such as Microsoft NAP to insure that computers connecting to your corporate network through a VPN are up to date on patches and are running current anti-malware software. Despite all this, do you lay awake at night worrying about Distributed Denial of Service (DDoS) attacks against your company's website, as happened to major eCommerce sites this past holiday season? Or perhaps, despite your best efforts, the risk from your customers' accounts being penetrated and misused remains unacceptably high? Whether it is their unwitting participation in Botnets used to launch DDoS attacks, or surreptitiously installed keyloggers and rootkits being used to capture passwords and other customer information, unprotected consumer PCs are a major threat to your Enterprise. And that is where Microsoft Security Essentials (MSE) can help.
In my role as "tech support" for many relatives and friends one of my greatest frustrations has been discovering how many of them aren't running, or don't have current signatures for, anti-malware software. Some never complete the installation of the trial anti-malware software that was loaded on the new PC they purchased. Many fail to subscribe to updates once the trial period runs out. A few have even uninstalled anti-malware products after finding the one that came with their PC too intrusive. At one point I gifted subscriptions to Windows Live OneCare to a few people only to find the same pattern, once the subscription I paid for ran out they failed to renew it. Finally I discovered that my brother-in-law had installed a free anti-malware product on my in-laws' PC, solving the problem that they might not renew a paid product's expiring subscription. I followed suit, ensuring that everyone I knew had this basic protection in place. Now imagine a world in which all consumer PCs were similarly protected. Imagine that it was much more difficult for your customers' passwords and account information to be stolen or their PCs co-opted to attack your website. Wouldn't that help you sleep at night?
There are many high-quality consumer anti-malware products out there (both free and paid) and as IT professionals we should be encouraging all users to adopt one of them. Being in a group that produces anti-malware products I've received some flack for saying that I care more about making sure consumers install quality anti-malware software and keep it up to date than I do about which specific product they choose. But of course I favor Microsoft Security Essentials. Over the years Microsoft has invested heavily to create a world class anti-malware engine and Research and Response (R&R) team. We use the same anti-malware engine in both MSE and our Forefront products, and MSE users benefit from the same R&R efforts as do our Forefront customers. With its low false positive rate, use of Microsoft Update for signature and engine update distribution, and general focus on being unobtrusive MSE stays out of the user's way. A small download and fast installation ease the deployment burden. With MSE, we've pretty much eliminated the inhibitors to consumers having up-to-date anti-malware software installed. Now imagine that all your customers' currently unprotected PCs, indeed all the currently unprotected consumer PCs in the world, instead had MSE installed. Imagine it, and you know why Microsoft Security Essentials is good for business.
Doesn't it seem like every week there is some article pointing out how serious the cyber-security problem is? One of the triggers for my previous posting on Microsoft Security Essentials (MSE) was a survey claiming, if I recall correctly as I couldn't locate the link, about 22% of enterprises had suffered security breaches. Now this recent article highlights survey results from Symantec claiming 75% of companies have suffered a cyber attack in the last 12 months. While the reports no doubt measure somewhat different things, they are both cause for alarm. It is likely that few businesses have escaped at least cursory attempts to breach their defenses. And many have had successful breaches of one form or another. Microsoft is addressing these problems on multiple fronts.
For enterprises Windows 7's Bitlocker Drive Encryption (BDE) and Bitlocker To Go keep data stored on hard drives and portable storage devices from being lost or stolen. I recently had my briefcase stolen, and because the laptop inside had its hard drive encrypted with BDE I didn't have to worry about the data on it. Indeed, the loss of the laptop became the least of my concerns. Active Directory Rights Management Services (RMS) can be used to protect files from unauthorized access whether stored on a user's PC, email systems, file servers, in the cloud, or on a mobile device. I held three "Quest Summit" internal strategy conferences here at Microsoft, and at the last one we distributed the proceedings to attendees on USB Flash Memory Drives. Using RMS we were able to insure that only authorized members of the Quests community within Microsoft were able to open and read the files. What we really loved about using RMS is that even if the files are copied off the flash drive to a non-encrypted drive, or transmitted via an unauthorized channel such as a webmail service, the files themselves are encrypted and can not be accessed by unauthorized users.
The Forefront product family offers policy-driven protection for your clients and servers. I'm particularly fond of Forefront Threat Management Gateway 2010 (TMG) and its new capabilities for keeping your organization safe when employees are using the web. New capabilities such as URL filtering that allows you to control which sites employees can visit and web anti-malware protection (including the ability to filter https traffic) can help prevent malware from being introduced into your network. The new Network Inspection System allows Microsoft to issue signatures that block exploits of vulnerabilities from entering your corporate network, giving you time to test and deploy patches across your systems. These are on top of the protection technologies, such as the firewall, carried over from ISA Server 2006 that can help keep your organization's perimeter safe.
While we all know that the traditional perimeter is eroding that doesn't take away the need to protect it with a product like Forefront TMG. And it emphasizes the need to use technologies such as RMS to protect data whether it is inside or outside your perimeter. So while you can't stop the bad guys from trying to harm your business, you can make it very hard for them to succeed.
Andrew Garcia over at eWeek has written an excellent article describing his experience testing Microsoft Forefront UAG 2010's capabilities for assisting deployment of Microsoft Windows' DirectAccess. I thought I'd add a little color commentary to the deployment topic..
A little over a year before the release of Windows 7 and Windows Server 2008 R2 the UAG team looked at what it could do to incorporate DirectAccess as a technology in its overall "access" mission. Later, a Microsoft-wide virtual team looked into what we could do to accelerate DirectAccess deployment. These two activities have already born fruit, both in new features in UAG 2010 and the new DirectAccess Connectivity Assistant.
As an example, one of the key features UAG brings to the DirectAccess deployment story is support for the DNS64 and NAT64 IPv6 transition technologies. The "64" refers to "6-to-4", as in IPv6 to IPv4 (as oppsed to the common usage implying something to do with 64-bits). DNS64 and NAT64 are the latest technologies for allowing IPv6 clients to communicate with IPv4 servers. They are in the process of replacing the earlier DNS-ALG and NAT-PT technologies that were found to be flawed and moved to historical status by the Internet Engineering Task Force (IETF). As a result of DNS-ALG/NAT-PT's status customers may not be willing to deploy them and vendors (some of whom already support these technologies in shipping products) may not want to advocate their use. That left a big gap for customers considering deployment of DirectAccess, how to enable communications with servers that only support IPv4? UAG 2010 stepped in to help and is the first product to bring the newer DNS64 and NAT64 to market. Others will certainly follow as the need to enable transition to IPv6 becomes more urgent.
Although not part of UAG, the Microsoft DirectAccess Connectivity Assistant (DCA) is another important part of our efforts to accelerate DirectAccess deployment. One piece of feedback we received from early adopters of DirectAccess was that their end-users loved DirectAccess so much that when it didn't work they were quite vocal about their frustration. Perhaps it worked just fine from their home or hotel, but not when they were in their favorite coffee shop. The lack of an indicator that DirectAccess was "on" and working properly added to end-user frustration. The lack of an easy way to gather and deliver diagnostic information to IT, so they could help solve the problem, raised support costs. DCA displays the status of DirectAccess connections in the Windows 7 notification area, gives the end-user assistance in solving connectivity problems, and provides diagnostic information should IT need to get involved in resolving connectivity problems. DCA is now available for download on TechNet.
Making products easily deployable is a major focus for the Identity and Security Division and customers should start to see the result as we roll out new products. For DirectAccess we continue to drive a Microsoft-wide effort to accelerate deployment. In the short run you'll notice an increasing amount of deployment guidance becoming available. I urge you to keep an eye on the Forefront UAG Product Team Blog for announcements as well as for hints and deep dives to help with your UAG deployments (DirectAccess and otherwise).