System Center Endpoint Protection in Academic Support

April 2015

Introduction

Over the course of a year IST has discussed antivirus solutions for UW managed workstations and has come to the conclusion that we are actually paying for two viable solutions, and in some cases already have both installed on managed workstations. Paying for two is not cost effective, and having two installed can cause other problems. The solution most will recognize is Symantec Endpoint Protection (SEP), which has been automatically installed by IST on all Academic Support and home PCs in the past. It has given us a sense of security, whether valid or not, for at least six years. The second solution is from Microsoft and goes by three different names, depending on how and where it is installed. This is the one we acquired as part of our System Center licensing for the entire campus. The names the Microsoft Endpoint Protection software goes by are:

1. Security Essentials for W7 workstations: This is a free download and a stand-alone anti-malware and antivirus product. Unfortunately it cannot legally be installed on UW-owned PCs, but it would make a great alternative for personal PCs. NOTE: An anti-malware (only) product called Windows Defender comes installed with W7, but it is not enabled by default.

2. Windows Defender for W8 workstations: This is already part of the operating system and includes both anti-malware and antivirus scanning, so it is already on these workstations. When SEP is installed here at UW, the W8 Windows Defender solution is not enabled.

3. System Center Endpoint Protection (SCEP): This is the name given to the enterprise-managed version of the first two. As part of our System Center (and SCCM) licensing, IST has paid for a SCEP client for every UW-owned PC. This is the product IST is recommending now. SEP is being removed from most UW-owned PCs and replaced by SCEP.

How to Proceed

If you have one of the many SCCM-managed PCs on campus, your department administrator may have already approved SCEP for your PC. If that is the case, the SCEP deployment automatically removes SEP and installs the Microsoft-supported System Center Endpoint Protection (SCEP) client on your behalf. If your PC is SCCM-managed and you are still running SEP, talk to your departmental IT administrator. If your PC is not SCCM-managed, the SCCM client can be put onto your PC for the sole purpose of getting SCEP (with no other management required). Again, talk to your departmental administrator if this is what you'd like.

If you have a UW-owned laptop or home PC, Microsoft’s legal requirements state that we need to be using the SCEP version of Endpoint Protection. IST is offering a distributable package for UW-owned PCs that does the same as we do for on-campus SCCM-managed PCs. It will remove SEP and install SCEP. Please check the IST Software pages for this executable.

If you would like to mirror what UW is doing on your home PCs, Microsoft's Security Essentials is the suggested package for Windows 7 PCs, and Windows Defender is the suggested solution for Windows 8 PCs. Security Essentials can be downloaded here: https://www.microsoft.com/en-ca/download/details.aspx?id=5201. As stated above, Windows Defender in Windows 7 is only an anti-malware product. Windows Defender in Windows 8 is the whole Endpoint Protection package and only needs to be enabled to work. (Other antivirus and Endpoint Protection products should be removed to do this.)

Detailed View of System Center Endpoint Protection (SCEP)

As found at: http://endpoint-protection-software-review.toptenreviews.com/microsoft-review.html : “Endpoint protection is just one part of the System Center, which also includes data-protection managers, a unified installer and a virtual machine manager to complete an end-to-end data and security solution. The endpoint protection manager deploys and configures endpoint protection, … configures antimalware policies, updates antivirus definitions, manages email alerts and creates reports. It manages security protocols such as blocking incoming connections, suspicious downloads and rootkit exploits; monitors spyware; and manages network profiles.”

The Microsoft solution has matured, and according to our Information Security Services team (which has looked into it extensively) SCEP is considered to be every bit as good as SEP. Our needs regarding adequate client protection, as well as central management and reporting, were met when Microsoft encapsulated the management of SCEP under the same infrastructure we now use to deliver patches, applications and application updates (SCCM). If clients currently have visibility into the SEP console for their PCs, the same can be arranged in SCEP.

NOTE: You do not have to agree to any other SCCM workstation management if you wish to leverage central System Center Endpoint Protection management, but you will need to agree to install the SCCM client.

Also NOTE: For clients not managed by SCCM, the W7 Security Essentials or the W8 Windows Defender is the same product as SCEP. The only difference is that central management no longer controls its settings, just as the stand-alone unmanaged Symantec has nothing to do with the enterprise solution.

Other features about SCEP we like are:

· Virus and spyware definitions are delivered using the same delivery mechanism as OS updates and patches through SCCM.

· W7 and W8 workstations come with an integrated Windows Firewall. Leveraging SCEP instead of SEP allows Nexus Group Policy Object (GPO) management of that security aspect, the same as we already leverage GPOs for other security settings. SEP took this control away, and moving to SCEP returns control back to GPOs.

· The SEP client has grown to over 170MB in size. SCEP is less than one quarter the size and, as stated above, already exists on some managed PCs.

· Of possible interest: Volume license customers (like us) can download SCEP clients for Macs, Linux and UNIX servers as well as mobile devices enrolled by Configuration Manager.
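As an added example (not part of this IST memo or of any Microsoft or Symantec tooling), the following PowerShell audits a W7/W8 workstation for the end state described in the introduction and in the feature list above: SEP removed, the Microsoft antimalware client present, only one antivirus product registered with Security Center, and Windows Firewall on for every profile so that GPO control of it actually applies. The service names 'SepMasterService' (SEP) and 'MsMpSvc' (SCEP / Security Essentials) are assumptions to verify against your own installs.

```powershell
# Added example: audit a workstation for the recommended SCEP configuration.
# Assumptions (verify in your environment): service names 'SepMasterService'
# (Symantec Endpoint Protection) and 'MsMpSvc' (Microsoft Antimalware Service,
# used by SCEP and Security Essentials); root/SecurityCenter2 exists on client
# SKUs only, not on servers.

function Get-AvProducts {
    # Every antivirus product registers itself with Windows Security Center.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
        Select-Object displayName, productState
}

function Test-ServicePresent([string]$Name) {
    $null -ne (Get-Service -Name $Name -ErrorAction SilentlyContinue)
}

function Get-FirewallProfileState {
    # netsh output works back to Windows 7; Get-NetFirewallProfile needs Windows 8+.
    $text = netsh advfirewall show allprofiles state
    $profiles = @{}
    $current = $null
    foreach ($line in $text) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $Matches[1] }
        elseif ($current -and $line -match '^State\s+(\w+)') { $profiles[$current] = $Matches[1] }
    }
    $profiles
}

$av = @(Get-AvProducts)
$findings = @()
if ($av.Count -gt 1) { $findings += "Multiple AV products registered: $($av.displayName -join ', ')" }
if (Test-ServicePresent 'SepMasterService') { $findings += 'Symantec Endpoint Protection service still present' }
if (-not (Test-ServicePresent 'MsMpSvc')) { $findings += 'Microsoft Antimalware service (SCEP / Security Essentials) not found' }
foreach ($p in (Get-FirewallProfileState).GetEnumerator()) {
    if ($p.Value -ne 'ON') { $findings += "Windows Firewall $($p.Key) profile is $($p.Value)" }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Workstation matches the recommended SCEP configuration.' }
```

Run it in an elevated PowerShell session; any warning it prints is something to raise with your departmental administrator before SEP and SCEP are left running side by side.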

Antivirus on Non-SCCM-Managed and Home PCs

Home PCs and non-managed campus PCs have always been a challenge for us. We’ve licensed SEP for them in the past, but encourage clients not to point to our management servers since we have no administrative access and can’t manage them anyway. Even if we were to detect problems on these PCs, we often don’t know who the PC belongs to because the name changed when the PC went home, so central reporting is of little or no value to us or the client. For this reason we feel there is no real advantage, beyond a common solution across PCs, to have a “managed” endpoint solution for non-managed PCs.

For students and staff that ask, we have ISS-recommended solutions documented for non-SCCM-managed PCs including Macs, at: https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services/about-information-security-services-iss/endpoint-security-product-recommendations

System Center Endpoint Protection versus other Solutions

Every antivirus and endpoint solution for PCs has its problems. None will catch all viruses. Most are challenged by zero-day viruses and SCEP won’t be any different. That doesn’t make it better or worse than any other solution. We feel comfortable enough with the protection SCEP provides, and feel very comfortable with the management and reporting to the point that we chose SCEP as the Endpoint Protection tool of choice for our clients.

The following was harvested from: https://technet.microsoft.com/en-us/library/hh508836.aspx

Microsoft System Center 2012 Endpoint Protection provides an antimalware and security solution for the Microsoft platform.

When System Center 2012 Endpoint Protection is used with Microsoft System Center 2012 Configuration Manager, it provides a comprehensive enterprise management solution that lets you do the following:

· View summary and detailed information from the Configuration Manager console and reports.

This document was prepared by Manfred Grisebach, Manager of Workstation Services, April 20th, 2015 and updated May 11th