“Tamper-proofing” Forefront Client Security

by Shijaz Abdulla on 31.05.2010 at 10:09

Most anti-virus solutions provide tamper protection mechanisms to prevent users from disabling the anti-virus software on their machines. Forefront Client Security only provides basic control over what the user can do with the FCS client console.

In order to further increase the tamper-protection measures, users should be prevented from stopping the FCS service or uninstalling the software from the machines.

Both of the above can be achieved by not providing administrative privileges to the users, but there are instances where the users may need to be local administrators on their machines. Under such circumstances, the following can be done:

  • Use Group Policy to protect the FCS client services so that only a few selected accounts can stop them. The service to protect is the "Microsoft Forefront Client Security Antimalware Service". Additionally, protecting the "Microsoft Forefront Client Security State Assessment Service" won’t hurt.

  • Change permissions on the registry key used for uninstalling FCS:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    This can also be done using Group Policy.

Both of these steps are described in detail over at the Security Wizard blog.
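The following PowerShell script is an added example, not code from the original post or from Forefront Client Security, that lets an administrator verify both measures on a client and, if wanted, apply the service part locally. It assumes the two service display names quoted above, an elevated PowerShell session, and a placeholder group name `CONTOSO\FCS-Operators` for the accounts allowed to stop the services. `sc.exe sdset` is used here as the local equivalent of the Group Policy "System Services" security setting; in production the Group Policy setting is the one that keeps the DACL enforced.

```powershell
# Added example (not from the original post or from FCS): audit, and optionally
# tighten, who may stop the FCS services, and audit who can write to the
# Uninstall key. Run from an elevated PowerShell on the client.
# Assumptions: the display names below are those quoted in the post; the
# operator group passed to Set-FcsServiceStopRights is a placeholder you choose.

$FcsDisplayNames = @(
    'Microsoft Forefront Client Security Antimalware Service',
    'Microsoft Forefront Client Security State Assessment Service'
)
$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Service access-mask bits (winsvc.h / winnt.h)
$SERVICE_STOP          = 0x0020
$SERVICE_CHANGE_CONFIG = 0x0002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000

function Get-ServiceSddl([string]$ServiceName) {
    # "sc.exe sdshow" prints a blank line followed by the SDDL string.
    # Use sc.exe explicitly: in PowerShell "sc" is an alias for Set-Content.
    (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }).Trim()
}

function Get-FcsServiceStopRights {
    # Lists every principal whose ACE allows stopping or reconfiguring an FCS service
    $sensitive = $SERVICE_STOP -bor $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER
    foreach ($display in $FcsDisplayNames) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Not installed: $display"; continue }
        $sddl = Get-ServiceSddl $svc.Name
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if (($ace.AccessMask -band $sensitive) -eq 0) { continue }
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
            [pscustomobject]@{
                Service   = $svc.Name
                Principal = $who
                CanStop   = [bool]($ace.AccessMask -band $SERVICE_STOP)
                CanChange = [bool]($ace.AccessMask -band ($SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER))
            }
        }
    }
}

function Set-FcsServiceStopRights([string]$OperatorGroup) {
    # Local equivalent of the Group Policy "System Services" security setting:
    # SYSTEM and the operator group keep full control; built-in Administrators,
    # interactive users and service accounts are left with query-only rights.
    $sid = (New-Object System.Security.Principal.NTAccount($OperatorGroup)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $readOnly = 'CCLCSWLOCRRC'                  # query config/status, enumerate, interrogate, read control
    $full     = 'CCDCLCSWRPWPDTLOCRSDRCWDWO'    # includes RP (start), WP (stop), DC (change config), SD (delete)
    $dacl = "D:(A;;$full;;;SY)(A;;$full;;;$sid)(A;;$readOnly;;;BA)(A;;$readOnly;;;IU)(A;;$readOnly;;;SU)"
    foreach ($display in $FcsDisplayNames) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        & sc.exe sdset $svc.Name $dacl | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc sdset failed for $($svc.Name) (exit code $LASTEXITCODE)" }
    }
}

function Get-UninstallKeyWriters {
    # Principals that can create, change or delete entries under the Uninstall key
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership'
    (Get-Acl -Path $UninstallKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights -band [int]$writeRights) -ne 0) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# Usage (placeholder group name):
#   Get-FcsServiceStopRights | Format-Table -AutoSize
#   Get-UninstallKeyWriters  | Format-Table -AutoSize
#   Set-FcsServiceStopRights -OperatorGroup 'CONTOSO\FCS-Operators'
#   Get-FcsServiceStopRights | Format-Table -AutoSize     # verify: only SYSTEM and the group remain
```

Run the two `Get-` functions before and after applying the policy to confirm that only SYSTEM and the chosen group retain stop and change rights. Note the limits of the measure: a local administrator still holds SeTakeOwnershipPrivilege and can take ownership of the service object or the registry key and rewrite the DACL, so this raises the bar against casual tampering rather than creating a hard boundary; the Group Policy form re-applies the DACL on each policy refresh, which is why the post recommends it over a one-off local change.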
