One of the reasons why I really like System Center Endpoint Protection is its ease of management. This goes double when we’re using it to manage servers, as we get to leverage everything that Configuration Manager already has in its database to target policies. By targeting Antimalware Policies to collections that are based upon dynamic inventory data, we create an easy-to-manage environment that automates the provisioning of exclusion and scan policies for new and existing servers.
In this post I’m not going to get into the process of creating the exclusion policies. Microsoft has included templates for most of their stuff, which are the ones we’ll focus on today. What I will show, however, is the collections that we’re going to create and the order of the policies that will be applied.
To keep things clean and manageable, I like to keep my Endpoint Protection and Firewall collections together, so in the Assets and Compliance workspace we’ll create a folder called Managed Servers under the Device Collections Node.
The first collection we’ll create is for DCs, called Managed Servers – Domain Controller. Configure a Query Rule with the following statement (DomainRole 4 is a backup domain controller and 5 is the PDC emulator, so >= 4 catches both):
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.DomainRole >= 4
Next is Managed Servers – DNS with a Query Rule to check for the service:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVICE.DisplayName = "DNS Server"
Our next core Active Directory Role is the DHCP Server, named Managed Servers – DHCP with a Query Rule that also looks for the service:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVICE.DisplayName = "DHCP Server"
The next collection, Managed Servers – HyperV Host, also looks for a service. I found that when looking for the installed role, it didn’t return HyperV Hosts for all OSs. Here’s the Query Statement:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVICE.DisplayName = "Hyper-V Virtual Machine Management"
To grab Exchange boxes for the Managed Servers – Exchange collection, we’re looking for an installed application:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Exchange Server 2010" and SMS_G_System_SERVICE.DisplayName like "Microsoft Exchange%"
The Managed Servers – SQL 2016 collection query can be easily modified to change the target version. Here’s the one for 2016:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.Name like "%Server%" and ((SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%SQL Server 2016%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%SQL Server 2016 Express%") or (SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName like "%SQL Server 2016%" and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "%SQL Server 2016 Express%"))
The next collection to create is Managed Servers – IIS. Its Query looks like this:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVICE.DisplayName = "World Wide Web Publishing Service"
The Managed Servers – Lync collection also looks for a running service:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVICE.DisplayName = "Lync Server Front-End"
Managed Servers – SharePoint took a little time to get right, but it ultimately came down to a service. No idea why I didn’t start there.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVICE.DisplayName = "SharePoint 2016 Administration"
If you’re using Microsoft’s Threat Management Gateway, it may be a little difficult to get these machines to show up in this collection, as they’re often not domain-joined or managed by Configuration Manager. Regardless, here’s the Query for the Managed Servers – TMG collection:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVICE.DisplayName = "Microsoft Forefront TMG Storage"
To determine membership for the Managed Servers – File collection, we’re actually looking for the installed feature, for once!
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVER_FEATURE on SMS_G_System_SERVER_FEATURE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVER_FEATURE.Name = "File Server"
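The collections above can also be built from a script instead of clicking through the console. The following is an added example written for this post, not code from the original author: it uses the ConfigurationManager PowerShell module that ships with the admin console to create the Managed Servers folder and every collection listed so far, each with its query rule. Because all the service-based queries differ only in the service display name, a small helper generates those; the Domain Controller, Exchange, SQL 2016 and File queries are taken verbatim from the post. The site code, the limiting collection (the built-in All Systems) and the plain hyphen in the collection names are assumptions you will want to adjust to match your environment.

```powershell
# Added example (not from the original post): builds the "Managed Servers" folder and the
# query-based device collections described above with the ConfigurationManager module.
# Assumptions: $SiteCode is a placeholder; the module is loaded from the admin console path.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'PS1'                          # placeholder: replace with your site code
Set-Location "$($SiteCode):\"

# Console folder that keeps the Endpoint Protection collections together.
$FolderPath = "$($SiteCode):\DeviceCollection\Managed Servers"
if (-not (Test-Path $FolderPath)) {
    New-Item -Path "$($SiteCode):\DeviceCollection" -Name 'Managed Servers' | Out-Null
}

# Every query in the post starts with the same select list against SMS_R_System.
$Select = 'select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
          'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client ' +
          'from SMS_R_System'

# The service-based collections differ only in the service display name being matched,
# so one helper produces all of them from the same WQL shape.
function New-ServiceQuery([string]$ServiceDisplayName) {
    ('{0} inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId ' +
     'where SMS_G_System_SERVICE.DisplayName = "{1}"') -f $Select, $ServiceDisplayName
}

# Collection name -> WQL query. Names use a plain hyphen here; the post uses an en dash.
$Queries = [ordered]@{
    'Managed Servers - Domain Controller' = ('{0} inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId ' +
        'where SMS_G_System_COMPUTER_SYSTEM.DomainRole >= 4') -f $Select   # 4 = backup DC, 5 = PDC emulator
    'Managed Servers - DNS'         = New-ServiceQuery 'DNS Server'
    'Managed Servers - DHCP'        = New-ServiceQuery 'DHCP Server'
    'Managed Servers - HyperV Host' = New-ServiceQuery 'Hyper-V Virtual Machine Management'
    'Managed Servers - Exchange'    = ('{0} inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId ' +
        'inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId ' +
        'where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Exchange Server 2010" ' +
        'and SMS_G_System_SERVICE.DisplayName like "Microsoft Exchange%"') -f $Select
    'Managed Servers - SQL 2016'    = ('{0} inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId ' +
        'inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId ' +
        'inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId ' +
        'where SMS_G_System_OPERATING_SYSTEM.Name like "%Server%" and ' +
        '((SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%SQL Server 2016%" and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "%SQL Server 2016 Express%") or ' +
        '(SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName like "%SQL Server 2016%" and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "%SQL Server 2016 Express%"))') -f $Select
    'Managed Servers - IIS'         = New-ServiceQuery 'World Wide Web Publishing Service'
    'Managed Servers - Lync'        = New-ServiceQuery 'Lync Server Front-End'
    'Managed Servers - SharePoint'  = New-ServiceQuery 'SharePoint 2016 Administration'
    'Managed Servers - TMG'         = New-ServiceQuery 'Microsoft Forefront TMG Storage'
    'Managed Servers - File'        = ('{0} inner join SMS_G_System_SERVER_FEATURE on SMS_G_System_SERVER_FEATURE.ResourceId = SMS_R_System.ResourceId ' +
        'where SMS_G_System_SERVER_FEATURE.Name = "File Server"') -f $Select
}

# Membership is re-evaluated daily; it is only as current as the hardware inventory that
# reports services, Add/Remove Programs and server features, so allow for that lag.
$Schedule = New-CMSchedule -RecurInterval Days -RecurCount 1

foreach ($Name in $Queries.Keys) {
    $Collection = Get-CMDeviceCollection -Name $Name
    if (-not $Collection) {
        # Limited to the built-in All Systems collection (assumption); tighten this to your
        # own server collection if you maintain one.
        $Collection = New-CMDeviceCollection -Name $Name -LimitingCollectionName 'All Systems' `
                        -RefreshType Periodic -RefreshSchedule $Schedule
        Move-CMObject -FolderPath $FolderPath -InputObject $Collection
    }
    # Idempotent: only add the query rule if a rule with this name is not already present.
    if (-not (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $Name)) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $Name -QueryExpression $Queries[$Name]
    }
}
```

Run it from a PowerShell session on a machine with the Configuration Manager console installed; re-running is safe because each collection and rule is only created when missing. To target a different SQL version, edit the three version strings in the SQL 2016 entry, exactly as the post describes for the console query.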
With all these collections now created, we need to assign Antimalware Policies to each of them. Still in the Assets and Compliance workspace, expand the Endpoint Protection node and click on Antimalware Policies. Click the Import button on the Ribbon, and you will see a list of templates provided by Microsoft. Import one template for each collection, in the same order that we created the collections. Just accept the default policy settings when the creation wizard appears for each one. Finally, we’ll import the Default Servers policy, setting it as the lowest priority of all the server policies.
We now need to go back through each of the policies and deploy them to the applicable Managed Servers collection. The Default Servers policy will be deployed to the All Servers collection. Once the collections have evaluated, go back and have a look at the Managed Servers folder; there should be some memberships now.
So I’m guessing that since we’re only creating policies now, we haven’t actually deployed Endpoint Protection to the servers, right? To do that, we just need to create a Custom Client Settings policy that enables Endpoint Protection, then deploy it to the All Servers collection. On the next policy cycle, Configuration Manager will install SCEP if an anti-virus product is not already present.
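The import, deployment and client-settings steps from the last three paragraphs, scripted with the same module, as an added example that is not part of the original post. It assumes the collections from the post already exist with the names used below, that an All Servers collection exists (the post deploys to it without describing it), and that the template file names and the names the templates take on after import are placeholders you confirm against your console's XmlStorage\EPTemplates folder and Get-CMAntimalwarePolicy. Policy priority is still set in the console, as the post describes; the script does not change it.

```powershell
# Added example (not from the original post): imports the Microsoft antimalware templates,
# deploys each to its Managed Servers collection, then enables Endpoint Protection via a
# custom device client setting deployed to All Servers.
# Assumptions: $SiteCode, the template file names, the imported policy names and the
# template directory are placeholders; the collections named below already exist.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'PS1'                          # placeholder: replace with your site code
Set-Location "$($SiteCode):\"

# Templates ship with the admin console; adjust this path if your console lives elsewhere.
$TemplateDir = "$($env:SMS_ADMIN_UI_PATH)\..\..\XmlStorage\EPTemplates"   # assumption

# Template file -> name the policy has after import -> collection it is deployed to.
# Same order as the collections were created; Default Servers last, as the post does.
$Deployments = @(
    @{ Template = 'FEP_Default_DomainController.xml'; Policy = 'Domain Controller'; Collection = 'Managed Servers - Domain Controller' }
    @{ Template = 'FEP_Default_DNS.xml';              Policy = 'DNS Server';        Collection = 'Managed Servers - DNS' }
    @{ Template = 'FEP_Default_DHCP.xml';             Policy = 'DHCP Server';       Collection = 'Managed Servers - DHCP' }
    @{ Template = 'FEP_Default_HyperV.xml';           Policy = 'Hyper-V';           Collection = 'Managed Servers - HyperV Host' }
    @{ Template = 'FEP_Default_Exchange.xml';         Policy = 'Exchange';          Collection = 'Managed Servers - Exchange' }
    @{ Template = 'FEP_Default_SQL2016.xml';          Policy = 'SQL Server 2016';   Collection = 'Managed Servers - SQL 2016' }
    @{ Template = 'FEP_Default_IIS.xml';              Policy = 'IIS';               Collection = 'Managed Servers - IIS' }
    @{ Template = 'FEP_Default_Lync.xml';             Policy = 'Lync';              Collection = 'Managed Servers - Lync' }
    @{ Template = 'FEP_Default_SharePoint.xml';       Policy = 'SharePoint';        Collection = 'Managed Servers - SharePoint' }
    @{ Template = 'FEP_Default_TMG.xml';              Policy = 'TMG';               Collection = 'Managed Servers - TMG' }
    @{ Template = 'FEP_Default_FileServer.xml';       Policy = 'File Server';       Collection = 'Managed Servers - File' }
    @{ Template = 'FEP_Default_Server.xml';           Policy = 'Default Servers';   Collection = 'All Servers' }
)

foreach ($d in $Deployments) {
    $TemplatePath = Join-Path $TemplateDir $d.Template
    if (-not (Test-Path $TemplatePath)) {
        Write-Warning "Template not found, skipping: $TemplatePath"
        continue
    }
    # Import only once; re-running the script must not create duplicate policies.
    if (-not (Get-CMAntimalwarePolicy -Name $d.Policy)) {
        Import-CMAntimalwarePolicy -Path $TemplatePath
    }
    if (-not (Get-CMCollection -Name $d.Collection)) {
        Write-Warning "Collection not found, skipping deployment: $($d.Collection)"
        continue
    }
    Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $d.Policy -CollectionName $d.Collection
}

# Custom device client setting that turns on Endpoint Protection management and installs the
# client. RemoveThirdParty is left off so an existing anti-virus product is not uninstalled,
# matching the behaviour the post describes.
$SettingName = 'Servers - Endpoint Protection'     # assumption: any name you like
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName -Type Device | Out-Null
}
Set-CMClientSettingEndpointProtection -Name $SettingName -Enable $true `
    -InstallEndpointProtectionClient $true -RemoveThirdParty $false -SuppressReboot $true
Start-CMClientSettingDeployment -ClientSettingName $SettingName -CollectionName 'All Servers'
```

After the next client policy cycle the servers in All Servers pick up the client setting and install SCEP; the per-role Antimalware Policies then apply according to the priority order you set in the console, with Default Servers as the fallback for anything that matched none of the role collections.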