I’ve been testing Forefront Client Security (FF Client) and so far it is decent. My biggest gripe so far is the lack of tamper protection while it’s deployed to desktops. However, I found a post here: http://blogs.microsoft.co.il/blogs/yanivf/archive/2009/01/09/temper-protection-in-forefront-client-security.aspx.
Essentially, there are two things that you must do to protect the FF Client, both of which can be done through GPO.
- Protect the FF Client services so only a select few accounts can stop the services. I’d recommend setting up a separate security group for this. The important service to protect is the “Microsoft Forefront Client Security Antimalware Service”. However, it may be a good idea to protect the other one as well, called “Microsoft Forefront Client Security State Assessment Service”.
- Change permissions on the uninstall information in the registry. (You should use the group that you set up for the rule in step one.)
As you can see, it’s not that hard to do, and with GPO it should be easy to create a policy that will keep users from shutting off the FF Client because they think it’s making their computer run slow.
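
To check the first step once the policy has applied, the service DACL can be read back and inspected. The following is an added example, not code from this post or the linked article: the function name `Get-ServiceTamperAce` and the sample SDDL string are constructed for illustration, and it assumes rights are written as two-letter SDDL codes (hex masks are not decoded).

```powershell
# Added example: list trustees that a service DACL allows to stop or reconfigure it.
# Service-specific meaning of the SDDL right codes:
#   WP = SERVICE_STOP, DC = SERVICE_CHANGE_CONFIG, SD = DELETE,
#   WD = WRITE_DAC, WO = WRITE_OWNER, GA/GX = generic rights that include stop
$RiskyRights = @{
    WP = 'stop'; GX = 'stop (generic execute)'; GA = 'full control'
    DC = 'change config'; SD = 'delete'; WD = 'rewrite DACL'; WO = 'take ownership'
}

function Get-ServiceTamperAce {
    param([Parameter(Mandatory)][string]$Sddl)

    # Keep only the DACL: the run of ACEs after "D:" (stops before any "S:" SACL).
    if ($Sddl -notmatch 'D:[A-Z]*(?<aces>(\([^)]*\))+)') { return }
    foreach ($m in [regex]::Matches($Matches.aces, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        if ($f[0] -ne 'A') { continue }   # only allow ACEs grant rights
        $codes = [regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value }
        $hits  = $codes | Where-Object { $RiskyRights.ContainsKey($_) }
        if ($hits) {
            [pscustomobject]@{
                Trustee = $f[5]   # SDDL alias (SY, BA, IU ...) or a full SID
                Rights  = ($hits | ForEach-Object { $RiskyRights[$_] }) -join ', '
            }
        }
    }
}

# Constructed sample DACL (not taken from a real FF Client install):
# SYSTEM and Administrators can stop the service, Interactive Users cannot.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)'
Get-ServiceTamperAce -Sddl $sample | Format-Table -AutoSize

# Live check. Display names are the ones given in the post; the short service
# names are looked up rather than assumed.
$names = 'Microsoft Forefront Client Security Antimalware Service',
         'Microsoft Forefront Client Security State Assessment Service'
foreach ($svc in Get-Service -DisplayName $names -ErrorAction SilentlyContinue) {
    $sddl = (& sc.exe sdshow $svc.Name) -join ''
    Get-ServiceTamperAce -Sddl $sddl |
        Select-Object @{n='Service';e={$svc.Name}}, Trustee, Rights
}
```

Any trustee listed with stop, change config, DACL or ownership rights other than the system accounts and the security group created for this purpose means the policy has not taken effect on that machine.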