A few weeks back, I talked about Microsoft's progress with its client-side security applications. But the biggest news in this space is the pending arrival of Forefront Client Security (FCS), Microsoft's pending managed client security solution. Aimed at medium- and large-sized businesses, FCS is a much-needed and eagerly-awaited solution for client security. And you can grab a public beta today and evaluate whether it's right for your business.

I spoke with members of Microsoft's Security, Access, and Solutions Division recently at a briefing in the Boston area to discuss FCS, a product I had first heard rumors of years ago. FCS is a centralized, managed solution that integrates with your existing Active Directory (AD) and Group Policy (GP) infrastructure to protect client PCs (including desktop PCs and portable computers) and servers from viruses, spyware, and other malware. As you might expect, FCS includes a management dashboard, the FCS Management Console, as well as a single client-based agent that must be deployed to all protected systems.

From a technological perspective, Microsoft is handling its security wares intelligently: FCS uses the same backend as its other anti-malware solutions, such as Windows Live OneCare, Windows Defender, and ForeFront Security for Exchange (formerly Sybari Antigen, and shipping next month for Exchange 2007). This brings with it certain efficiencies, of course, but the use of a single back-end means that FCS' protections will have been used in the real world by millions of people by the time the product ships.

In use, FCS is everything you'd expect from a Microsoft enterprise product: The console is rich with features and easy to use, and deploying the agents through GP to, say, an AD organizational unit (OU) is straightforward. By default, users will typically never even be aware that FCS is working in the background, and indeed, you can configure it so that they'll never have to deal with a single dialog box. Users who are permitted to do so can run the client-side code manually and will see an application window modeled after that of Windows Defender.

FCS utilizes Windows Server Update Services (WSUS) to provide definition updates for the product's anti-malware functionality, and can fail-over to Microsoft Update (MU) if WSUS is not available. Administrators can simply choose to auto-approve all such updates, which is recommended, or you can manually approve them as you go. The client application checks for updated definitions on a scheduled basis, as you'd expect. And each morning, it's possible to scan a security summary report through the FCS Management Console to get a capsule view of how the past day went. There's also trend information, which goes back 30 days by default.

Currently, a public beta of FCS is available from the Microsoft Web site (see below), and the company intends to ship the final version by the second quarter of 2007. While Microsoft hasn't yet announced pricing, FCS will be made available via a subscription model where customers pay a licensing fee per year, per device. As part of that licensing fee, you receive constant definition updates and rights to any new versions of FCS that ship in that timeframe.

FCS looks great, and I recommend checking it out. The only question is its suitability for small businesses, which is a market that is currently unserved by Microsoft's security solutions. On the very low-end, home-based and other very small businesses could be well served by a solution like OneCare, and of course FCS targets mid- and large-sized businesses. But Small Business Server (SBS) customers might be out of luck, though Microsoft is looking at a more pervasive security solution for that platform, perhaps one that combines the functionality of FCS with that of ForeFront Security for Exchange, for the future. Stay tuned.

Forefront Client Security Beta

This article originally appeared in the November 21, 2006 issue of Windows IT Pro UPDATE.