Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines


Page 1: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Symantec Endpoint Protection

Enterprise Edition

Best Practices Guidelines

Regional Product Management Team – Endpoint Security

Page 2: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Agenda

1. SEPM Architecture and Settings

2. Recommended Client Protection Technologies

3. AntiVirus \ AntiSpyware

4. Firewall

5. Application and Device Control

6. LiveUpdate

7. Exclusions

8. Useful Resources

Page 3: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

SEPM Architecture and Settings

Page 4: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Deployment Architectures

Single Site

Distributed Site

Log Replication

High Availability

Page 5: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Content Distribution and Revision

Symantec releases certified content updates three times a day.

There are numerous methods to update content on clients; Symantec recommends the SEPM and LiveUpdate as the two primary methods.

Symantec recommends that SEPM servers download content every 4 hours. Downloading at least as often as content is released ensures that clients receive delta content packages rather than full content packages.

This also reduces the size of each content package and the bandwidth needed to deploy it.

Page 6: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Content Distribution and Revision Cont:

Another option for deploying content is to use LiveUpdate. A client running LiveUpdate always requests a delta from the LiveUpdate source.

Clients can retrieve LiveUpdate content directly from Symantec or from a locally installed LiveUpdate server. Symantec recommends using LiveUpdate scheduling when content updates need to occur within a certain time window.

When updating content across WAN links, or in remote locations with limited bandwidth where no SEPM server will be installed, Symantec recommends the use of Group Update Providers (GUPs).

Symantec also recommends allowing users to run LiveUpdate manually.

Page 7: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Content Distribution and Revision Cont:

Symantec recommends that administrators set the Number of Content Revisions to keep to at least 30. The setting counts revisions, not days: with certified content released three times a day, 30 revisions cover roughly 10 days of deltas.

90 would be the ideal number, ensuring that clients can still receive deltas as far back as one month. Each retained revision consumes disk space on the SEPM, so size the database volume accordingly.

This comfortably covers an employee who has not connected for a week, and is more cost effective than sending full definitions across the network.

Page 8: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Log Retention

Logs can be configured to either retain data by number of days or by the size of the log.

For customers that need to store logs for a set period of time and size is not a factor, Symantec recommends the following configuration:

Set Log Limits to 999999999 and then configure the Number of Days you would like to retain logs (Usually 30 or 60 days is enough).

Page 9: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Log Retention

Set "Delete risk events after" to the same number of days as the log retention period, so that risk events and the logs that explain them expire together.

Page 10: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Proxy and SMTP Configuration

Few changes need to be made on the SEPM, as the default settings already follow best practices for the most part.

Symantec recommends that each SEPM be able to connect to the Internet, and that each SEPM be configured with the appropriate SMTP and proxy settings so that LiveUpdate downloads and email notifications work.

Page 11: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Backup

It is recommended to back up the SEPM Server regularly.

In addition, it is also important to back up each SEPM's server certificate for use in recovery operations; a manager restored with a different certificate will no longer be able to communicate with its existing clients.

Page 12: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Administrator Accounts

Symantec recommends having at least two System Administrator accounts for redundancy.

Even if only one individual manages the system, Symantec recommends that there be two accounts in case one of them is locked out.

Page 13: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Recommended Client Protection Policies

Page 14: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Antivirus, Antispyware & TruScan Protection

Page 15: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Antivirus/Antispyware Policy

Symantec always recommends running SEP with Auto-Protect enabled and routine scheduled scans enabled.

It is typically recommended to start your deployment with a full weekly scan.

If the scheduled scans are discovering few infections, the frequency and depth of the scan can be reduced.

In environments with low infection rates, it is not uncommon to find monthly full scans or weekly quick scans being performed.

Page 16: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Antivirus/Antispyware Policy Cont:

Symantec provides three Antivirus and Antispyware policies out of the box. Symantec recommends the default antivirus policy for most machines.

On machines that are slow, have high resource utilization, or whose users typically complain of performance, Symantec recommends applying the High Performance policy.

For mission-critical machines, and for machines/users with a high infection rate (poor Internet hygiene), Symantec recommends applying the High Security antivirus policy.

Page 17: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Antivirus/Antispyware Policy Cont:

It is suggested to enable Delay Scheduled Scans when running on batteries. Enabling this feature typically increases end-user satisfaction with the product, since running a full scan on battery power drains it more quickly.

To further increase end-user acceptance of the product, many companies give the end user the right to stop scans.

It is recommended to keep the defaults for Internet Email Scanning, TruScan, Quarantine, and Submissions.

Symantec only recommends installing the Outlook/Lotus Notes plug-ins when there is no antivirus on the mail server.

Page 18: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Antivirus/Antispyware Policy Cont:

Symantec updates definitions three times a day; each day that goes by without a definition update means less protection.

On average, Symantec adds over 20K signatures a day. It is recommended to display a notification to end users when definitions are outdated.

If users have the ability to initiate LiveUpdate, Symantec recommends lowering the threshold for that notification to 5 days out of date.

It is also recommended to set the Internet Browser Protection recovery home page to your company's website. Most companies redirect to an internal web page with the security policies and escalation procedures.

Page 19: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Firewall & Intrusion Prevention

Page 20: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Firewall Policy

There are four traditional configurations that administrators may consider when deploying a client firewall. Each configuration provides a different level of protection and changes the likelihood of encountering false positives and preventing legitimate applications from working.

Page 21: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Firewall Policy

Firewall Disabled: Disabling the firewall minimizes the potential for a configuration mistake that causes legitimate applications to stop working. Since every network environment is unique, some customers find it easier to keep this technology disabled until there is a need.

In Symantec Endpoint Protection, disabling the firewall but enabling Intrusion Prevention provides additional protection with minimal configuration and few false positives.

Block Known Trojan Ports: Allowing all network traffic except to ports commonly associated with known Trojans provides an additional level of security while minimizing the risk of creating a policy that blocks a legitimate application. Although this provides some protection, the Intrusion Prevention engine already provides signatures to detect and block most of these exploits, and malware is free to listen on any port it chooses.

In this configuration, administrators can choose to block specific applications without needing to know what is installed in the environment.

Page 22: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Firewall Policy

Block all Inbound Connections: Configuring the firewall to block all inbound connections greatly reduces the risk of an attacker gaining access to a client's resources or data. Most applications installed on the box will still be allowed to initiate communications, which reduces the amount of configuration that needs to be done.

This configuration will not stop all malicious code from getting installed on the box, nor will it prevent malicious code from sending important data to an attacker over an outbound connection. This configuration will also block some legitimate corporate applications, such as management utilities that expect to receive connections from a management server. It is highly recommended to test this configuration thoroughly prior to deploying it.

Some companies have found it easier to deploy a variant of this configuration that blocks all inbound connections except from the servers installed in the organization. This has minimized the number of changes that need to be made as new applications are installed, and it has minimized the number of exceptions needed in the policy.

Explicit Deny: In this configuration, the firewall is configured to block all communications except for those you explicitly choose to accept. This is the most secure approach to creating firewall policies: any new code introduced to the environment (good or bad) will not be allowed to communicate until an administrator approves it. Although this provides the most secure architecture, constant changes are usually needed to accommodate application changes.

Page 23: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Firewall Policy

Symantec recommends starting the deployment with the firewall disabled and Intrusion Prevention (IPS) enabled. Administrators can then increase the protection on the client by deploying the firewall over time.

Extensive testing should be conducted prior to deploying the firewall policy.

It is also beneficial to consider disabling the firewall when on the corporate network and hardening the firewall when users disconnect from the corporate network.

This is normally done through the Location Awareness feature. Care should be taken when defining network segments: if a location is recognized by a single, easily spoofed identifier such as a DNS suffix, a hostile network could be mistaken for the corporate one and the client would drop its firewall there. Symantec recommends using multiple network identifiers when creating the policy.

Symantec also recommends the use of Peer-to-Peer Enforcement between clients. Peer-to-Peer Enforcement makes a client block all connections from a remote machine until that machine has proven it is in compliance with corporate policy.

Page 24: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Intrusion Prevention Policy

Symantec recommends always running IPS on client machines. Symantec makes no recommendations on changing the default settings for IPS.

If Administrators or individuals within the organization are running security tools and assessment tools, Symantec does recommend excluding those machines from the IPS detection as it may yield false positives.

Note: Symantec does not recommend running the IPS on a Server OS without fully testing.

Page 25: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Application and Device Control

Page 26: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Application and Device Control Policy

Application Control and Device Control are advanced features that can further enhance malware protection for your business. Extreme caution should be used in creating application and device control policies, as these technologies may cause legitimate applications to stop operating.

Symantec recommends using Application Control and Device Control settings only after testing the impact of the policy in your environment. Application Control and Device Control give administrators the ability to restrict the behavior of applications and users in the environment. Since this is a diverse technology, the possibilities for what can be done are nearly endless.

Page 27: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Application and Device Control Policy

Allow only read access to the following keys, to prevent tampering with or changing Internet Explorer settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Page 28: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Application and Device Control Policy Cont:

Allow only read access to the following registry keys, which allow applications to start automatically (the usual persistence locations for malware):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (AppInit_DLLs is a value under the Windows key listed above, not a subkey; protecting that key covers it)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKEY_CLASSES_ROOT\comfile\shell\open\command

HKEY_CLASSES_ROOT\piffile\shell\open\command

HKEY_CLASSES_ROOT\exefile\shell\open\command

HKEY_CLASSES_ROOT\txtfile\shell\open\command

Note: Symantec does not recommend running Application Control on a server OS without fully testing it first.
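The two registry lists above are the locations an Application Control rule would make read-only. Before enforcing such a rule it helps to know what is already configured there, since anything present is either a legitimate autostart entry to keep or a persistence mechanism to investigate. The following PowerShell script is an added example, not part of the Symantec deck and not SEP code; it enumerates those keys on the local machine, notes which identities can currently write to each, and writes a CSV baseline to %TEMP% (the output path is an assumption). Run it from an elevated PowerShell on a representative client.

```powershell
# Added example (not from the Symantec deck): enumerate the autorun and IE
# registry locations listed on the preceding two slides and report what is
# currently configured there, so the state can be baselined before an
# Application Control rule makes them read-only. Keys that do not exist on
# this Windows version (e.g. RunServices on NT-based systems) show as <absent>.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',    # holds the AppInit_DLLs value
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

# File-association handlers live under HKEY_CLASSES_ROOT; there is no HKCR:
# drive by default, so reach them through the Registry:: provider path.
$ShellOpenKeys = @('comfile', 'piffile', 'exefile', 'txtfile') |
    ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\shell\open\command" }

# Browser Helper Objects are registered as CLSID subkeys, so walk one level down.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$BhoSubkeys = if (Test-Path -LiteralPath $bho) {
    Get-ChildItem -LiteralPath $bho | Select-Object -ExpandProperty PSPath
} else { @() }

function Get-AutostartEntry {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Key = $p; Name = '<absent>'; Value = $null; Writers = $null }
            continue
        }
        # Which identities may write here today? Application Control will later
        # deny writes to everyone, so record who currently holds SetValue rights.
        $acl = Get-Acl -LiteralPath $p
        $writers = ($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                (($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0) } |
            Select-Object -ExpandProperty IdentityReference -Unique) -join ', '

        $props = Get-ItemProperty -LiteralPath $p
        # Drop the provider bookkeeping properties; everything else is a real value.
        $values = $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
        if (-not $values) {
            [pscustomobject]@{ Key = $p; Name = '<empty>'; Value = $null; Writers = $writers }
        }
        foreach ($v in $values) {
            [pscustomobject]@{ Key = $p; Name = $v.Name; Value = $v.Value; Writers = $writers }
        }
    }
}

$report = Get-AutostartEntry -Path ($AutostartKeys + $ShellOpenKeys + $BhoSubkeys)
$report | Sort-Object Key, Name | Format-Table -AutoSize -Wrap

# Keep the baseline so it can be diffed after the Application Control policy
# is applied, or when an infection is suspected. Output path is an assumption.
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\autostart-baseline.csv"
```

Anything in the Run, Winlogon or shell\open\command entries that does not point at a known, signed binary deserves a look before the rule is turned on, because once writes are denied the entry will persist exactly as it is. The Writers column shows how far the Windows ACL alone would have protected the key; on most clients Administrators (and therefore any malware running as an administrator) can write to all of them, which is why the SEP rule adds value.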

Page 29: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

LiveUpdate

Page 30: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

LiveUpdate Policy

Symantec recommends configuring multiple methods for updating content on mobile clients. This allows systems that are not connected to the corporate network to receive content updates when they cannot reach the management server.

The most typical recommendation is for customers to create two policies: one that has clients update from the management server while connected to the corporate network, and another that has clients update through LiveUpdate directly from Symantec when they are not connected to the corporate network.

Page 31: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Location Awareness

Symantec typically recommends that administrators create two locations (Default/Internal and External) when using these two LiveUpdate policies.

A default location is provided with each created group.

The default location's LiveUpdate policy should have clients contact the SEP Manager (SEPM) for their content updates.

The external location's LiveUpdate policy should have clients run LiveUpdate directly against Symantec's LiveUpdate site to retrieve content updates.

Page 32: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

External LiveUpdate Policy

It is recommended to set the “External” LiveUpdate policy retrieval schedule for every 4 hours.

Remember Symantec releases certified LiveUpdate content 3 times daily. This will ensure that the client systems stay up to date with the latest security content updates.

Page 33: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

External LiveUpdate Policy Cont:

It is also recommended to configure the Advanced Settings to “Allow the user to manually launch LiveUpdate”.

Page 34: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

External Location Configuration Cont:

Specify the conditions for this location trigger. In this case, the ability to connect to the management server was the condition used.

Symantec recommends that more than one condition be specified when configuring a location.
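Because the firewall is relaxed when a client decides it is on the corporate network, the location decision is itself security-relevant: a DNS suffix or an internal-looking address can be handed out by any rogue DHCP server. The script below is an added example, not part of the Symantec deck and not how SEPM evaluates its locations internally; it shows the kind of multi-condition test the slide recommends, requiring a TCP connection to the management server plus at least two weaker signals before reporting "Internal". The host name, port, DNS suffix, subnet prefix and gateway MAC in $Expected are assumed values for a fictional network, and the Get-Net* cmdlets it uses exist on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the Symantec deck): combine several independent
# network identifiers before classifying a client as "Internal". SEPM does this
# evaluation itself via its Location Awareness conditions; this script only
# illustrates why one identifier alone is weak. All values in $Expected are
# assumptions for a fictional network.

$Expected = @{
    ManagementServer = 'sepm01.corp.example'  # assumed SEPM host name
    ManagementPort   = 8014                   # assumed SEPM client port
    DnsSuffix        = 'corp.example'         # assumed connection-specific DNS suffix
    SubnetPrefix     = '10.20.'               # assumed internal IPv4 range
    GatewayMac       = '00-11-22-33-44-55'    # assumed MAC of the internal default gateway
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # A completed handshake, with a timeout so an unreachable host does not hang.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-LocationSignals {
    param([hashtable]$Expected)
    # Use the first adapter that has a default gateway; that is the path the
    # client would take to reach the management server.
    $cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
    if (-not $cfg) { return $null }

    $address = ($cfg.IPv4Address | Select-Object -First 1).IPAddress
    $gateway = ($cfg.IPv4DefaultGateway | Select-Object -First 1).NextHop
    $suffix  = (Get-DnsClient -InterfaceIndex $cfg.InterfaceIndex).ConnectionSpecificSuffix
    $gwMac   = (Get-NetNeighbor -IPAddress $gateway -ErrorAction SilentlyContinue |
                Select-Object -First 1).LinkLayerAddress

    [pscustomobject]@{
        # Cheap to spoof: any DHCP server on a hostile network can hand out these two.
        SuffixMatches     = ($suffix -eq $Expected.DnsSuffix)
        SubnetMatches     = ($address -like "$($Expected.SubnetPrefix)*")
        # Harder to fake from a foreign network: the real gateway's MAC address
        # and a completed TCP handshake with the real management server.
        GatewayMacMatches = ($gwMac -eq $Expected.GatewayMac)
        ServerReachable   = (Test-TcpPort -HostName $Expected.ManagementServer -Port $Expected.ManagementPort)
    }
}

function Resolve-Location {
    param([hashtable]$Expected)
    $s = Get-LocationSignals -Expected $Expected
    if (-not $s) { return 'External' }
    # Require the strong signal (management server reachable) plus at least two
    # of the others. A captive portal that fakes the DNS suffix and hands out
    # an internal-looking address still fails this test.
    $others = @(@($s.SuffixMatches, $s.SubnetMatches, $s.GatewayMacMatches) | Where-Object { $_ })
    if ($s.ServerReachable -and $others.Count -ge 2) { 'Internal' } else { 'External' }
}

Get-LocationSignals -Expected $Expected | Format-List
"Location: $(Resolve-Location -Expected $Expected)"
```

A bare TCP connect proves only that something answers on that port, not that it is the genuine SEPM, so even the "strong" signal here is a heuristic; the point of the exercise is to see which identifiers an attacker on the same Wi-Fi could reproduce and to configure the SEPM location conditions so that no single one of them is enough.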

Page 35: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Centralized Exceptions

Page 36: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Centralized Exceptions Policy

• The recommendation for exceptions is to add exceptions as needed. SEP automatically makes exceptions for certain applications, but it is best to add additional exceptions for databases, transaction logs, VMware images, and other items with high transactional volume. It is also recommended not to allow employees to add exceptions unless needed, since every exception is a location the scanner will never look at. For additional information on default exceptions and on how to add exceptions, please reference the Symantec Online Knowledge Base.

Page 37: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Additional Resources

Page 38: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Documentation and Training

Dedicated Web Page

Migration and Installation Information

Troubleshooting Information

Knowledgebase and White Paper documentation

http://www.symantec.com/business/support/endpointsecurity/migrate/index.jsp

Page 39: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Resources

Symantec publicly accessible user forums (peer to peer forums, not a replacement for technical support)

https://forums.symantec.com

Symantec Endpoint Security Migration and Installation website

http://www.symantec.com/enterprise/support/endpointsecurity/migrate/index.jsp

Symantec Endpoint Protection 11.0 ‐ Free online tutorials providing an overview and migration walkthrough

http://www.symantec.com/business/theme.jsp?themeid=sep11x&header=0&footer=1&depthpath=0

Comparison Tour ‐ Symantec System Center vs. the new Symantec Endpoint Protection Manager Console

http://www.symantec.com/business/support/endpointsecurity/ssc_sep/

Symantec Endpoint Protection 11.0 – Common Topics

http://service1.symantec.com/SUPPORT/ent‐security.nsf/docid/2008070715030248

Symantec Endpoint Protection 11.0 ‐ Product Documentation

http://www.symantec.com/business/support/documentation.jsp?pid=54619

Symantec Endpoint Protection 11.0 – Support homepage (search the Knowledge Base from here)

http://www.symantec.com/enterprise/support/overview.jsp?pid=54619

Page 40: Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines

Questions?