Enterprise Edition
Best Practices Guidelines
3 AntiVirus \ AntiSpyware
4 Firewall
8 Useful Resources
Set "Delete risk events after" to be consistent with the number of days you retain logs.
Few changes need to be made on the SEPM, as the default settings already follow best
practices for the most part.
Symantec recommends that each SEPM has the ability to connect to the internet and that
each SEPM is configured with the appropriate SMTP and Proxy Settings.
In addition, back up each SEPM's server certificate for use in recovery operations.
There are 4 traditional configurations that individuals may consider when deploying a
client firewall. Each configuration provides a different level of protection and changes the
likelihood of encountering false positives and preventing legitimate applications from
working.
Firewall Disabled: Disabling the firewall minimizes the potential for making a mistake
with the configuration that can cause legitimate applications to cease working. Since
every network environment is unique, some customers find it easier to keep this
technology disabled until there is a need.
In Symantec Endpoint Protection, disabling the firewall but enabling Intrusion Prevention
provides additional protection with minimal configuration and false positives.
Block Known Trojan Ports: Allowing all network traffic except for ports commonly
associated with known Trojans provides an additional level of security while minimizing
the risk of creating a policy that blocks a legitimate application. Although this might
provide some protection, the Intrusion Prevention Engine already provides signatures to
detect and block most of these exploits.
In this configuration, administrators can choose to block specific applications without
needing to know what is installed in the environment.
Block all Inbound Connections: Configuring the firewall to block all inbound connections
greatly reduces the risk of an attacker gaining access to a client's resources or data. Most
applications that get installed on the box will still be allowed to initiate communications,
which reduces the number of settings that need to be configured.
This configuration will not stop all malicious pieces of code from getting installed on the box nor
will it prevent the malicious code from communicating important pieces of data to a hacker. This
configuration will also block some legitimate corporate applications like management utilities that
expect to receive connections from a management server. It is highly recommended to test this
configuration thoroughly prior to deploying the configuration.
Some companies have found it easier to deploy this configuration that blocks all inbound
connections except from the Servers installed in the organization. This has minimized the number
of changes that need to be made as new applications are installed and it has minimized the
number of exceptions needed to the policy.
Explicit Deny: In this configuration, the firewall is configured to block all communications
except for those settings that you choose to accept. This is the most secure approach to
creating firewall policies. This means that any new code introduced to the environment
(good or bad) will not be allowed to communicate until an administrator approves it.
Although this provides the most secure architecture, constant changes are usually needed
to accommodate application changes.
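The guide recommends testing the "block all inbound connections" configuration thoroughly before deployment. The following PowerShell script is an added example, not part of the Symantec guide: it inventories which processes on a client are listening for inbound TCP connections and which remote peers currently use them, so the "block all inbound except from the organization's servers" variant can be assessed before the policy is pushed. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and that $ManagementServers holds your own servers' addresses; the values shown are constructed placeholders.

```powershell
# Added example: inventory inbound listeners and their peers on a client before
# deploying a "block all inbound" firewall policy. Not Symantec code.
# $ManagementServers are constructed placeholders; replace with your servers.
$ManagementServers = @('192.0.2.10', '192.0.2.11')

function Get-InboundExposure {
    param([string[]]$TrustedServers)
    $listeners   = Get-NetTCPConnection -State Listen
    $established = Get-NetTCPConnection -State Established
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        # Remote peers currently connected to this listening port, excluding
        # loopback traffic, which a host firewall policy does not affect here.
        $peers = @($established |
            Where-Object { $_.LocalPort -eq $l.LocalPort -and
                           $_.OwningProcess -eq $l.OwningProcess } |
            Select-Object -ExpandProperty RemoteAddress -Unique |
            Where-Object { $_ -notin @('127.0.0.1', '::1') })
        $trusted   = @($peers | Where-Object { $_ -in $TrustedServers })
        $untrusted = @($peers | Where-Object { $_ -notin $TrustedServers })
        [pscustomobject]@{
            Process        = if ($proc) { $proc.ProcessName } else { "pid $($l.OwningProcess)" }
            LocalAddress   = $l.LocalAddress
            LocalPort      = $l.LocalPort
            TrustedPeers   = $trusted.Count
            UntrustedPeers = $untrusted.Count
            # A "block inbound except from our servers" rule only breaks this
            # listener if peers outside the server list depend on it.
            BreaksIfBlocked = $untrusted.Count -gt 0
        }
    }
}

# Listeners that would lose connectivity are sorted to the top for review.
Get-InboundExposure -TrustedServers $ManagementServers |
    Sort-Object BreaksIfBlocked -Descending |
    Format-Table -AutoSize
```

Run this on representative clients over a normal working period; a listener that shows only trusted peers is a candidate for the server-only exception, while one with untrusted peers needs an explicit rule or a decision to accept the loss.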
Firewall Policy
Symantec recommends starting deployment with the firewall disabled and Intrusion
Prevention (IPS) enabled. Administrators can then increase protection on the client
by deploying the firewall over time.
It is also beneficial to consider disabling the firewall when on the corporate network and
hardening the firewall when users disconnect from the corporate network.
This is normally done through the Location Awareness feature. Care should be taken when defining network
segments. Symantec recommends using multiple network identifiers when creating the policy.
Symantec also recommends the use of Peer to Peer Enforcement between clients.
Peer to Peer Enforcement forces a client to block all connections from a remote
machine until that machine has proven that it is in compliance with corporate policy.
If Administrators or individuals within the organization are running security tools and
assessment tools, Symantec does recommend excluding those machines from the IPS
detection as it may yield false positives.
Note: Symantec does not recommend running the IPS on a Server OS without
fully testing.
Application Control and Device Control are advanced features that can be used to further
enhance malware protection for your business. Extreme caution should be used in creating
application and device control policies as these advanced technologies may cause
legitimate applications to cease operating.
Symantec recommends using Application Control and Device Control settings only after
testing the impact of the policy in your environment. Application Control and Device Control
allow administrators to restrict the behavior of applications and users in the
environment. Since this is a diverse technology, there are many possibilities for what
can be done.
Allow Only Read to the following Keys to prevent tampering or changing of IE Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Allow only read to the following Registry Keys that allow applications to start automatically:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
Note: Symantec does not recommend running the Application Control on a Server OS without fully Testing
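Because the guide says to test an Application Control policy before deploying it, a baseline of what currently lives in, and who can currently write to, the keys listed above is the natural first step. The following PowerShell script is an added example and not part of the Symantec guide: it records every value under the listed autostart and shell-command keys and reports which principals hold write rights on them. It assumes it is run elevated on the Windows host being evaluated; the output file name is an assumption.

```powershell
# Added example: baseline the autostart and IE-related keys listed in this
# guide before restricting them to read-only with Application Control.
# Not Symantec code. Assumes an elevated PowerShell session.
$AutoStartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
)
# The HKCR file-type handlers use the Registry:: provider path form.
$ShellCommandKeys = 'comfile', 'piffile', 'exefile', 'txtfile' |
    ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\shell\open\command" }

function Get-AutoStartBaseline {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path          # Microsoft.Win32.RegistryKey
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $path
                Name  = if ($name) { $name } else { '(Default)' }
                Kind  = $key.GetValueKind($name)
                Value = $key.GetValue($name)
            }
        }
    }
}

# Principals that can currently write to a key: these are the installers and
# agents whose behaviour a read-only rule will change, so they need testing.
function Get-KeyWriters {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.RegistryRights -match 'SetValue|CreateSubKey|FullControl' } |
            Select-Object @{ n = 'Key'; e = { $path } }, IdentityReference, RegistryRights
    }
}

$allKeys = $AutoStartKeys + $ShellCommandKeys
Get-AutoStartBaseline -Paths $allKeys | Export-Csv -NoTypeInformation -Path .\autostart-baseline.csv
Get-KeyWriters -Paths $allKeys | Format-Table -AutoSize
```

Compare the CSV taken before and after the policy is applied in the test environment; any legitimate product that stops updating its entries under these keys is one that needs an Application Control exception.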
LiveUpdate
The most typical recommendation is for customers to create two policies: one that
has clients update from the management server while connected to the network, and
another that has clients update through LiveUpdate directly from Symantec when
the client machine is not connected to the corporate network.
It is recommended to set the External LiveUpdate policy retrieval schedule for every 4
hours.
Remember Symantec releases certified LiveUpdate content 3 times daily. This will ensure
that the client systems stay up to date with the latest security content updates.
It is also recommended to configure the Advanced Settings to Allow the user to manually
launch LiveUpdate.
Specify the conditions for this location trigger. In this case the ability to connect to the
management server was a condition that was used.
Symantec recommends that more than one condition be specified when configuring
a location.
Troubleshooting Information
http://www.symantec.com/business/support/endpointsecurity/migrate/index.jsp
Symantec publicly accessible user forums (peer to peer forums, not a replacement for technical support)
https://forums.symantec.com
Symantec Endpoint Protection 11.0 Free online tutorials providing an overview and migration walkthrough
http://www.symantec.com/business/theme.jsp?themeid=sep11x&header=0&footer=1&depthpath=0
Comparison Tour Symantec System Center vs. the new Symantec Endpoint Protection Manager Console
http://www.symantec.com/business/support/endpointsecurity/ssc_sep/
Symantec Endpoint Protection 11.0 Support homepage (search the Knowledge Base from here)
http://www.symantec.com/enterprise/support/overview.jsp?pid=54619