4. Optional Footer Information Here
Deployment Architectures
• Single Site
• Distributed Site
• Log Replication
• High Availability
Content Distribution and Revision
Symantec releases certified content updates 3 times a day.
There are numerous methods to update content on clients; however, Symantec recommends the use of the SEPM and LiveUpdate as the two primary methods.
Symantec recommends that SEPM servers download content every 4 hours. This ensures that clients receive delta content packages as opposed to full content packages, which also reduces the size of the content package and the bandwidth needed to deploy it.
Content Distribution and Revision Cont:
Another option for deploying content is to use LiveUpdate. A client running LiveUpdate will always request a delta from the LiveUpdate source.
Clients can retrieve LiveUpdate content directly from Symantec or from a locally installed LiveUpdate Server. Symantec recommends using LiveUpdate scheduling when content updates need to occur during a certain time window.
When updating content across WAN links, or where SEPM servers will not be installed in remote locations with limited bandwidth, Symantec recommends the use of Group Update Providers (GUPs).
Symantec also recommends allowing users to run LiveUpdate manually.
Content Distribution and Revision Cont:
Symantec recommends that administrators set the Number of Content Revisions to keep to at least 30 days.
90 would be the ideal number, ensuring that clients will get deltas as far back as 1 month.
This allows enough time to handle an employee who has not connected for a week and is more cost effective than sending full definitions across the network.
Log Retention
Logs can be configured to retain data either by number of days or by the size of the log.
For customers that need to store logs for a set period of time, where size is not a factor, Symantec recommends the following configuration:
Set Log Limits to 999999999 and then configure the Number of Days you would like to retain logs (usually 30 or 60 days is enough).
Log Retention
Set "Delete risk events after" to be consistent with the number of days you retain logs.
Proxy and SMTP Configuration
Few changes need to occur on the SEPM, as the default settings are mostly configured for best practices.
Symantec recommends that each SEPM has the ability to connect to the Internet and that each SEPM is configured with the appropriate SMTP and proxy settings.
Backup
It is recommended to back up the SEPM server regularly.
In addition, it is also important to back up each SEPM's server certificate for use in recovery operations.
Administrator Accounts
Symantec recommends that administrators have at least two System Administrator accounts for redundancy purposes.
Even if only one individual manages the system, Symantec recommends that there be two accounts in case an account lockout occurs.
Antivirus/Antispyware Policy
Symantec always recommends running SEP with Auto-Protect enabled and routine scheduled scans enabled.
It is typically recommended to start your deployment with a full weekly scan.
If you notice that not many infections are being discovered via the on-demand scan, it is recommended to decrease the frequency and depth of the scan.
In environments with low infection rates, it is not uncommon to find monthly full scans or weekly quick scans being performed.
Antivirus/Antispyware Policy Cont:
Symantec provides 3 Antivirus and Antispyware policies out of the box.
Symantec recommends the default antivirus policy on most machines.
On machines that are slow, have high resource utilization, or where users typically complain of performance, Symantec recommends applying the High Performance policy.
For machines that are mission critical and for machines/users that have a high infection rate (bad Internet hygiene), Symantec recommends applying the High Security Antivirus policy.
Antivirus/Antispyware Policy Cont:
It is suggested to enable Delay Scheduled Scans when running on batteries. Enabling this feature will typically increase end user satisfaction with the product, since running a full scan while on batteries depletes the power more quickly.
To further increase end user acceptance of the product, more companies provide the end user the right to stop scans.
It is recommended to keep the defaults on Internet Email Scanning, TruScan, Quarantine, and Submissions.
Symantec only recommends installing the Outlook/Lotus plug-ins when antivirus is absent on the mail server.
Antivirus/Antispyware Policy Cont:
Symantec updates definitions three times a day; each day that goes by without a definition update means less protection. On average, Symantec adds over 20K signatures a day. It is recommended to display a notification to end users if definitions are out of date.
If users have the ability to initiate LiveUpdate, then Symantec recommends lowering the number of days before sending a notification to 5 days when content is out of date.
It is also recommended to set the Internet Browser Protection recovery home page to your company's website. Most companies redirect to an internal web page with the security policies and escalation procedures.
Firewall Policy
There are 4 traditional configurations that individuals may consider when deploying a client firewall. Each configuration provides a different level of protection and changes the likelihood of encountering false positives and of preventing legitimate applications from working.
Firewall Policy
Firewall Disabled: Disabling the firewall minimizes the potential for making a configuration mistake that can cause legitimate applications to cease working. Since every network environment is unique, some customers find it easier to keep this technology disabled until there is a need.
In Symantec Endpoint Protection, disabling the firewall but enabling Intrusion Prevention provides additional protection with minimal configuration and false positives.
Block Known Trojan Ports: Choosing to allow all network traffic with the exception of ports commonly associated with known Trojans will provide an additional level of security while minimizing the risk of creating a policy that might block a legitimate application. Although this might provide some protection, the Intrusion Prevention engine already provides signatures to detect and block most of these exploits.
In this configuration, administrators can choose to block specific applications without needing to know what is installed in the environment.
Firewall Policy
Block all Inbound Connections: Configuring the firewall to block all inbound connections greatly reduces the risk of an attacker gaining access to a client's resources or data. Most applications that get installed on the box will still be allowed to initiate communications, which reduces the number of settings that need to be configured.
This configuration will not stop all malicious code from getting installed on the box, nor will it prevent the malicious code from communicating important pieces of data to a hacker. This configuration will also block some legitimate corporate applications, such as management utilities that expect to receive connections from a management server. It is highly recommended to test this configuration thoroughly prior to deploying it.
Some companies have found it easier to deploy a variant of this configuration that blocks all inbound connections except from the servers installed in the organization. This has minimized the number of changes that need to be made as new applications are installed and has minimized the number of exceptions needed in the policy.
Explicit Deny: In this configuration, the firewall is configured to block all communications except for those that you explicitly choose to accept. This is the most secure approach to creating firewall policies. It means that any new code introduced to the environment (good or bad) will not be allowed to communicate until an administrator approves it. Although this provides the most secure architecture, constant changes are usually needed to accommodate application changes.
Firewall Policy
Symantec recommends starting deployment with the firewall disabled and Intrusion Prevention (IPS) enabled. Administrators can then increase the protection on the client by deploying the firewall over time.
Extensive testing should be conducted prior to deploying the firewall policy.
It is also beneficial to consider disabling the firewall when on the corporate network and hardening the firewall when users disconnect from the corporate network.
This is normally done through the Location Awareness feature. Care should be taken when defining network segments. Symantec recommends using multiple network identifiers when creating the policy.
Symantec also recommends the use of Peer to Peer Enforcement between clients. Peer to Peer Enforcement forces a client to block all connections from a remote machine until that machine has proven that it is in compliance with corporate policy.
Intrusion Prevention Policy
Symantec recommends always running IPS on client machines. Symantec makes no recommendations on changing the default settings for IPS.
If administrators or individuals within the organization are running security tools and assessment tools, Symantec does recommend excluding those machines from IPS detection, as it may yield false positives.
Note: Symantec does not recommend running IPS on a server OS without fully testing.
Application and Device Control Policy
Application Control and Device Control are advanced features that can be used to further enhance malware protection for your business. Extreme caution should be used in creating application and device control policies, as these advanced technologies may cause legitimate applications to cease operating.
Symantec recommends using Application Control and Device Control settings only after testing the impact of the policy in your environment. Application Control and Device Control give administrators the ability to restrict the behavior of applications and users in the environment. Since this is a diverse technology, the opportunities are endless as to what can be done.
Application and Device Control Policy
Allow only Read to the following keys to prevent tampering with or changing of IE settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Application and Device Control Policy Cont:
Allow only Read to the following registry keys that allow applications to start automatically:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
Note: Symantec does not recommend running Application Control on a server OS without fully testing.
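As an added example (not from the Symantec deck), the PowerShell script below baselines the autorun keys listed above and reports later additions, removals or changes, so that any modification the Application Control policy should have blocked becomes visible; the baseline file location is an assumption.

```powershell
# Added example, not from the Symantec deck: baseline the autorun keys from the
# slide above and report later additions, removals or changes. Run elevated.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\piffile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command'
)
function Get-AutorunSnapshot {
    # Hashtable of "key|valuename" -> data for every key that exists on this host.
    $snap = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key|$name"] = [string]$item.GetValue($name)
        }
    }
    return $snap
}

function Compare-AutorunSnapshot($Baseline, $Current) {
    # Emits one line per difference; an empty result means nothing changed.
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) { "ADDED   $k = $($Current[$k])" }
        elseif ($Baseline[$k] -ne $Current[$k]) { "CHANGED $k : '$($Baseline[$k])' -> '$($Current[$k])'" }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { "REMOVED $k = $($Baseline[$k])" }
    }
}

# Baseline path is an assumption: the first run records it, later runs print the differences.
$BaselineFile = "$env:ProgramData\autorun-baseline.xml"
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    Get-AutorunSnapshot | Export-Clixml -Path $BaselineFile
} else {
    Compare-AutorunSnapshot (Import-Clixml -Path $BaselineFile) (Get-AutorunSnapshot)
}
```

HKCU: resolves to the hive of the account running the script, so schedule it in the user's context to cover the per-user keys, and re-record the baseline after an approved software change.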
LiveUpdate Policy
Symantec recommends configuring multiple methods for updating content on clients that are mobile. This will allow those systems that are not connected to the corporate network to receive content updates when they cannot reach the management server.
The most typical recommendation is for customers to create two policies: one that has clients update from the management server while connected to the network, and another that has clients update through LiveUpdate directly from Symantec when the client machine is not connected to the corporate network.
Location Awareness
Symantec typically recommends that administrators create two locations (Default/Internal and External) when using these two LiveUpdate policies.
A default location is provided with each created group.
The default location LiveUpdate policy should have the clients contact the SEP Manager (SEPM) for their content updates.
The external location LiveUpdate policy should have clients make LiveUpdate calls directly to Symantec's LiveUpdate site to retrieve content updates.
External LiveUpdate Policy
It is recommended to set the "External" LiveUpdate policy retrieval schedule to every 4 hours.
Remember that Symantec releases certified LiveUpdate content 3 times daily. This will ensure that the client systems stay up to date with the latest security content updates.
External LiveUpdate Policy Cont:
It is also recommended to configure the Advanced Settings to "Allow the user to manually launch LiveUpdate".
External Location Configuration Cont:
Specify the conditions for this location trigger. In this case, the ability to connect to the management server was the condition used.
Symantec recommends that more than one condition be specified when configuring a location.
Centralized Exceptions Policy
• The recommendation for exceptions is to add exceptions as needed. SEP automatically makes exceptions for certain applications, but it is best to add additional exceptions for databases, transactional logs, VMware images, and other items that have high transactional volume. It is also recommended not to allow employees the ability to add exceptions unless needed. For additional information on default exceptions and on how to add exceptions, please reference the Symantec Online Knowledge Base.
Documentation and Training
Dedicated Web Page:
• Migration and Installation Information
• Troubleshooting Information
• Knowledgebase and White Paper documentation
http://www.symantec.com/business/support/endpointsecurity/migrate/index.jsp
Resources
Symantec publicly accessible user forums (peer to peer forums, not a replacement for technical support)
https://forums.symantec.com
Symantec Endpoint Security Migration and Installation website
http://www.symantec.com/enterprise/support/endpointsecurity/migrate/index.jsp
Symantec Endpoint Protection 11.0 - Free online tutorials providing an overview and migration walkthrough
http://www.symantec.com/business/theme.jsp?themeid=sep11x&header=0&footer=1&depthpath=0
Comparison Tour - Symantec System Center vs. the new Symantec Endpoint Protection Manager Console
http://www.symantec.com/business/support/endpointsecurity/ssc_sep/
Symantec Endpoint Protection 11.0 - Common Topics
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008070715030248
Symantec Endpoint Protection 11.0 - Product Documentation
http://www.symantec.com/business/support/documentation.jsp?pid=54619
Symantec Endpoint Protection 11.0 - Support homepage (search the Knowledge Base from here)
http://www.symantec.com/enterprise/support/overview.jsp?pid=54619