Best Practices for Installing Symantec Endpoint Protection (SEP) on Windows Servers
|Article:TECH92440|||||Created: 2009-01-18|||||Updated: 2013-06-18|||||Article URL http://www.symantec.com/docs/TECH92440|
Is there anything I should consider when installing Symantec Endpoint Protection (SEP) on Microsoft Windows servers?
There are a number of considerations when installing a SEP client to Windows servers, particularly the server's role and the necessary exclusions and accommodations that need to be made to allow that role to function.
While the Symantec Endpoint Protection Manager (SEPM) can be installed on any Windows operating system that meets the system requirements, installing to a server with a critical role (such as a Domain Controller or Exchange server) is discouraged. Instead, only install the SEP client (rather than a SEPM and a SEP client) on these systems and place them in client groups so that management policies with appropriate exceptions can be applied. The reasoning for not installing the SEPM (which provides no protection to the system) is due to the SEPM's own system requirements and may use up available resources that the server's primary role require to effectively operate.
Real-time and Scheduled Scanning Exclusions
Some Windows server roles require that specific directories and processes be excluded from Antivirus real-time and scheduled scans, Tamper Protection monitoring, and other heuristic monitoring components.
In SEP, these exclusions are set through the Centralized Exceptions policy on the SEPM or directly through the GUI on an unmanaged ("self-managed") SEP client. Here you can exclude specific processes, file extensions, and directories from the Antivirus Auto-Protect component, Tamper Protection, and TruScan/Proactive Threat Protection. One new feature to SEP is that exclusions can now be set using Windows environment variables to accommodate different paths for key Windows folders in a single exception rule.
For more information on creating exclusions through the Centralized Exceptions policy, please refer to the document provided below in the references section or to your Symantec Endpoint Protection Administrator's Guide (Implementation Guide). Keep in mind that setting folder exclusions are not considered best practice unless the product that requires that folder explicitly details an exclusion from AV products. Any type of malware in that folder will be effectively hidden from SEP due to the folder exclusion.
Firewall Rules and IPS Signatures
Windows Server operating systems are typically installed to make use of one or more built-in roles (e.g., DNS, Active Directory, IIS and Web-hosting, to name a few). Each of these roles has its own unique requirements for network communication. Please refer to the documentation for each role the Windows server is performing and the necessary ports, processes and services that need to be allowed for network communication to occur. That information needs to be incorporated into the SEP Firewall Policy to define or restrict the communication as appropriate. Please refer to the Firewall documents listed below or your SEP Administrator's Guide for more information on creating firewall rules and administering the firewall policy. For server role or application specific questions, please refer to product-specific or manufacturer-specific documentation to identify the network communications requirements for that product.
Intrusion Protection Signatures (IPS) help to block attacks and threats based on the type of network traffic. While there are rare instances in which a server's activities may trigger one of these alerts, using IPS is strongly recommended to prevent against non-file based attacks against servers. In addition to the large number of attacks thwarted by IPS, a SEP administrator now has the ability to incorporate custom-made IPS signatures to add security and control communications that may be unique to the environment. Additionally, if there are machines that you want to exclude from blocking via IPS signatures (a Domain Controller may be a good candidate for this), you can add exceptions to the IPS policy to prevent any unwanted IPS blocks against those machines.
Please note that in SEP 11.0, the Firewall component of SEP (NTP, Network Threat Protection) must be installed and enabled in order to enable IPS protection.
Also note: while the use of security features such as firewalls will always result in some performance impact, the additional burden placed on a server by the latest SEP client's NTP and IPS components should not cause a significant decline in speed or responsiveness on a modern well-resourced server. With few exceptions (see articles linked, below) the use of NTP and IPS is recommended on servers by Symantec Technical Support.
Certain server roles have very specific requirements for AV scanning and Firewall configuration - Active Directory Domain Controllers, Microsoft Exchange servers, and Microsoft SQL servers are prime examples.
Some of these requirements are built directly into SEP (automatic exclusions of Exchange mailbox stores when a SEP client is installed on an Exchange server, as one example); however, it is important to always confirm the current requirements to assure no changes have occurred in the AV scanning or network communication requirements that may be overlooked. The References section of this document contains links to Symantec documentation on AV, IPS and Firewall policies documentation. If you have questions about the SEP policies and how they work, please refer to your SEP Administrator's Guide or contact your authorized Symantec Support center for assistance.
In addition to the Symantec documentation, there are links to Microsoft's documentation on Antivirus implementation for Windows environments from Windows 2000 through Windows 7 and Windows Server 2008 and Microsoft TechNet documentation on Antivirus considerations for the Microsoft ISA Server. The documents are provided as a courtesy; however Symantec has no control over the availability or accuracy of information provided by third-party web sites. Please follow up with the specific vendor or site master for questions regarding third-party applications and services.
See also the articles cross-referenced below.
Microsoft Knowledge base articles
|Virus scanning recommendations for computers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, Windows Vista, or Windows 7|
Service overview and network port requirements for the Windows Server system
Considerations when using antivirus software on ISA Server
Article URL http://www.symantec.com/docs/TECH92440