Best Practices for Installing Symantec Endpoint Protection (SEP) on Windows Servers
|Article:TECH92440|||||Created: 2009-01-18|||||Updated: 2013-11-17|||||Article URL http://www.symantec.com/docs/TECH92440|
Is there anything I should consider when installing Symantec Endpoint Protection (SEP) on Microsoft Windows servers?
Windows servers and Symantec Endpoint Protection Manager (SEPM)
Although Symantec Endpoint Protection Manager (SEPM) can be installed on any Windows operating system that meets the system requirements, installing SEPM on a server with a critical role, such as a Domain Controller or Exchange server, is not recommended. SEPM provides only management functions, not system protection, and servers with critical roles are likely to need as much as possible of the computer's resources available. The best practice is for SEPM to reside on a server operating system with high availability that does not serve a critical role. This practice allows SEPM to function at peak efficiency without taking disk space, RAM, CPU, and network bandwidth that could be used more effectively by critical servers.
Windows servers and the Symantec Endpoint Protection (SEP) client
Symantec Endpoint Protection (SEP) client should be installed on all computers on the network, including servers. On servers, SEP should be placed in appropriate client groups so that specific management policies and associated exceptions can be applied. Depending on the server's role, creating and applying the correct policies is critical for system performance in the areas of disk I/O and CPU usage.
Real-time and scheduled scanning exclusions
Some Windows server roles require that specific folders and processes be excluded from AntiVirus real-time and scheduled scans, Tamper Protection monitoring, and other heuristic monitoring components.
In SEP, these exclusions are set through the Centralized Exceptions policy in the SEPM, or directly through the user interface on an unmanaged SEP client. Administrators can exclude specific processes, file extensions, and folders from the AntiVirus Auto-Protect component, Tamper Protection, and TruScan, Proactive Threat Protection, or SONAR.
In most cases, it is not a best practice to create folder exclusions. Any malware in a folder that has a folder exclusion is effectively hidden from SEP. Setting folder exclusions is only considered a best practice if the product explicitly details a required exclusion from antivirus products.
Certain server roles, such as Active Directory Domain Controllers, Microsoft Exchange servers, and Microsoft SQL servers, have very specific requirements for antivirus scanning and firewall configuration. Some of these requirements are built directly into SEP; automatic exclusions of Exchange mailbox stores are one example. Even though these exclusions are created automatically, it is important to confirm that the required exclusions exist, as imported settings from previous upgrades or other configuration changes can overrule these automatic exclusions.
Firewall rules and IPS signatures
Windows server operating systems are typically installed in order to make use of one or more built-in roles, such as DNS, Active Directory, or IIS. Each of these roles has its own unique requirements for network communication. When SEP client is installed, these requirements must be taken into account in a SEP client Firewall Policy that permits or restricts communication as appropriate. Refer to the documentation from the product or manufacturer to identify the network communications requirements for that product. For more information on configuring the SEP firewall, refer to the Installation and Administration Guide.
Intrusion Protection System (IPS) helps to block attacks and threats based on network traffic. In most cases, using IPS is recommended to prevent against non-file based attacks against servers. The exception to this rule is that, in some cases, IPS can interfere with the operation of high-load or high-throughput servers. Symantec defines high-load or high-throughput as meeting one or all of the following criteria:
- Average CPU utilization of 35% or more
- Average TCP/UDP throughput of 300 Mbps or more
- Use of NIC teaming technology
If a server meets one or more of these criteria, Symantec recommends testing the SEP client on a server in a lab environment that can simulate peak production demands on the system in order to gauge performance before deciding whether it is feasible to use IPS-dependent features on the server. IPS-dependent features include Advanced Download Protection, SONAR, and IPS itself. For more information on using IPS on high-load or high-throughput servers, see Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection on high-availability/high bandwidth servers.
On servers that do not meet those criteria, Symantec recommends using IPS. While security features such as firewall and IPS always result in some performance impact, the additional burden placed on a server by the latest SEP client's Network Threat Protection and IPS components should not cause a significant decline in speed or responsiveness on a well-resourced server. IPS drivers use a maximum of 100 MB of non-page pool memory.
Note that in SEP 11.x, Firewall and IPS must be installed together, while in 12.1.x, Firewall and IPS can be installed separately. To use Advanced Download Protection or SONAR, you must install IPS.
Certain server roles, such as Active Directory Domain Controllers, Microsoft Exchange servers, and Microsoft SQL servers, have very specific requirements for firewall configuration. Some of these requirements are built directly into SEP. Even though these rules are configured automatically, it is important to confirm that the required rules are in place, as either imported settings from previous upgrades or other configuration changes can overrule these settings.
Article URL http://www.symantec.com/docs/TECH92440