
Protecting Data on Servers

Created: 13 Sep 2012 | 7 comments
jawad1987 wrote:

How can DLP help in protecting data on servers? I mean, if an admin goes rogue and copies data onto his flash drive from servers like a file server, Exchange, etc., then it's game over. This is a huge concern from a big client where we are deploying DLP. On client machines there is the Endpoint Agent, but in this case, since the admin has access to the server, he can simply plug in removable storage and copy all company data easily. How can I stop this?


stumunro wrote:

If you were that concerned, an endpoint agent would stop this and alert on it; also, if you are running SEP, there is protection against flash drives as well.

Network Monitor probably would not work, as you would need a mirror port for each server to see this data being copied across the network. One option is to possibly encrypt the servers you are worried about with PGP, so the data would need keys to be used outside the system.

ShawnM wrote:

jawad,

While the Endpoint Agent name would imply that it only works on endpoints, it does function on servers as well. If you consult the System Requirements documentation (v11.6 P20), you will see the list of systems that are supported with the Endpoint Agent:

  • Microsoft Windows Server 2003 (32-bit) with Service Pack 2 or Windows Server 2003 R2 (32-bit)
  • Microsoft Windows XP Professional with Service Pack 2 or Service Pack 3 (32-bit)
  • Microsoft Windows Vista Enterprise or Business with Service Pack 1 or Service Pack 2 (32-bit)
  • Microsoft Windows 7 Enterprise, Professional, or Ultimate, including Service Pack 1 (32-bit or 64-bit)
  • Microsoft Windows 2008 Enterprise R2 (64-bit)
You will need to verify, according to which version you are running, whether the server OS is supported, but I believe this support has been the same through v11.x-11.6. The only thing I would advise is that you carefully select the endpoint agent configuration settings, as well as the policies to be used. This will help protect against the use case you described of an admin simply logging on and copying off the data without being seen.

Symantec Corporation | Sr Systems Engineer | CISSP, CCSK, VCP

If a post solves your problem, please flag it as solved.

If you like an item, please give it a thumbs up vote.

stumunro wrote:

Shawn,

Good call on warning about the endpoint config; there are some variables you can set/adjust performance-wise.

Jawad, I would suggest finding a test box to use first so you can see what the agent is capable of by limiting CPU and bandwidth requirements. Also, the other thing to remember is that you will need an Endpoint Server for this, as each endpoint agent config requires a server; it is on a one-for-one basis... Let me know if you have any more questions.

jawad1987 wrote:

@Shawn

The majority of their servers are Linux and Unix based. The Endpoint Agent is only for the Windows platform.

ShawnM wrote:

Jawad,

Gotcha. That does present a bit of an issue then. As an alternative, I would suggest you look into 2 other approaches. 1 involves Data Insight, the other involves simple logging.

With Data Insight, they could have an alert configured to, at the very least, let them know when any user goes through and accesses so many sensitive files in a certain timeframe, or when a user breaks a threshold of "normal use" on the file server. This wouldn't stop it from happening, but it would give them a definitive real-time alert, as well as a record of it. Next best thing to blocking.

The other approach would simply be to enable logging of any removable devices at the OS level, and forward those logs to a SIM/SIEM or central logging system. This would allow them to create a rule for when these removable devices are plugged into a Linux/Unix box. While it isn't a guarantee that someone is copying down data, I would imagine they don't normally have a need to plug removable devices into these servers. A simple investigation from IT Security can confirm legitimate vs. illegitimate use.

The last approach I could suggest would simply be to restrict access to removable drives at the OS level. Being that it's admins, it's difficult, but it may make sense to remove certain functions as much as possible, down to a level of least privilege. This approach is always tricky with admins. If the data is THAT sensitive, though, then perhaps they can use a process of guarding the true admin account to enable use of those removable devices.

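The two detection approaches suggested in the reply above (a "too many sensitive files in a short window" threshold, and a SIEM rule on removable-device log events from Linux servers) are easy to prototype. The script below is an added example written for this thread; it is not Symantec code, not Data Insight, and not from any of the posters. The syslog lines, host list and file-access events are constructed sample data, and the kernel message patterns it matches are the usual `usb-storage` / "Attached SCSI removable disk" lines, which a real deployment should confirm against its own distribution's output.

```python
"""
Two SIEM-style correlation rules over constructed sample data (added example,
not part of the original thread):

  Rule 1: removable storage attached to a server-class Linux host, from
          syslog-format kernel messages.
  Rule 2: one user opening many distinct sensitive files inside a short
          sliding window (a generic stand-in for a "normal use" threshold).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog sample: "Mon DD HH:MM:SS host message". Two of the lines
# are the kernel messages seen when a USB mass-storage device is plugged in.
SYSLOG_SAMPLE = """\
Sep 13 10:02:11 fs01 kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd
Sep 13 10:02:12 fs01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Sep 13 10:02:13 fs01 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Sep 13 10:05:40 mail01 sshd[2211]: Accepted publickey for backup from 10.0.0.9 port 51022
Sep 13 11:15:02 ws-alice kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Constructed: hosts where removable media is never expected (servers, not workstations).
SERVER_HOSTS = {"fs01", "mail01", "db01"}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
REMOVABLE_RE = re.compile(r"usb-storage .*Mass Storage device detected|Attached SCSI removable disk")


def removable_media_alerts(log_text, server_hosts=SERVER_HOSTS):
    """Return (host, timestamp, message) for each removable-storage event on a server host."""
    alerts = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not syslog-shaped; skip rather than crash on junk input
        if m["host"] in server_hosts and REMOVABLE_RE.search(m["msg"]):
            alerts.append((m["host"], m["ts"], m["msg"]))
    return alerts


# Constructed file-access audit events: (timestamp, user, path, is_sensitive),
# in chronological order, as a central logger would deliver them.
ACCESS_SAMPLE = [
    ("2012-09-13 14:00:05", "jdoe", "/srv/finance/q3-forecast.xlsx", True),
    ("2012-09-13 14:00:09", "jdoe", "/srv/finance/payroll-2012.csv", True),
    ("2012-09-13 14:00:14", "jdoe", "/srv/finance/board-minutes.docx", True),
    ("2012-09-13 14:00:20", "jdoe", "/srv/finance/ma-targets.pdf", True),
    ("2012-09-13 14:00:31", "jdoe", "/srv/finance/customer-list.csv", True),
    ("2012-09-13 14:03:00", "bsmith", "/srv/finance/q3-forecast.xlsx", True),
    ("2012-09-13 15:30:00", "bsmith", "/srv/public/holiday-schedule.pdf", False),
]


def bulk_access_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a user opens >= `threshold` distinct sensitive files within `window`.

    Returns (user, timestamp_of_breach, distinct_file_count). The per-user queue
    is cleared after an alert so one burst yields one alert, not one per event.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, path) still inside the window
    alerts = []
    for ts_str, user, path, sensitive in events:
        if not sensitive:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts.append((user, ts_str, len(distinct)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for host, ts, msg in removable_media_alerts(SYSLOG_SAMPLE):
        print(f"REMOVABLE MEDIA on {host} at {ts}: {msg}")
    for user, ts, n in bulk_access_alerts(ACCESS_SAMPLE):
        print(f"BULK SENSITIVE ACCESS by {user} at {ts}: {n} files in window")
```

Neither rule blocks anything, which matches the point made above: they give a timely alert and a record for IT Security to follow up on. In practice the host set, the window and the threshold are the tuning knobs, and the file-access events would come from whatever audit source (OS auditing or a product like Data Insight) the environment already feeds to the SIEM.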

stumunro wrote:

Jawad,

Correct, they are Windows at this time; as a partner, you are aware of the road map.

kishorilal1986 wrote:

As the admin, or anyone else, has full rights/privileges to allow/reject the rights, we cannot block all people from getting this, since at least a single person (the admin) must have the rights to block all copy operations to anywhere. This is just a matter of trust, but there is one thing we can do: we can decentralise rights. It means that one can get alerts or check what the other is doing.

Regards

Kishorilal