Vidéos d'aide de Screencast
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

CSP - Deployment on Exchange Cluster suggestions

Created: 06 Fév. 2013 | 1 commentaire

I have been doing the RT*M and see that it is "suggested" that we start with the CORE policy and tailor from there.  I cannot find any White Papers on CSP/Exchange best practice.  Core is applied and prevention is "disabled" on the 9 nodes in the cluster for the time being while I gather logs.  With the generic config described, if I enable as is, will it break Exchange?  Does anyone have documantation that describes a CSP/Exchange deployment?

Suggestions on appropriate tailoring would be appreciated.

Warnings on what to avoid would be VERY welcome.

Thank you.

Commentaires 1 CommentAccéder au dernier commentaire

l'image des AMoss

You're following the correct path...you're next challenge is to tune the policy based on the data that is currently being gathered while you're in monitor mode.

If you look in the 'Monitors' section of the console you can look at all the events that are currently being generated and events you need to focus on are the ones that are 'blue' in color.  If you enable prevention on the policy, the activities represented by these events would be blocked.  The challenge here is that there can be thousands upon thousands of events and it can be difficult to determine if you're dealing with a few simple, quick tunes to the policy or a much deaper effort.  Up until recently I used to digest these events in a very manual effort involving data exports and excel...until a colleague built a tool that makes this much quicker for me.

Couple of quick pointers:  Read the policy guide pdf and make sure that the 'Core' policy is going to meet your business needs.  In a nutshell, it focuses on restricting core OS services and functions (mitigating risks that modify/exploit core OS code behavior to acheive their goals).  For 'all other programs', the policy is not restrictive, enabling it to be, as suggested by SYMC, 'highly compatible'.  With this policy applied, you can't obviate the need for traditional AV to mitigate risks associated with malware.

Best of luck and feel free to PM me if you get stuck.

Looking for real-time reporting and data visualization for your Symantec Security solutions?  http://www.trysolve.com