Endpoint Protection

  • 1.  Best practice for groups/policies

    Posted Feb 02, 2018 04:01 PM

    With so many different servers playing so many different roles (SQL, Exchange, DC, Web, File, Print, etc.), how do you recommend breaking out groups?

    For example - on one end of the spectrum, I could have one group called "Physical Servers" and drop all of my physical servers in that group (SQL, Exchange, DC, Web, etc, etc).  From a policy standpoint (I'm mostly concerned about EXCEPTIONS for this example) I'd have ALL of my necessary exceptions for ALL of these server roles in ONE policy called "Physical Server Exceptions Policy".  This is obviously the EASIER route, but not very secure.

    On the other end of the spectrum, I could break out my "Physical Servers" group into MANY different subgroups and have a different set of policies per every server role.  This route seems unnecessarily granular and complex.

    Is there a happy medium?

    Any thoughts on this matter?

    Thank you!



  • 2.  RE: Best practice for groups/policies
    Best Answer

    Posted Feb 03, 2018 07:25 PM

    The fewer groups, the easier to manage, IMO. SEP does automatically detect and add exceptions for a few different MS products. Basically, the two routes you mentioned above are it, so how easy is it for you to manage? That really depends on you. There is a best practice here:

    http://www.symantec.com/docs/TECH134409



  • 3.  RE: Best practice for groups/policies
    Best Answer

    Trusted Advisor
    Posted Feb 05, 2018 04:01 AM

    Hello,

    When creating group structure, it is best to keep the process as simple as possible to avoid confusion at later times. It is also helpful to remember the fact that policies apply directly to groups, not to clients. Clients will only inherit the policies of the group they are placed in.

    When Symantec Endpoint Protection detects the presence of certain third-party applications and some Symantec products, it automatically creates exclusions for these files and folders. The client excludes these files and folders from all scans.

    Note: The client does not exclude the system temporary folders from scans because doing so can create a significant security vulnerability on a computer.

    To improve scan performance or reduce false positive detections, you can exclude files by adding a file or a folder exception to an Exceptions policy. You can also specify the file extensions or the folders that you want to include in a particular scan.

    The client software automatically creates file and folder scan exclusions for the following: Microsoft Exchange Server, Microsoft Forefront, Active Directory domain controller, Symantec products, and Veritas products.

    Check the articles below:

    Best Practices for Creating Client Group Structure

    https://support.symantec.com/en_US/article.TECH134409.html

    About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans

    https://support.symantec.com/en_US/article.HOWTO80947.html

    Recommended security settings for Endpoint Protection

    https://support.symantec.com/en_US/article.TECH173752.html

    Regards,