Endpoint Protection

  • 1.  SEP client on Windows Servers, include Network Threat Protection and Intrusion Prevention or not???

    Posted Apr 28, 2010 06:06 AM
    After configuring policies for NTP and IPS in order to deploy to our servers, I had a tech support guy from Symantec telling me that I shouldn't be using NTP or IPS on server operating systems, which I said was a bit strange as there is plenty of documentation on best practices etc. for deployment to server operating systems. I asked him to email me with his recommendation so that I had it in writing. He replied via the MySupport portal stating:

    "the recommendation on the server machine is only to install AV and AS and not the NTP and the PTP"

    I asked for him to send me this response in email so that I could have it for my own records. I then spent time recreating packages for deployment to servers and started. Later that evening I got an email stating:

    "Symantec would not recommend uninstalling Network Threat Protection from your server."

    For anyone out there that has actually deployed SEP client software on server operating systems, I'd like to know if you have included NTP, IPS etc.?

    I am aware of creating custom IPS signatures, centralized exclusions etc., so don't worry about referring me to the standard KB articles etc. I've been there already, but I just want some feedback from people who have actually deployed, as Tech Support are at the moment being extremely contradictory.

    Many thanks in advance.


  • 2.  RE: SEP client on Windows Servers, include Network Threat Protection and Intrusion Prevention or not???

    Broadcom Employee
    Posted Apr 28, 2010 06:10 AM
    You can, but you need to be careful with the rules assigned. You may not include the email plug-in on the Server OS.


  • 3.  RE: SEP client on Windows Servers, include Network Threat Protection and Intrusion Prevention or not???

    Broadcom Employee
    Posted Apr 28, 2010 06:17 AM


  • 4.  RE: SEP client on Windows Servers, include Network Threat Protection and Intrusion Prevention or not???

    Posted Apr 28, 2010 06:21 AM

    I would recommend using the AV-only component for most critical role-based servers.


  • 5.  RE: SEP client on Windows Servers, include Network Threat Protection and Intrusion Prevention or not???

    Posted Apr 28, 2010 06:28 AM
    We've deployed only AV and AS on our FileServers here. It's been a recommendation from our external Symantec partner.


  • 6.  RE: SEP client on Windows Servers, include Network Threat Protection and Intrusion Prevention or not???

    Posted Apr 28, 2010 08:39 AM
    I tried using the NTP and IPS on servers but they take a huge performance hit. Especially if the server has a lot of LAN traffic. So now we only install AV & AS. Though I would say that if you already have it installed and you are not having issues, leave it on there. Removing it can cause bigger issues. Anyone else had the Teefer drivers stick on you, rendering the NIC unusable until you re-install it?


  • 7.  RE: SEP client on Windows Servers, include Network Threat Protection and Intrusion Prevention or not???

    Posted Apr 28, 2010 08:48 AM
    I create a FULL package for our servers - the whole shooting match minus email protection for AV.
    SEP is smart enough that when it installs, it will disable the PTP anyway, so that's not an issue.
    I've honestly seen no "huge performance hit" although ANY protection such as firewalls, or services that inspect packets will slow things down some.
    So we run the firewall, IPS, and AV (again, it disables PTP sensing the server OS)
    For domain controllers, create a group just for them, and set it up so that IPS doesn't detect DoS attacks at all. DCs take a LOT of pings from clients, and if there's much fragmentation on your network, well... just don't run DoS detection on the DCs, but that's covered via a group specific for DCs.
    All other servers go into the same group except for the SEPM servers, and I've relaxed those because I'm the only person who ever goes there, and they are dedicated to SEPM only, so there's less risk. I just have all the normal firewall and AV stuff on them as far as group configuration.
    Remember - regardless of what you install, it's your management CONFIGURATION that can make or break a server. So plan carefully, manage carefully. You can force even an AV-only install to cripple a server if not careful.
    Maybe what I do here contradicts Symantec's "best practices" or recommendations, but I have to tailor things to our needs, our risks, and the state ISO rules and policies. If we don't abide by their policies, and we get "infected" and it risks their computers, they can cut our agency off the state network in a heartbeat.
    You need to tailor the installs to best suit your needs - and what you feel your risks are. Our folks are prone to, well, accidents... and not being careful. So I deal accordingly.


  • 8.  RE: SEP client on Windows Servers, include Network Threat Protection and Intrusion Prevention or not???

    Posted Apr 28, 2010 09:19 AM
    You can create a full package; the SEP on the server OS will disable the PTP. In my case I never had a problem!