Best Practices for Running Symantec Endpoint Protection 12.1 on the Microsoft Azure Platform




TECHNICAL BRIEF: BEST PRACTICES GUIDE FOR RUNNING SEP ON AZURE

Who should read this paper
Customers who are deploying Symantec Endpoint Protection on the Microsoft Azure Platform

Content

Introduction
Overview of Symantec Endpoint Protection on the Azure platform
Installing a Symantec Endpoint Protection client using Symantec installation files
    Installing a managed client
    Installing an unmanaged client
Installing Symantec Endpoint Protection as a Microsoft Azure Security Extension
Managing Symantec Endpoint Protection clients running on Azure Virtual Machines
Advanced: Using Application Control and System Lockdown to restrict applications
    Restricting applications with System Lockdown
    Restricting applications with Application Control
    Restricting applications for system hardening
Known Issues when running Symantec Endpoint Protection on the Azure Platform
Where to get more information
Legal notice

Introduction

Microsoft Azure is a cloud computing platform that allows customers to build, deploy, and manage applications on virtual machines (VMs). Symantec Endpoint Protection (SEP) is certified to run on Azure Virtual Machines. Symantec Endpoint Protection can be installed as a security extension within the Azure platform or from installation files that you download from Symantec FileConnect. This document describes how to use Symantec Endpoint Protection to protect Microsoft Azure VMs.

For more information on Microsoft Azure, identity management, roles, and security topics related to the Microsoft Azure platform, see the Microsoft website.

Overview of Symantec Endpoint Protection on the Azure platform

Symantec Endpoint Protection goes beyond antivirus to deliver multiple layers of protection for VMs on the Microsoft Azure platform. While our default settings include virus and spyware technologies, we highly recommend that you also take advantage of the other layers of protection for maximum security.

Virus and Spyware Protection: This is a core component of Symantec Endpoint Protection and is automatically installed as part of the default setting. It includes signature-based file scanning that detects known threats and threat families.

Insight: Insight is a cloud-based reputation engine that can accurately identify file reputation upon download. By analyzing key file attributes, Insight provides guidance on whether a file is good, bad, or of unknown reputation. If your VMs can download files through portal applications such as an Internet browser, email, or FTP clients, we recommend that you turn on the Insight engine.

SONAR: SONAR monitors suspicious file behaviors to determine whether the files pose a danger to your system. By conducting real-time behavior scanning, SONAR can detect and block never-before-seen threats. We recommend that you turn on SONAR to detect advanced threats.

Intrusion Prevention System (IPS): IPS delivers inbound and outbound network packet scanning for malicious payloads and activity. It may reduce network speed on some high availability servers, so for Windows Azure VM roles running the Windows R2 Datacenter edition, we do not recommend that you install IPS.

The above technologies require updates from Symantec. Managed clients receive updates automatically from the Symantec Endpoint Protection Manager. Unmanaged clients receive updates from Symantec servers connected to the Internet by running LiveUpdate. Both Insight and SONAR require Internet access to leverage reputation data from the Symantec Global Intelligence Network.

The following technologies provide additional protection for your VMs through rule-based policies for system hardening. They do not require updates from Symantec, but you do need to enable and configure them.

Application Control: Blocks autorun.inf files, file access, registry access, process launches, access to removable drives, DLL loading, and many additional options. Symantec recommends that you leverage the advanced rule-based protection templates for VMs in a Microsoft Azure environment.

System Lockdown: Defines explicit whitelists or blacklists that apply to a file fingerprint list. Enable System Lockdown to get the best protection.

Firewall: This is not needed if your Azure VMs are already set up to restrict network traffic using the Windows firewall.

Device Control: Blocks or allows devices by device or class ID. For example, it blocks USB stick devices except for explicitly allowed models. Device Control is only needed if Azure VMs use removable devices.

If the virtual machine is a Windows server and falls under the performance metrics for high availability servers, see the following knowledge base article for specific recommendations:

Best Practices for Installing Symantec Endpoint Protection (SEP) on Windows Servers
http://www.symantec.com/business/support/index?page=content&id=tech92440

Installing a Symantec Endpoint Protection client using Symantec installation files

Installing a Symantec Endpoint Protection client on an Azure VM is much like installing these clients on any other virtual or physical system. Installation files are available for download from FileConnect for customers with a valid license. Contact Symantec Customer Care if you need assistance.

Installing a managed client

To install a managed client, you can create and export a client installation package from the Symantec Endpoint Protection Manager console. You then copy the exported file locally to the target Azure VM. For more information, see the following knowledge base article:

How to export an install package from the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/tech181666

Installing an unmanaged client

To install an unmanaged client, download the client installation file from FileConnect to the target virtual machine and double-click setup.exe. For more information, see the following knowledge base article:

Installing an unmanaged Symantec Endpoint Protection 12.x client
http://www.symantec.com/docs/tech104386

Installing Symantec Endpoint Protection as a Microsoft Azure Security Extension

As part of the VM configuration in the Azure management portal, Symantec Endpoint Protection is listed as an available security extension. If you select Symantec Endpoint Protection when you deploy a VM, Symantec Endpoint Protection installs automatically.

The Symantec Endpoint Protection security extension is the same code as the client installation file. There are no code changes or alterations to the client itself to support installation on the Azure platform. The security extension is a simple wrapper that passes install parameters for use in the Azure platform. However, the Symantec Endpoint Protection security extension is a 60-day free trial version of the client. You must license the software by purchasing a copy of Symantec Endpoint Protection 12.1 or by installing your existing enterprise license.

The default setting of Symantec Endpoint Protection when installed from a security extension contains only Virus and Spyware Protection. You need to enable and configure the other protection technologies, such as Intrusion Prevention, Insight, and SONAR, through the Control Panel under the Programs icon.

Managing Symantec Endpoint Protection clients running on Azure Virtual Machines

The Symantec Endpoint Protection Manager (SEPM) is the management console for Symantec Endpoint Protection clients. You can run the management console on your own on-premises hardware or from an Azure-hosted virtual machine. In both cases, make sure that your system meets the minimum system requirements. See the following knowledge base article for the latest system requirements:
http://www.symantec.com/docs/tech224712

Whether Symantec Endpoint Protection Manager is installed on an on-premises system or on an Azure-hosted virtual machine, make sure that all required ports are available and open for communication between the management console and the Symantec Endpoint Protection clients in Azure. For information on which ports a managed Symantec Endpoint Protection client needs, see the following knowledge base article:

Which communication ports does Symantec Endpoint Protection use?
http://www.symantec.com/docs/tech163787

Running LiveUpdate and performance

If you configure the Symantec Endpoint Protection clients to run LiveUpdate to get updates, we recommend that you schedule the updates to run when the Azure VM is not running other CPU- or disk-intensive activities.

Advanced: Using Application Control and System Lockdown to restrict applications

If you intend the Azure VM to run specific applications only, you can restrict unapproved applications using Application Control and System Lockdown. You should also use Application Control and System Lockdown for Azure VMs that do not have access to the Internet, because the lack of Internet access prevents Insight and SONAR from protecting these VMs.

Restricting applications with System Lockdown

System Lockdown enables whitelisting or blacklisting capabilities. The whitelisting mode allows you to control which applications are allowed to run on the Azure VM. These approved applications are contained in a list of file fingerprints that includes the applications' checksums and file paths.

Implementing System Lockdown is a two-step process. First, create a file fingerprint list, and then import the list into Symantec Endpoint Protection Manager for use in the System Lockdown configuration. To generate the file fingerprint list, use the checksum tool included in the Symantec Endpoint Protection client installation. Symantec recommends that you create a software image that includes all of the applications to whitelist on the Azure VM, and then use this image to create the file fingerprint list.

For more information on configuring System Lockdown for whitelisting, see:
http://www.symantec.com/docs/howto80848

Restricting applications with Application Control

In addition to signature-based or Symantec-defined rule-based protection, you can also restrict applications from running on the endpoints by creating protection rules that you define. These rules can range from the simple task of blocking access to autorun.inf files on all removable devices, to the more complicated tasks of preventing browser helper objects from being registered, or making USB devices read-only in a specific location.

Configure Application Control to allow only the applications specific to the Azure VM, as well as the required operating system applications that the VM runs at startup. To do this, you first monitor which applications the virtual machine runs, and then create a rule that allows those applications.

To restrict applications from running on the VM using Application Control:

1. Run a tool, such as Process Monitor or Process Explorer, to get a list of all applications that run on the Azure virtual machine. Keep the tool running during normal activity to find startup processes and any applications that are short-lived.

2. With a list of all the applications, create an Application Control rule set at the highest priority to allow those applications to run. Include the full path and name of each application.

3. If you are using a software management tool, such as Symantec Endpoint Management or Microsoft System Center, create a second rule set at a lower priority to allow the software management tool to run any application. Enable the Sub-processes inherit conditions option for this rule.

4. Create a third rule set at a lower priority to block any application from running.

These rule sets block other applications from running, even if the other applications are valid applications. The advantage of this blocking is that attackers sometimes use valid applications that are on the Azure VM but that are not normally used, such as cmd.exe, cscript.exe, or even telnet.exe, to attack the system.

For more information, see the knowledge base article About Application and Device Control:
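The four steps above, modelled in code as an added example (not Symantec's code, and not how the SEP engine is implemented): rule sets are treated as first-match-wins in priority order, and Sub-processes inherit conditions is modelled as the rule also matching any process whose ancestor matched. The process log, the application paths and the management-agent name are constructed.

```python
"""Model of the three Application Control rule sets (steps 2-4 above).

Added example, not Symantec code. Assumptions: rule sets are first-match-wins
in priority order, and "Sub-processes inherit conditions" means the rule also
matches a process whose ancestor matched. All paths and log lines are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed step-1 inventory, one launch per line: "<time> <pid> <image path>".
PROCESS_LOG = """\
08:00:01 412 C:\\Windows\\System32\\services.exe
08:00:02 520 C:\\Program Files\\AcmeWeb\\acmeweb.exe
08:00:02 531 C:\\Program Files\\AcmeWeb\\acmeweb.exe
08:00:05 640 C:\\Program Files\\MgmtAgent\\agent.exe
08:01:10 702 C:\\Program Files\\AcmeWeb\\logrotate.exe
"""
MGMT_TOOL = r"C:\Program Files\MgmtAgent\agent.exe"   # hypothetical software management agent


def inventory(log: str) -> set:
    """Step 1: reduce the launch log to the set of distinct full image paths."""
    paths = set()
    for line in log.splitlines():
        _time, _pid, path = line.split(" ", 2)   # the path may itself contain spaces
        paths.add(path.lower())
    return paths


@dataclass(frozen=True)
class RuleSet:
    name: str
    action: str                 # "allow" or "block"
    paths: Optional[frozenset]  # None means the rule set matches any application
    inherit: bool = False       # "Sub-processes inherit conditions"


def build_rule_sets(approved: set, mgmt_tool: str) -> list:
    """Steps 2-4, listed from highest to lowest priority."""
    return [
        RuleSet("allow approved applications", "allow", frozenset(approved)),
        RuleSet("allow management tool and its sub-processes", "allow",
                frozenset({mgmt_tool.lower()}), inherit=True),
        RuleSet("block everything else", "block", None),
    ]


def evaluate(rule_sets: list, image: str, ancestors: list) -> tuple:
    """Return (action, rule set name) for a launch of `image`.

    `ancestors` is the parent chain, nearest parent first; it only matters for
    rule sets with inherit=True.
    """
    image = image.lower()
    chain = [a.lower() for a in ancestors]
    for rs in rule_sets:
        if rs.paths is None:
            return rs.action, rs.name
        candidates = [image] + (chain if rs.inherit else [])
        if any(c in rs.paths for c in candidates):
            return rs.action, rs.name
    return "block", "no rule set matched"   # unreachable while the block-all set exists


APPROVED = inventory(PROCESS_LOG)
RULE_SETS = build_rule_sets(APPROVED, MGMT_TOOL)


def decide(image: str, ancestors=()) -> str:
    return evaluate(RULE_SETS, image, list(ancestors))[0]


if __name__ == "__main__":
    # An approved server binary runs; cmd.exe started by hand does not (the page's example).
    print(decide(r"C:\Program Files\AcmeWeb\acmeweb.exe"))                             # allow
    print(decide(r"C:\Windows\System32\cmd.exe"))                                       # block
    # A child of the management agent is allowed through inheritance (step 3) ...
    print(decide(r"C:\Windows\System32\msiexec.exe", [MGMT_TOOL]))                      # allow
    # ... but a child of an approved application is not: step 2 has no inheritance.
    print(decide(r"C:\Temp\unknown.exe", [r"C:\Program Files\AcmeWeb\acmeweb.exe"]))  # block
```

The last case is the caveat worth checking in a real policy: only the management tool's rule set carries inheritance, so anything an approved application spawns still has to appear in the step-2 list by full path.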

http://www.symantec.com/docs/howto80859

Restricting applications for system hardening

In addition to restricting unapproved applications, use Application Control to harden an Azure VM. Symantec offers predefined rule sets to block behavior known to be malicious. As a best practice, check the following rule sets in the default Application Control policy to enable them:

1. Block programs from running from removable drives
2. Block modifications to the hosts file
3. Block access to scripts
4. Block access to Autorun.inf
5. Block File Shares
6. Prevent changes to Windows shell load points
7. Prevent changes to system using browser or office products
8. Prevent vulnerable Windows processes from writing code
9. Prevent Windows Services from using UNC paths
10. Block access to lnk and pif files

Known Issues when running Symantec Endpoint Protection on the Azure Platform

When running Symantec Endpoint Protection on Azure VMs, you should be aware of the following issues.

Remove duplicate offline clients in the Symantec Endpoint Protection Manager

If you shut down and deallocate the Azure VM using the Azure management portal or Azure PowerShell, a new hardware ID is assigned to the VM upon restart. As a result, duplicate clients appear in Symantec Endpoint Protection Manager. If you use the normal process of shutting down or restarting the VM through Windows, such as clicking Start > Shutdown, you do not generate duplicate clients.
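A way to pick out the stale records this issue leaves behind before purging them, as an added example that is not Symantec's code: it assumes a constructed client list with hostname, hardware ID, online state and last check-in (a real SEPM export has its own column names), keeps the live record for each hostname, and reports the other offline records once they are older than a grace period.

```python
"""Identify obsolete duplicate client records left behind when an Azure VM is
deallocated and restarted with a new hardware ID.

Added example, not Symantec code. The record layout below is constructed; a real
SEPM client export has its own column names. Rule: for each hostname with more
than one record, keep the online record (or, if none is online, the most
recently seen one) and report the other offline records once they are older
than a grace period.
"""
from datetime import datetime, timedelta

# Constructed sample: (hostname, hardware ID, online, last check-in).
SAMPLE_CLIENTS = [
    ("AZ-WEB01", "HW-1111", False, "2015-02-01 08:00"),  # identity before first deallocation
    ("AZ-WEB01", "HW-2222", False, "2015-02-10 08:00"),  # identity before second deallocation
    ("AZ-WEB01", "HW-3333", True,  "2015-02-20 08:00"),  # current identity, online
    ("AZ-SQL01", "HW-4444", True,  "2015-02-20 08:00"),  # never deallocated, single record
    ("AZ-APP01", "HW-5555", False, "2015-02-16 08:00"),  # VM currently powered off:
    ("AZ-APP01", "HW-6666", False, "2015-02-19 08:00"),  #   all three records are offline
    ("AZ-APP01", "HW-7777", False, "2015-02-22 08:00"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def obsolete_duplicates(clients, now: datetime, grace=timedelta(days=7)) -> list:
    """Return sorted (hostname, hardware ID) pairs that are safe candidates to purge."""
    by_host = {}
    for host, hwid, online, seen in clients:
        by_host.setdefault(host, []).append((hwid, online, parse_ts(seen)))

    candidates = []
    for host, records in by_host.items():
        if len(records) < 2:
            continue                                    # one record is never a duplicate
        records.sort(key=lambda r: r[2], reverse=True)  # newest first
        keep = next((r for r in records if r[1]), records[0])
        for hwid, online, seen in records:
            if hwid == keep[0] or online:
                continue                                # never purge a live identity
            if now - seen >= grace:
                candidates.append((host, hwid))
    return sorted(candidates)


if __name__ == "__main__":
    for host, hwid in obsolete_duplicates(SAMPLE_CLIENTS, parse_ts("2015-02-25 08:00")):
        print(f"purge candidate: {host} {hwid}")
```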
For information on how to purge the duplicate offline clients, see the following knowledge base article:

Purging obsolete clients from the database to make more licenses available
http://www.symantec.com/docs/howto81051

Disable the Prompt before allowing applications traffic option

For an Azure VM with the Symantec Endpoint Protection client installed, make sure that the Prompt before allowing application traffic option for the client group is disabled. This option is disabled by default, but if you enable it, the Remote Desktop Protocol (RDP) session for the Azure VM immediately disconnects and you cannot reconnect. You may lose all data on the existing VM and may have to recreate the VM.

You can find this option in Symantec Endpoint Protection Manager by clicking Clients > Group > Policies > Location-specific Settings > Client User Interface Control Settings. Set the control type to mixed control. On the Client/Server Control Settings tab, click Server for the Configure unmatched IP traffic settings option. On the Client User Interface Settings tab, disable the option by clearing Prompt before allowing applications traffic.

In the Symantec Endpoint Protection client, the setting is under Status > Network Threat Protection > Options > Change Settings > Firewall > Unmatched IP Traffic Settings.

Do not block port 80 with a firewall rule

If you block port 80 with a Symantec Endpoint Protection firewall rule on the computer used to access the Azure VM, the RDP session for the Azure VM immediately disconnects and you cannot reconnect unless you open port 80 again.

Where to get more information

For more information about running Symantec Endpoint Protection on the Azure platform, see the following articles.

Symantec Endpoint Protection on Microsoft's Azure platform
http://www.symantec.com/docs/howto98414

Symantec Endpoint Protection Client best practices for Windows Azure VM Role
http://www.symantec.com/docs/tech192909

Symantec Endpoint Protection and Microsoft Azure (Symantec TV)
http://www.symantec.com/tv/products/details.jsp?vid=3662995462001

Microsoft Azure Site
http://azure.microsoft.com

Legal notice

This Symantec product may contain third-party software for which Symantec is required to provide attribution to the third party ("Third-Party Programs"). Some of the Third-Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third-Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third-Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

About Symantec

Symantec protects the world's information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment, from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 3/2015