SYMANTEC TECHNOLOGY NETWORK: SECURITY
Symantec Endpoint Protection (SEP) 11.0
Configuring the SEP Client for Self-Protection
Contents
Purpose of this Whitepaper
Overview
The SEP Client Interface
    Changing Policy Configuration Settings
    Accessing the SEP Client Interface
Disabling/Uninstalling the SEP Client from outside the Client Interface
    Stopping SEP Services
    Uninstalling the Client
Additional Technologies for Protecting the SEP Client
    Tamper Protection: Protecting SEP Processes
    Application Control: Protecting Client Files and Registry Keys
Appendix A: One-Page Overview
Purpose of this Whitepaper

This Whitepaper provides guidance on the different ways to control access to specific parts of the Symantec Endpoint Protection (SEP) client. Many organizations do not allow administrative users to make changes to installed security software. Because the SEP client combines many different security technologies in a single client, there are various ways to ensure that administrative users cannot make changes to the client software. This paper provides guidance for administrators who would like to ensure that SEP client installations are protected from intended and/or unintended changes.
Overview

There are different ways that a SEP client can be protected from intentional or unintentional changes. This Whitepaper describes three main approaches to protecting the SEP client and details the limitations of each.

This Whitepaper is intended to provide guidance on protecting the SEP client from being tampered with by users who have administrative privileges on a system. Throughout this paper, the assumption is that administrative users should be prevented from making changes to the SEP client. By default, a restricted user cannot make changes to the SEP client. In cases where a restricted user can make changes, this is noted in the document.

Accessing the SEP client interface and changing policy configurations

Administrators can control which parts of the SEP client interface are accessible, or whether to hide it completely. In addition, administrators can control whether or not administrative users can make changes to their policy configuration. When protecting a standard configuration from being changed, consider the following policies:
    Antivirus and Antispyware policy
    Firewall policy
    Intrusion Prevention policy
    Application and Device Control policy
    LiveUpdate policy
    Centralized Exceptions policy

Stopping SEP client services or uninstalling the SEP client

Once the SEP client is installed, there are various ways to prevent administrative users from uninstalling the client or stopping SEP client services. The following services are listed in the Microsoft Windows Services Manager:
    Symantec Endpoint Protection
    Symantec Management Client
    Symantec Event Manager
    Symantec Settings Manager

Additional technologies for protecting the integrity of the SEP client

In addition to configuring policies and settings to prevent altering the SEP client, there are additional mechanisms that further protect the client from tampering:
    Application Control
    Tamper Protection
The SEP Client Interface

This section provides an overview of the settings an administrator can configure to control what a user is allowed to change. It is broken down into two main categories: changing policies, and accessing the user interface.

Changing Policy Configuration Settings

Please see each individual policy listed here for information on default settings and what needs to be done to lock down settings so they cannot be changed by administrative users.

Antivirus and Antispyware policies

By default, administrative users can change Antivirus policy settings, including disabling Auto-Protect real-time scanning. To prevent administrative users from changing Antivirus and Antispyware settings, each individual setting in the Antivirus and Antispyware policy must be locked. This is accomplished by clicking on the lock icon next to a given setting, as shown in the screenshots below.

[Screenshot: Enable File System Auto-Protect, unlocked (default setting)]
[Screenshot: Enable File System Auto-Protect, locked after clicking on the lock icon]

A client with a locked Antivirus and Antispyware policy setting still displays the setting in the client user interface, but it is grayed out and the user cannot change it. To lock all settings, each lock icon must be closed as shown in the screenshots above. The above example shows how to prevent administrative users from disabling Antivirus and Antispyware File System Auto-Protect.
TruScan Proactive Threat Protection

TruScan Proactive Threat scanning can be locked within the Antivirus and Antispyware policies. TruScan is the behavioral scanning component in Symantec Endpoint Protection. To prevent administrative users from disabling TruScan Proactive Threat scanning, edit the Antivirus and Antispyware policy and configure it as shown in the screenshot below.
Firewall Policies

By default, Firewall policy rules and configurations cannot be changed in the client interface. By default, however, administrative users can disable Network Threat Protection (by right-clicking the tray icon and selecting "Disable Symantec Endpoint Protection"). To prevent administrative users from disabling Network Threat Protection, do the following steps in the SEPM:
1. Go to the Clients page and select the Policies tab.
2. Expand Location-specific Settings and click Client User Interface Control Settings.
3. Ensure the Server Control radio button is selected and click Customize.
4. Uncheck the box next to "Allow administrative users to enable or disable Network Threat Protection", as shown below.

Note: For this setting to take effect, administrative users must also be blocked from disabling Antivirus and Antispyware Auto-Protect scanning and TruScan Proactive Threat scanning, using the configurations shown above.
Intrusion Prevention Policies

Intrusion Prevention policies cannot be changed in the client interface by default. Taking the above steps to prevent administrative users from disabling Network Threat Protection also prevents them from disabling Intrusion Prevention scanning.

Application and Device Control Policies

Application and Device Control policies cannot be changed or disabled in the client interface by default.

LiveUpdate Policies

By default, LiveUpdate policies cannot be changed in the client interface. Administrative users are also not allowed to run LiveUpdate manually from the user interface. If administrative users should be allowed to run LiveUpdate manually or change the LiveUpdate schedule, this is configured in the LiveUpdate Settings policy under the Advanced dialog.

Centralized Exceptions Policies

By default, administrative users are able to add exceptions to exclude files, folders, or threats from being scanned. To prevent administrative users from adding exceptions, you must create a Centralized Exceptions policy and explicitly disallow administrative users from adding their own exceptions, as shown below.
Accessing the SEP Client Interface

Administrators can control to what extent a user has access to the SEP client interface. It is possible to provide granular control to administrative users using Mixed Control mode; however, in this paper only the option to hide the user interface and/or the system tray icon completely is discussed. By default, a restricted user can open the SEP client interface. To access the settings that control access to the SEP client interface, do the following steps:
1. Go to the Clients page and select the Policies tab.
2. Expand Location-specific Settings and click Client User Interface Control Settings.
3. Ensure the Server Control radio button is selected and click Customize.

This shows the dialog below, with options to hide the tray icon and/or hide the client interface completely. Each option is described below.
Display the client: By default, the SEP client interface is shown when launched from the tray icon or from the Start > Programs group. To hide the client, uncheck the box next to Display the client. If the user tries to launch the SEP client from Start > Programs > Symantec Endpoint Protection, they will get the following dialog:

[Screenshot: dialog shown when the client interface is hidden]

Display the notification area icon: By default, the system tray icon is shown, and double-clicking the icon launches the SEP user interface. To hide the icon, uncheck the box next to Display the notification area icon. The SEP tray icon will then not be displayed.
Disabling/Uninstalling the SEP Client from outside the Client Interface

Aside from disabling the client through configurations in the interface, many organizations wish to prevent the disabling of SEP via other methods (Task Manager, Services Manager, etc.) or even uninstalling the client completely.

Stopping SEP Services

SEP client services can be seen in the Windows Service Control Manager. At this time, the only service that can be prevented from being stopped manually is the Symantec Management Client. Although the other services can be stopped, this does not disable antivirus protection because Auto-Protect remains active.

It is important to note that restricted users cannot stop Windows services. It is best practice to provide employees with restricted user access unless it is necessary to allow administrative privileges. Administrative users can disable services within the Windows Service Control Manager because an administrative user has full (root-level) access to the operating system.

Here is an overview of the SEP client services, along with descriptions of why stopping some services does not impact antivirus protection:

Symantec Endpoint Protection (rtvscan.exe): User-mode antivirus functions (notifications, logging). There is no way to prevent administrative users from stopping this service. However, stopping this service does not disable Auto-Protect!

Symantec Management Client (smc.exe): Network Threat Protection and client-server communication functions. By default, it is not possible to stop this service in the Services Manager. If a user disables the service in the Service Control Manager, on shutdown the service is automatically reset to Automatic. By default, administrative users can stop smc.exe from the command line. To require a password for administrative users to stop smc.exe from the command line, do the following steps:
1. Go to the Clients page and select the Policies tab.
2. Click General Settings and select the Security Settings tab.
3. Place a check in the box next to "Require a password to stop the client service", as shown in the screenshot below.
Symantec Event Manager (ccsvchst.exe): Common client component for the Event Manager. There is no way to prevent administrative users from stopping this service. However, stopping this service does not affect Auto-Protect!

Symantec Settings Manager (ccsvchst.exe): Common client component for the Settings Manager. There is no way to prevent administrative users from stopping this service. However, stopping this service does not affect Auto-Protect!

Additional protection against SEP client services being disabled by malicious programs is available through Tamper Protection, described below.

Uninstalling the Client

To prevent an administrative user from uninstalling the SEP client, it is possible to require a password when uninstalling the client. To require a password, do the following steps:
1. Go to the Clients page and select the Policies tab.
2. Click General Settings and select the Security Settings tab.
3. Place a check in the box next to "Require a password to uninstall the client", as shown in the screenshot below.
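Because the paper states that most of these services can be stopped by an administrative user without any policy control, a defender's practical counterpart to the settings above is to audit the client's service state from the endpoint itself. The following PowerShell script is an added example and is not part of the Symantec whitepaper or a Symantec tool. It takes only the service display names and executable names from the paper; the OK/STOPPED/NOT-AUTOMATIC/MISSING classification, the Impact summaries and the function names are the editor's own. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and that it runs in a local administrator session.

```powershell
# Added example, not part of the Symantec whitepaper: audit the SEP 11.0 client
# services and processes the paper names. Display names and executable names
# come from the paper; the Impact text summarises what the paper says about
# stopping each service. Assumes Windows PowerShell 3.0+ and local admin rights.

$SepServices = @(
    @{ DisplayName = 'Symantec Endpoint Protection'; Exe = 'rtvscan.exe'
       Impact = 'Stopping does not disable Auto-Protect' },
    @{ DisplayName = 'Symantec Management Client'; Exe = 'smc.exe'
       Impact = 'Stopping disables Network Threat Protection and SEPM communication' },
    @{ DisplayName = 'Symantec Event Manager'; Exe = 'ccsvchst.exe'
       Impact = 'Stopping does not disable Auto-Protect' },
    @{ DisplayName = 'Symantec Settings Manager'; Exe = 'ccsvchst.exe'
       Impact = 'Stopping does not disable Auto-Protect' }
)

function Test-SepServiceState {
    # Returns one object per expected service with Status OK, STOPPED,
    # NOT-AUTOMATIC or MISSING. Win32_Service is queried because it exposes
    # StartMode ('Auto', 'Manual', 'Disabled'), which Get-Service does not
    # show on older Windows PowerShell versions.
    param([hashtable[]] $Expected = $SepServices)

    foreach ($svc in $Expected) {
        $actual = Get-CimInstance -ClassName Win32_Service `
            -Filter "DisplayName = '$($svc.DisplayName)'"
        if (-not $actual) {
            [pscustomobject]@{ Service = $svc.DisplayName; Status = 'MISSING'
                               StartMode = $null; Impact = $svc.Impact }
            continue
        }
        $status = 'OK'
        if ($actual.State -ne 'Running') { $status = 'STOPPED' }
        elseif ($actual.StartMode -ne 'Auto') { $status = 'NOT-AUTOMATIC' }
        [pscustomobject]@{ Service = $svc.DisplayName; Status = $status
                           StartMode = $actual.StartMode; Impact = $svc.Impact }
    }
}

function Test-SepProcesses {
    # Counts running instances of each SEP executable named in the paper.
    # ccsvchst.exe hosts two services, so more than one instance is normal.
    param([string[]] $Executables = @($SepServices | ForEach-Object { $_.Exe } | Select-Object -Unique))

    foreach ($exe in $Executables) {
        $name = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        $count = @(Get-Process -Name $name -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Executable = $exe; Instances = $count }
    }
}

# Print both reports and exit non-zero if any service is not running as
# Automatic, so the script can be driven from a scheduled task or a
# monitoring agent that treats a non-zero exit code as an alert.
$report = @(Test-SepServiceState)
$report | Format-Table -AutoSize
Test-SepProcesses | Format-Table -AutoSize
if (@($report | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Read the result in the light of what the paper says: a STOPPED Symantec Endpoint Protection, Event Manager or Settings Manager service does not by itself mean Auto-Protect is off, but it is still a sign that someone with administrative rights changed the client state, which is exactly the condition this paper is trying to prevent; a STOPPED or NOT-AUTOMATIC Symantec Management Client means Network Threat Protection and communication with the SEPM are down. The script matches on display names as they appear in the Services Manager, so on a localized Windows installation the display names in $SepServices may need adjusting.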
Additional Technologies for Protecting the SEP Client

In addition to the steps listed above, there are technologies that provide additional ways of protecting the SEP client. Note that both of these features currently do not support 64-bit operating systems.

Tamper Protection: Protecting SEP Processes

Tamper Protection is a process that monitors SEP processes and prevents them from being forcefully shut down from an external source, such as malicious code. By default, this feature is enabled but set to log only; it does not block processes. To configure Tamper Protection to block attempts to terminate SEP client services, do the following steps:
1. Go to the Clients page and select the Policies tab.
2. Click General Settings.
3. On the Tamper Protection tab, select "Block it and log the event" from the drop-down box.
4. Click the lock icon to prevent administrative users from disabling Tamper Protection, as shown in the screenshot below.

Note: Before configuring Tamper Protection to block, monitor the Tamper Protection logs to ensure that legitimate programs, such as software distribution software, do not stop SEP services for legitimate purposes. It is possible to exclude certain processes from triggering Tamper Protection.
Application Control: Protecting Client Files and Registry Keys

Symantec provides a pre-configured rule in Application Control policies to protect the client files and registry keys. When this rule is enabled, administrative users cannot manually delete SEP client files and/or registry keys. Enable this rule by creating an Application and Device Control policy and enabling the rule as shown below.

Note: This Application Control rule is active only on the local system. It does not prevent files from being deleted remotely.
Appendix A: One-Page Overview

This checklist provides a summary of the components that organizations may wish to secure when hardening a client. Some options, such as hiding the client user interface completely, may not be a desired setting but are included here to provide an overview of the available options.

Preventing administrative users from changing policies (policy to lock: manual steps required to lock it?)
    Antivirus and Antispyware: Yes
    Firewall: No
    IPS: No
    Application and Device Control: No
    LiveUpdate Policy: No
    Centralized Exceptions: Yes

Disabling/uninstalling the SEP client from outside the client interface (hardening step: manual steps required?)
    Require password to open user interface: Yes
    Require password when uninstalling SEP client: Yes
    Require password when stopping SEP service by command line (smc.exe stop): Yes
    Require password to import or export a policy: Yes
    Hide system tray icon: Yes
    Prevent administrative users from disabling SEP Network Threat Protection in the client UI: Yes
    Prevent administrative users from stopping the SEP client service in the Service Control Manager: No
    Prevent administrative users from stopping other SEP services in the Service Control Manager: Not possible at this time. Stopping the other services does not disable Auto-Protect antivirus protection.

Additional technologies to prevent tampering with the SEP client (hardening step: manual steps required?)
    Tamper Protection: Yes
    Application Control default rule to protect client files and registry keys: Yes
About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 800 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
408 517 8000
800 721 3934
www.symantec.com

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder/s. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as-is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the Symantec technical documentation or the information contained herein is at the risk of the user. Copyright 2007 Symantec Corporation. All rights reserved. 09/04 10318317