Best practices for Endpoint Protection on Windows servers

book

Article ID: 177535

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

This article describes best practices for installing Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Manager (SEPM) on Microsoft Windows servers.

Resolution

Windows servers and Symantec Endpoint Protection Manager (SEPM)

Although SEPM can be installed on any Windows operating system that meets the system requirements, installing SEPM on a server with a critical role, such as a Domain Controller or Exchange server, is not recommended. SEPM provides only management functions, not system protection, and servers with critical roles are likely to need as much as possible of the computer's resources available.

The best practice is for SEPM to reside on a server operating system with high availability that does not serve a critical role. This practice allows SEPM to function at peak efficiency without taking disk space, RAM, CPU, and network bandwidth that could be used more effectively by critical servers.

Windows servers and the Symantec Endpoint Protection client

The SEP client should be installed on all computers on the network, including servers. On servers, SEP should be placed in appropriate client groups so that specific management policies and associated exceptions can be applied. Depending on the server's role, creating and applying the correct policies is critical for system performance in the areas of disk I/O and CPU usage.

Real-time and scheduled scanning exclusions

Some Windows server roles require that specific folders and processes be excluded from AntiVirus real-time and scheduled scans, Tamper Protection monitoring, and other heuristic monitoring components.

In SEP, these exclusions are set through the Centralized Exceptions policy in the SEPM, or directly through the user interface on an unmanaged SEP client. Administrators can exclude specific processes, file extensions, and folders from the AntiVirus Auto-Protect component, Tamper Protection, and TruScan, Proactive Threat Protection, or SONAR.

In most cases, it is not a best practice to create folder exclusions. Any malware in a folder that has a folder exclusion is effectively hidden from SEP. Setting folder exclusions is only considered a best practice if the product explicitly details a required exclusion from antivirus products.

Certain server roles, such as Active Directory Domain Controllers, Microsoft Exchange servers, and Microsoft SQL servers, have very specific requirements for antivirus scanning and firewall configuration. Some of these requirements are built directly into SEP; automatic exclusions of Exchange mailbox stores are one example. Even though these exclusions are created automatically, it is important to confirm that the required exclusions exist, as imported settings from previous upgrades or other configuration changes can overrule these automatic exclusions.

Firewall rules and IPS signatures

Windows server operating systems are typically installed in order to make use of one or more built-in roles, such as DNS, Active Directory, or IIS. Each of these roles has its own unique requirements for network communication. When SEP client is installed, these requirements must be taken into account in a SEP client Firewall Policy that permits or restricts communication as appropriate. Refer to the documentation from the product or manufacturer to identify the network communications requirements for that product. For more information on configuring the SEP firewall, refer to the Installation and Administration Guide.

Intrusion Protection System (IPS) helps to block attacks and threats based on network traffic. In most cases, using IPS is recommended to prevent against non-file based attacks against servers. The exception to this rule is that, in some cases, IPS can interfere with the operation of high-load or high-throughput servers. Symantec defines high-load or high-throughput as meeting one or all of the following criteria:

  • Average CPU utilization of 35% or more
  • Average TCP/UDP throughput of 300 Mbps or more
  • Use of NIC teaming technology

If a server meets one or more of these criteria, Symantec recommends testing the SEP client on a server in a lab environment that can simulate peak production demands on the system in order to gauge performance before deciding whether it is feasible to use IPS-dependent features on the server. The IPS component was designed, implemented and tested for network speeds up to 1Gb/s. It is expected that there will be a performance impact for networks beyond this speed. In an example of such real-world testing, a throughput of 1.8 Gb/s was achieved during ad-hoc testing on a 10 Gb/s network connection.

On servers that do not meet those criteria, Symantec recommends using IPS. While security features such as firewall and IPS always result in some performance impact, the additional burden placed on a server by the latest SEP client's Network Threat Protection and IPS components should not cause a significant decline in speed or responsiveness on a well-resourced server. IPS drivers use a maximum of 100 MB of non-page pool memory.

IPS-dependent features include Advanced Download Protection, SONAR, and IPS itself.

IPS also offers two specific Server Performance Tuning features, Out-of-band Scanning and Use Signature Subset for Servers, that can be used to help reduce the potential network speed impact experienced when using IPS on servers or on clients in high-throughput scenarios. These are detailed below. Please note that using Out-of-band scanning may potentially conflict with Windows Filtering Platform drivers on server operating systems. As a result, it is strongly suggested to test this option with a server operating system in a predeployment environment prior to enabling it in production.

  • Out-of-band Scanning configures IPS to use a multi-threaded processing approach for all network traffic examination via the IPS module. This improves the performance of IPS without reducing its effectiveness.
  • Use Signature Subset for Servers allows IPS to use a smaller, consolidated, and optimized set of IPS signatures intended for use in high-throughput scenarios. This feature set can be used on both servers and standard endpoint clients with high traffic throughput. These optimized signatures do not reduce the effectiveness or protection provided by IPS.

Certain server roles, such as Active Directory Domain Controllers, Microsoft Exchange servers, and Microsoft SQL servers, have very specific requirements for firewall configuration. Some of these requirements are built directly into SEP. Even though these rules are configured automatically, it is important to confirm that the required rules are in place, as either imported settings from previous upgrades or other configuration changes can overrule these settings.