Symantec Endpoint Protection Recommended Best Practices for Securing an Enterprise Environment


Article ID: 154824


Updated On:


Endpoint Protection


The following is Symantec's recommended best practices for securing an enterprise environment with Symantec Endpoint Protection.


Symantec Endpoint Protection Technologies Explained

Symantec Endpoint Protection Modules Diagram
What does Intrusion Prevention do that Antivirus protection does not? 
Antivirus technology is a strong, effective technology that protects your computer from files that are on, or once they reach, the hard drive. The Intrusion Prevention System (IPS) technology is a strong, effective technology that prevents malicious files from getting to your hard drive in the first place.
Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats that use known exploits and attack vectors. IPS does not detect specific files, but rather, specific methods that can be used to get malicious files onto your network. This allows IPS to protect against not only known but also unknown threats even before antivirus signatures can be created for them. 
For example, the Downadup/Conficker worm uses a known vulnerability, the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, to spread to unpatched computers. When the worm was released, antivirus technology could not stop the infection until virus definitions were written for the file. However, since IPS already had signatures for the RPC Handling vulnerability, computers running IPS technologies were protected before the worm was ever released.
IPS is very good at detecting "drive-by" downloads of malware and fake-antivirus scanner Web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its usage should be considered a necessity on any network that is connected to the Internet.
Why set Symantec Endpoint Protection to use Bloodhound Level 3? 
Malheur, a piece of Bloodhound that is active when set to Level 3, is a heuristics detection technology that will detect malicious files vs. clean files. Malware found by this signature are detected as Suspicious.*****. This is a new-style Bloodhound heuristic signature that has been successfully deployed in Symantec’s consumer products. We are now making it available for Enterprise products.
 Why enable Network Scanning?
By default, Auto-Protect scans files as they are written from your computer to a remote computer. Auto-Protect also scans files when they are written from a remote computer to your computer. When you execute files on a remote computer however, the file loads into memory on the local computer. Since real‐time scanning technologies like Auto-Protect cannot scan memory, this potentially allows malicious code to be launched on a machine before antivirus software can examine the code. By enabling Network Scanning, files on remote machines can be scanned when read, helping to block a large and growing attack vector for some of the most dangerous threats.
Why use Application and Device Control?
Application and Device Control policies provide the ability to monitor and control the behavior of applications, including malicious software, and lock out unauthorized devices like removable drives (a common threat spreading mechanism). For example, when encountering an outbreak, rules can be created to block modifications to the registry, disable the Autorun spreading mechanism, and prevent execution of exploited programs or operating system components.   Though specific policies should be designed by network administrators tailoring rules for their unique environments, a security hardening policy has been developed by Symantec. This is a security-aggressive policy, restricting unauthorized changes to the registry, changes to the hosts file, and preventing commonly exploited components of the operating system from making changes or calling other processes. The policy and its description are available here; Symantec Endpoint Protection Hardening Policy.
Workstation IT-based Security Best Practice Configurations 
Desktop Antivirus and Antispyware scans the file system for malicious threats. This is the fundamental layer of protection. Secure configurations will include a combination of on-access scanning for all file types as they are either created or modified, as well as configurations for regularly scheduled full system scans.
Client Firewall 
Client firewall technology is related to IPS technology and adds additional layers of protection. Firewalls help to block various types of traffic from systems within the network and outside of the network. An in-depth description of firewall best practices for Symantec Endpoint Protection can be found here: Network Threat Protection (Firewall) Overview and Best Practices White Paper
 External Device Control 
External storage devices, such as USB drives and media players, are common infection vectors for malicious threats. Many threats utilize the Autorun functionality which allows the threat(s) that reside on a USB device to automatically launch on the system when the device is plugged into the computer. Many of these “lifestyle” devices are used for both personal life and work life. Although this double usage of devices can add flexibility for users, it introduces an additional risk to an enterprise environment. There is no guarantee that the systems outside the purview of the enterprise that interact with these devices maintain an equivalent or better security posture than the enterprise. Symantec Endpoint Protection provides the ability to block or allow usage of various types of external devices. Instructions for managing external devices in Symantec Endpoint Protection can be found in the following documents:
Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
How to block USB devices while excluding mouse and keyboard?
How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.
Autorun functionality management 
External devices can be configured to automatically execute a given application at the moment when the device is connected to a computer. This is what allows the installation process for a new product to immediately commence when a product CD is inserted into a CD drive. Unfortunately, malicious attackers are able to take advantage of the same functionality. The most common types of autorun-enabled devices used by attackers are external USB drives and shared network drives. Configuration changes can be made to a desktop system to disallow Autorun functionality for USB devices and network shares while allowing the functionality for CD ROM devices. Information on disabling Autorun functionality via Symantec Endpoint Protection can be found here:
Preventing a virus from using the AutoRun feature to spread itself
Application Control functionality in Symantec Endpoint Protection may be employed to block attempts to create autorun.inf files. Symantec strongly recommends disabling Autorun functionality for USB devices and network drives.
Close open or unnecessary shares 
Many malicious threats attempt to enumerate all available file shares, either on other desktop systems or file servers, in order to spread to those systems. Therefore it is important to employ file shares on desktop systems only when absolutely necessary. An “open” share is a file share that requires no password for access. Shares of this type should never be used. Threats that take advantage of file shares within a network can be especially difficult to eradicate once they begin to infiltrate file shares and file servers. Any desktop system or file server that is not protected or is loosely configured may contribute to a difficult threat removal operation; thus, all systems within a network must be checked from time to time.
Limit network drive mapping to the bare minimum 
Mapped drives can be a transmission pathway for malicious code and they should therefore be managed carefully. Many threats will enumerate each drive letter on the system and attempt to copy themselves to that drive, allowing for rapid spread within a corporate network. It is best to only use these drive mappings when needed, and then ensure that the content is frequently scanned for malicious threats.
Complex passwords for all user accounts 
All user accounts should use complex passwords to increase the level of difficulty in guessing the password. At a minimum, the password:
  • Should be at least eight characters in length (longer is better).
  • Should contain a combination of letters, numbers and at least one special character.
  • Should contain a mixture of upper case and lower case letters.
  • Should be configured to expire on a regular basis, such as every three months.
  • Should not contain repetitions or sequences of characters, such as 12345678 or zzzzzzzz.
  • Should not contain familiar words or phrases.
  • Should not contain the user name.
 Judiciously apply security patches 
Attackers often exploit known vulnerabilities within software to facilitate easier system compromise. Security patches should be applied when available to help reduce the window of exposure for affected systems. Many threats exploit vulnerabilities that are months or years old and for which patches exist, which indicates that some users can be a bit slow in updating their systems. Examples of software that can be patched:
  • Operating systems
  • Browsers
  • Browser plug-in applications
  • Multimedia and data file applications, such as RealPlayer, QuickTime and Adobe Acrobat


Limit or eliminate local administrator privileges 
Malicious threats frequently execute with the same privileges as the current user. This means that if the current user is a local administrator the malicious threat will have virtually full access to the local system. It is best to provide the lowest level of privileges necessary to allow each user perform their normal tasks.
Server IT-based Security Best Practice Configurations 
Limit enduser write access to server volumes 
Many threats attempt to write themselves to file servers, thereby allowing quick spreading to other desktop systems that use these servers. Therefore it is prudent to limit the extent to which users have write access to these file servers. Shared applications residing on network file servers can be protected by setting access privileges for all users to “Read & Execute” and “Read”. Security settings for data files for these applications that may require write access for users can be configured individually. The goal is to allow users the ability to utilize shared applications without the risk of compromise by malicious threats. This problem is especially acute with network-aware file-infectors, which can render an application unusable if the application has a self-checking mechanism and the threat can successfully infect one or more files that are part of the application. In these cases a successful repair by an antivirus product may not return the previously infected files to their original byte-for-byte state, thus requiring the restoration of the affected files from a reliable backup copy. Eliminating write access for users can help avoid these situations.
Prohibit enduser activity on server systems
Servers should be reserved for server-level activity, such as running email systems and web sites. Allowing normal user activity, such as reading personal email and browsing the web, may introduce risks to the security posture of the server, thus potentially disrupting the services the server provides.
Inoculate root folders of mapped drives against autorun.inf creation 
The first option to protect against autorun.inf threats is to disable the functionality across the network. If this is not an option, one specific technique that is particularly effective against autorun-based threats is to create folders named ‘autorun.inf’ in all root folders of mapped server volumes. These folders should be marked as System and Hidden with the read-only bit set. Write access for these folders should be revoked for all users. Any threat that attempts to create the autorun.inf file in the root directory of a mapped drive will not be able to do so.
Use complex passwords on all authenticated network assets 
All authentication systems on network assets should require complex passwords to increase the level of difficulty in guessing the password. At a minimum, the password:
  • Should be at least eight characters in length (longer is better).
  • Should contain a combination of letters, numbers and at least one special character.
  • Should contain a mixture of upper case and lower case letters.
  • Should be configured to expire on a regular basis, such as every three months.
  • Should not contain repetitions or sequences of characters, such as 12345678 or zzzzzzzz.
  • Should not contain familiar words or phrases.
  • Should not contain the user name.
 Judiciously apply security patches 
Much like desktop systems, server systems should be patched as soon as possible once a critical update is available. The updating process for server systems tends to be more complex as most servers cannot be taken down for maintenance very often. Therefore the server administrator must carefully weigh the cost of server downtime versus the criticality of the security patch and the relative level of vulnerability for the affected server systems.
Network Access Policies 
Network Access Control 
Utilize network access control (NAC) to interrogate external systems that connect to the corporate network. This allows for tighter control and enforcement of security policies across all devices connected to the network. NAC not only can determine the relative level of security on a given system but it can take steps to remediate non-conforming systems, such as applying security patches or installing desktop security software.
Enforce home user/roaming user system security policies 
Systems that connect to the Internet while not connected to the corporate network can be a source of threat infections for an enterprise network. Home systems that connect to the corporate network via a VPN connection may not always have the same security posture as systems directly managed by the enterprise. A VPN connection ensures the privacy of the information transmitted over the Internet, but it does not guarantee the cleanliness of what is transferred. Thus, a malicious threat residing on a home system can use the VPN connection as a potential infection pathway to assets within the corporate network. Additionally, mobile systems that only occasionally connect to the corporate network, but frequently connect directly to the Internet, may also be at risk if those systems do not receive security content updates at the same frequency of systems connected to the corporate network. Therefore, it is important to enforce security policies for any system that might connect to the corporate network.
Physical control of network access points 
Network jacks should be positioned within a physical space in such a way that non-employees cannot access them without the knowledge of their corporate hosts. This may seem like a small detail, but live network jacks that are freely available to non-employees in public spaces can present a danger to assets on the corporate network. At minimum these network jacks should not allow access to the corporate network itself but should direct users to the public Internet.
Wireless access point management 
Wireless networks are an effective way of providing local network access to employees, but there are some risks involved that need to be managed. The first risk is allowing unauthorized users to connect to the wireless network. The most basic step a network administrator can take is to configure the wireless access point so that it does not broadcast the network name, known as the Service Set Identifier, or SSID. The default SSID should also be changed to a non-obvious name to make it more difficult to guess. Most access point manufacturers configure their hardware with a default SSID which experienced attackers can guess, thus changing the default name is imperative. These devices may also have a standard default administrator password, which should also be changed before deployment. The default authentication mode for these devices is normally “open”, meaning that no password or other secret authentication is required to connect to the device. Leaving an access point open represents a severe security risk and should never be allowed. Instead, the access point should be configured to use some level of authentication. The two most common types of authentication security available on access points are WEP and WPA. Of the two WPA is stronger. The prudent network administrator should use one of them to force some level of authentication to gain access to the network. Additional options exist to increase security above and beyond what has been listed here, such as MAC address filtering and usage of VPN tunneling. The network administrator must consider the nature of the network being managed to determine which of these options are appropriate.