Best Practices for Running Symantec™ Endpoint Protection 12.1 on the Microsoft Azure Platform
Who should read this paper
Customers who are deploying Symantec™ Endpoint Protection on the Microsoft Azure Platform
Technical Brief: Best Practices Guide for Running SEP on Azure
Contents
Introduction
Overview of Symantec™ Endpoint Protection on the Azure platform
Installing a Symantec™ Endpoint Protection client using Symantec installation files
Installing a managed client
Installing an unmanaged client
Installing Symantec™ Endpoint Protection as a Microsoft Azure Security Extension
Managing Symantec™ Endpoint Protection clients running on Azure Virtual Machines
Advanced: Using Application Control and System Lockdown to restrict applications
Restricting applications with System Lockdown
Restricting applications with Application Control
Restricting applications for system hardening
Known Issues when running Symantec™ Endpoint Protection on the Azure Platform
Where to get more information
Legal notice
Introduction
Microsoft Azure is a cloud computing platform that allows customers to build, deploy, and manage applications on virtual machines (VMs).
Symantec™ Endpoint Protection (SEP) is certified to run on Azure virtual machines. SEP can be installed as a security extension within the
Azure platform or from installation files that you download from Symantec FileConnect.
This document describes how to use Symantec™ Endpoint Protection to protect Microsoft Azure VMs. For more information on Microsoft
Azure, identity management, roles, and security topics related to the Microsoft Azure platform, see the Microsoft website.
Overview of Symantec™ Endpoint Protection on the Azure platform
Symantec Endpoint Protection goes beyond antivirus to deliver multiple layers of protection for VMs on the Microsoft Azure platform. The
default settings include only the virus and spyware protection technologies, so we strongly recommend that you also enable the other layers
of protection described below.
• Virus and Spyware Protection: This is a core component of Symantec Endpoint Protection and is automatically installed as part of the
default setting. It includes signature-based file scanning that detects known threats and threat families.
• Insight™: Insight is a cloud-based reputation engine that identifies a file's reputation at download time. By analyzing key file
attributes, Insight indicates whether a file is known good, known bad, or of unknown reputation. If your VMs can download files through
applications such as a web browser or an email or FTP client, we recommend that you turn on the Insight engine.
• SONAR™: SONAR monitors suspicious file behaviors to determine whether the files pose a danger to your system. By conducting real-time
behavior scanning, SONAR can detect and block never-before-seen threats. We recommend you turn on SONAR to detect advanced
threats.
• Intrusion Prevention System (IPS): IPS scans inbound and outbound network packets for malicious payloads and activity. It can
reduce network throughput on some high-availability servers, so for Windows Azure VM roles running the Windows R2 Datacenter edition,
we do not recommend that you install IPS.
The technologies above require content updates from Symantec. Managed clients receive updates automatically from the Symantec™ Endpoint
Protection Manager. Unmanaged clients receive updates by running LiveUpdate against Symantec's servers over the Internet. Both
Insight™ and SONAR™ require Internet access to query reputation data from the Symantec Global Intelligence Network.
The following technologies provide additional protection for your VMs through rule-based policies for system hardening. They do not require
updates from Symantec but you do need to enable and configure them.
• Application Control: Blocks autorun.inf, file access, registry access, process launches, access to removable drives, DLL loading,
and many other actions. Symantec recommends that you use the advanced rule-based protection templates for VMs in a
Microsoft Azure environment.
• System Lockdown: Defines an explicit whitelist or blacklist of applications based on a file fingerprint list. Enable System Lockdown for
the strongest protection.
• Firewall: Not needed if your Azure VMs are already configured to restrict network traffic using the Windows firewall.
• Device Control: Blocks or allows devices by device ID or class ID. For example, it can block all USB storage devices except explicitly
allowed models. Device Control is only needed if your Azure VMs use removable devices.
If the virtual machine is a Windows server with high-availability performance requirements, see the following knowledge base
article for specific recommendations:
Best Practices for Installing Symantec™ Endpoint Protection (SEP) on Windows Servers
http://www.symantec.com/business/support/index?page=content&id=TECH92440
Installing a Symantec™ Endpoint Protection client using Symantec installation files
Installing a Symantec™ Endpoint Protection client on an Azure VM is much like installing these clients on any other virtual or physical
system. Installation files are available for download for customers with a valid license from FileConnect. Contact Symantec Customer Care
if you need assistance.
Installing a managed client
To install a managed client, you can create and export a client installation package from the Symantec Endpoint Protection Manager console.
You then copy the exported file locally to the target Azure VM.
For more information, see the following knowledge base article:
How to export an install package from the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH181666
Installing an unmanaged client
To install an unmanaged client, download the client installation file from FileConnect to the target virtual machine and double-click
setup.exe.
For more information, see the following knowledge base article: Installing an unmanaged Symantec™ Endpoint Protection 12.x client
http://www.symantec.com/docs/TECH104386
Installing Symantec™ Endpoint Protection as a Microsoft Azure Security Extension
As part of the VM configuration in the Azure management portal, Symantec™ Endpoint Protection is listed as an available security extension.
By selecting Symantec™ Endpoint Protection when you deploy a VM, Symantec™ Endpoint Protection installs automatically.
The Symantec™ Endpoint Protection security extension is the same code as the client installation file. There are no code changes or
alterations to the client itself to support installation on the Azure platform. The security extension is a simple wrapper that passes install
parameters for use in the Azure platform. However, the Symantec™ Endpoint Protection security extension is a 60-day free trial version of the
client. You must license the software by purchasing a copy of Symantec™ Endpoint Protection 12.1 or by installing your existing enterprise
license.
The default setting of Symantec™ Endpoint Protection when being installed from a Security Extension contains only Virus and Spyware
protection. You will need to enable and configure the other protection technologies, such as Intrusion prevention, Insight™ and SONAR™
through the Control Panel under the Programs icon.
Managing Symantec™ Endpoint Protection clients running on Azure Virtual Machines
The Symantec Endpoint Protection Manager (SEPM) is the management console for Symantec Endpoint Protection clients. You can run the
management console on your own on-premises hardware or from an Azure-hosted virtual machine. In both cases, make sure that your system
meets the minimum system requirements.
See the following knowledge base article for the latest system requirements:
http://www.symantec.com/docs/TECH224712
Whether Symantec™ Endpoint Protection Manager is installed on an on-premises system or on an Azure-hosted virtual machine, make sure
that every port the management console and the Symantec Endpoint Protection clients in Azure use to communicate is open along the whole
path, that is, in the Windows firewall on each VM and in the Azure network configuration between the console and the clients.
For information on what ports are needed for a managed Symantec™ Endpoint Protection client, see the following knowledge base article:
Which communication ports does Symantec™ Endpoint Protection use?
http://www.symantec.com/docs/TECH163787
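A quick way to confirm that the path between an Azure-hosted client and the management console is actually open is to test the TCP ports from the client VM itself. The following PowerShell script is an added example and is not part of the Symantec brief or of the product. It assumes port 8014 (the default client-server communication port) and 443 (HTTPS, if you have enabled it) as the ports to check; confirm the real list against the knowledge base article above and your own site settings. It uses a raw TcpClient rather than Test-NetConnection so that it also runs on older Windows Server images.

```powershell
# Added example, not Symantec code: check that a SEP client in Azure can reach the SEPM ports.
param(
    [Parameter(Mandatory = $true)][string]$SepmHost,
    [int[]]$Ports = @(8014, 443),   # assumed defaults; confirm against TECH163787 and your SEPM site settings
    [int]$TimeoutMs = 3000
)

# Returns OPEN, FAILED or TIMEOUT for a single TCP port.
# FAILED covers both "connection refused" and name-resolution errors.
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'TIMEOUT' }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'OPEN'
    }
    catch { return 'FAILED' }
    finally { $client.Close() }
}

$results = foreach ($port in $Ports) {
    [pscustomobject]@{
        Host   = $SepmHost
        Port   = $port
        Result = Test-TcpPort -TargetHost $SepmHost -Port $port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

# TIMEOUT usually means a firewall or an Azure network rule silently drops the traffic.
# FAILED usually means the packet arrived but nothing is listening (SEPM stopped, wrong port or wrong name).
if ($results | Where-Object { $_.Result -ne 'OPEN' }) { exit 1 }
```

Run it on the Azure VM as `.\Test-SepmPorts.ps1 -SepmHost sepm.example.local` (file name and host are placeholders). A TIMEOUT is the typical symptom of a missing Azure endpoint or firewall rule; a FAILED result points at the console side rather than the network.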
Running LiveUpdate and performance
If you configure the Symantec™ Endpoint Protection clients to run LiveUpdate to get updates, we recommend that you schedule the updates
to run when the Azure VM is not running other CPU or disk-intensive activities.
Advanced: Using Application Control and System Lockdown to restrict applications
If you intend the Azure VM to run specific applications only, you can restrict unapproved applications using Application Control and System
Lockdown. You should also use Application Control and System Lockdown for Azure VMs that do not have access to the Internet because the
lack of Internet access prevents Insight™ and SONAR™ from protecting these VMs.
Restricting applications with System Lockdown
System Lockdown provides whitelisting and blacklisting. In whitelisting mode you control exactly which applications are allowed to run on
the Azure VM: the approved applications are recorded in a file fingerprint list that contains each application's checksum and
file path.
Implementing system lockdown is a two-step process. First, create a file fingerprint list and then import the list into Symantec™ Endpoint
Protection Manager for use in the system lockdown configuration.
To generate the file fingerprint list, use the checksum tool included in the Symantec™ Endpoint Protection client installation. Symantec
recommends that you create a software image that includes all of the applications to whitelist on the Azure VM, and then use this image to
create a file fingerprint list.
For more information on configuring system lockdown for whitelisting please visit:
http://www.symantec.com/docs/HOWTO80848
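Because whitelist mode blocks anything that is not in the fingerprint list, it is worth auditing a VM against the list before you enforce it, especially if the VM has been patched since the golden image was fingerprinted. The PowerShell script below is an added example, not Symantec code and not the checksum tool itself. It assumes the fingerprint file has one entry per line consisting of a 32-character MD5 hash, whitespace, and the full path, which is the form the SEP checksum tool writes; check one line of your own output before relying on that. The directory roots and report location are also assumptions.

```powershell
# Added example, not Symantec code: audit a VM's executables against a System Lockdown fingerprint list.
param(
    [Parameter(Mandatory = $true)][string]$FingerprintFile,
    [string[]]$Roots = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'),   # assumed roots
    [string]$ReportFile = 'C:\Temp\lockdown-audit.csv'                                  # assumed location
)

# Parse the fingerprint list into a path -> MD5 table. Assumed line format: 32 hex characters,
# whitespace, then the full path. Paths are compared case-insensitively.
$approved = @{}
foreach ($line in Get-Content -Path $FingerprintFile) {
    if ($line -match '^\s*([0-9A-Fa-f]{32})\s+(.+?)\s*$') {
        $approved[$Matches[2].ToLowerInvariant()] = $Matches[1].ToUpperInvariant()
    }
}
if ($approved.Count -eq 0) { throw "No fingerprint entries parsed from $FingerprintFile" }

$results = foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path   = $_.FullName
            $actual = (Get-FileHash -Path $path -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            $listed = $approved[$path.ToLowerInvariant()]
            if (-not $actual) {
                $status = 'UNREADABLE'       # locked or access denied; re-run elevated if this is common
            } elseif (-not $listed) {
                $status = 'NOT_IN_LIST'      # will be blocked once whitelist mode is enforced
            } elseif ($actual -ne $listed) {
                $status = 'HASH_MISMATCH'    # patched, replaced or tampered with since the image was fingerprinted
            } else {
                $status = 'APPROVED'
            }
            [pscustomobject]@{ Path = $path; Status = $status; ListedHash = $listed; ActualHash = $actual }
        }
}

New-Item -ItemType Directory -Path (Split-Path -Parent $ReportFile) -Force | Out-Null
$results | Export-Csv -Path $ReportFile -NoTypeInformation
$results | Group-Object -Property Status | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Full report written to $ReportFile"
```

Every NOT_IN_LIST or HASH_MISMATCH entry is a binary that whitelist mode will stop from running; review them, then either add them to the image and regenerate the fingerprint list with the checksum tool, or confirm that blocking them is intended. MD5 is used here only because that is the hash the fingerprint list carries; it is a lookup key, not a security control on its own.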
Restricting applications with Application Control
In addition to signature-based protection and the rule-based protection that Symantec defines, you can restrict applications from running on
endpoints by creating protection rules of your own. These rules range from the simple, such as blocking access to autorun.inf files on all
removable devices, to the more involved, such as preventing browser helper objects from being registered or making USB devices read-only in a
specific location.
Configure Application Control to allow only the applications specific to the Azure VM, plus the operating system components that the VM
runs at startup. To do this, first monitor which applications the virtual machine runs, and then create a rule that allows those
applications.
To restrict applications from running on the VM using Application Control:
1. Run a tool, such as Process Monitor or Process Explorer, to get a list of all applications that run on the Azure virtual machine. Keep the
tool running during normal activity to find startup processes and any applications that are short-lived.
2. With a list of all the applications, create an Application Control rule set at the highest priority to allow those applications to run. Include
the full path and name of each application.
3. If you are using a software management tool, such as Symantec Endpoint Management or Microsoft System Center, create a second rule
set at a lower priority to allow the software management tool to run any application. Enable the Sub-processes inherit conditions
option for this rule.
4. Create a third rule set at a lower priority to block any application from running.
These rule sets block every other application from running, even legitimate ones. That is the point: attackers frequently abuse legitimate
binaries that are already present on the Azure VM but that the workload does not normally use, for example cmd.exe, cscript.exe, or even
telnet.exe. Blocking them removes those tools from an attacker's reach.
For more information, see the knowledge base article About Application and Device Control
http://www.symantec.com/docs/HOWTO80859
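Step 1 above asks for the full path of every application the VM runs, including services and autostart entries that a casual look at Task Manager misses. The PowerShell script below is an added example, not Symantec code, that gathers that list: it records service binaries, Run-key entries, and everything seen in repeated process samples during normal activity, and writes one full path per line ready for the "allow" rule set. The output location and sampling interval are assumptions. Sampling can still miss very short-lived processes, so keep Process Monitor running as the brief recommends and merge anything it catches.

```powershell
# Added example, not Symantec code: build a candidate allow list for an Application Control rule set.
param(
    [int]$DurationMinutes = 60,                        # how long to sample during normal activity
    [int]$IntervalSeconds = 2,                         # assumed sampling interval
    [string]$OutFile = 'C:\Temp\sep-allowlist.txt'     # assumed output location
)

$seen = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)

# Normalises a command line such as "C:\x\svc.exe" -k group or %SystemRoot%\foo.exe /arg
# down to the bare executable path and records it.
function Add-Path([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return }
    $exe = $CommandLine.Trim()
    if ($exe.StartsWith('"')) {
        $end = $exe.IndexOf('"', 1)
        if ($end -gt 1) { $exe = $exe.Substring(1, $end - 1) }
    } else {
        $exe = ($exe -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -match '\.exe$') { [void]$seen.Add($exe) }
}

# 1. Service binaries: started by the SCM, so they may never show up in a sample.
Get-CimInstance -ClassName Win32_Service | ForEach-Object { Add-Path $_.PathName }

# 2. Autostart entries from the machine-wide Run keys.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (Test-Path -Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Add-Path $_.Value }
    }
}

# 3. Sample running processes until the deadline. Run as a 64-bit, elevated session so that
#    the Path of 64-bit and system processes is readable.
$deadline = (Get-Date).AddMinutes($DurationMinutes)
while ((Get-Date) -lt $deadline) {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        ForEach-Object { Add-Path $_.Path }
    Start-Sleep -Seconds $IntervalSeconds
}

# One full path and file name per line, as the allow rule set expects.
New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force | Out-Null
$seen | Sort-Object | Set-Content -Path $OutFile -Encoding ASCII
Write-Host ('{0} unique executables written to {1}' -f $seen.Count, $OutFile)
```

Review the list before you import it: anything in it that the workload does not actually need (cmd.exe and cscript.exe are the usual suspects) should be left out of the allow rule so that the lower-priority block rule catches it.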
Restricting applications for system hardening
In addition to restricting unapproved applications, use Application Control to harden an Azure VM. Symantec offers predefined rule sets to
block behavior known to be malicious. As a best practice, enable the following rule sets to block malicious application behaviors.
To enable system hardening, check the following rule sets in the default Application Control policy to enable them:
1. Block programs from running from removable drives
2. Block modifications to the hosts file
3. Block access to scripts
4. Block access to Autorun.inf
5. Block File Shares
6. Prevent changes to Windows shell load points
7. Prevent changes to system using browser or office products
8. Prevent vulnerable Windows processes from writing code
9. Prevent Windows Services from using UNC paths
10. Block access to lnk and pif files
Known Issues when running Symantec™ Endpoint Protection on the Azure Platform
When running Symantec Endpoint Protection on Azure VMs, you should be aware of the following issues.
Remove duplicate offline clients in the Symantec™ Endpoint Protection Manager
If you shut down and deallocate the Azure VM through the Azure management portal or Azure PowerShell, the VM is assigned a new hardware ID
when it starts again. As a result, duplicate client entries appear in Symantec™ Endpoint Protection Manager. If you shut down or restart the
VM from inside Windows, for example with Start > Shutdown, the hardware ID is preserved and no duplicate clients are created.
For information on how to purge the duplicate offline clients, see the following knowledge base article:
Purging obsolete clients from the database to make more licenses available
http://www.symantec.com/docs/HOWTO81051
Disable the “Prompt before allowing application traffic” option
For an Azure VM with the Symantec™ Endpoint Protection client installed, make sure that the Prompt before allowing application traffic option
for the client group is disabled. The option is disabled by default; if you enable it, the Remote Desktop Protocol (RDP) session to the Azure
VM disconnects immediately and you cannot reconnect. You may lose all data on the VM and have to recreate it.
You can find this option in Symantec™ Endpoint Protection Manager by clicking Clients > Group > Policies > Location-specific Settings >
Client User Interface Control Settings. Set the control type to mixed control. On the Client/Server Control Settings tab, click Server for
the Configure unmatched IP traffic settings option. On the Client User Interface Settings tab, clear the Prompt before allowing
application traffic check box.
In the Symantec™ Endpoint Protection client, click Status > Network Threat Protection > Options > Change Settings > Firewall >
Unmatched IP Traffic Settings.
Do not block port 80 with a firewall rule
If you block port 80 with a Symantec™ Endpoint Protection firewall rule on the computer that you use to access the Azure VM, the RDP session
to the Azure VM disconnects immediately, and you cannot reconnect until you open port 80 again.
Where to get more information
For more information about running Symantec Endpoint Protection on the Azure platform, please see the following articles.
Symantec Endpoint Protection on Microsoft's Azure platform
http://www.symantec.com/docs/HOWTO98414
Symantec Endpoint Protection Client best practices for Windows Azure VM Role
http://www.symantec.com/docs/TECH192909
Symantec Endpoint Protection and Microsoft Azure (Symantec TV)
http://www.symantec.com/tv/products/details.jsp?vid=3662995462001
Microsoft Azure Site
http://azure.microsoft.com
Legal notice
This Symantec product may contain third-party software for which Symantec is required to provide attribution to the third party (“Third-Party
Programs”). Some of the Third-Party Programs are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please
see the Third-Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third-Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse
engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT
BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
About Symantec
Symantec protects the world’s information, and is a
global leader in security, backup, and availability
solutions. Our innovative products and services
protect people and information in any environment
– from the smallest mobile device, to the enterprise
data center, to cloud-based systems. Our world-
renowned expertise in protecting data, identities,
and interactions gives our customers confidence in
a connected world. More information is available at
www.symantec.com or by connecting with
Symantec at go.symantec.com/socialmedia.
For specific country offices
and contact numbers, please
visit our website.
Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2015 Symantec Corporation. All rights
reserved. Symantec, the Symantec Logo, the Checkmark
Logo, and LiveUpdate are trademarks or registered
trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be
trademarks of their respective owners.
3/2015
Best Practices for Running Symantec™ Endpoint Protection 12.1 on the Microsoft Azure Platform

More Related Content

PPTX
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
PPT
Symantec Endpoint Protection 12.1 RU6 MP6
PDF
TECHNICAL BRIEF: Using Symantec Endpoint Protection 12.1 to Protect Against A...
PPTX
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
PPTX
SYMANTEC ENDPOINT PROTECTION Configuring Replication and Failover and Load Ba...
PPTX
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
PDF
Netbackup intallation guide
PDF
Alternatives for-securing-virtual-networks
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
Symantec Endpoint Protection 12.1 RU6 MP6
TECHNICAL BRIEF: Using Symantec Endpoint Protection 12.1 to Protect Against A...
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
SYMANTEC ENDPOINT PROTECTION Configuring Replication and Failover and Load Ba...
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
Netbackup intallation guide
Alternatives for-securing-virtual-networks

What's hot (20)

PDF
Returnil 2010
PDF
Secure remote access in solaris 9
PPTX
Virtualization security
PDF
Manual Sophos
PDF
Locking down a Hitachi ID Management Suite server
PDF
Using EMC VNX storage with VMware vSphereTechBook
 
DOCX
Mid term report
PPTX
Mitigating Rapid Cyberattacks
DOCX
Symantec Endpoint Encryption - Proof Of Concept Document
PDF
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
PPTX
MS Cloud day - Understanding and implementation on Windows Azure platform sec...
PDF
Symantec Backup Exec 15 Administrator's Guide
PPT
SolarWinds Patch Manager - How does it compare to SCCM Patch Management?
PDF
Security in a Virtualised Environment
PDF
Hybrid cloud availability strategy with Veeam & Microsoft Azure
DOC
unit5final
PDF
Whitepaper on Installation and configuration if IBM RTC 3.0.1.2 on Windows Se...
PPTX
Bangalore IT Pro Full Day Event on Intune and SCCM
PDF
Whitepaper Availability complete visibility service provider
PDF
How Endpoint Encryption Works
Returnil 2010
Secure remote access in solaris 9
Virtualization security
Manual Sophos
Locking down a Hitachi ID Management Suite server
Using EMC VNX storage with VMware vSphereTechBook
 
Mid term report
Mitigating Rapid Cyberattacks
Symantec Endpoint Encryption - Proof Of Concept Document
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
MS Cloud day - Understanding and implementation on Windows Azure platform sec...
Symantec Backup Exec 15 Administrator's Guide
SolarWinds Patch Manager - How does it compare to SCCM Patch Management?
Security in a Virtualised Environment
Hybrid cloud availability strategy with Veeam & Microsoft Azure
unit5final
Whitepaper on Installation and configuration if IBM RTC 3.0.1.2 on Windows Se...
Bangalore IT Pro Full Day Event on Intune and SCCM
Whitepaper Availability complete visibility service provider
How Endpoint Encryption Works
Ad

Similar to Best Practices for Running Symantec Endpoint Protection 12.1 on Microsoft Azure (20)

PDF
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
PDF
spnt_5.58_gsg
PDF
Comodo Cloud Antivirus
PDF
ESM_InstallGuide_5.6.pdf
PDF
TECHNICAL WHITE PAPER▶ Applying Data Center Security with VMware NSX
PDF
Java Security Overview
PDF
Safeconsole admin guide
PDF
Client install
PDF
White Paper: EMC Compute-as-a-Service
 
PDF
Sace client guide
PDF
Miercom Security Effectiveness Test Report
PDF
Secure Management of Access to Privileged Accounts
PDF
Secure Management of Privileged Passwords
PDF
Wm4 0 quickstartguideissue1
PDF
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
 
PDF
Install
PDF
Pda management with ibm tivoli configuration manager sg246951
PDF
Osce 10.6 sp3_sys_req (1)
PDF
Integrated-Security-Solution-for-the-virtual-data-center-and-cloud
DOCX
21030241005_PlatformSecurityCaseStudy..docx
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
spnt_5.58_gsg
Comodo Cloud Antivirus
ESM_InstallGuide_5.6.pdf
TECHNICAL WHITE PAPER▶ Applying Data Center Security with VMware NSX
Java Security Overview
Safeconsole admin guide
Client install
White Paper: EMC Compute-as-a-Service
 
Sace client guide
Miercom Security Effectiveness Test Report
Secure Management of Access to Privileged Accounts
Secure Management of Privileged Passwords
Wm4 0 quickstartguideissue1
Backup and Recovery Solution for VMware vSphere on EMC Isilon Storage
 
Install
Pda management with ibm tivoli configuration manager sg246951
Osce 10.6 sp3_sys_req (1)
Integrated-Security-Solution-for-the-virtual-data-center-and-cloud
21030241005_PlatformSecurityCaseStudy..docx
Ad

More from Symantec (20)

PDF
Symantec Enterprise Security Products are now part of Broadcom
PDF
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
PDF
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
PDF
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
PDF
Symantec Webinar | National Cyber Security Awareness Month - Own IT
PDF
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
PDF
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
PDF
Symantec Mobile Security Webinar
PDF
Symantec Webinar Cloud Security Threat Report
PDF
Symantec Cloud Security Threat Report
PDF
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
PDF
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
PDF
Symantec Webinar | Tips for Successful CASB Projects
PDF
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
PDF
Symantec Webinar: GDPR 1 Year On
PDF
Symantec ISTR 24 Webcast 2019
PDF
Symantec Best Practices for Cloud Security: Insights from the Front Lines
PDF
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
PDF
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
PDF
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Enterprise Security Products are now part of Broadcom
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Mobile Security Webinar
Symantec Webinar Cloud Security Threat Report
Symantec Cloud Security Threat Report
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: GDPR 1 Year On
Symantec ISTR 24 Webcast 2019
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear

Best Practices for Running Symantec Endpoint Protection 12.1 on Microsoft Azure

  • 1. Best Practices for Running Symantec™ Endpoint Protection 12.1 on the Microsoft Azure Platform Who should read this paperWho should read this paper Customers who are deploying Symantec™ Endpoint Protection on the Microsoft Azure Platform TECHNICALBRIEF: BESTPRACTICESGUIDEFORRUNNINGSEP ONAZURE........................................
  • 3. Content Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Overview of Symantec™ Endpoint Protection on the Azure platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Installing a Symantec™ Endpoint Protection client using Symantec installation files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Installing a managed client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Installing an unmanaged client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Installing Symantec™ Endpoint Protection as a Microsoft Azure Security Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Managing Symantec™ Endpoint Protection clients running on Azure Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Advanced: Using Application Control and System Lockdown to restrict applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Restricting applications with System Lockdown. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Restricting applications with Application Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Restricting applications for system hardening . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Known Issues when running Symantec™ Endpoint Protection on the Azure Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Where to get more information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Legal notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Best Practices for Running Symantec™ Endpoint Protection 12.1 on the Microsoft Azure Platform
Introduction

Microsoft Azure is a cloud computing platform that allows customers to build, deploy, and manage applications on virtual machines (VMs). Symantec™ Endpoint Protection (SEP) is certified to run on Azure Virtual Machines. Symantec™ Endpoint Protection can be installed as a security extension within the Azure platform or from installation files that you download from Symantec FileConnect.

This document describes how to use Symantec™ Endpoint Protection to protect Microsoft Azure VMs. For more information on Microsoft Azure, identity management, roles, and security topics related to the Microsoft Azure platform, see the Microsoft website.

Overview of Symantec™ Endpoint Protection on the Azure platform

Symantec Endpoint Protection goes beyond antivirus to deliver multiple layers of protection for VMs on the Microsoft Azure platform. While the default settings include the virus and spyware technologies, we highly recommend that you also take advantage of the other layers of protection for maximum security.

• Virus and Spyware Protection: This is a core component of Symantec Endpoint Protection and is automatically installed as part of the default setting. It includes signature-based file scanning that detects known threats and threat families.
• Insight™: Insight is a cloud-based reputation engine that can accurately identify a file's reputation upon download. By analyzing key file attributes, Insight provides guidance on whether a file is good, bad, or of unknown reputation. If your VMs can download files through portal applications such as an Internet browser, email client, or FTP client, we recommend that you turn on the Insight engine.
• SONAR™: SONAR monitors suspicious file behaviors to determine whether the files pose a danger to your system. By conducting real-time behavior scanning, SONAR can detect and block never-before-seen threats. We recommend that you turn on SONAR to detect advanced threats.
• Intrusion Prevention System (IPS): IPS delivers inbound and outbound network packet scanning for malicious payloads and activity. It may reduce network speed on some high availability servers, so for Windows Azure VM roles running the Windows R2 Datacenter edition, we do not recommend that you install IPS.

The above technologies require updates from Symantec. Managed clients receive updates automatically from the Symantec™ Endpoint Protection Manager. Unmanaged clients receive updates from Symantec servers connected to the Internet by running LiveUpdate. Both Insight™ and SONAR™ require Internet access to leverage reputation data from the Symantec Global Intelligence Network.

The following technologies provide additional protection for your VMs through rule-based policies for system hardening. They do not require updates from Symantec, but you do need to enable and configure them.

• Application Control: Blocks autorun.inf, file access, registry access, processes from launching, access to removable drives, loading of DLLs, and many additional options. Symantec recommends that you leverage the advanced rule-based protection templates for VMs in a Microsoft Azure environment.
• System Lockdown: Defines explicit whitelists or blacklists that apply to a file fingerprint list. Enable System Lockdown to get the best protection.
• Firewall: This is not needed if your Azure VMs are already set up to restrict network traffic using the Windows firewall.
• Device Control: Blocks or allows devices by device or class ID. For example, it blocks USB stick devices except for explicitly allowed models. Device Control is only needed if the Azure VMs use removable devices.
If the virtual machine is a Windows server and falls under the performance metrics for high availability servers, see the following knowledge base article for specific recommendations:

Best Practices for Installing Symantec™ Endpoint Protection (SEP) on Windows Servers
http://www.symantec.com/business/support/index?page=content&id=TECH92440

Installing a Symantec™ Endpoint Protection client using Symantec installation files

Installing a Symantec™ Endpoint Protection client on an Azure VM is much like installing the client on any other virtual or physical system. Installation files are available for download from FileConnect for customers with a valid license. Contact Symantec Customer Care if you need assistance.

Installing a managed client

To install a managed client, create and export a client installation package from the Symantec Endpoint Protection Manager console. Then copy the exported file to the target Azure VM and run it locally. For more information, see the following knowledge base article:

How to export an install package from the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH181666

Installing an unmanaged client

To install an unmanaged client, download the client installation file from FileConnect to the target virtual machine and double-click setup.exe. For more information, see the following knowledge base article:

Installing an unmanaged Symantec™ Endpoint Protection 12.x client
http://www.symantec.com/docs/TECH104386

Installing Symantec™ Endpoint Protection as a Microsoft Azure Security Extension

As part of the VM configuration in the Azure management portal, Symantec™ Endpoint Protection is listed as an available security extension. If you select Symantec™ Endpoint Protection when you deploy a VM, Symantec™ Endpoint Protection installs automatically.
The Symantec™ Endpoint Protection security extension is the same code as the client installation file. There are no code changes or alterations to the client itself to support installation on the Azure platform. The security extension is a simple wrapper that passes install parameters for use in the Azure platform. However, the Symantec™ Endpoint Protection security extension is a 60-day free trial version of the client. You must license the software by purchasing a copy of Symantec™ Endpoint Protection 12.1 or by installing your existing enterprise license.

The default setting of Symantec™ Endpoint Protection when it is installed from a Security Extension contains only Virus and Spyware Protection. You need to enable and configure the other protection technologies, such as Intrusion Prevention, Insight™ and SONAR™, through the Control Panel under the Programs icon.

Managing Symantec™ Endpoint Protection clients running on Azure Virtual Machines

The Symantec Endpoint Protection Manager (SEPM) is the management console for Symantec Endpoint Protection clients. You can run the management console on your own on-premises hardware or from an Azure-hosted virtual machine. In both cases, make sure that your system meets the minimum system requirements. See the following knowledge base article for the latest system requirements:

http://www.symantec.com/docs/TECH224712

Whether Symantec™ Endpoint Protection Manager is installed on an on-premises system or on an Azure-hosted virtual machine, make sure that all required ports are available and open for communication between the management console and the Symantec Endpoint Protection clients in Azure. For information on which ports a managed Symantec™ Endpoint Protection client needs, see the following knowledge base article:

Which communication ports does Symantec™ Endpoint Protection use?
http://www.symantec.com/docs/TECH163787

Running LiveUpdate and performance

If you configure the Symantec™ Endpoint Protection clients to run LiveUpdate to get updates, we recommend that you schedule the updates to run when the Azure VM is not running other CPU- or disk-intensive activities.

Advanced: Using Application Control and System Lockdown to restrict applications

If you intend the Azure VM to run specific applications only, you can restrict unapproved applications using Application Control and System Lockdown. You should also use Application Control and System Lockdown for Azure VMs that do not have access to the Internet, because the lack of Internet access prevents Insight™ and SONAR™ from protecting these VMs.
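Both restriction methods just introduced depend on one input: an accurate inventory of the executables the VM legitimately runs, whether that inventory becomes an Application Control allow rule set (full path and name of each application) or a System Lockdown fingerprint list (checksums and paths). The PowerShell script below is an added example written for this page; it is not Symantec's checksum tool and not code from the brief. It polls the process list for a period so that startup and short-lived processes are captured, records each executable's full path, hashes the file, and can compare a deployed VM against a baseline built on the golden image to show drift that an allow-only policy would block. The function names, the CSV layout and the choice of MD5 as the hash algorithm are this example's own assumptions; the fingerprint list that Symantec™ Endpoint Protection Manager imports must still be generated with the checksum tool that ships with the client.

```powershell
# Added example (not from the Symantec brief): inventory the executables an
# Azure VM actually runs, as input for an Application Control allow rule set
# or a System Lockdown fingerprint list. Run in an elevated session so that
# the paths of system processes are readable.
#
# Assumptions not stated in the brief: MD5 is used as the hash algorithm, and
# the CSV layout below is this script's own, NOT the import format of SEPM.

function Get-RunningExecutableInventory {
    # Poll Win32_Process rather than take one snapshot, so that processes that
    # start and exit between samples (logon scripts, scheduled tasks) are seen.
    param(
        [int]$DurationSeconds = 600,
        [int]$IntervalSeconds = 2
    )
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($DurationSeconds)
    do {
        Get-CimInstance -ClassName Win32_Process |
            Where-Object { $_.ExecutablePath } |
            ForEach-Object {
                $key = $_.ExecutablePath.ToLowerInvariant()
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = [pscustomobject]@{
                        Path      = $_.ExecutablePath
                        Name      = $_.Name
                        FirstSeen = Get-Date
                    }
                }
            }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    $seen.Values | Sort-Object Path
}

function Add-FileFingerprint {
    # Attach a file hash to each inventory entry; an empty Hash marks a file
    # that could not be read (for example, one deleted after it ran).
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string]$Algorithm = 'MD5'
    )
    process {
        $hash = ''
        if (Test-Path -LiteralPath $Entry.Path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $Entry.Path -Algorithm $Algorithm).Hash
        }
        $Entry | Add-Member -NotePropertyName Hash -NotePropertyValue $hash -PassThru
    }
}

function Compare-ToBaseline {
    # Report executables observed on this VM whose hash is not in the baseline
    # built from the golden image: these are what an allow-only policy blocks,
    # so review them before enforcing the policy.
    param(
        [Parameter(Mandatory = $true)] [object[]]$Observed,
        [Parameter(Mandatory = $true)] [string]$BaselineCsv
    )
    $allowed = @{}
    foreach ($b in (Import-Csv -LiteralPath $BaselineCsv)) {
        if ($b.Hash) { $allowed[$b.Hash] = $b.Path }
    }
    foreach ($o in $Observed) {
        $status = if (-not $o.Hash) { 'UNREADABLE' }
                  elseif ($allowed.ContainsKey($o.Hash)) { 'ALLOWED' }
                  else { 'NOT_IN_BASELINE' }
        [pscustomobject]@{ Status = $status; Path = $o.Path; Hash = $o.Hash }
    }
}

# Usage (paths are placeholders):
# On the golden image, build the baseline over a full boot-and-workload cycle:
#   $inv = Get-RunningExecutableInventory -DurationSeconds 900 | Add-FileFingerprint
#   $inv | Export-Csv -NoTypeInformation -LiteralPath C:\temp\golden-exe-baseline.csv
# On a deployed VM, audit what runs against that baseline:
#   $now = Get-RunningExecutableInventory -DurationSeconds 900 | Add-FileFingerprint
#   Compare-ToBaseline -Observed $now -BaselineCsv C:\temp\golden-exe-baseline.csv |
#       Where-Object Status -ne 'ALLOWED' | Format-Table -AutoSize
```

The comparison matches on hash only, so a known-good binary that has moved to a different path still reports as ALLOWED; if your Application Control rules are path-bound, also compare the Path column before treating the audit as clean.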
Restricting applications with System Lockdown

System lockdown provides whitelisting or blacklisting capabilities. The whitelisting mode allows you to control which applications are allowed to run on the Azure VM. These approved applications are contained in a list of file fingerprints that includes each application's checksum and file path.

Implementing system lockdown is a two-step process. First, create a file fingerprint list, and then import the list into Symantec™ Endpoint Protection Manager for use in the system lockdown configuration. To generate the file fingerprint list, use the checksum tool included in the Symantec™ Endpoint Protection client installation. Symantec recommends that you create a software image that includes all of the applications to whitelist on the Azure VM, and then use this image to create the file fingerprint list.

For more information on configuring system lockdown for whitelisting, see:
http://www.symantec.com/docs/HOWTO80848

Restricting applications with Application Control

In addition to signature-based or Symantec-defined rule-based protection, you can also restrict applications from running on the endpoints by creating protection rules that you define. These rules can range from the simple task of blocking access to autorun.inf files on all removable devices, to the more complicated tasks of preventing browser helper objects from being registered, or making USB devices read-only in a specific location.

Configure Application Control to allow only the applications specific to the Azure VM as well as the required operating system applications that the VM runs at startup. To do this, you first monitor which applications the virtual machine runs, and then create a rule that allows these applications.

To restrict applications from running on the VM using Application Control:

1. Run a tool, such as Process Monitor or Process Explorer, to get a list of all applications that run on the Azure virtual machine. Keep the tool running during normal activity to find startup processes and any applications that are short-lived.
2. With the list of all the applications, create an Application Control rule set at the highest priority to allow those applications to run. Include the full path and name of each application.
3. If you are using a software management tool, such as Symantec Endpoint Management or Microsoft System Center, create a second rule set at a lower priority to allow the software management tool to run any application. Enable the Sub-processes inherit conditions option for this rule.
4. Create a third rule set at a lower priority to block any application from running.

These rule sets block other applications from running, even if the other applications are valid applications. The advantage of this blocking is that attackers sometimes use valid applications that are present on the Azure VM, but that are not normally used, to attack the system. For example, attackers may use applications like cmd.exe, cscript.exe, or even telnet.exe.

For more information, see the knowledge base article About Application and Device Control
http://www.symantec.com/docs/HOWTO80859

Restricting applications for system hardening

In addition to restricting unapproved applications, use Application Control to harden an Azure VM. Symantec offers predefined rule sets that block behavior known to be malicious. As a best practice, enable the following rule sets to block malicious application behaviors. To enable system hardening, check the following rule sets in the default Application Control policy:

1. Block programs from running from removable drives
2. Block modifications to the hosts file
3. Block access to scripts
4. Block access to Autorun.inf
5. Block File Shares
6. Prevent changes to Windows shell load points
7. Prevent changes to system using browser or office products
8. Prevent vulnerable Windows processes from writing code
9. Prevent Windows Services from using UNC paths
10. Block access to lnk and pif files

Known Issues when running Symantec™ Endpoint Protection on the Azure Platform

When running Symantec Endpoint Protection on Azure VMs, be aware of the following issues.

Remove duplicate offline clients in the Symantec™ Endpoint Protection Manager

If you shut down and de-allocate the Azure VM using the Azure management portal or Azure PowerShell, a new hardware ID is assigned to the VM upon restart. As a result, duplicate clients appear in Symantec™ Endpoint Protection Manager. If you use the normal process of shutting down or restarting the VM through Windows, such as when you click Start > Shutdown, you do not generate duplicate clients.
For information on how to purge the duplicate offline clients, see the following knowledge base article:

Purging obsolete clients from the database to make more licenses available
http://www.symantec.com/docs/HOWTO81051

Disable the “Prompt before allowing applications traffic” option

For an Azure VM with the Symantec™ Endpoint Protection client installed, make sure that the Prompt before allowing application traffic option for the client group is disabled. This option is disabled by default, but if you enable it, the Remote Desktop Protocol (RDP) session for the Azure VM immediately disconnects and you cannot reconnect. You may lose all data on the existing VM and may have to recreate the VM.
You can find this option in Symantec™ Endpoint Protection Manager by clicking Clients > Group > Policies > Location-specific Settings > Client User Interface Control Settings. Set the control type to mixed control. On the Client/Server Control Settings tab, click Server for the Configure unmatched IP traffic settings option. On the Client User Interface Settings tab, disable the option by clearing Prompt before allowing applications traffic.

In the Symantec™ Endpoint Protection client, click Status > Network Threat Protection > Options > Change Settings > Firewall > Unmatched IP Traffic Settings.

Do not block port 80 with a firewall rule

If you block port 80 with a Symantec™ Endpoint Protection firewall rule on the computer used to access the Azure VM, the RDP session for the Azure VM immediately disconnects and you cannot reconnect unless you open port 80 again.

Where to get more information

For more information about running Symantec Endpoint Protection on the Azure platform, see the following articles.

Symantec Endpoint Protection on Microsoft's Azure platform
http://www.symantec.com/docs/HOWTO98414

Symantec Endpoint Protection Client best practices for Windows Azure VM Role
http://www.symantec.com/docs/TECH192909

Symantec Endpoint Protection and Microsoft Azure (Symantec TV)
http://www.symantec.com/tv/products/details.jsp?vid=3662995462001

Microsoft Azure Site
http://azure.microsoft.com

Legal notice

This Symantec product may contain third-party software for which Symantec is required to provide attribution to the third party (“Third-Party Programs”). Some of the Third-Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses.
Please see the Third-Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third-Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
About Symantec

Symantec protects the world’s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment, from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 3/2015