Symantec Endpoint Protection (SEP) 11.0 Configuring the SEP Client for Self-Protection


Contents

Purpose of this Whitepaper
Overview
The SEP Client Interface
  Changing Policy Configuration Settings
  Accessing the SEP Client Interface
Disabling/Uninstalling the SEP Client from outside the Client Interface
  Stopping SEP Services
  Uninstalling the Client
Additional Technologies for Protecting the SEP client
  Tamper Protection – Protecting SEP Processes
  Application Control – Protect Client files and registry keys


Purpose of this Whitepaper:


Overview

There are different ways that a SEP client can be protected from intentional or unintentional changes. This whitepaper describes three main approaches to protecting the SEP client and details the limitations of each. Its aim is to provide guidance on protecting the SEP client from tampering by users who hold administrative privileges on a system.

Throughout this paper, the assumption is that administrative users should be prevented from making changes to the SEP client. By default, a restricted user cannot make changes to the SEP client. In cases where a restricted user can make changes, this will be noted in the document.

Accessing the SEP client interface and changing policy configurations

Administrators can control which parts of the SEP client interface are accessible, or hide it completely. In addition, administrators can control whether or not administrative users can make changes to their policy configuration.

When protecting a standard configuration from being changed, consider the following policies:

• Antivirus and Antispyware policy
• Firewall Policy
• Intrusion Prevention Policy
• Application and Device Control policy
• LiveUpdate Policy
• Centralized Exceptions

Stopping SEP client services or uninstalling of the SEP Client

When the SEP client is installed, there are various ways to prevent administrative users from uninstalling the client, or stopping SEP Client Services. The following services are listed in the Microsoft Windows Services Manager:

• Symantec Endpoint Protection
• Symantec Management Client
• Symantec Event Manager
• Symantec Settings Manager

Additional Technologies for protecting the integrity of the SEP client

In addition to configuring Policies and Settings to prevent altering the SEP client, there are additional mechanisms to further protect the client from tampering.

• Application Control


The SEP Client Interface

This section provides an overview of the settings an administrator can use to control what a user is allowed to change. It is broken down into two main categories: changing policies, and accessing the User Interface.

Changing Policy Configuration Settings

Please see each individual policy listed here for information on default settings and what needs to be done to lock down settings so they cannot be changed by administrative users.

Antivirus and Antispyware policies

By default, administrative users can change Antivirus policy settings, including disabling Auto-Protect real-time scanning. To prevent administrative users from changing Antivirus and Antispyware settings, each individual setting in the Antivirus and Antispyware policy must be locked. This is done by clicking the lock icon next to a given setting, as shown in the screenshots below.

“Enable File System Auto-Protect” unlocked (default setting)

“Enable File System Auto-Protect” locked after clicking on lock icon

A client with a locked Antivirus and Antispyware policy setting will still display the setting in the client User Interface but it will be grayed out and the user will not be able to change it. In order to lock all settings, each lock icon must be closed as shown in the screenshots above.


Truscan Proactive Threat Protection

Truscan Proactive Threat Protection can be locked within the Antivirus and Antispyware policies. Truscan is the behavioral scanning component in Symantec Endpoint Protection. To prevent administrative users from disabling Truscan Proactive Threat Protection, edit the Antivirus and Antispyware policy and configure as


Firewall Policies

By default, Firewall policy rules and configurations cannot be changed in the Client Interface. By default, however, administrative users can disable Network Threat Protection (by right-clicking the tray icon and selecting “Disable Symantec Endpoint Protection”).

In order to prevent administrative users from disabling Network Threat Protection do the following steps in the SEPM.

1. Go to the Clients page and select the Policies tab.
2. Expand “Location-specific Settings” and click “Client User Interface Control Settings.”
3. Ensure the Server-Control radio button is selected and click “Customize.”
4. Uncheck the box next to “Allow administrative users to enable or disable Network Threat Protection” as shown below.

Note: In order for this setting to take effect, it is required to block administrative users from


Intrusion Prevention Policies

Intrusion Prevention policies cannot be changed in the Client Interface by default. By taking the above steps to prevent administrative users from disabling Network Threat Protection, administrative users are also prevented from disabling Intrusion Prevention scanning.

Application and Device Control Policies

Application and Device Control policies cannot be changed or disabled in the Client Interface by default.

LiveUpdate Policies

By default LiveUpdate policies cannot be changed in the Client Interface. Administrative users are also not allowed to run LiveUpdate manually from the user interface.

If administrative users should be allowed to run LiveUpdate manually or change the LiveUpdate schedule this is done in the LiveUpdate Settings policy under the “Advanced” dialogue.

Centralized Exceptions Policies

By default, administrative users are able to add Exceptions to exclude files, folders, or threats from being scanned.


Accessing the SEP Client Interface

Administrators can control to what extent a user has access to the SEP Client interface. It is possible to provide granular control to administrative users using Mixed Control mode; however, in this paper only the option to hide the UI and/or System Tray icon completely will be discussed. By default, a restricted user can open the SEP client interface.

To access the settings that control access to the SEP client interface, do the following steps:

1. Go to the Clients page and select the Policies tab.
2. Expand “Location-specific Settings” and click “Client User Interface Control Settings.”
3. Ensure the “Server-Control” radio button is selected and click “Customize.”


Display the Client: By default, the SEP Client Interface will be shown if launched from the Tray icon or from the Start>Programs group. To hide the client, uncheck the box next to “Display the Client.”

If the user tries to launch the SEP Client from Start>Programs>Symantec Endpoint Protection, they will get the following dialogue:

Display the notification area icon: By default, the System Tray icon is shown. Double-clicking the icon launches the SEP User Interface.


Disabling/Uninstalling the SEP Client from outside the Client Interface

Aside from disabling the client through configurations in the interface, many organizations wish to prevent the disabling of SEP via other methods (Task Manager, Services Manager, etc.) or even uninstalling the client completely.

Stopping SEP Services

SEP client services can be seen in the Windows Services Control Manager. At this time the only service that can be prevented from being stopped manually is the Symantec Management Client. Although other services can be stopped, these do not disable antivirus protection because Auto-Protect is still active.

It is important to note that restricted users cannot stop Windows services. It is best practice to provide employees with restricted user access unless it is necessary to allow administrative privileges. Administrative users can disable services within the Windows Service Control Manager because an administrative user has full control of the Operating System.

Here is an overview of SEP client services along with descriptions as to why stopping some services does not impact Antivirus protection:

Symantec Endpoint Protection (rtvscan.exe) – User mode antivirus functions (notifications, logging). There is no way to prevent administrative users from stopping this service. However, stopping this service does not disable Auto-Protect!

Symantec Management Client (smc.exe) – Network Threat Protection and client/server communication functions. By default, it is not possible to stop this service in the Services Manager. If a user disables the service in the Services Control Manager, on shutdown the service will automatically be reset to “Automatic.”

By default, administrative users can stop smc.exe from the command line. To require a password before administrative users can stop smc.exe from the command line, do the following steps:

1. Go to the Clients page and select the Policies Tab.

2. Click “General Settings” and select the “Security Settings” tab.


Symantec Event Manager (ccsvchst.exe) – Common client component for Event Manager. There is no way to prevent administrative users from stopping this service. However, stopping this service does not affect Auto-Protect!

Symantec Settings Manager (ccsvchst.exe) – Common client component for Settings Manager. There is no way to prevent administrative users from stopping this service. However, stopping this service does not affect Auto-Protect!

Additional protection for preventing SEP client services from being disabled by malicious programs is available in Tamper Protection, and is described below.
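To confirm on an endpoint that the four services described above are present, running and set to start automatically, the following PowerShell audit can be run periodically. It is an added example written for this page, not Symantec's own tooling; it assumes the service display names listed in this paper are unchanged on the host.

```powershell
# Added example (not from the Symantec whitepaper): audit the SEP 11 client services
# named in this paper and flag any that are stopped, missing, or not set to Automatic.
# Service display names come from the paper; the check logic and output are this example's own.
$expected = @(
    'Symantec Endpoint Protection',   # rtvscan.exe: user-mode AV functions (stopping it leaves Auto-Protect active)
    'Symantec Management Client',     # smc.exe: Network Threat Protection and client/server communication
    'Symantec Event Manager',         # ccsvchst.exe: common client component
    'Symantec Settings Manager'       # ccsvchst.exe: common client component
)

$findings = foreach ($name in $expected) {
    # Win32_Service exposes both the run state and the configured start mode
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$name'"
    if (-not $svc) {
        [pscustomobject]@{ Service = $name; State = 'MISSING'; StartMode = 'n/a'; Finding = 'service not installed or removed' }
        continue
    }
    $issues = @()
    if ($svc.State -ne 'Running')  { $issues += "not running (state: $($svc.State))" }
    if ($svc.StartMode -ne 'Auto') { $issues += "start type is $($svc.StartMode), expected Auto" }
    [pscustomobject]@{
        Service   = $name
        State     = $svc.State
        StartMode = $svc.StartMode
        Finding   = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent flag the host for follow-up.
if ($findings.Finding -ne 'OK') { exit 1 }
```

Run it from an elevated PowerShell prompt so the CIM query returns every service; a host where only rtvscan.exe is stopped still has Auto-Protect, but the finding is worth investigating because the user-mode logging and notifications are gone.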

Uninstalling the Client

To prevent an administrative user from uninstalling the SEP client it is possible to require a password when uninstalling the client. To require a password do the following steps:

1. Go to the Clients page and select the Policies Tab.

2. Click “General Settings” and select the “Security Settings” tab.


Additional Technologies for Protecting the SEP client

In addition to the steps listed above to protect the SEP client, there are technologies that provide additional ways of protecting it. Note that neither of these features currently supports 64-bit operating systems.

Tamper Protection – Protecting SEP Processes

Tamper Protection is a process that monitors SEP processes and prevents them from being shut down forcibly from an external source, such as malicious code. By default this feature is enabled but set to “log only” and does not block processes.

To activate Tamper Protection so that it blocks attempts to terminate SEP client services, do the following steps:

1. Go to the Clients page and select the Policies tab.
2. Click “General Settings”.
3. On the Tamper Protection tab, select “Block it and log the event” from the drop-down box.
4. Click the Lock icon to prevent administrative users from disabling Tamper Protection as


Application Control – Protect Client files and registry keys

Symantec provides a pre-configured rule in Application Control policies to protect the client files and registry keys. When this rule is enabled, administrative users cannot manually delete SEP client files and/or registry keys.

Enable this Application rule by creating an Application and Device Control policy and enabling as shown below:

Note: This Application control rule is active on the local system. It does not prevent files


Appendix A – One Page Overview

This check-list provides a summary of the components that organizations may wish to secure when hardening a client. Some options, such as hiding the Client User Interface completely, may not be a desired setting but is included here to provide an overview of available options.

Preventing Administrative users from changing policies

Lock Policies (Manual Steps Required to lock policies?)

Antivirus and Antispyware: Yes
Firewall: No
IPS: No
Application and Device Control: No
LiveUpdate Policy: No
Centralized Exceptions: Yes

Disabling/uninstalling the SEP Client from outside the Client Interface

Hardening Step (Manual Steps Required?)

Require Password to open User Interface: Yes
Require Password when uninstalling SEP Client: Yes
Require Password when stopping SEP service by command line (smc.exe –stop): Yes
Require Password to import or export a policy: Yes
Hide System Tray Icon: Yes
Prevent Administrative users from disabling SEP network threat protection in client UI: Yes
Prevent Administrative users from stopping SEP client service in Service Control Manager: No
Prevent Administrative users from stopping other SEP Services in Service Control Manager: Not possible at this time. Stopping other services does not disable Auto-Protect Antivirus protection.

Additional technologies to prevent tampering with the SEP Client

Hardening Step (Manual Steps Required?)

Tamper Protection: Yes
Application Control: Default rule to protect client files and registry keys.


Symantec Technology Network

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder/s. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as-is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 800 745 6054.

Symantec Corporation World Headquarters

20330 Stevens Creek Boulevard Cupertino, CA 95014 USA 408 517 8000
