topic Re: Best policies for Endpoint Security on Domain Controllers in Endpoint Security

Best policies for Endpoint Security on Domain Controllers

johnmac — Thu, 03 Mar 2022 12:31:01 GMT

Hi,

I am new to Cisco Endpoint security and I would like to set up the best policy settings on my DC's, i currently have the below set up but i believe these are out of the box settings, should so many protection features be set to 'Audit'?

Any help would be greatly appreciated.

Conviction Modes

These settings control how Secure Endpoint responds to suspicious files and network activity.

Files

Quarantine

Remove and report malicious files.

Network

Audit

Report malicious network connections, but take no other action.

Malicious Activity Protection

Quarantine

End ransomware-like processes, remove their executable, and report them.

System Process Protection

Audit

Report possible malicious tampering of critical operating system processes, but take no other action.

Script Protection

Audit

Report malicious scripts when they execute, but take no other action.

Exploit Prevention

Audit

Report binary code injection attacks against some processes, but take no other action.

Exploit Prevention - Script Control

Audit

Report when an application loads certain DLLs, but take no other action.

Behavioral Protection

Audit

Report malicious activity, but take no other action.

Re: Best policies for Endpoint Security on Domain Controllers

Ken Stieers — Thu, 03 Mar 2022 17:35:20 GMT

So the default/recommended gets you visibility with no actions... they're being SUPER cautious on your domain controllers because it can break things badly if they get things wrong, and it could become difficult to fix.
You can now start turning things on, cautiously, monitoring them as you go. I'd start with Files, Exploit Prevention, and Malicious Activity Protection.

Re: Best policies for Endpoint Security on Domain Controllers

johnosn — Thu, 03 Mar 2022 17:49:32 GMT

I would refer you to pages 22 & 23 of the Secure Endpoint (formerly AMP for Endpoints) Deployment Strategy (November 30, 2021).

You will want to skip the installation of the device flow correlation (DFC) driver and disable the network portion of the policy.

From the "Secure Endpoint Best Practices Guide" section "Policy settings: Server" there is a recommendation to be careful with the deployment of Exploit Prevention. You will want to test that functionality on a test DC before deploying the functionality on the production DCs.

You will also want to add the Cisco-Maintained Exclusion list for "Domain Controllers" to your policy.

Other then those items, you should be fairly safe using the "Server" recommendations.

Files: Quarantine
Network: Disabled
Malicious Activity Protection: Disabled
System Process Protection: Disabled
Script Protection: Quarantine
Exploit Prevention: Audit
Exploit Prevention - Script Control: Audit
Behavioral Protection: Protect