Default Server policies (System Process Protection and Exploit Prevention)

probson55
Level 1

The Recommended settings under the policy suggest that System Process Protection is Disabled, but by default it is enabled, and in the guides there is nothing regarding servers and SPP or EP.

Any sources or recommendations on these settings for servers?

 

Thanks

Phil

3 Replies

Troja007
Cisco Employee

Hello Phil,

For really secure testing you should start with Audit mode for all engines. If you are installing the AMP connector in a test environment, you can also start with blocking mode for all engines. Starting with Audit mode is recommended for production systems.

For servers with high bandwidth consumption, we recommend installing AMP without DFC. You can find the right command line here: https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118587-technote-fireamp-00.html

System Process Protection is designed to protect Windows processes, so this engine should be activated, as should Exploit Prevention. For the first steps, you can also use the Cisco-maintained exclusion lists, which include many useful exclusions.

 

Hope this helps,

cheers,

Thorsten
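As an added worked example (not part of the original thread and not Cisco's own script), here is a PowerShell wrapper for the "install without DFC" step Thorsten describes, intended to be run on a Windows server. The switches /S (silent), /R (no UI) and /skipdfc 1 are the ones listed in the command-line technote linked above; the installer path, the service-name pattern and the -KeepDfc parameter are placeholder assumptions for this example and should be checked against your own deployment.

```powershell
# Added example: silent AMP connector install on a Windows server, skipping the
# DFC (network flow) driver as recommended above for high-bandwidth servers.
# Switches /S, /R and /skipdfc 1 come from Cisco's command-line technote linked
# in the reply. The installer path and service-name patterns are assumptions for
# this example; adjust them for your environment.
param(
    [string]$Installer = "C:\Temp\amp_Server_Policy.exe",   # assumed path to the connector downloaded for the server group
    [switch]$KeepDfc                                         # pass this to install the DFC driver anyway
)

if (-not (Test-Path -LiteralPath $Installer)) {
    throw "Connector installer not found at $Installer"
}

# Build the switch list. Audit vs. Protect mode is not set here; the connector
# picks up the policy of the group its installer was downloaded for.
$switches = @('/S', '/R')
if (-not $KeepDfc) {
    $switches += @('/skipdfc', '1')
}

Write-Host "Running: $Installer $($switches -join ' ')"
$proc = Start-Process -FilePath $Installer -ArgumentList $switches -Wait -PassThru

if ($proc.ExitCode -ne 0) {
    throw "Connector installer exited with code $($proc.ExitCode)"
}

# Verify that a connector service was registered and is running. Service names
# have varied across connector versions (e.g. CiscoAMP_<version>), so match on
# prefix rather than an exact name (assumed patterns).
$svc = Get-Service | Where-Object { $_.Name -like 'CiscoAMP*' -or $_.Name -like 'CiscoSecure*' }
if (-not $svc) {
    throw "No AMP / Secure Endpoint connector service found after install"
}
$svc | Select-Object Name, Status, StartType | Format-Table -AutoSize
```

Run it once per server after downloading the installer for the server group whose policy you want applied; verify in the console afterwards that the connector reports the expected policy and that DFC shows as not installed.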
Hi,

Thanks for the reply. The point was that there is no guidance in the deployment docs regarding System Process Protection or Exploit Prevention for servers. I have deployed AMP across a wide variety of systems using the best practices; it's just that I recently noticed the lack of info on these for the deployments. The thing that stood out was that the server policy is set to Protect for SPP, but the recommended settings when opening the policy are Disabled, so there's a little contradiction there.


Thanks

Phil

Hello @probson55,

I will forward your recommendation to our internal team.

Anything else where we can assist you?

Greetings,

Thorsten