Best policies for Endpoint Security on Domain Controllers

johnmac
Level 1

Hi,


I am new to Cisco Endpoint security and I would like to set up the best policy settings on my DCs. I currently have the below set up, but I believe these are out-of-the-box settings. Should so many protection features be set to 'Audit'?


Any help would be greatly appreciated.


Conviction Modes

These settings control how Secure Endpoint responds to suspicious files and network activity.


Files: Quarantine - Remove and report malicious files.
Network: Audit - Report malicious network connections, but take no other action.
Malicious Activity Protection: Quarantine - End ransomware-like processes, remove their executable, and report them.
System Process Protection: Audit - Report possible malicious tampering of critical operating system processes, but take no other action.
Script Protection: Audit - Report malicious scripts when they execute, but take no other action.
Exploit Prevention: Audit - Report binary code injection attacks against some processes, but take no other action.
Exploit Prevention - Script Control: Audit - Report when an application loads certain DLLs, but take no other action.
Behavioral Protection: Audit - Report malicious activity, but take no other action.

Accepted Solution
So the default/recommended gets you visibility with no actions... they're being SUPER cautious on your domain controllers because it can break things badly if they get things wrong, and it could become difficult to fix.
You can now start turning things on, cautiously, monitoring them as you go. I'd start with Files, Exploit Prevention, and Malicious Activity Protection.
2 Replies

johnosn
Level 1

I would refer you to pages 22 & 23 of the Secure Endpoint (formerly AMP for Endpoints) Deployment Strategy (November 30, 2021). 

You will want to skip the installation of the device flow correlation (DFC) driver and disable the network portion of the policy.


From the "Secure Endpoint Best Practices Guide" section "Policy settings: Server" there is a recommendation to be careful with the deployment of Exploit Prevention. You will want to test that functionality on a test DC before deploying the functionality on the production DCs.


You will also want to add the Cisco-Maintained Exclusion list for "Domain Controllers" to your policy.


Other than those items, you should be fairly safe using the "Server" recommendations.

Files: Quarantine
Network: Disabled
Malicious Activity Protection: Disabled
System Process Protection: Disabled
Script Protection: Quarantine
Exploit Prevention: Audit
Exploit Prevention - Script Control: Audit
Behavioral Protection: Protect