Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3673
Views
20
Helpful
5
Replies

FireAMP \ AMP for Endpoint on Domain Controllers - What's your experience?

priveqSEC
Level 1
Level 1

‎01-27-2016 01:35 PM - edited ‎03-10-2019 06:32 AM

Was wondering if anyone has feedback on their experience running AMP for Endpoint on Domain Controllers? I have created a Domain Controller policy set with the out of box exclusions and added the recommended Windows exclusions for DC's as well, so in total it's about 40 exclusions. We are not a large firm and we do not have a non-prod environment to test on, so naturally there is nervousness by our infrastructure team about having any sort of impact on the DC's performance. Would love to get any feedback on this from the community.

Labels:
0 Helpful
5 Replies 5

david-swope
Level 1
Level 1

‎01-31-2016 04:19 PM

My question would be, why would you want to install AMP for Endpoints on a DC that will always be inline to the NGIPS (AMP for Networks)?

Or do you not have a NGFW w/ FPS running?

Remember, AMP for Endpoints is there to protect those clients that are taken offsite (e.g. Laptops) and that are no longer inline to NGIPS. 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to david-swope

‎01-31-2016 06:49 PM - edited ‎10-24-2017 09:00 AM

AMP for Endpoints is not just for client machines that leave the protected network. Malware can enter the enterprise via many vectors besides the "front door" protected via the perimeter firewall. With AMP for Endpoints we can increase our coverage for those vectors (portable media, pre-existing infections, advanced threats that are not identified during initial ingress, etc.). It can also assist with endpoint compliance by identifying vulnerable software installed.

For what it's worth, I've not seen any issues with it running on servers (including Domain Controllers) in the couple of customer installations I've done.

STUART RUSSELL
Level 1
Level 1
In response to Marvin Rhoads

‎02-08-2016 08:49 PM

We have been running AMP for Endpoints on multiple DCs for many months now and haven't had any issues at all. Great that the latest updates don't require a reboot.

Ed Padilla Jr
Level 1
Level 1
In response to david-swope

‎07-27-2016 12:27 PM

No issues here.  Go for it.  The days to be uneasy about this type of deployment are gone.  If something flags, go and investigate.  It raises suspicion.

0 Helpful

kwalcott
Cisco Employee
Cisco Employee

‎07-26-2016 04:55 PM

Hello priveqSEC,

You have done the baseline work by using the default base policy as well as implementing Microsoft's own AV exclusion recommendations available here: https://support.microsoft.com/en-us/kb/822158.

Another document you may want to review is the deployment strategy guide here: http://www.cisco.com/c/dam/en/us/td/docs/security/sourcefire/fireamp/fireamp-cloud/FireAMPDeploymentStrategy.pdf

In addition to the exclusions you would also want to ensure that you used the "/skipdfc 1" and "/skiptetra 1" switches when deploying the FireAMP connector on a Windows Domain Controller.

This will prevent the installation of the DFC and TETRA drivers that can hurt performance and may cause some conflicts on high availability Windows Servers.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card