01-27-2016 01:35 PM - edited 03-10-2019 06:32 AM
Was wondering if anyone has feedback on their experience running AMP for Endpoint on Domain Controllers? I have created a Domain Controller policy set with the out of box exclusions and added the recommended Windows exclusions for DCs as well, so in total it's about 40 exclusions. We are not a large firm and we do not have a non-prod environment to test on, so naturally there is nervousness by our infrastructure team about having any sort of impact on the DCs' performance. Would love to get any feedback on this from the community.
01-31-2016 04:19 PM
My question would be, why would you want to install AMP for Endpoints on a DC that will always be inline to the NGIPS (AMP for Networks)?
Or do you not have a NGFW w/ FPS running?
Remember, AMP for Endpoints is there to protect those clients that are taken offsite (e.g. Laptops) and that are no longer inline to NGIPS.
01-31-2016 06:49 PM - edited 10-24-2017 09:00 AM
AMP for Endpoints is not just for client machines that leave the protected network. Malware can enter the enterprise via many vectors besides the "front door" protected via the perimeter firewall. With AMP for Endpoints we can increase our coverage for those vectors (portable media, pre-existing infections, advanced threats that are not identified during initial ingress, etc.). It can also assist with endpoint compliance by identifying vulnerable software installed.
For what it's worth, I've not seen any issues with it running on servers (including Domain Controllers) in the couple of customer installations I've done.
02-08-2016 08:49 PM
We have been running AMP for Endpoints on multiple DCs for many months now and haven't had any issues at all. Great that the latest updates don't require a reboot.
07-27-2016 12:27 PM
No issues here. Go for it. The days to be uneasy about this type of deployment are gone. If something flags, go and investigate. It raises suspicion.
07-26-2016 04:55 PM
Hello priveqSEC,
You have done the baseline work by using the default base policy as well as implementing Microsoft's own AV exclusion recommendations available here: https://support.microsoft.com/en-us/kb/822158.
Another document you may want to review is the deployment strategy guide here: http://www.cisco.com/c/dam/en/us/td/docs/security/sourcefire/fireamp/fireamp-cloud/FireAMPDeploymentStrategy.pdf
In addition to the exclusions you would also want to ensure that you used the "/skipdfc 1" and "/skiptetra 1" switches when deploying the FireAMP connector on a Windows Domain Controller.
This will prevent the installation of the DFC and TETRA drivers that can hurt performance and may cause some conflicts on high availability Windows Servers.
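As an added example (not code from any of the posts above): a PowerShell check that reads the configured AD database, log and SYSVOL paths from the DC's own registry, since KB 822158 expects the exclusions to match the actual paths rather than the defaults, and reports which of them your AMP policy's exclusions do not cover. The $PolicyExclusions list is a constructed sample to replace with your policy's entries, and the function names are my own.

```powershell
# Added example, not part of the thread. Run elevated on the Domain Controller.
$PolicyExclusions = @(          # constructed sample; paste your AMP policy exclusions here
    'C:\Windows\NTDS\ntds.dit',
    'C:\Windows\SYSVOL'
)

function Get-DcExclusionTargets {
    # Configured locations live in the NTDS and Netlogon service parameters.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $targets = @()
    # AD database plus its transaction logs, checkpoint and temp database (KB 822158)
    $targets += $ntds.'DSA Database file'
    $targets += Join-Path $ntds.'Database log files path' 'edb*.log'
    $targets += Join-Path $ntds.'Database log files path' 'edb.chk'
    $targets += Join-Path $ntds.'DSA Working Directory' 'temp.edb'
    # SYSVOL tree (policies, scripts, replication staging) as shared by Netlogon
    $targets += $nl.SysVol
    # FRS working directory only exists on DCs still replicating SYSVOL with FRS
    $frs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' `
           -ErrorAction SilentlyContinue
    if ($frs -and $frs.'Working Directory') { $targets += $frs.'Working Directory' }
    return $targets | Where-Object { $_ } | Select-Object -Unique
}

function Test-Covered {
    param([string]$Target, [string[]]$Exclusions)
    foreach ($ex in $Exclusions) {
        $e = $ex.TrimEnd('\')
        if ($Target -like $e)          { return $true }   # exact or wildcard match
        if ($Target -like ($e + '\*')) { return $true }   # target sits under an excluded folder
    }
    return $false
}

# Report every KB 822158 path on this DC that no policy exclusion accounts for.
$missing = Get-DcExclusionTargets |
    Where-Object { -not (Test-Covered -Target $_ -Exclusions $PolicyExclusions) }
if ($missing) {
    'Not covered by the policy exclusions:'
    $missing | ForEach-Object { "  $_" }
} else {
    'All KB 822158 Domain Controller paths are covered by the policy exclusions.'
}
```

Matching is case-insensitive and treats a bare folder exclusion as covering everything beneath it, which is how a path exclusion behaves; extension-only exclusions in the policy would need to be expanded before feeding them into $PolicyExclusions.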