FireAMP \ AMP for Endpoint on Domain Controllers - What's your experience?

priveqSEC
Level 1

Was wondering if anyone has feedback on their experience running AMP for Endpoint on Domain Controllers? I have created a Domain Controller policy set with the out-of-box exclusions and added the recommended Windows exclusions for DCs as well, so in total it's about 40 exclusions. We are not a large firm and we do not have a non-prod environment to test on, so naturally there is nervousness on our infrastructure team about having any sort of impact on the DCs' performance. Would love to get any feedback on this from the community.

5 Replies

david-swope
Level 1

My question would be, why would you want to install AMP for Endpoints on a DC that will always be inline to the NGIPS (AMP for Networks)?

Or do you not have a NGFW w/ FPS running?

Remember, AMP for Endpoints is there to protect those clients that are taken offsite (e.g. Laptops) and that are no longer inline to NGIPS. 

AMP for Endpoints is not just for client machines that leave the protected network. Malware can enter the enterprise via many vectors besides the "front door" protected via the perimeter firewall. With AMP for Endpoints we can increase our coverage for those vectors (portable media, pre-existing infections, advanced threats that are not identified during initial ingress, etc.). It can also assist with endpoint compliance by identifying vulnerable software installed.

For what it's worth, I've not seen any issues with it running on servers (including Domain Controllers) in the couple of customer installations I've done.

We have been running AMP for Endpoints on multiple DCs for many months now and haven't had any issues at all. Great that the latest updates don't require a reboot.

No issues here. Go for it. The days to be uneasy about this type of deployment are gone. If something flags, go and investigate. It raises suspicion.

kwalcott
Cisco Employee

Hello priveqSEC,

You have done the baseline work by using the default base policy as well as implementing Microsoft's own AV exclusion recommendations available here: https://support.microsoft.com/en-us/kb/822158.

Another document you may want to review is the deployment strategy guide here: http://www.cisco.com/c/dam/en/us/td/docs/security/sourcefire/fireamp/fireamp-cloud/FireAMPDeploymentStrategy.pdf

In addition to the exclusions you would also want to ensure that you used the "/skipdfc 1" and "/skiptetra 1" switches when deploying the FireAMP connector on a Windows Domain Controller.

This will prevent the installation of the DFC and TETRA drivers that can hurt performance and may cause some conflicts on high availability Windows Servers.
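As an added illustration of the deployment step kwalcott describes (this is not code from the thread or from Cisco), the following PowerShell script installs the connector silently on a Domain Controller with the "/skipdfc 1" and "/skiptetra 1" switches, refuses to run on a host that is not a DC, and then checks whether any matching kernel drivers ended up running anyway. The installer path and the driver-name pattern are assumptions you must adjust for your environment; only the /S, /skipdfc 1 and /skiptetra 1 switches are taken from the connector's documented command-line options.

```powershell
# Added example, not from the original thread: silent install of the AMP for Endpoints
# (FireAMP) connector on a Domain Controller with the DFC and TETRA drivers skipped,
# followed by a check that no matching kernel driver is running.
#
# ASSUMPTIONS (adjust before use):
#   $Installer     - path to the connector installer downloaded from your AMP console
#   $DriverPattern - wildcard matching the connector's kernel driver names on your version

$Installer     = 'C:\Temp\FireAMPSetup.exe'   # assumption
$DriverPattern = 'immunet*'                   # assumption

# Win32_ComputerSystem.DomainRole: 4 = Backup Domain Controller, 5 = Primary Domain Controller.
# Refuse to apply the DC-specific install path to a member server or workstation.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -notin 4, 5) {
    throw "This host is not a Domain Controller (DomainRole=$role); use the standard connector install instead."
}

if (-not (Test-Path -Path $Installer)) {
    throw "Connector installer not found at $Installer"
}

# /S = silent; /skipdfc 1 and /skiptetra 1 suppress the DFC (network) and TETRA (AV engine) drivers.
$switches = @('/S', '/skipdfc', '1', '/skiptetra', '1')
$proc = Start-Process -FilePath $Installer -ArgumentList $switches -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Connector installer exited with code $($proc.ExitCode)"
}

# Post-install check: list any running kernel drivers whose name matches the pattern.
# An empty result means the skip switches took effect; a non-empty one means you should
# review the install log and the policy assigned to this DC before trusting it in production.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like $DriverPattern -and $_.State -eq 'Running' }

if ($drivers) {
    Write-Warning ("AMP kernel drivers are running on this DC:`n" + ($drivers.Name -join "`n"))
} else {
    Write-Output "No kernel drivers matching '$DriverPattern' are running; /skipdfc and /skiptetra took effect."
}
```

Run it from an elevated PowerShell session on the DC itself. The DomainRole guard is there because the skip switches remove the network and AV driver coverage you normally want on ordinary servers, so the script should never be pushed out as a blanket install command.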
