This article describes the best practices that Technical Support recommends to appropriately configure the security protection for ACC.
NOTE: See the "Related Information" section for a list of the product guides referenced in this article for each version of ACC.
The scope of this article is limited to the following key items identified as focus areas:
Customizing our default configuration
- Evaluate the environment
Our default configuration is optimal for most enterprise security requirements. Technical Support recommends that customers work with a Sales Engineer to evaluate the configuration based on the specific workflows, applications, and requirements.
- Build and test a custom configuration
After completing an analysis, Technical Support recommends that customers build the appropriate configuration and test it in a staging environment before rollout.
- Assess security needs against usability
Before customizing the default configuration, Technical Support recommends mapping the risk and usability of the system and applications. Customers can increase or decrease the level of security based on their business or critical needs.
Disabling unwanted applications, script interpreters, or binaries
- Identify unwanted applications
Application Control provides a mechanism to pull the entire inventory of the system to the ePolicy Orchestrator (ePO) server. ePO also provides an application inventory view of all installed applications available on the endpoints. The administrator must evaluate all installed applications and then identify applications that aren't needed or allowed in their enterprise.
For more information about managing inventory items using the ePO console, see the Change Control and Application Control Product Guide for your product version.
- Ban or remove unwanted items
The administrator must ban or remove all unnecessary or unsafe inventory items. These items include applications, script interpreters, or binary files. This action reduces the attack surface of the environment. Application Control and ePO should be used together to bring systems into the correct security posture.
For more information, see the appropriate ACC Product Guide for your version.
Using a layered approach to security protection
- Perimeter security
The first level of security is the network. Customers must consider appropriate perimeter security for endpoints that are exposed to external networks to prevent unwanted attacks against these systems. For example, customers can deploy Web Gateway to protect perimeter endpoints.
- Physical access security
Customers must protect their endpoints from unauthorized physical access and against offline access of the system drive. Technical Support recommends using encryption software for protection against offline access of the system drive. If not prevented, such access can make security systems ineffective.
- Administrative access control
Preventing unauthorized administrative access to endpoints is the most critical part of securing them. Employ the principle of least privilege and use role-based access control and User Access Control where available. Only provide endpoint access to authorized users.
- Configure endpoint security controls
Application Control provides protection using multiple techniques. Decisions about security posture are typically based on the security and compliance requirements of the organization. Some customers might need multiple security products to make sure that endpoints are protected and comply with the security policy of the enterprise. For information and guidance on the level of protection and other security controls, collaborate with a Sales Engineer. Based on their requirements, customers can choose to deploy more products, such as antivirus, Encryption, and Data Loss Prevention.
Applying system updates
- Critical security updates
The presence of Application Control can mitigate risks related to delays in applying updates. However, even with the buffer-overflow mitigation the product provides, an attempted exploit can still result in a DoS or other attack. Such an attack can make the system unusable if it involves a critical system process. Customers must apply updates as soon as possible, especially critical security updates recommended by the operating system and application vendors.
Implementing configuration recommendations
- Memory protection (CASP, VASR, DEP)
The memory protection features of Application Control provide a layer of defense against exploits that cause buffer overflows. Technical Support recommends enabling all memory protection features. Any decision to disable these features is discouraged and must be done only after consulting the Support team. Always evaluate the potential risk for any exceptions.
For more information about memory-protection techniques, see the Change Control and Application Control Product Guide for your product version.
- Script authorization
Application Control includes a default list of script interpreters that acts as an allow list of script exclusions. Technical Support recommends that you update the list based on the requirements in your environment. You must evaluate script interpreters (such as PowerShell, Perl, PHP, and Java) and the extensions they support. Technical Support recommends removing all unnecessary script interpreters from the system. If removal isn't an option, you can prevent their execution using Application Control constructs.
For more information, review the "Configuring interpreters to allow execution of additional scripts" (7.x) / "Configure interpreters to allow execution of additional scripts" (6.x) section of the Application Control Product Guide. You can issue the necessary commands from the ePO console using the SC: Run Commands Client Task.
- Trusted update mechanisms
Application Control provides trusted mechanisms for proper functioning and update of applications. Scripts or binaries that are delivered through these trusted mechanisms are allowed to execute. Technical Support provides a default list of trusted executables. You must exercise due diligence when adding new updater rules.
For more information, see the Change Control and Application Control Product Guide for your product version.
- Configure alerts and notifications
Constant monitoring is an integral part of protecting your systems. Application Control sends events to the ePO console when it prevents an unwanted operation. Technical Support recommends that the ePO administrator configure the alerts and email notifications needed to stay informed of activity at the endpoints.
For more information about how to add automatic responses, see the Change Control and Application Control Product Guide for your product version.