Endpoint Protection Policy best practices
Default Endpoint Protection Policies should be considered generic baseline Policies that need to be modified to meet the specific needs of the Groups that the Policy will be assigned to. Your specific requirements should always prevail.
Consider the following when determining which Policies you need to create:
- Naming. Make sure that your Policy names can be easily understood. When you have multiple Policies, use descriptive names that quickly identify the type of settings that are enabled in each Policy. You might want to also specify any applications or websites that are blocked.
- Logical Groups and special circumstances. What are your main logical Groups? Do some need to be broken down into smaller Groups? What functions require different Policy settings? Do you need to have different Policies for machines that you want to allow to be shut down versus those that cannot be shut down? Do you need to block applications or websites for some of your logical Groups?
- People and computers. You may need different Policies for executives and non-executives, workstations and servers, different departments, or even different roles within a department.
The following are best practice suggestions for different types of Entities. Again, your specific requirements should always prevail.
- Workstations. When creating a Policy for workstations, make a copy of the Recommended Defaults Policy and then modify the following setting:
  - Scan Settings
    - Turn Automatically remove threats found on the learning scan to On. This removes any threats found during the learning scan and creates a clean baseline. Once a machine is clean, Endpoint Protection can quickly check only the things that have changed.
- Servers. When creating a Policy for servers that will not be directly accessed, make a copy of the Recommended Server Defaults Policy and then modify each of the following settings:
  - Scan Settings
    - Turn Automatically remove threats found on the learning scan to On. This removes any threats found during the learning scan and creates a clean baseline. Once a machine is clean, Endpoint Protection can quickly check only the things that have changed.
  - Realtime Shield
    - Turn the Scan files when written or modified option to On. This option prevents threats from being introduced as files are written, especially back door threats such as a malicious macro embedded in what appears to be a safe document file.
- RDS/Terminal Servers. When creating a Policy for servers that will be directly accessed, make a copy of the Recommended Server Defaults Policy and then modify each of the following settings:
  - Basic Configuration
    - Turn Show SecureAnywhere in the Start Menu to Off. Hiding the client from the Start menu makes it harder for users who log on to the server to open Endpoint Protection. This is especially important when multiple people have access to the server.
    - Turn Show SecureAnywhere in Add/Remove Programs to Off. Hiding the client from Add/Remove Programs makes it harder for users to uninstall Endpoint Protection. This is especially important when multiple people have access to the server.
  - Scan Settings
    - Turn Scan archived files to On. Scanning inside archives gives more thorough protection of the server.
    - Turn Automatically remove threats found on the learning scan to On. This removes any threats found during the learning scan and creates a clean baseline. Once a machine is clean, Endpoint Protection can quickly check only the things that have changed.
  - Realtime Shield
    - Turn the Scan files when written or modified option to On. This option prevents threats from being introduced as files are written, especially back door threats such as a malicious macro embedded in what appears to be a safe document file.
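As an added example that is not part of this page or of Webroot's software, the Python script below models the three derivations described above (copy a baseline Policy, then apply the listed changes) and audits a set of Policies against those expected settings, reporting any that drifted. The baseline contents, the setting keys, the Policy names and the export format are all constructed for the example; the console's actual Policy fields are not shown on this page.

```python
from copy import deepcopy

# Baseline policies as setting maps. These values are constructed for the
# example; they stand in for the console's Recommended Defaults and
# Recommended Server Defaults policies, whose full contents this page does
# not list. The setting keys are hypothetical names, not Webroot's own.
RECOMMENDED_DEFAULTS = {
    "basic.show_in_start_menu": True,
    "basic.show_in_add_remove_programs": True,
    "scan.scan_archived_files": False,
    "scan.auto_remove_on_learning_scan": False,
    "realtime.scan_files_when_written": False,
}
RECOMMENDED_SERVER_DEFAULTS = deepcopy(RECOMMENDED_DEFAULTS)

# Which baseline each entity type starts from, and the settings the best
# practices above say to change after copying it.
BASELINE_FOR = {
    "workstation": RECOMMENDED_DEFAULTS,
    "server": RECOMMENDED_SERVER_DEFAULTS,
    "rds": RECOMMENDED_SERVER_DEFAULTS,
}
REQUIRED_OVERRIDES = {
    "workstation": {
        "scan.auto_remove_on_learning_scan": True,
    },
    "server": {
        "scan.auto_remove_on_learning_scan": True,
        "realtime.scan_files_when_written": True,
    },
    "rds": {
        "basic.show_in_start_menu": False,
        "basic.show_in_add_remove_programs": False,
        "scan.scan_archived_files": True,
        "scan.auto_remove_on_learning_scan": True,
        "realtime.scan_files_when_written": True,
    },
}


def derive_policy(entity_type, name):
    """Build a policy the way the page describes: copy the baseline for the
    entity type, then apply the required overrides."""
    settings = deepcopy(BASELINE_FOR[entity_type])
    settings.update(REQUIRED_OVERRIDES[entity_type])
    return {"name": name, "entity_type": entity_type, "settings": settings}


def audit_policy(policy):
    """Return a list of (setting, expected, actual) tuples for every
    best-practice setting the policy does not satisfy. A setting that is
    absent from the policy is reported with actual=None."""
    expected = REQUIRED_OVERRIDES[policy["entity_type"]]
    findings = []
    for key, want in expected.items():
        have = policy["settings"].get(key)
        if have != want:
            findings.append((key, want, have))
    return findings


def audit_policies(policies):
    """Map each policy name to its findings; an empty list means compliant."""
    return {p["name"]: audit_policy(p) for p in policies}


# Constructed sample export: one policy built correctly and two that drifted.
SAMPLE_POLICIES = [
    derive_policy("workstation", "WS-Default-AutoRemove"),
    {
        "name": "SRV-Legacy",
        "entity_type": "server",
        "settings": {
            **RECOMMENDED_SERVER_DEFAULTS,
            "scan.auto_remove_on_learning_scan": True,
            # Realtime Shield setting left at its baseline value.
        },
    },
    {
        "name": "RDS-Prod",
        "entity_type": "rds",
        "settings": {
            **RECOMMENDED_SERVER_DEFAULTS,
            "basic.show_in_start_menu": False,
            "scan.auto_remove_on_learning_scan": True,
            "realtime.scan_files_when_written": True,
            # Still visible in Add/Remove Programs; archives not scanned.
        },
    },
]

if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES).items():
        status = "OK" if not findings else f"{len(findings)} deviation(s)"
        print(f"{name}: {status}")
        for key, want, have in findings:
            print(f"  {key}: expected {want}, found {have}")
```

Keeping the required overrides as data separate from the baseline makes the audit reusable: when you add a Group with its own requirements, add an entry to REQUIRED_OVERRIDES rather than another branch of logic, and run the audit against a fresh export of your Policies after every change.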