Security and Privacy for Endpoint Protection in Configuration Manager


Updated: June 26, 2015

Applies To: System Center 2012 R2 Endpoint Protection, System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 Endpoint Protection SP1, System Center 2012 Endpoint Protection, System Center 2012 R2 Configuration Manager SP1

This topic contains information about security best practices and privacy information for Endpoint Protection in System Center 2012 Configuration Manager.

Because Endpoint Protection uses software updates to deliver definition updates to client computers, make sure that you also read Security and Privacy for Software Updates in Configuration Manager.

Security Best Practices for Endpoint Protection

Use the following security best practices for Endpoint Protection.

Security best practice: Use automatic deployment rules to deliver definition updates to client computers.

More information: Use the software updates automatic deployment rules to ensure that clients automatically receive the latest definition updates.

Security best practice: Make sure that the site is configured to use encryption, or that all management points are configured for HTTPS client connections.

More information: Because Endpoint Protection clients use status messages to send information about any malware that they detect, prevent others from reading this information on the network by encrypting the data.

To configure encryption for the site, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic.

For management points to support HTTPS client connections, you must deploy PKI certificates. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

Security best practice: If you use email notification, configure authenticated access to the SMTP mail server.

More information: Whenever possible, use a mail server that supports authenticated access and use the computer account of the site server for authentication. If you must specify a user account for authentication, use an account that has the least privileges.

Security best practice: Ensure that end users do not have local administrative privileges.

More information: Although it is always a security best practice to grant end users the least privileges that they need and not to grant them local administrative privileges, this is especially important for Endpoint Protection. When users have local administrative rights on computers that run the Endpoint Protection client, they might be able to do the following:

  • They can delete the reported instances of malware on their computer before this information is sent to Configuration Manager. Information about malware detection is collected and sent to the Configuration Manager site every five minutes. A local administrator can delete the record of a malware detection on their computer, and if this happens within those five minutes, Configuration Manager will have no information about the detected malware.

  • They can uninstall the Endpoint Protection client or stop dependent services. Although Configuration Manager can detect that Endpoint Protection is no longer installed and will automatically reinstall it, and client status can restart a stopped service and set it back to automatic, this still leaves a potential window of vulnerability during which the computer is unprotected by Endpoint Protection.
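The following script is an added example, not part of this topic or of Configuration Manager itself. It audits one client for the two risks just described: end users holding local administrator rights, and the Endpoint Protection service being stopped or not set to start automatically (mirroring the remediation that client status performs). It assumes the Endpoint Protection client runs as the Windows service named MsMpSvc, and the list of expected administrators is a constructed placeholder.

```powershell
# Added example: audit a client for local admin end users and an unhealthy
# Endpoint Protection service. Assumption: the Endpoint Protection client runs
# as the service MsMpSvc (Microsoft Antimalware Service); adjust if yours differs.
$serviceName = 'MsMpSvc'
# Constructed list of accounts expected to hold local admin rights; edit for your environment.
$allowedAdmins = @('Administrator', 'Domain Admins', 'Workstation Admins')

function Get-LocalAdministrators {
    # Enumerate the local Administrators group via ADSI, which works on
    # Windows 7 / Server 2008 R2 era clients that lack Get-LocalGroupMember.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-EndpointProtectionService {
    # Report whether the service exists, is running, and starts automatically;
    # with -Remediate, restart it and set it back to Automatic, as client status does.
    param([switch]$Remediate)
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; Running = $false; StartMode = $null }
    }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
    if ($Remediate) {
        if ($wmi.StartMode -ne 'Auto') { Set-Service -Name $serviceName -StartupType Automatic }
        if ($svc.Status -ne 'Running') { Start-Service -Name $serviceName }
        $svc = Get-Service -Name $serviceName
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
    }
    [pscustomobject]@{ Installed = $true; Running = ($svc.Status -eq 'Running'); StartMode = $wmi.StartMode }
}

# Flag any local administrator that is not on the expected list.
$unexpected = Get-LocalAdministrators | Where-Object { $allowedAdmins -notcontains $_ }
if ($unexpected) {
    Write-Warning ("Unexpected local administrators on {0}: {1}" -f $env:COMPUTERNAME, ($unexpected -join ', '))
}

# Check (and correct) the Endpoint Protection service state.
$state = Test-EndpointProtectionService -Remediate
if (-not $state.Installed) {
    Write-Warning "Service '$serviceName' is not installed; Configuration Manager should reinstall the client."
} elseif (-not $state.Running -or $state.StartMode -ne 'Auto') {
    Write-Warning "Service '$serviceName' is unhealthy (Running=$($state.Running), StartMode=$($state.StartMode))."
} else {
    Write-Output "Endpoint Protection service is running and set to start automatically."
}
```

Run it with administrative rights on the client; the warnings it emits are the conditions that indicate the protection window described above has been opened.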

Security Issues for Endpoint Protection

Endpoint Protection has the following security issues:

  • Email notification uses SMTP, which is a protocol that lacks security protection.

    When you use email notification for Endpoint Protection, this can be a convenient method to quickly learn about the malware that is detected on computers so that you can take remedial action as soon as possible. However, before you enable notifications by using email, consider the advantages and disadvantages according to your security risk profile and infrastructure capacity. For example, anybody can send email from your specified sender address and tamper with the message. In addition, an attacker could flood the network and email server with spoofed emails that appear to come from Configuration Manager.

Privacy Information for Endpoint Protection

You see privacy information for Endpoint Protection when you install the Endpoint Protection point, and you can read the Microsoft System Center 2012 Endpoint Protection Privacy Statement online.