
McAfee ePolicy Orchestrator 5.1.0 Software
Best Practices Guide

COPYRIGHT
Copyright 2014 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface  7
    About this guide  7
    Audience  7
    Conventions  7
    What's in this guide  8

1  Introduction  11
    Using McAfee ePO software in your network  11
    Components  12

Installing and configuring your McAfee ePO software

2  Configuring your hardware  17
    What affects McAfee ePO performance  17
    Server hardware requirements  18
    Planning your hardware configuration  24
        Using one server  24
        Installing your server in a virtual environment  24
        Sharing the SQL database hardware  25
    Planning your hard disk configuration  25
    Using a SAN with your SQL database  28

3  Installing and upgrading McAfee ePO software  29
    Installing McAfee ePO  29
    Upgrading an existing McAfee ePO server  29
        Using product version numbers  31
        Determining the best upgrade strategy  32
    Moving the server  32
    Moving agents between servers  34
        Using the Transfer Systems task  34

4  Using the McAfee Agent and your System Tree  37
    How the McAfee Agent works  37
    Deploying agents  39
        Creating the McAfee Agent file  40
        Deploying agents from the McAfee ePO server  41
        Using the Active Directory to synchronize McAfee Agent deployment  42
        Deploy the McAfee Agent using a URL  44
        Adding the McAfee Agent to your image  44
        Deploying the McAfee Agent using third-party tools  45
    What the System Tree does  46
        Using Active Directory synchronization  46
        Sorting your systems dynamically  46

Managing and reporting

5  Managing endpoint security with policies and packages  51
    Managing policies  51
    McAfee Agent policy  52
        Configure an agent-server communication interval  53
        Send a policy change immediately  53
    Deploy packages  54

6  Using client and server tasks in your managed environment  55
    How client tasks deploy products  55
        Product deployment workflows  56
        Configure product updates  58
    Modifying McAfee ePO with server tasks  61

7  Reporting with queries  63
    Reporting features  63
    How to use custom queries  64
        Create custom event queries  65
        How event summary queries work  70
        Create custom table queries  76

8  Running reports with the web API  81
    Using the web URL API or the McAfee ePO user interface  81
    McAfee ePO command framework  82
    Using the web URL Help  84
    Using S-Expressions in web URL queries  89
    Parsing query export data to create web URL queries  92
    Web URL query examples  95
        Query with ID number  95
        Query with XML data  99
        Query using table objects, commands, and arguments  101

Scaling your managed network

9  Using repositories  107
    What repositories do
    Repository types
        FTP repositories
        HTTP repositories
        UNC share repositories
        SuperAgent repositories
    Where to place repositories
    How many repositories do you need?
        Disable server Master Repository
    Global Updating restrictions

10  Using Agent Handlers  119
    Introducing Agent Handlers
    Agent Handler basics
        Agent Handlers eliminate multiple McAfee ePO servers
    Agent Handler functionality
        Providing scalability
        Failover protection with Agent Handlers
        Network topology and deployment considerations
    Agent Handler installation and configuration  129
        Deployment considerations  129
        Agent Handler configuration overview  129
        Configure Agent Handlers list  131
        Configure Agent Handlers groups and virtual groups  131
        Configure Agent Handlers priority  132
        Configure assignments for Agent Handlers  132
    Adding an Agent Handler in the DMZ  133
        Configure hardware, operating system, and ports  134
        Install software and configure the Agent Handler  135
    Frequently Asked Questions  138

Maintaining and optimizing your McAfee ePO software

11  Maintaining your McAfee ePO server  143
    Monitoring server performance
        Finding and using Performance Monitor
        Use "perfmon" with ePolicy Orchestrator
        Check event processing
    Estimating and adjusting the ASCI
        Estimating the best ASCI
        Configure the ASCI setting
    Maintaining your SQL database
        Maintaining the McAfee ePO SQL database
    Recommended tasks
        Recommended daily tasks
        Recommended weekly tasks
        Recommended monthly tasks
        Periodic tasks

12  Bandwidth usage  161
    Agent deployment and bandwidth  161
        Calculating client updates bandwidth  162
    Bandwidth required to deploy managed products  163
    Bandwidth recommendations for repository distribution  164
        Calculating bandwidth for repository replication and product updates  166

13  Automating and optimizing McAfee ePO workflow  169
    Find systems with the same GUID
    Purging events automatically
        Create a purge events server task
        Purge events by query
    Creating an automatic content pull and replication
        Pull content automatically
    Filtering 1051 and 1059 events
        Filter 1051 and 1059 events
    Finding systems that need a new agent
        Create a new Agent Version Summary query
        Update the McAfee Agents with a product deployment project
    Finding inactive systems
        Change the Inactive Agents query
        Delete inactive systems
    Measuring malware events
        Create a query that counts systems cleaned per week
    Finding malware events per subnet
        Create a query to find malware events per subnet
    Automating DAT file testing  183
        Pull and copy DAT updates from McAfee  184
        Create a test group of systems  187
        Configure an agent policy for the test group  188
        Configure an on-demand scan of the test group  188
        Schedule an on-demand scan of the test group  189
        Configure an Automatic Response for malware detection  190
    Create an automatic compliance query and report  191
        Create a server task to run compliance queries  193
        Create a report to include query output  194
        Create a server task to run and deliver a report  194

14  Plan your disaster recovery  197
    Use Disaster Recovery
    Use server clusters for disaster recovery
    Use cold and hot spares on one physical site
    Use cold and hot spares on two physical sites

A  Additional Information