8 Replies Latest reply on Feb 27, 2008 11:05 AM by kellerjd

    Policy Exclusions

      In your server farms, do you have different policies with different exclusions for different server types? For example, different policies for SQL, Exchange, SMS, Citrix and Clusters...etc? Or do you have 1 policy for all servers with a long exclusion list?

      What is considered a best practice?
        • 1. RE: Policy Exclusions
          metalhead
          Check the McAfee KB. There are different exclusions to set for Oracle, SQL database servers, Exchange servers, SAN mountpoints, AD controllers ...
          • 2. RE: Policy Exclusions
            That's not what I mean. I know what exclusions I need. My question is, should I create a different policy with the needed exclusions for each type of server or a single policy with ALL servers?

            For example, if I have 10 SQL Boxes...Should I create an EPO 3.6.1 group for them and then apply a policy that only pertains to SQL Exclusions? Or do I create a SERVER GROUP that all servers are a member of with a policy for all Exclusions?

            Right now I am only controlling 200 servers but that will increase to approx 1500 servers in 12 months.

            I'm looking for a best practice in regards to server policy.

            Does this make more sense?
            • 3. RE: Policy Exclusions
              metalhead
              I would create a group for e.g. all SQL Servers and create one policy which I assign to the SQL server group.

              But generally it depends on your structure and the type of exclusion. E.g. if you have exclusions based on file extension like mdf, ldf etc. for a SQL server, it is no problem to "group" them with one policy.

              From a security standpoint, if you must configure exclusions based on folders (e.g. C:\program files\exchsrvr for an Exchange Server), it would be better to create a policy for each server with different folder names - e.g. if you have one Exchange server installed on drive D: and one on drive C:, then you would create two policies with the definite folder names.

              When it comes to manageability (like it is in your case with 1200 servers) I would probably go with a "less" secure policy and create, in the case of the Exchange servers above, a policy for all Exchange servers with an exclusion of ?:\Program Files\exchsrvr.

              Generally, more wildcards in an exclusion means more unnecessary exclusions, leading to a more insecure configuration. So it is always necessary to find the best way between manageability and security.
              • 4. RE: Policy Exclusions
                Thanks. To give you an idea of what I am looking at.....I am currently part of a team that is consolidating 12 State Government Agencies into 1 huge IT Structure. I have 8 EPO Servers that are managing approx 30k boxes and 4 Symantec (Yuck) servers managing approx 15k boxes. So when completed, I will have between 40k and 50k boxes.

                Since I am building this from the ground level I am really wanting to use as many best practices as possible.

                I have searched for best practices documents but have come up empty. Are there any out there that I just cannot find?
                • 5. RE: Policy Exclusions
                  tonyb99
                  For that kind of business I'm surprised McAfee corporate support aren't falling over themselves to give you the earth. Have you asked them for third-line best practice advice on the issue?
                  • 6. RE: Policy Exclusions
                    Never thought about it. I have been scanning KB Articles, reading the forums, reading Documentation, and asking questions. My experience with Tech Support in general has not been positive.

                    How do I go about asking for Tier 3 best practices support?
                    • 7. RE: Policy Exclusions
                      hey,

                      i am involved in something similar at the mo - when rollout is completed, it will be an infrastructure of about 150k machines globally.

                      the stance i am taking is a role based one - AD is organised by role (SQL, DCs, Exchange etc) so for ease of configuration i have tried to make one size fits all policies that can be pinned to the parent group, and that will allow easy scaling of more Exchange servers, etc.

                      of course all server types follow a common build structure, drive letters, etc so in that respect it is easier to make a common policy

                      in this way, there will be a SQL policy, a DC policy, etc - each has documented change control and version history.

                      in my case i need to justify anything i don't scan, and i can supply performance metrics to back up my stance. by having one policy per server type, i am not excluding anything i don't need to.
                      • 8. RE: Policy Exclusions
                        I've decided that I will create a separate policy for each server type. I think in the long run it will be easier to manage. In fact, I am creating an exclusions document for our change management team to consider. Once approved it will become our documented standard.

                        I wish I could tie into our AD structure, but that is evolving as well. In many cases right now, I am taking over AV on machines that are not currently part of our AD Structure. Many agencies have a huge installed Novell base...So it is a very slow migration. There isn't an easy way to accomplish what we are trying to do. It just takes a lot of time and analysis.
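The trade-off raised in replies 3 and 7 (wildcard folder exclusions and policy scope versus the number of policies to maintain), as an added example that is not part of any post in this thread. The server names, drive layouts and the `expand`, `exclusions_for`, `excess` and `policy_count` helpers are constructed for illustration; only the `?:\Program Files\exchsrvr` pattern comes from the thread, and the matching is a simplified model, not McAfee's engine.

```python
# Simplified model: only a leading "?:" drive wildcard is handled (assumption).
# All inventory data below is constructed for this example.

# server -> (role, local drive letters, folders that genuinely need excluding)
SERVERS = {
    "EXCH01": ("exchange", "CD", {r"C:\Program Files\exchsrvr"}),
    "EXCH02": ("exchange", "CDE", {r"D:\Program Files\exchsrvr"}),
    "SQL01": ("sql", "CE", set()),
}
WILDCARD = r"?:\Program Files\exchsrvr"

def expand(pattern, drives):
    """Concrete folders a folder exclusion covers on a server with these drives."""
    if pattern.startswith("?:"):
        return {d + pattern[1:] for d in drives}
    return {pattern} if pattern[0].upper() in drives else set()

def exclusions_for(model, name):
    """Exclusion list a server receives under each policy layout."""
    role, _, needed = SERVERS[name]
    if model == "single":        # one policy with every exclusion, all servers
        return [WILDCARD]
    if model == "per_role":      # one policy per server type
        return [WILDCARD] if role == "exchange" else []
    if model == "per_server":    # exact folder names per server
        return sorted(needed)
    raise ValueError(model)

def excess(model):
    """Folders left unscanned with no justification, per server."""
    report = {}
    for name, (_, drives, needed) in SERVERS.items():
        covered = set()
        for pattern in exclusions_for(model, name):
            covered |= expand(pattern, drives)
        report[name] = sorted(covered - needed)
    return report

def policy_count(model):
    """Policies to maintain: the manageability side of the trade-off."""
    if model == "single":
        return 1
    if model == "per_role":
        return len({role for role, _, _ in SERVERS.values()})
    return len(SERVERS)

if __name__ == "__main__":
    for m in ("single", "per_role", "per_server"):
        print(m, policy_count(m), excess(m))
```

The per-server output is the list a change-control reviewer would want to see empty; the other two layouts show which unscanned folders are being accepted in exchange for fewer policies.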