Application Control security best practices
Technical Articles ID:   KB85337
Last Modified:  4/9/2017


Environment

McAfee Application Control (MAC) 7.x, 6.x
Microsoft Windows

Summary

This article describes the best practices that Technical Support recommends to appropriately configure the security protection for Application Control.

NOTE: See the Related Information section for a list of the product guides referenced in this article for each version of Application Control.
 
The scope of this article is limited to the following key items identified as focus areas:

Customizing the McAfee default configuration
  1. Evaluate the environment
    The McAfee default configuration is optimal for most enterprise security requirements. However, Technical Support recommends that customers work with a Sales Engineer to evaluate the configuration based on the specific workflows, applications, and requirements. 
  2. Build and test a custom configuration
    After completing an analysis, Technical Support recommends that customers build the appropriate configuration and test the configuration in a staging environment before rollout. 
  3. Assess security needs against usability
    Before creating the default configuration, Technical Support recommends mapping the risk and usability of the system and applications. Customers can increase or decrease the level of security based on their business or critical needs.
Disabling unwanted applications, script interpreters, or binaries
  1. Identify unwanted applications
    Application Control provides a mechanism to pull the entire inventory of the system to the ePolicy Orchestrator (ePO) server. ePO also provides an application inventory view of all installed applications available on the endpoints. The administrator must evaluate all installed applications and then identify applications that are not required or allowed in their enterprise.

    For more information about managing inventory items using the ePO console, review the "Managing the inventory" section of the Change Control and Application Control Product Guide.
  2. Ban or remove unwanted items
    The administrator must either ban or remove all unneeded or unsafe inventory items, such as applications, script interpreters, or binary files. This action reduces the attack surface of the environment. Application Control and ePO should be used in conjunction to bring systems to the required security posture.

    For more information about how to ban and remove items using the ePO console, review the "Allow or block a binary file" (7.x) / "Allow or ban a binary file" (6.x) section of the Change Control and Application Control Product Guide.
Using a layered approach to security protection
  1. Perimeter security
    The first level of security is the network. Customers must consider appropriate perimeter security for endpoints that are exposed to external networks to prevent unwanted attacks against these systems. For example, customers can deploy Web Gateway to protect perimeter endpoints. 
  2. Physical access security
    Customers must protect their endpoints from unauthorized physical access and against offline access of the system drive. Technical Support recommends using encryption software for protection against offline access of the system drive. If not prevented, such access can make security systems ineffective. 
  3. Administrative access control
    Preventing unauthorized administrative access to endpoints is the most critical part of securing them. You should employ the principle of least privilege and use Role Based Access Control and User Access Control where available. Only provide endpoint access to authorized users.
  4. Configure endpoint security controls
    Application Control provides protection using multiple techniques. Decisions about security posture are typically based on the security and compliance requirements of the organization. Some customers might need multiple security products to ensure that endpoints are protected and comply with the security policy of the enterprise. Collaborate with the associated Sales Engineer for information and guidance on the required level of protection and other security controls that must be used. Based on their requirements, customers can choose to deploy additional products, such as Anti-Virus, Encryption, and Data Loss Prevention.
Applying System updates and patches
  1. Critical security patches
    The presence of Application Control can mitigate risks related to delays in applying updates. However, even with the product's buffer overflow mitigation in place, an attack that targets a critical system process can still cause a DoS or another effect that makes the system unusable. Customers must therefore apply patches as soon as possible, especially critical security patches recommended by the operating system and application vendors.
Implementing configuration recommendations
  1. Memory protection (CASP, VASR, DEP)
    The memory protection features of Application Control provide a layer of defense against exploits that cause buffer overflows. Technical Support recommends enabling all memory protection features. Any decision to disable these features is discouraged and must be done only after consulting the support team. You should evaluate the potential risk for any exceptions.

    For more information about memory-protection techniques, review the "Memory-protection techniques" section of the Change Control and Application Control Product Guide.
  2. Script authorization
    Application Control includes a default list of script interpreters that governs which script types are subject to whitelisting. Technical Support recommends that you update the list based on the requirements in your environment. You must evaluate the script interpreters present on the endpoint (such as PowerShell, Perl, PHP, and Java) and the file extensions they support. If any script interpreters are present with no business requirement, Technical Support recommends they be removed from the system or prevented from execution using Application Control constructs.

    For more information, review the "Configuring interpreters to allow execution of additional scripts" (7.x) / "Configure interpreters to allow execution of additional scripts" (6.x) section of the Application Control Product Guide. You can issue the needed commands from the ePO console using the SC: Run Commands Client Task. 
  3. Trusted update mechanisms
    Application Control provides various trusted mechanisms for proper functioning and update of applications. Scripts or binaries that are delivered through these trusted mechanisms are allowed to execute. Technical Support provides a default list of trusted executables. You must exercise due diligence when adding new updater rules.

    For more information, review the "Designing the trust model" (7.x, 6.2) / "Design the trust model" (6.1) section of the Change Control and Application Control Product Guide.

  4. Configure alerts and notifications
    Constant monitoring is an integral part of protecting your systems. Application Control sends events to the ePO console whenever it prevents an unwanted operation. Technical Support recommends that the ePO administrator configures the required alerts and email notifications to be aware of the activities at the endpoints.

    For more information on how to add automatic responses, review the "Receive change details" (7.x, 6.2) / "Receive change details by email" (6.1) section of the Change Control and Application Control Product Guide.
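As an added example that is not part of this KB article or the product, the following PowerShell script supports the "Identify unwanted applications" and "Script authorization" steps above: it lists the interpreters the article names (plus a few common extras) that are present on PATH, and the file extensions Windows routes to them, so the result can be compared against the Application Control script interpreter list before deciding what to ban. It assumes it runs on the endpoint with rights to read HKEY_CLASSES_ROOT; the interpreter list is a constructed starting point, not a product default.

```powershell
# Added example (not from the KB article): inventory script interpreters and the
# file extensions associated with them, for review against the Application Control
# script interpreter list. Assumption: run locally with read access to HKCR.

# Constructed list: interpreters the article names plus common Windows script hosts.
$Interpreters = @('powershell.exe', 'pwsh.exe', 'perl.exe', 'php.exe', 'java.exe',
                  'javaw.exe', 'wscript.exe', 'cscript.exe', 'python.exe')

# Resolve each interpreter on PATH and record its location and file version.
$Found = foreach ($exe in $Interpreters) {
    Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Interpreter = $exe
                Path        = $_.Source
                Version     = (Get-Item $_.Source).VersionInfo.FileVersion
            }
        }
}

# Walk registered extensions under HKCR, follow each to its ProgId's open command,
# and keep those whose handler is one of the interpreters above.
$ExtMap = foreach ($ext in Get-ChildItem Registry::HKEY_CLASSES_ROOT |
                   Where-Object { $_.PSChildName -like '.*' }) {
    $progId = (Get-ItemProperty $ext.PSPath -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { continue }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $cmd    = (Get-ItemProperty $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and ($Interpreters | Where-Object { $cmd -match [regex]::Escape($_) })) {
        [pscustomobject]@{ Extension = $ext.PSChildName; ProgId = $progId; Command = $cmd }
    }
}

# Report: interpreters present, then extensions that would invoke them.
$Found  | Format-Table -AutoSize
$ExtMap | Format-Table -AutoSize
```

Interpreters that appear in the first table without a business requirement are candidates for removal or banning; extensions in the second table show which script types each remaining interpreter will execute.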