Securing Your Server
Ivanti Endpoint Security protects your network endpoints. Server operation is critical to your network's overall security.
To ensure your server is as secure as possible, Ivanti suggests implementing the following security practices:
For additional information on securing your server, refer to Securing Your Application Server.

Implement Secure Sockets Layer (SSL) to secure all Ivanti Endpoint Security communication.
SSL is a protocol which is designed to provide secure data transmission over the Internet. SSL support is included in Web browsers, Web servers, and operating systems.
Ivanti Endpoint Security uses SSL when downloading vulnerability data and packages from the Global Subscription Service.
In addition, SSL can be used for transmitting data between the Ivanti Endpoint Security server and Ivanti Endpoint Security Agent by enabling SSL during the installation of Ivanti Endpoint Security. The installation process requires obtaining an SSL certificate (.CER). For details regarding installing with SSL enabled, refer to the Ivanti Endpoint Security: Server Installation Guide.

When setting passwords for Ivanti Endpoint Security, using secure passwords significantly lowers the probability that your server can be compromised.
Worm attacks, which attempt to install malicious software on a target endpoint, frequently test logins with weak and commonly used passwords. For secure passwords, Ivanti recommends a 12-character password that combines mixed-case alpha characters, numeric characters, and punctuation characters.

When installing Ivanti Endpoint Security, you should disable the File and Printer Sharing for Microsoft Networks protocol on the target server. If this protocol is left active, it creates a security risk that intruders can exploit: a Windows networking share. Therefore, File and Printer Sharing for Microsoft Networks should be disabled.

Ivanti recommends placing your Ivanti Endpoint Security server behind a firewall. This procedure is considered best practice.
Since the Ivanti Endpoint Security server receives content updates from the Global Subscription Service (GSS), allowing the Ivanti Endpoint Security server specific Internet access is unnecessary. However, access to the GSS must be specified in your firewall configuration.
For details regarding install requirements, refer to the Ivanti Endpoint Security: Server Installation Guide.

Ivanti Endpoint Security requires only a few essential services to operate. Disabling services that are not critical to its operation reduces security risks.
The default installation of Microsoft Windows sets most features and services to active. Therefore, there may be a number of services that can be disabled (e.g., RPC, Remote Registry) to reduce security risks. Ivanti does not encourage a lockdown by disabling Windows services. However, it can be an effective method to reduce the risk of hacker attacks.
The following services are required to run Ivanti Endpoint Security:
- World Wide Web Publishing Service
- IIS Admin Service
- SQL Server
- Replication Service
- STATEngine
- EDS Server
- EDS Installer Service
Prior to disabling non-essential services, contact Ivanti Self Service Support to ensure disabling services does not impact your server performance.
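The following PowerShell audit is an added example, not part of Ivanti's documentation. It checks the required services listed above and reports every other running service for review, without changing anything. Matching on display name with a trailing wildcard is an assumption, because installed names can carry a suffix such as an SQL Server instance name.

```powershell
# Added example: report-only audit; it changes nothing on the server.
# Display-name patterns come from the required-services list above. The trailing
# wildcards are an assumption; 'SQL Server*' also matches companion services
# such as SQL Server Agent, so narrow it to your instance name if needed.
$required = @(
    'World Wide Web Publishing Service*',
    'IIS Admin Service*',
    'SQL Server*',
    'Replication Service*',
    'STATEngine*',
    'EDS Server*',
    'EDS Installer Service*'
)

function Test-RequiredService {
    param([string]$DisplayName, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($DisplayName -like $p) { return $true }
    }
    return $false
}

$services = Get-CimInstance -ClassName Win32_Service

# 1. Required services that are absent or not running.
foreach ($p in $required) {
    $hits = @($services | Where-Object { $_.DisplayName -like $p })
    if ($hits.Count -eq 0) {
        Write-Warning "No installed service matches '$p'"
    }
    foreach ($s in ($hits | Where-Object { $_.State -ne 'Running' })) {
        Write-Warning "Required service not running: $($s.DisplayName) [$($s.State), $($s.StartMode)]"
    }
}

# 2. Running services outside the list: candidates to review with support,
#    not a disable list (Windows itself depends on many of them).
$services |
    Where-Object { $_.State -eq 'Running' -and
                   -not (Test-RequiredService $_.DisplayName $required) } |
    Sort-Object DisplayName |
    Select-Object Name, DisplayName, StartMode, StartName |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the server and keep the output as the baseline to discuss before any service is disabled.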

Unused ports within the Windows Server operating system pose a security risk to Ivanti Endpoint Security Servers. Therefore, these ports should be closed.
Use a firewall to prevent network traffic on various unused and vulnerable TCP and UDP ports. However, if a firewall is not available or additional server-level disablement is desired, TCP and UDP ports can be disabled as a function of the network connection.

The Ivanti Endpoint Security server should have the most recent security patches installed.
Apply all applicable Microsoft Security Patches to ensure that the server remains protected against all known security threats. Be sure to apply the most recent patches for Internet Information Services, SQL Server, and the version of Windows server in use.