Best Practices — Post-Deployment Tips for Endpoint Security
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
WatchGuard Endpoint Security products provide network administrators with a set of tools and features to reduce the attack surface, to monitor and prevent threats, and to strengthen the security of the network. After you deploy the endpoint software, review the tips in this document.
Features available differ by product. Not all Endpoint Security products have the features described in this topic. For more information, go to Supported Features by Endpoint Security Product.
Monitor Threats
Check the security status of the network for a specific period through dashboards and detailed lists. You can use this information to monitor threats to the computers and devices on your network.
Check Dashboards
The WatchGuard Endpoint Security product dashboard shows an overview of the security status of the network for a specific period. Several tiles show important information and provide links to more details. For more information, see:
- WatchGuard EDR Core Security Dashboard
- WatchGuard EPP Security Dashboard
- WatchGuard EDR Security Dashboard
- WatchGuard EDR Core Security DashboardWatchGuard EPDR Security Dashboard
- WatchGuard Advanced EPDR Security Dashboard
Review Lists
Cybercriminals can take advantage of a single vulnerable endpoint to carry out lateral movements that can compromise the security of the whole network, so it is critical to make sure every endpoint is protected. The My Lists section of the Status page provides quick links to detailed lists filtered to show specific information that helps you monitor the health and security of your network. Most dashboard tiles have an associated list, so you can quickly see information graphically in the tile and then get more detail from the list. For more information, go to About My Lists in WatchGuard Endpoint Security.
We recommend that you use predefined or new lists to monitor unprotected or outdated protection endpoints to prevent attack, such as:
- Outdated Protection
- Offline Computers
- Pending Critical Patches
- Installation Errors
- Outdated Software
Settings
Use the Settings page to configure security, productivity, and connectivity parameters for the computers and devices you manage. You can configure security settings profiles to reduce the attack surface. This section provides recommendations for initial deployment and setting configuration.
For more information on security settings profiles, go to Manage Settings Profiles.
Restrict Access to Specific Website Categories
Configure the categories of websites accessible to users to reduce the number of dubious sites, pages with many ads, and innocent-looking but dangerous download portals (such as for ebooks or pirate software) that might infect user computers. For more information, go to Configure Web Access Control.
Block Access to USB Drives and Other External Devices
Another commonly-used infection vector is the USB drives and modems that users bring from home. Limit or totally block the use of these devices to prevent malware infections. For more information, go to Configure Device Control (Windows Computers).
Restrict Communications (Firewall and IDS)
To minimize exposure to threats, a firewall prevents communications to and from programs that are not malicious in nature but might leave the door open to malware. If malware has infected the network through a chat or P2P application, configured firewall rules can prevent communication from the programs to the outside world. For more information, go to Configure Firewall Settings (Windows Computers).
Security
Follow these recommendations to strengthen the security of your network:
Reinforce Authentication Methods
Apply multi-factor authentication methods and require the use of robust passwords across your network.
Patch Vulnerable Systems and Update Out-of-Date Applications
Update vulnerable systems and out-of-date applications to prevent attacks that try to exploit security holes. For more information, go to Patch Management Best Practices.
Uninstall or Update End-of-Life (EOL) Programs
EOL software is more likely to have unpatched vulnerabilities that malware could exploit. Use lists to view the computers in EOL or near EOL and plan to remove or update the software. For more information, go to Patch Management Best Practices.
Encrypt Information on Internal Storage Devices
Use WatchGuard Full Encryption to minimize the exposure of the data stored on computers in the event of loss or theft, to prevent access to confidential data, and to use recovery tools to retrieve files from removed drives. For more information, go to About Full Encryption.
Additionally, we recommend that you use the TPM module included on computer motherboards or update their hardware to support this tool. The TPM module prevents the use of hard disks on computers other than those used to encrypt them and detects changes to a computer boot sequence. For more information, go to About Trusted Platform Module Technology (Windows Computers).
Isolate At-Risk Computers and Devices
You can isolate an at-risk computer to block communication to and from the computer. When you isolate a computer, WatchGuard Endpoint Security blocks all communications, except for those it requires. For more information, go to Isolate a Computer.
Limit RDP Connections
Identify computers that require Remote Desktop Protocol (RDP) connections and restrict RDP use to the bare minimum. For more information, go to Configure RDP Attack Settings.
Schedule Scans
You can configure scan tasks to run immediately or later. Tasks can run once or repeatedly at specified time intervals. For more information, go to Create a Scheduled Scan Task.
Configure Alerts and Reporting
Configure alerts, reports, and charts to stay informed about the security status of your network.
Enable Alerts
Configure alerts to send to the network administrator by email. You define alerts for each management UI user. The content of an alert email varies based on the managed computers that are visible to the recipient. For more information, go to Configure Email Alerts.
Schedule Reports
You can email a report of security information from the computers protected by WatchGuard Endpoint Security. You can schedule reports to send daily, weekly, or monthly on specific days and at specific times. This enables you to closely monitor the security status without the need to access the management UI. For more information, go to Manage Scheduled Reports.
Audit User Actions
You can see log information for user sessions and actions, as well as system events. For more information, go to Activity Logs.