Security Policy - Best Practices
Use these best practices to configure and harden the Endpoint Security policy after the initial deployment.
Endpoint Security includes Endpoint Management as a Service (EPMaaS), a cloud-based service that manages policies and deployments for Endpoint Security clients.
Threat Prevention Policy Profile - Initial Baseline
Recommendation
Select the predefined Optimized Threat Prevention policy profile.
Description
The Optimized Threat Prevention policy profile aligns with security best practices and provides a balanced baseline for endpoint protection. It enables a comprehensive set of prevention capabilities that protect against common and advanced attack techniques while maintaining operational stability.
The Optimized profile can be further hardened with the additional recommendations described in this topic.
Operational Guidance
- Use the Optimized profile as the baseline after initial deployment.
- Switch from the Detect or Tuning profiles to the Optimized profile.
- Apply additional hardening steps incrementally.
Behavioral Protection - Low Memory Mode
Recommendation
Do not enable Low Memory mode (default: Disabled).
Configuration Path
Policy > Threat Prevention > Policy Capabilities > Behavioral Protection > Advanced Settings > Behavioral Guard & Anti-Ransomware
Description
Low Memory mode loads a limited subset of behavioral detection signatures optimized for environments with strict memory constraints. This mode reduces memory consumption but lowers detection coverage.
Windows clients version E89.10 and higher include performance and stability optimizations that significantly reduce CPU and memory usage. As a result, the trade-off between memory usage and detection coverage is no longer required.
Operational Guidance
- Deploy Endpoint Security clients on Windows version E89.10 or higher.
- Do not enable Low Memory mode in production environments.
- Note that the reduced detection coverage of Low Memory mode increases risk exposure.
- Low Memory mode is planned for gradual deprecation in future Endpoint Security versions.
Analysis & Remediation - Termination of Trusted Processes (LOLbins)
Recommendation
Enable termination of trusted processes as part of automatic attack remediation.
Configuration Path
Policy > Threat Prevention > Policy Capabilities > Analysis & Remediation > Advanced Settings > File Remediation > Trusted Files = Terminate
Description
Trusted processes include signed operating system binaries commonly present on endpoints. Attackers can abuse these processes as part of the attack chain. These processes are commonly referred to as living-off-the-land binaries (LOLbins), for example, powershell.exe, svchost.exe, and certutil.exe.
Terminating trusted processes during remediation helps sanitize the complete attack chain. This stops detected attacks effectively and prevents continued malicious activity using trusted operating system components.
When enabled, fully remediated attacks reach a Cleaned status instead of remaining Active, reducing the risk of ongoing impact.
Operational Guidance
- This setting is enabled by default in newly created Endpoint Security cloud tenants.
- Existing cloud and on-premises environments must be reviewed, because rules created before the default changed keep their earlier value.
- Configure this setting explicitly in each applicable Threat Prevention rule.
Endpoint Firewall - Deployment for Remote Attack Containment
Recommendation
Deploy the Endpoint Firewall capability using Software Deployment rules.
Description
Endpoint Firewall supports endpoint self-isolation and network-level containment as part of automated and on-demand response actions. This capability is used by on-demand Push Operations, XDR response actions, and Playblocks automations.
Endpoint Firewall is also required to automatically stop remotely executed ransomware attacks over the SMB protocol.
In scenarios where file encryption is performed remotely from another compromised computer in the same network, no malicious process runs locally on the target endpoint. Behavioral Guard detects the ransomware activity, and Endpoint Firewall blocks inbound SMB connections to stop the attack and prevent further data damage.
In these cases, process termination is not applicable. Automatic self-isolation using Endpoint Firewall is the recommended response.
Operational Guidance
- Endpoint Firewall is included in all Check Point Endpoint Security subscriptions.
- Deploy the Endpoint Firewall capability to endpoints using Software Deployment rules.
Endpoint Firewall - Network Micro-Segmentation for Lateral Movement Prevention
Recommendation
Implement network micro-segmentation using Endpoint Firewall rules.
Description
Network micro-segmentation reduces the attack surface for lateral movement by restricting inbound network connections between endpoints.
This approach is important for preventing ransomware propagation, particularly over the SMB protocol.
To mitigate these risks:
- Block incoming SMB connections on all workstations and servers that do not serve as file servers.
- Consider blocking additional inbound TCP/UDP protocols commonly abused for lateral movement.
Operational Guidance
- Block incoming SMB connections on endpoints that do not function as file servers.
- Consider blocking additional inbound TCP/UDP protocols commonly used for lateral movement.
- Apply the rules broadly to endpoints that do not require inbound access.
- Avoid enabling logging for high-volume protocols to prevent performance degradation.
Recommended Inbound Connections to Block with Endpoint Firewall

| Name / Service | Protocol | Ports | Description | Associated Risk (MITRE ATT&CK) | Enable Logging |
|---|---|---|---|---|---|
| SMB (Direct Hosting) | TCP | 445 | File sharing, named pipes, IPC | T1021.002 (SMB/Windows Admin Shares), T1486 (Data Encrypted for Impact) | No |
| NetBIOS Name Service | UDP | 137 | Legacy broadcast name resolution | T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay) | No |
| NetBIOS Datagram Service | UDP | 138 | Legacy broadcast/multicast messaging | T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay) | No |
| NetBIOS Session Service | TCP | 139 | Legacy SMB over NetBIOS | T1021.002 (SMB/Windows Admin Shares) | No |
| RPC Endpoint Mapper | TCP | 135 | RPC service discovery | T1021.003 (DCOM, which is carried over RPC), T1047 (WMI) | Yes |
| RPC Dynamic Ports | TCP/UDP | 49152-65535 | Ephemeral RPC communication ports | T1021.003 (DCOM, which is carried over RPC), T1047 (WMI) | No |
| Remote Desktop Protocol (RDP) | TCP/UDP | 3389 | Interactive remote login | T1021.001 (RDP) | Yes |
| WinRM (HTTP) | TCP | 5985 | Remote management / PowerShell remoting | T1021.006 (Windows Remote Management), T1059.001 (PowerShell) | Yes |
| WinRM (HTTPS) | TCP | 5986 | Encrypted remote management | T1021.006 (Windows Remote Management), T1059.001 (PowerShell) | Yes |

Logging is recommended only for the low-volume management protocols (RPC Endpoint Mapper, RDP, WinRM), where an inbound connection attempt is itself a useful lateral-movement signal. SMB, NetBIOS and the RPC dynamic range generate too many events on a busy network to log at every endpoint.
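After the Endpoint Firewall rules are deployed, confirm from a second machine on the same network segment that the TCP ports in the table above are really unreachable. The following script is an added example and is not Check Point code; it assumes the target host name or address is passed on the command line and that the probing machine sits on the same segment as the target (so no network firewall sits in between). It distinguishes the three answers a SYN can get: open (handshake completed, the port is still exposed), closed (the host answered with RST, so the port is reachable but nothing listens) and filtered (no answer at all, which is what a host firewall drop looks like). Only the fixed TCP ports are probed; UDP ports and the RPC dynamic range are left out because a single unanswered UDP datagram cannot tell a drop from a silent service.

```python
"""Probe a peer endpoint for the inbound TCP ports the micro-segmentation
policy is supposed to block. Added example, not part of the Check Point
documentation. The target address is an argument (assumed); the port list is
taken from the "Recommended Inbound Connections to Block" table."""
import socket
import sys

# Constructed from the table: (service name, TCP port, ATT&CK technique cited there).
BLOCK_LIST = [
    ("SMB (Direct Hosting)", 445, "T1021.002"),
    ("NetBIOS Session Service", 139, "T1021.002"),
    ("RPC Endpoint Mapper", 135, "T1021.003"),
    ("Remote Desktop Protocol (RDP)", 3389, "T1021.001"),
    ("WinRM (HTTP)", 5985, "T1021.006"),
    ("WinRM (HTTPS)", 5986, "T1021.006"),
]


def probe_tcp(host, port, timeout=1.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for one TCP port.

    A host firewall that drops inbound SYNs produces 'filtered' (the connect
    attempt times out). A host with no listener but no firewall answers with
    RST, which shows up as 'closed' and means the rule is NOT in effect."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"          # no SYN-ACK and no RST within the timeout
    except ConnectionRefusedError:
        return "closed"            # RST received: port reachable, nothing listening
    except OSError:
        return "unreachable"       # e.g. no route to host
    finally:
        s.close()


def audit(host, entries=BLOCK_LIST, timeout=1.0):
    """Probe every port in entries; return a list of (name, port, state, technique)."""
    return [(name, port, probe_tcp(host, port, timeout), tech)
            for name, port, tech in entries]


def exposed(results):
    """Entries whose port completed a handshake: these contradict the policy."""
    return [r for r in results if r[2] == "open"]


def not_filtered(results):
    """Entries that answered at all ('open' or 'closed'): the firewall rule is
    not dropping the SYN, even if nothing currently listens on the port."""
    return [r for r in results if r[2] in ("open", "closed")]


def open_local_listener():
    """Bind a loopback listener on an ephemeral port; used to self-test probe_tcp."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(target)
    for name, port, state, tech in results:
        flag = "EXPOSED" if state == "open" else ("REACHABLE" if state == "closed" else "ok")
        print(f"{flag:9} {port:>5}/tcp {state:11} {name} ({tech})")
    # Non-zero exit when any blocked port still answers, so the check can gate a rollout.
    sys.exit(1 if not_filtered(results) else 0)
```

Run it from a workstation in the same VLAN as the hardened endpoint (`python probe_blocked_ports.py <target>`); every row should read `filtered`. A `closed` result is as much a finding as an `open` one: it proves the SYN reached the TCP stack, so the Endpoint Firewall rule is not applied to that endpoint or not matching that port.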


