Endpoint Security for Small Business

by Joseph Moran

Symantec targets small businesses that need big security with its Symantec Endpoint Protection Small Business Edition 12.0. We put it to the test.

A small business network doesn't seem that small when you're trying to safeguard dozens, scores or perhaps hundreds of computers against an endless cavalcade of online threats. Installing data security software on all the computers on your network is the first step to protection, but it's not the last. You need to be sure the data protection on each system remains up-to-date and functioning properly on a daily basis -- after all, as the adage says, a chain is only as strong as its weakest link.

Symantec Endpoint Protection Small Business Edition 12.0 (SEPSBE) aims to provide a high degree of network protection for Windows-based small business networks while at the same time demanding a relatively low amount of legwork to get it running and keep it humming.

The Symantec Protection Center management console provides the security status of your network at a glance.

SEPSBE consists of two parts: 1) a security agent for PCs and servers and 2) a centralized management server that keeps tabs on all the systems running the aforementioned agent. The cornerstone of SEPSBE's integrated agent software is an anti-virus/anti-spyware component, but it also includes a firewall as well as an intrusion prevention module.

This module inspects network traffic to ensure it's not trying to exploit documented security holes (the kind that -- let's face it -- you probably didn't apply the patches for) or engaging in any sketchy behavior. SEPSBE doesn't include spam or phishing protection; for that you need to step up to Symantec Protection Suite Small Business Edition.

The SEPSBE agent can protect Windows XP/Vista/7 or 2003/2008 Server systems, while the management server -- called Symantec Protection Center (SPC) -- can run either on a Windows 2003/2008 server or an ordinary XP or Windows 7 desktop system. (Notably, Vista is excluded as an SPC host, but you're probably not running Vista anyway, right?)

Hardware requirements for both the agent and SPC are fairly modest -- for the former, 1 GB of RAM and either a 1 or 2 GHz Pentium 4 or equivalent CPU, depending on whether you're using the 32- or 64-bit version. The latter has similar CPU requirements but recommends 2 GB of RAM.

Server and Client Installation

SEPSBE's setup wizard keeps things extremely short and sweet; you need specify little more than the company name, an administrator account password, and the email address (plus a mail server address and port) where you want to receive alerts. The setup is arguably a bit too streamlined, because if your email server requires authentication -- as many do -- you'll need to visit the email configuration settings after finishing the wizard to provide the necessary account credentials. (Fortunately, you don't need to dig around to find the settings, as a link is helpfully provided.)

After the SPC is installed, the next step is the agent install wizard. How straightforward installing the agent on your computers will be depends a lot on how they're organized and configured (more on this in a moment), but you get three options that will allow you to install the agent on individual computers without necessarily having to visit them in person.

The agent-install options are email notification, remote push and custom. Email notification deployment lets you delegate the task of installing the client to your users (provided they have admin rights to their computers) by sending a message containing a link to the software to one or more recipients. There's no way to directly send the message to a large group of email addresses other than to type each address (separated by a comma) into the To: field, but a way around this is to email the notification to a single address and then forward it on to a distribution list.

The remote push option completely automates the client install process, letting you browse or search the network for target systems to receive the software. It works best in domain environments and when certain prerequisites have been satisfied, such as first disabling or removing any security or firewall software already on the client. Last but not least there's the custom installation, which lets you package the client software into a single setup file that you can deposit on a shared folder or distribute by other means.

Regardless of the method you choose, installing the client doesn't require any input from the user aside from initially clicking on a link or setup file (if not using remote push). SPC provides default security policies for each of the agent's security components, which are delivered to computers along with the software.

The only minor installation wrinkle we encountered on our small group of Windows XP/7 test systems was that the SPC initially listed them as "disabled" -- it turns out that while most of the modules go to work immediately upon installation, a reboot is required to activate the firewall protection, even though neither the client nor SPC provided any indication of this. (Once the agent is installed, you can reboot systems remotely from the SPC.)

Symantec's protection agent works with Windows-based PCs and servers and includes anti-virus/anti-spyware, firewall and intrusion prevention modules.

The agent, which normally receives security updates directly from the company's SPC server, can also obtain them directly from Symantec's servers when necessary, which allows protection to remain current even when a computer is off the corporate network for an extended period (e.g. in the case of mobile or remote workers).

As a rule, security software has an (often well-deserved) reputation for noticeably bogging down system performance. For its part, Symantec claims that the SEPSBE agent has less of an impact on system performance than competing products, and while we can't confirm that without a side-by-side comparison, we can say that the Symantec software had a negligible impact on boot time and overall responsiveness on our test systems. We think workers and admins alike will appreciate the fact that the SEPSBE's default firewall policy is unobtrusive and doesn't throw up a steady stream of cryptic (at least to the non-technical) warnings.

Management and Monitoring

Symantec Protection Center's management console does a good job of conveying important security information without requiring you to delve into lots of minutiae to figure out what's going on with your network. A comprehensive dashboard view (the Home screen) makes critical information -- including current alerts, recently detected threats, and whether endpoints are connected and up-to-date -- easy to digest at a glance with liberal use of charts and graphs.

Links to more detailed daily and weekly status reports are also provided, and the reports are automatically delivered via email as well so you don't have to visit the console to get them. The SPC management console is a Java-based application that you can access from any system on your network once you've downloaded and installed it by pointing a browser to the SPC server's IP address.

Even though SPC's primary goal is to minimize the amount of configuration you have to do in order to be protected, it doesn't preclude access to advanced customization features if you want them. You can do things such as organize protected computers into groups (two groups -- desktops/laptops and servers -- are set up by default), modify existing policies or create new ones, design custom reports and alert notifications, and even create multiple administrator accounts, including admins with limited rights, which is helpful when you want to delegate some administrative tasks while keeping others off limits.


Pricing for SEPSBE with one year of basic support (phone support during business hours only) starts at $35 per protected system for up to 24 systems, and volume pricing is available for 25+, 50+, or 100+ systems wherein pricing drops to $28.13, $26.94, and $25.71, respectively. That cost actually works out to be somewhat lower than many of Symantec's competitors in this area, though some of them do include spam and/or phishing protection. (SEPSBE is available as a 30-day trial download.)

Symantec Endpoint Protection Small Business Edition 12.0's simplified setup and management -- thanks in large part to pre-configured policies and reports -- make it a good choice for small businesses that want to secure their networks without having to spend an inordinate amount of time on the task.

Price: $35 per protected computer (or lower, depending on number of systems and upgrade eligibility).

Pros: Integrated agent combines anti-virus/anti-spyware and software firewall with intrusion protection; management console pre-configured with policies, notifications, and reports.

Cons: Does not include spam or phishing protection.

Joseph Moran is a longtime technology writer and co-author of Getting StartED with Windows 7 from Friends of Ed.


This article was originally published on Wednesday Jul 28th 2010