This article will advise and guide you on how to deploy the HEIMDAL Agent on servers.
1. System Requirements & Firewall Exceptions
2. Deployment methods
3. Good practices when deploying the HEIMDAL Agent on a server
System Requirements & Firewall Exceptions
The system requirements for the Heimdal agent on all supported platforms, including servers, can be found here. The same article lists the exceptions you need to add to your firewall before deploying Heimdal.
Deployment methods
Before deploying Heimdal in your environment, an important step is to embed the license key into the Heimdal installer; check this link here to see how to do it. Here are all the deployment methods supported by Heimdal:
*Please note that some of these methods will not require you to embed the license key into the installer. Read the article that suits your needs to see whether you need to do this step.
Good practices when deploying the HEIMDAL Agent on a server
1. Test environment - Consider setting up Heimdal in a testing environment before rolling it out in the production space. This approach helps in detecting and addressing any conflicts that might arise with other third-party applications.
2. Multiple modules - If you plan to deploy multiple products from the Heimdal suite on your servers, it is advised to activate them sequentially, allowing a gap of at least 3-4 days between each activation.
3. Group Policy settings:
GENERAL
- Make sure to activate the Do Not Show GUI option;
- Make sure to move the Memory Threshold % slider to at least 80%;
- Make sure to enable Real-time communication.
DNS Security ENDPOINT
- DO NOT enable the following options: Force DHCP DNS usage, Use default loopback address, Cisco Anyconnect/Fortinet compatibility mode, Use Supported VPN forwarders, and Support PPP Adapters. These options are designed to solve some compatibility issues between the HEIMDAL Agent and certain VPN products;
- If you use a certain VPN product on the server where you wish to deploy the HEIMDAL Agent, please contact Heimdal Support for advice on which settings you should enable.
3RD PARTY PATCH MANAGEMENT
- DO NOT enable the Install All function for all the applications. If you enable it, the HEIMDAL Agent will install all the applications that are supported by 3rd Party Patch Management;
- We suggest you set up a scheduler for installing patches, as this will give you control over the management of vulnerabilities found in the 3rd Party Applications.
OPERATING SYSTEM UPDATES
- Enable the Enhance Reboot Detection option. This will allow the HEIMDAL Agent to detect the reboots required by your server when a Windows Update is completed;
- If your server is behind a WSUS, make sure the Server Source is set to Default and check this article;
- Make sure you set up an OS Updates Schedule and an OS Updates Reboot Schedule that suit your needs;
- DO NOT enable the option called Force reboot during time selection.
NEXT-GEN ANTIVIRUS
- If you use our Next-Gen AntiVirus module on your server, please make sure to uninstall all the previous Antivirus solutions, including Microsoft Defender ATP;
- If you want to disable the USB port, please make sure the USB ports on the server will never be used;
- The Zero-Trust Execution Protection option should be enabled in Reporting mode for the first two weeks. Once these two weeks have passed, please check all the false positive detections and whitelist them;
- In the Next-Gen AV Exclusion List, please make sure you whitelist the profile that fits your server type;
- Please make sure you whitelist all the crucial applications used on your server, like backup tools, any type of management tools, and sync tools. Search online for what the vendor of each app recommends whitelisting, then go into the Next-Gen AV Exclusion List and add those items;
- DO NOT enable the option called Real-Time Scan Network Files.
RANSOMWARE ENCRYPTION PROTECTION
- Enable this module in reporting mode for the first two weeks. Once these two weeks have passed, please check all the false positive detections and whitelist them.
PRIVILEGED ACCESS MANAGEMENT
- DO NOT enable the option called Automatically close all processes started during an elevation when the session ends. This might close vital processes used by the operating system.
APPLICATION CONTROL
- Although this product can work on servers (Windows Server), it is NOT meant for servers but for regular client machines (Windows 10, Windows 11).