Gartner Blog Network

Does Protecting Desktops Require a Different Vendor/Product than Protecting Servers?

by Neil MacDonald  |  September 29, 2011  |  2 Comments

I’ve made it a point over the past 6 months to ask clients if they are combining their endpoint protection platform contracts across desktops, laptops and servers. In most cases (about 75%), the answer is yes – contracts are being combined in order to reduce complexity and costs.

Is protecting a desktop different than a laptop? Yes.

Is protecting a server different than a desktop or laptop? Yes.

However, does this mean that we need a different vendor, product and console for each of these? Or, is it better to use a consistent set (palette) of controls to pick and choose from and just choose a different mix to protect different types of endpoints based on their needs? For example:

  • All desktops and laptops need AV. Some servers need AV (general-purpose file servers, for example), and most organizations require AV on all Windows servers by policy.
  • Application Control is more easily applied to servers which tend to be more static. However, some fixed desktop scenarios are well-suited to application control (e.g. call centers) and leading application control vendors are innovating in how they manage trusted change in desktop scenarios.
  • Host firewalling is important to both, but tends to be more valued on laptops that move out from behind perimeter protection. Servers in the data center behind fixed firewalls may not need this at all.
  • Deep-packet-inspection-based host intrusion prevention (HIPS) is of value to both desktops and servers, but the ‘virtual patching’ capability of this style of protection tends to be more valued on servers, which can’t be patched as frequently.
  • Rules-based HIPS tends to be used more on servers, where rules about normal application behavior are more easily defined.
  • Behavioral HIPS tends to be used more on laptops and desktops to augment traditional signature-based AV and protect against zero-day attacks, because these devices routinely deal with arbitrary code. This isn’t as important on servers: they don’t routinely deal with arbitrary code, and organizations don’t want to risk an occasional false positive blocking a production workload.
  • Servers are great candidates for file integrity monitoring. Few desktops will use file integrity monitoring, but I’ve had clients with desktops that fell in scope of PCI where they used file integrity monitoring on their desktops.
  • Laptops are great candidates for full drive encryption, but some fixed desktop and server scenarios make sense for full drive encryption as well.

The set (palette) of controls is the same – AV, firewall, HIPS, FIM, application control, encryption and so on, working together as a system. You pick and choose which controls are used and which policies are enforced based on the endpoint (desktop, laptop, server and increasingly mobile devices) and its usage scenarios. Think of the information security professional as an artist with a palette of colors/controls.

Do we need a different product/vendor/console for server security versus desktop security? Or a single product/vendor/console with the ability to pick and choose the appropriate controls and policies?

How does your organization handle this?


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Does Protecting Desktops Require a Different Vendor/Product than Protecting Servers?

  1. Kris Tuttle says:

    From what I can tell many users of desktop and laptop computers are a giant security hole thanks to the ineffectiveness of antivirus tools to block software programs like keyloggers.

    There should be way more encryption going on in these environments including keystrokes and using out-of-band methods.

    I’m not a security expert but all these breaches and the inattention to laptop and desktop keylogging leaves me baffled.

    What am I missing?

  2. Neil MacDonald says:

    Multiple issues here – one is to help shut down the vulnerability that the keystroke logger used to get installed. So the basics are important – patch management, config management, vulnerability assessment. Also, running users as standard user (not admins) helps significantly, especially with rootkits.

    There are solutions that go beyond this – e.g. Blue Gem, Trusteer, even McAfee DeepSafe (just announced)…

    Another approach is to periodically reset the OS back to a known good state to remove malware (requires changes in operational processes); see this.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.