I totally agree Ara, I have a similar policy to you, with none of the 'normal' staff operating privileged accounts etc... And I have yet to have a virus outbreak on the current incarnation of our network (about a year and a half old). Viruses simply never reach the desktops, and if they did, they wouldn't have a hook anyway. This is all different with most VPN users though - these tend to connect more with home computers and laptops that I have less control over.

> -----Original Message-----
> From: Ara.A [mailto:ara@xxxxxxxxxx]
> Sent: 24 October 2004 22:47
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA server and secure VPN clients
>
> http://www.ISAserver.org
>
> Hello
> I am not comfortable answering the VPN part, but as you know, there are plenty of ways to prevent people getting infected so you don't have to be worried about it later.
> Don't let users run as any privileged user, run GFI Download Security and make the HTTP and FTP scan for stuff they download off the internet. Don't let them download exe or vbs or com or bat files. Don't let them use the CD drive or external USB interface, and I think the most important part is to get permission from your boss to apply policies based on what you think is best, not based on what the chick at the front desk is suggesting because she can't chat on MSN with her friends. I have done this for a while and nothing has happened, and we have over 10 smart-ass users here, but they are locked down and they are warned that I have the right to decide what they do.
> I hope someone will help you and wish you best luck.
>
> > -----Original Message-----
> > From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx]
> > Sent: October 24, 2004 6:50 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA server and secure VPN clients
> >
> > http://www.ISAserver.org
> >
> > How nice of you guys to respond so quickly. I am just sorry that you did not take the time to think on what I wrote instead of simply mistaking me for a rookie.
> >
> > I do realize that many people have a "Microsoft cannot be secure" attitude, but this was in no way what I was getting at. I am an MS Certified consultant, and I have been working with MS products as a professional for over six years....
> >
> > The point of my previous post was to investigate whether others had thought of and maybe solved (what I find to be) the problem with MS VPN. I have been searching for a solution for controlling VPN clients after the tunnel has been built. I have spent several hours today digging into CMAK, RRAS policies and ISA firewall rules and add-ins, but have not found a way to make sure that a user does not manually change the routing information on the computer.
> >
> > Think of this situation:
> >
> > A user downloads and installs a fun little app, and with it a trojan. Later the user opens an MS VPN connection. During the establishing of the locked-down (CMAK) VPN connection the quarantine scripts will check the routing table, the antivirus, the firewall etc., but the trojan will not be detected. The VPN connection is established successfully.
> >
> > Now at this point what is to stop the trojan process from adding or changing a route entry and thereby effectively sending traffic around the VPN tunnel? (Other than making sure the user is not local admin :-)) This situation will actually enable a hacker to control the client computer and launch an attack through the VPN tunnel.
> >
> > If you actually do have a way to prevent this scenario, I would very much like to hear it, as I am encountering an increasing number of requests for MS-like VPN functionality that third-party vendors have a hard time offering.
> >
> > A Nortel VPN implementation solves this by continuously monitoring the routing table and closing the VPN tunnel in case of a change in the routing table. I was hoping for a somewhat similar MS solution.
> >
> > I look forward to a hopefully somewhat more useful answer from you.
> >
> > Regards,
> >
> > Michael
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as: ara@xxxxxxxxxx
> > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
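Michael's scenario above (a trojan adding a more-specific route after the CMAK quarantine checks have passed, so traffic to part of the corporate network leaves via the LAN adapter instead of the tunnel) and the Nortel behaviour he describes (watch the routing table, drop the tunnel on any change) can be approximated on a Windows client with a small watchdog. The following is an added example written for this page; it is not code from any of the posters, from Microsoft or from Nortel. It parses the "Active Routes" block of `route print`, takes a baseline right after the tunnel is up, and flags any route that was added, removed or re-pointed at a different gateway. The two `route print` snapshots, the connection name "CorpVPN", the addresses and the 10.1.2.0/24 "bypass" route are all constructed for the example; `rasdial <entry> /disconnect` is the real RAS command-line switch, but the call is dry-run by default.

```python
"""Routing-table watchdog for a RAS/CMAK VPN client (added example, not shipped code).

Baseline the IPv4 routing table once the tunnel is up, poll it, and drop the
tunnel if any route is added, removed or re-pointed, mirroring the Nortel
client behaviour described in the thread.
"""
import re
import subprocess
import time

_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_route_print(text: str) -> dict:
    """Parse the 'Active Routes' block of Windows `route print` output.

    Returns {(destination, netmask): (gateway, interface, metric)} so that a
    route re-pointed at another gateway shows up as a change, not only as
    one removal plus one addition.
    """
    routes = {}
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes:"):
            in_table = True
            continue
        if not in_table:
            continue
        if stripped.startswith("Default Gateway") or stripped.startswith("="):
            break  # end of the active-routes block
        parts = stripped.split()
        if len(parts) == 5 and all(_QUAD.match(p) for p in parts[:4]) and parts[4].isdigit():
            dest, mask, gw, iface, metric = parts
            routes[(dest, mask)] = (gw, iface, int(metric))
    return routes


def diff_routes(baseline: dict, current: dict):
    """Return (added, removed, changed) keyed by (destination, netmask).

    Metric-only changes are ignored: Windows re-weights interfaces on its own
    and that does not move traffic off the tunnel by itself.
    """
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    changed = {k: (baseline[k], current[k]) for k in baseline.keys() & current.keys()
               if baseline[k][:2] != current[k][:2]}
    return added, removed, changed


def tunnel_bypassed(baseline: dict, current: dict) -> bool:
    """True if any route was added, removed or re-pointed since the baseline."""
    added, removed, changed = diff_routes(baseline, current)
    return bool(added or removed or changed)


def read_live_route_table() -> dict:
    """Read the real table on Windows (not used by the constructed samples below)."""
    out = subprocess.run(["route", "print"], capture_output=True, text=True, check=True)
    return parse_route_print(out.stdout)


def drop_tunnel(entry_name: str, dry_run: bool = True) -> list:
    """Tear down the RAS/CMAK connection with `rasdial <entry> /disconnect`."""
    cmd = ["rasdial", entry_name, "/disconnect"]
    if not dry_run:
        subprocess.run(cmd, check=False)
    return cmd


def watch(entry_name: str, baseline: dict, read_table, interval: float = 2.0,
          max_polls=None, dry_run: bool = True):
    """Poll read_table() until the table diverges from baseline; then drop the tunnel.

    Returns the (added, removed, changed) diff that triggered the teardown, or
    None if max_polls was reached without a change.
    """
    polls = 0
    while max_polls is None or polls < max_polls:
        polls += 1
        current = read_table()
        if tunnel_bypassed(baseline, current):
            drop_tunnel(entry_name, dry_run=dry_run)
            return diff_routes(baseline, current)
        time.sleep(interval)
    return None


# Constructed `route print` output: LAN 192.168.1.50/24, VPN adapter 10.200.0.7,
# corporate 10.0.0.0/8 via the tunnel, host route to the VPN server 203.0.113.10.
CLEAN_SNAPSHOT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50       20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1        1
         10.0.0.0        255.0.0.0       10.200.0.7     10.200.0.7        1
      192.168.1.0    255.255.255.0     192.168.1.50   192.168.1.50       20
     203.0.113.10  255.255.255.255      192.168.1.1   192.168.1.50       20
Default Gateway:       192.168.1.1
===========================================================================
"""

# Constructed: the trojan added a more-specific route for 10.1.2.0/24 via the
# LAN gateway, so traffic to that subnet now leaves through the physical NIC.
TAMPERED_SNAPSHOT = CLEAN_SNAPSHOT.replace(
    "Default Gateway:",
    "         10.1.2.0    255.255.255.0      192.168.1.1   192.168.1.50        1\n"
    "Default Gateway:")
```

Usage: take `baseline = read_live_route_table()` in the CMAK post-connect action, then run `watch("CorpVPN", baseline, read_live_route_table, dry_run=False)`. Two caveats that follow from the thread itself: this only closes the window that quarantine leaves open, and a watchdog running on the same host is only as trustworthy as that host, so a trojan with local admin can kill it or re-add the route faster than the poll interval. It raises the bar for the unprivileged-user case Michael mentions, not for a fully compromised administrator account.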