RE: access policies--

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 25 Jan 2003 12:00:45 -0600

Hi Jill,

You don't need to create explicit deny rules. Just don't allow them
access. If you don't explicitly allow a user/group access, they will not
be able to access external resources. 

It's just like with NTFS permissions. DENY rules are processed first
(with the exception of the Web Proxy client that has access to an
anonymous access rule), then allow rules.

So, you can think of the default config as an implicit deny rule, for
which you will have to create allow rules to allow outbound access to
protocols.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

 
 


-----Original Message-----
From: Jill Ray [mailto:jill@xxxxxxxxxxxxxxx] 
Sent: Friday, January 24, 2003 3:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: access policies--


http://www.ISAserver.org


Why wouldn't I have complete control over who gets access if I denied
first?  
I'm still learning here...

~Jill

-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) [mailto:Shawn.Quillman@xxxxxxxxxxxx] 
Sent: Friday, January 24, 2003 12:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: access policies--




Best thing is to allow by user\group.  That way you have complete
control over who gets access.  (That on top of the fact that you do
have to specifically allow something with policy in order to grant
access.)

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx


-----Original Message-----
From: Jill Ray [mailto:jill@xxxxxxxxxxxxxxx]
Sent: Friday, January 24, 2003 12:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] access policies--




When authenticating by user, is it better to assign policies by
1.  denying all first, then allowing by user/group
2.  allowing all first, then denying by user/group

Is one trickier than the other?

Thanks in advance for your help,
Jill
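
Added example, not part of the original thread and not ISA Server code: a simplified Python model of the evaluation order discussed in the thread (deny rules first, then allow rules, implicit deny when nothing matches), used to compare the two options from the original question. All rule, user and group names are constructed, and the Web Proxy anonymous-access exception mentioned in the thread is not modelled.

```python
from dataclasses import dataclass

# Simplified model of the evaluation order described in the thread:
# deny rules are checked first, then allow rules, and a request that
# matches nothing is refused. All rule, user and group names are constructed.
# The Web Proxy anonymous-access exception mentioned in the thread is not modelled.

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    principals: frozenset  # user or group names; "*" matches everyone
    protocols: frozenset   # protocol names; "*" matches every protocol

    def matches(self, identities, protocol):
        who = "*" in self.principals or bool(self.principals & identities)
        what = "*" in self.protocols or protocol in self.protocols
        return who and what

def rule(action, principals, protocols):
    return Rule(action, frozenset(principals), frozenset(protocols))

def evaluate(rules, user, groups, protocol):
    """Return 'allow' or 'deny' for one outbound request."""
    identities = frozenset({user, *groups})
    if any(r.action == "deny" and r.matches(identities, protocol) for r in rules):
        return "deny"                      # any matching deny wins
    if any(r.action == "allow" and r.matches(identities, protocol) for r in rules):
        return "allow"
    return "deny"                          # implicit deny: nothing matched

# Option 1 from the question: nothing is allowed until a group is granted access.
ALLOW_BY_GROUP = [rule("allow", {"WebUsers"}, {"HTTP", "HTTPS"})]

# Option 2: everyone is allowed, then specific groups are denied.
ALLOW_ALL_THEN_DENY = [
    rule("allow", {"*"}, {"*"}),
    rule("deny", {"Contractors"}, {"*"}),
]

def compare(user, groups, protocol):
    """Decision under each rule set for the same request."""
    return (evaluate(ALLOW_BY_GROUP, user, groups, protocol),
            evaluate(ALLOW_ALL_THEN_DENY, user, groups, protocol))

if __name__ == "__main__":
    for user, groups, proto in [("alice", {"WebUsers"}, "HTTP"),
                                ("bob", {"Contractors"}, "HTTP"),
                                ("newhire", set(), "FTP")]:
        print(user, proto, compare(user, groups, proto))
```

The two rule sets agree for users who are already classified; they differ for an account that belongs to no group yet, which is refused under option 1 and allowed under option 2.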


