Ha, exactly what I was hoping NOT to do. Thanks anyway though. Would you perhaps know if it would be at all possible to write my own Application Filter which could do something like this? I mean, before I go and invest all the time of researching such a solution, maybe you could tell me know whether I would be wasting my time or not. Cheers William R. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 06 November 2002 16:02 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Struggling to DENY access for applications! http://www.ISAserver.org Hi William, I see what you want to accomplish now. You can't do that with the mspclnt.ini file. You can audit each machine, run something like PestPatrol, and clear out the spyware and scumware. HTH, Tom Thomas W Shinder www.isaserver.org/shinder http://tinyurl.com/1jq1 http://tinyurl.com/1llp -----Original Message----- From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] Sent: Wednesday, November 06, 2002 2:43 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Struggling to DENY access for applications! http://www.ISAserver.org Hi Tom I fully agree with your last comment in that the FW client is not used when accessing anything defined in my LAT. However, I find that many users have funny little applications installed on their PC's (installed on purpose, or by an overzealous webmaster wanting to track visitors etc) that are now able to communicate with the Internet directly as a result of the FW Client, and I would like my best to stop these little buggers from doing that as they are filling up my logs and chewing my bandwidth. In light of this I would like a generic method of denying access to ALL applications that are not explicitly GRANTED permission within the MSPCLNT.INI. Cheers William R. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 06 November 2002 10:18 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Struggling to DENY access for applications! http://www.ISAserver.org Hi William, The firewall client is *not* used whenever a communicaiton to with a destination IP address on the LAT. That is to say, its never used when communicating with machines on the internal network. HTH, Tom Thomas W Shinder www.isaserver.org/shinder http://tinyurl.com/1jq1 http://tinyurl.com/1llp -----Original Message----- From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] Sent: Wednesday, November 06, 2002 1:28 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Struggling to DENY access for applications! http://www.ISAserver.org Hi Tom I appreciate your words of wisdom :), but I am trying to better understand the FW Client itself. Initially I never had the FW Client installed because it was not necessary, but now I have unfortunately been pushed into a situation where I definitely need to use the FW Client to get some applications working. My biggest concern though is how to control which applications are allowed to use the FW Client. My understanding is that the FW Client pretty much allows ANY application which doesn't have an explicit DISABLE=1 entry in the MSPCLNT.INI, to access the ISA Server and then to be processed further with the Protocol & S+C rules. My problem with this is that I do not know the names of all the possible applications that exist on our network, so I have no way of controlling them all, that is why I was looking for a generic way of denying access. I thought that if I added a DISABLE=1 into the [Common Configuration] section that this would work, but it doesn't seem to have done the job. Your comments? Cheers William R. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 06 November 2002 08:00 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Struggling to DENY access for applications! http://www.ISAserver.org Hi William, There's a very easy way to prevent all applications from using the Firewall client -- uninstall it. HTH, Tom Thomas W Shinder www.isaserver.org/shinder http://tinyurl.com/1jq1 http://tinyurl.com/1llp -----Original Message----- From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] Sent: Tuesday, November 05, 2002 10:37 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Struggling to DENY access for applications! http://www.ISAserver.org Hi there Please could someone comment on the following: I do not understand how the FW Client uses the MSPCLNT.INI file. This is due to the following: When installing the FW Client on users workstations, they started experiencing an INCREDIBLY long "logon time". And when trying to perform any kind of network activity it would still take immensely long. I eventually found that all of the default FW Client settings (such as LSASS=Disable(1), WINLOGON=Disable(1) etc) were causing this. As soon as I put all these default settings back, my workstations worked a lot faster. Now this is curious because that means that all the little Windows subsystems were trying to make use of the FW Client, and because the FW Client did not have any rule entry DENYING these Windows subsystems, they then tried very hard, and possibly succeeded, in using the FW Client. And yet, when I tried to get my SAP clients to work through the ISA Firewall, I had to add the SAPGUI=Disable(0) entry into the MSPCLNT.INI file before it would work. Now I'm confused! I am specifically looking for a way in which I can generically DENY ALL APPLICATIONS within the MSPCLNT.INI, instead of having to declare them all one by one (in the case of the Windows subsystems), but it seems that the FW Client only seems to let some applications through (even though they don't have a corresponding entry in the MSPCLNT.INI) and others not. Any ideas? Cheers William R. -----Original Message----- From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] Sent: 05 November 2002 07:32 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Struggling to DENY access for applications! http://www.ISAserver.org Hi there Thanks for that. I have since changed my S&C rules to use Username authentication and it seems a lot better now. I do however have another question though... I have now configured my FW Client Config to have a [Master Config] section that looks like this: [Master Config] Path1=\\<ISA Server>\mspclnt\ [Common Configuration] NameResolution=L [msmsgs] Disable=0 [Internal] scp=9,10,11 (You'll notice that I have removed all the original settings in order to complete my testing) Now this works fine as the FW Client permits the Windows Messenger to connect to the ISA where it is successfully validated. But you will notice that I have NO settings for OUTLOOK in the above config, and yet when I do a SEND/RECEIVE on my external POP3 mail server, it completes successfully. Now this I do not understand as I have created a Protocol Rule & a Site & Content rule for POP3 traffic, both of which are validating according to Group Membership. Now granted, I am a member of the group that is permitted to use those rules, but surely with the abovementioned FW Client configuration, the FW Client should not permit the request through to the ISA Server because OUTLOOK is not explicitly ALLOWED within the MSPCLNT.INI? What I also tried was to add to the [Common Configuration] Section the following: Disable=1 By doing this I was hoping to add a generic rule for the FW Client to DENY access to ALL applications, except those that are specifically permitted within the MSPCLNT.INI. Any comments on this? Cheers William R. -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: 04 November 2002 19:28 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Struggling to DENY access for applications! http://www.ISAserver.org All that setting accomplishes is to deny access to the FW client for that app. It does not deny access through the ISA for the app if the client is also a SecureNAT client. You'll need to set up blocking filters and rules as dictated in Tom's article on dangerous messenger clients. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/pages/author_index.asp?aut=3 http://isatools.org Read the help / books / articles! ----- Original Message ----- From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Sunday, November 03, 2002 9:03 PM Subject: [isalist] Struggling to DENY access for applications! http://www.ISAserver.org Hi there I have tried to make modifications to the Firewall Client Config (thru the MMC), but I cannot seem to get the FW Client to DENY access to certain applications. For example, I would like to be able to have the FW Client block applications such as Windows Messenger, ICQ etc. But when I add an entry to the FW Client config with the following parameters: Application: msmsgs Key: Disable Value: 1 Nothing happens. The Windows Messenger continues to get through to my ISA Server, instead of being denied by the FW Client. Another thing I have tried is to add the following: Application: Common Configuration Key: Disable Value: 1 By doing this I was hoping to DENY access to ALL applications that were not specifically ALLOWED within the FW Client config, but this also did not work. Does anybody have any idea how I can DENY access to all applications on a workstation that are not explicitly ALLOWEd by the FW Client config? Cheers William R. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') --------------------------------------------------------------------- Everything in this e-mail and attachments relating to the official business of Columbus Stainless is proprietary to the company. It is confidential, legally privileged and protected by law. Columbus Stainless does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Columbus Stainless. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is,for whatever reason, corrupted or does not reach its intended destination. --------------------------------------------------------------------- ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') --------------------------------------------------------------------- Everything in this e-mail and attachments relating to the official business of Columbus Stainless is proprietary to the company. It is confidential, legally privileged and protected by law. Columbus Stainless does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Columbus Stainless. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is,for whatever reason, corrupted or does not reach its intended destination. --------------------------------------------------------------------- ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') --------------------------------------------------------------------- Everything in this e-mail and attachments relating to the official business of Columbus Stainless is proprietary to the company. It is confidential, legally privileged and protected by law. Columbus Stainless does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Columbus Stainless. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is,for whatever reason, corrupted or does not reach its intended destination. --------------------------------------------------------------------- ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') --------------------------------------------------------------------- Everything in this e-mail and attachments relating to the official business of Columbus Stainless is proprietary to the company. It is confidential, legally privileged and protected by law. Columbus Stainless does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Columbus Stainless. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is,for whatever reason, corrupted or does not reach its intended destination. --------------------------------------------------------------------- ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') --------------------------------------------------------------------- Everything in this e-mail and attachments relating to the official business of Columbus Stainless is proprietary to the company. It is confidential, legally privileged and protected by law. Columbus Stainless does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Columbus Stainless. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is,for whatever reason, corrupted or does not reach its intended destination. ---------------------------------------------------------------------