Re: Struggling to DENY access for applications!

  • From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 7 Nov 2002 09:00:40 +0200

Ha, exactly what I was hoping NOT to do. Thanks anyway though.

Would you perhaps know if it would be at all possible to write my own
Application Filter which could do something like this? I mean, before I
go and invest all the time of researching such a solution, maybe you
could tell me now whether I would be wasting my time or not.

Cheers
William R.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 06 November 2002 16:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!

http://www.ISAserver.org


Hi William,

I see what you want to accomplish now. You can't do that with the
mspclnt.ini file.

You can audit each machine, run something like PestPatrol, and clear out
the spyware and scumware.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

 
 


-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: Wednesday, November 06, 2002 2:43 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!




Hi Tom

I fully agree with your last comment in that the FW client is not used
when accessing anything defined in my LAT. However, I find that many
users have funny little applications installed on their PCs (installed
on purpose, or by an overzealous webmaster wanting to track visitors
etc) that are now able to communicate with the Internet directly as a
result of the FW Client, and I would like to do my best to stop these
little buggers from doing that as they are filling up my logs and
chewing my bandwidth.

In light of this I would like a generic method of denying access to ALL
applications that are not explicitly GRANTED permission within the
MSPCLNT.INI.

Cheers
William R.


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 06 November 2002 10:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!



Hi William,

The firewall client is *not* used whenever communicating with a
destination IP address on the LAT. That is to say, it's never used when
communicating with machines on the internal network.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

 
 


-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: Wednesday, November 06, 2002 1:28 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!




Hi Tom

I appreciate your words of wisdom :), but I am trying to better
understand the FW Client itself. Initially I never had the FW Client
installed because it was not necessary, but now I have unfortunately
been pushed into a situation where I definitely need to use the FW
Client to get some applications working.

My biggest concern though is how to control which applications are
allowed to use the FW Client. My understanding is that the FW Client
pretty much allows ANY application which doesn't have an explicit
DISABLE=1 entry in the MSPCLNT.INI, to access the ISA Server and then to
be processed further with the Protocol & S+C rules.

My problem with this is that I do not know the names of all the possible
applications that exist on our network, so I have no way of controlling
them all, that is why I was looking for a generic way of denying access.
I thought that if I added a DISABLE=1 into the [Common Configuration]
section that this would work, but it doesn't seem to have done the job.

Your comments?

Cheers
William R.


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 06 November 2002 08:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!



Hi William,

There's a very easy way to prevent all applications from using the
Firewall client -- uninstall it.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

 
 


-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: Tuesday, November 05, 2002 10:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!




Hi there

Please could someone comment on the following:

I do not understand how the FW Client uses the MSPCLNT.INI file. This is
due to the following:
When installing the FW Client on users' workstations, they started
experiencing an INCREDIBLY long "logon time". And when trying to perform
any kind of network activity it would still take immensely long. I
eventually found that all of the default FW Client settings (such as
LSASS=Disable(1), WINLOGON=Disable(1) etc) were causing this. As soon as
I put all these default settings back, my workstations worked a lot
faster.

Now this is curious because that means that all the little Windows
subsystems were trying to make use of the FW Client, and because the FW
Client did not have any rule entry DENYING these Windows subsystems,
they then tried very hard, and possibly succeeded, in using the FW
Client.

And yet, when I tried to get my SAP clients to work through the ISA
Firewall, I had to add the SAPGUI=Disable(0) entry into the MSPCLNT.INI
file before it would work.

Now I'm confused!  I am specifically looking for a way in which I can
generically DENY ALL APPLICATIONS within the MSPCLNT.INI, instead of
having to declare them all one by one (in the case of the Windows
subsystems), but it seems that the FW Client only seems to let some
applications through (even though they don't have a corresponding entry
in the MSPCLNT.INI) and others not.

Any ideas?

Cheers
William R.

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: 05 November 2002 07:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!



Hi there

Thanks for that. I have since changed my S&C rules to use Username
authentication and it seems a lot better now. I do however have another
question though...

I have now configured my FW Client Config to have a [Master Config]
section that looks like this:
[Master Config]
Path1=\\<ISA Server>\mspclnt\
[Common Configuration]
NameResolution=L
[msmsgs]
Disable=0
[Internal]
scp=9,10,11

(You'll notice that I have removed all the original settings in order to
complete my testing)
Now this works fine as the FW Client permits the Windows Messenger to
connect to the ISA where it is successfully validated. But you will
notice that I have NO settings for OUTLOOK in the above config, and yet
when I do a SEND/RECEIVE on my external POP3 mail server, it completes
successfully.

Now this I do not understand as I have created a Protocol Rule & a Site
& Content rule for POP3 traffic, both of which are validating according
to Group Membership. Now granted, I am a member of the group that is
permitted to use those rules, but surely with the abovementioned FW
Client configuration, the FW Client should not permit the request
through to the ISA Server because OUTLOOK is not explicitly ALLOWED
within the MSPCLNT.INI?

What I also tried was to add to the [Common Configuration] Section the
following:
Disable=1

By doing this I was hoping to add a generic rule for the FW Client to
DENY access to ALL applications, except those that are specifically
permitted within the MSPCLNT.INI.

Any comments on this?

Cheers
William R.


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: 04 November 2002 19:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Struggling to DENY access for applications!



All that setting accomplishes is to deny access to the FW client for
that app.
It does not deny access through the ISA for the app if the client is
also a SecureNAT client.
You'll need to set up blocking filters and rules as dictated in Tom's
article on dangerous messenger clients.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the help / books / articles!

----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, November 03, 2002 9:03 PM
Subject: [isalist] Struggling to DENY access for applications!




Hi there

I have tried to make modifications to the Firewall Client Config (thru
the MMC), but I cannot seem to get the FW Client to DENY access to
certain applications.

For example, I would like to be able to have the FW Client block
applications such as Windows Messenger, ICQ etc. But when I add an entry
to the FW Client config with the following parameters:
Application: msmsgs
Key: Disable
Value: 1

Nothing happens. The Windows Messenger continues to get through to my
ISA Server, instead of being denied by the FW Client.

Another thing I have tried is to add the following:
Application: Common Configuration
Key: Disable
Value: 1

By doing this I was hoping to DENY access to ALL applications that were
not specifically ALLOWED within the FW Client config, but this also did
not work.

Does anybody have any idea how I can DENY access to all applications on
a workstation that are not explicitly ALLOWED by the FW Client config?

Cheers
William R.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')



---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official 
business of Columbus Stainless is proprietary to the company. It is 
confidential, legally privileged and protected by law. Columbus 
Stainless does not own and endorse any other content. Views and 
opinions are those of the sender unless clearly stated as being that 
of Columbus Stainless. The person addressed in the e-mail is the sole 
authorised recipient.  Please notify the sender immediately if it has 
unintentionally reached you and do not read, disclose or use the 
content in any way. Whilst all reasonable steps are taken to ensure 
the accuracy and integrity of information and data transmitted 
electronically and to preserve the confidentiality thereof, no 
liability or responsibility whatsoever is accepted if information or 
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------
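
Added example (not part of the original thread and not ISA Server code): since the thread concludes that MSPCLNT.INI has no catch-all deny, this sketch audits a workstation process inventory against the file and lists the applications that have no Disable entry at all. It assumes per-application section names match the process image name without ".exe"; the sample config and inventory are constructed, and the function names are hypothetical.

```python
import configparser

# Client-wide sections named in the thread; everything else is treated as a
# per-application section keyed by image name without ".exe" (assumption).
GLOBAL_SECTIONS = {"master config", "common configuration"}

# Constructed sample: the config posted in the thread plus the attempted
# catch-all Disable=1 and one illustrative Disable=1 application entry.
SAMPLE_INI = r"""
[Master Config]
Path1=\\<ISA Server>\mspclnt\
[Common Configuration]
NameResolution=L
Disable=1
[msmsgs]
Disable=0
[lsass]
Disable=1
[Internal]
scp=9,10,11
"""

# Constructed inventory of process image names seen on workstations.
SAMPLE_INVENTORY = ["msmsgs.exe", "OUTLOOK.EXE", "icq.exe", "lsass.exe"]


def load_app_sections(ini_text):
    """Return ({app: Disable value or None}, [warnings]) for mspclnt.ini text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    apps, warnings = {}, []
    for section in cp.sections():
        name = section.strip().lower()
        disable = cp[section].get("disable")  # option names are case-insensitive
        if name in GLOBAL_SECTIONS:
            if disable is not None:
                # The thread reports this does not act as a default deny.
                warnings.append(f"[{section}] Disable={disable} is not a catch-all deny")
            continue
        apps[name] = disable
    return apps, warnings


def classify(image_name, apps):
    """Map one process image name to its Firewall Client status."""
    base = image_name.strip().lower()
    if base.endswith(".exe"):
        base = base[:-4]
    value = apps.get(base)
    if value is None:
        return "default-allow"  # no section, or a section without a Disable key
    return "fw-client-disabled" if value.strip() == "1" else "explicit-allow"


def audit(ini_text, inventory):
    """Group inventory names by status; 'default-allow' is the list to review."""
    apps, warnings = load_app_sections(ini_text)
    report = {"default-allow": [], "explicit-allow": [], "fw-client-disabled": []}
    for image in inventory:
        report[classify(image, apps)].append(image)
    report["warnings"] = warnings
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_INI, SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

As Jim notes in the thread, "fw-client-disabled" only keeps the application off the Firewall Client; a machine that is also a SecureNAT client still needs blocking rules on the ISA Server itself.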
