[isapros] Re: Customizing Lockdown Policy

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 20 May 2006 14:50:09 -0500

I fell into an Andrewism there, I should have said "if I disabled a
specific System Policy Rule" . But what you say indicates that if I've
disabled the RDP System Policy Rule, and the system enters lockdown
mode, then RDP access will not be allowed.

What's interesting here is that I have a piece of internal documentation
that states:

"Lockdown policy is used by the driver to allow the necessary traffic.
The lockdown policy is stored in the registry, so it can be accessed by
the driver even when no other firewall component is running.
The lockdown policy is a *small subset* (italics mine) of the System
Policy (configurable through the UI - under Firewall Policy / Edit
System Policy). Only four rules of the system policy are effective
during lockdown mode - these exist to allow the administrator to fix
configuration errors."

However, it seems like the public docs (ISA Hardening Guide) suggest
that all System Policy Rules are enabled (OK, not enabled, but
'available' if they are already enabled in system policy), and not the
limited subset mentioned in the quote above.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Saturday, May 20, 2006 2:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Customizing Lockdown Policy
> 
> Well, you can't really configure the System Policy to "deny" these
> protocols, you can only change the "to/from" (and sometimes only the
> "from" as in RDP) to remove any object reference.  But no, there is
> no "switching" context for Lockdown mode.  Whatever you have set in
> System Policy to/from for (and only for) the protocol options you have
> in the System Policy are what *stay* in effect.  Nothing gets
> "enabled" if it's not already set up.
> 
> t
> 
> On 5/20/06 12:32 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> spoketh to all:
> 
> > OK, so would it be more accurate to say that even if System Policy
> > is configured to deny these protocols, they will be enabled during
> > lockdown mode to help management of the horked system?
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >> Sent: Saturday, May 20, 2006 2:06 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Customizing Lockdown Policy
> >> 
> >> Yep - all those (except fwengmon) are defined by the system policy.
> >> 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thomas W Shinder
> >> Sent: Saturday, May 20, 2006 12:11 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Customizing Lockdown Policy
> >> 
> >> Hi Jim,
> >> 
> >> I thought lockdown policy was limited to:
> >> 
> >> * Allowing  hosts in the Internal network element to access the
> >> Local Host network element using the firewall's
> >> administration protocol.
> >> * Allowing Remote Desktop Protocol (RDP) from Internal to Local
> >> Host.
> >> * Allowing ICMP ping from Internal to Local Host.
> >> * Allowing DHCP from any host to Local Host.
> >> * Outgoing traffic from the firewall to any destination
> >> * Traffic that already has a connection element (this allows
> >> stopping the firewall service without disrupting existing
> >> connections)
> >> * Traffic that is to/from the allowed range determined by using
> >> FWENGMON
> >> 
> >> Thanks!
> >> Tom
> >> 
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://blogs.isaserver.org/shinder/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> 
> >>  
> >> 
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >>> Sent: Saturday, May 20, 2006 1:52 PM
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Re: Customizing Lockdown Policy
> >>> 
> >>> Sorta.
> >>> Lockdown allows all the system policy traffic.
> >>> Thus, if you want to change the traffic profile for lockdown,
> >>> you can do it via system policy management.
> >>> 
> >>> It's not as flexible as array policies, but it covers 99.444% of
> >>> what the ISA admin needs to bring the server back to life.
> >>> 
> >>> -----Original Message-----
> >>> From: isapros-bounce@xxxxxxxxxxxxx
> >>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >>> On Behalf Of Thomas W Shinder
> >>> Sent: Saturday, May 20, 2006 11:45 AM
> >>> To: isapros@xxxxxxxxxxxxx
> >>> Subject: [isapros] Customizing Lockdown Policy
> >>> 
> >>> Hey guys,
> >>>  
> >>> I know there is a default lockdown policy, but I was wondering
> >>> while watering the flowers this morning if there was a method to
> >>> customize the lockdown policy, other than using FWENGMON ?
> >>>  
> >>> Thanks!
> >>> Tom
> >>>  
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- ISA Firewalls
> >>> 
> >>>  
> >>> 
> >>> All mail to and from this domain is GFI-scanned.