Welcome to ISAserver.org


Restrict Access to FWC

Restrict Access to FWC - 13.Oct.2006 1:40:53 PM   
Guest
I observed recently that people get stuck on how to restrict access to FWC so that users do not modify its settings.
There is a very simple solution to this:
use a software restriction policy and enforce this policy to apply to all users except admins.
How: very simple:
You can choose to do this for user groups or for users.
Here I will show how to create this restriction for users in User configuration so this will apply to users regardless of the computer they are using.
Let's make it very simple: put the users you want to restrict access for in an OU (if this is possible). Create a new Group Policy object or edit one (this depends on the other policies you may have), and click Edit.
Go to User Configuration/Windows Settings/Software Restrictions. Right-click on it and choose New Software Restriction Policies in order to enable it if you didn't already do that.
Now click on it and, in the right panel, double-click Enforcement. Here choose the users that will be affected by it and select All users except local admins.
OK. Click on Additional Rules and choose New Path Rule. The path is:
C:\Program Files\Microsoft Firewall Client 2004\Fwcmgmt.exe
This is where the FWC is installed by default on all computers.
The Security level is: Disallowed.
Click OK.
That will do it.
This will disable the FWC icon and restrict access to FWC.
So install FWC through Group Policy.
I did this and used AutoDiscovery with Wpad in DNS.
When the computers boot, the FWC is installed automatically and it is enabled, configured to automatically detect ISA, and has web browser automatic configuration (this will set your web browser as you choose from the ISA Management Console. You can leave all blanks in ISA and choose to configure your IE proxy settings with another group policy).
The only problem I've observed when I installed it from the start with group policy and had the software restriction in place was that the first user (not an admin, as admins have access to it) who logged on for the first time had access to the icon of FWC as it was not enabled and he could play with the settings. But he did not have access through the shortcut from Program Files.
However, if I leave it untouched and log off and log on again, the icon disappears and the FWC works as I said above. Even if the user makes some changes to the FWC, at the next boot the FWC will be set right.
There is no problem if an admin logs on for the first time, as then when a simple user logs on he will not see the FWC icon and will not be able to access it from Program Files.
I must say that this issue is in VMware, because in reality I had enabled the software restriction policy after I had installed the FWC client and logged onto computers for different settings.
However this should not be a real problem because a network admin must check all computers in order to see that everything is running fine and maybe do some other things. This depends. If you have many computers, probably you have many admins.
I'll do a test on a real network as soon as possible and investigate this further.
Please post back if you observe any issues or you have the same problem on a real network.

< Message edited by adrian_dimcev -- 13.Oct.2006 1:54:15 PM >
  Post #: 1
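
A read-only check for the result of the steps in the post, added here as an example and not part of the original post. It assumes PowerShell is available on the client and that Group Policy has written the user-scope policy under the standard `Safer\CodeIdentifiers` key in HKCU; the function names are hypothetical.

```powershell
# Added example: audit the per-user SRP state the post configures.
# Run inside the restricted user's session; it only reads HKCU.
$target = 'C:\Program Files\Microsoft Firewall Client 2004\Fwcmgmt.exe'  # path from the post
$base   = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpPathRule {
    param([string]$Base)
    # Rules live under <level>\Paths\{GUID}; 0 = Disallowed, 262144 = Unrestricted.
    foreach ($level in 0, 262144) {
        $paths = Join-Path $Base "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            $item = (Get-ItemProperty $rule.PSPath).ItemData
            if (-not $item) { continue }   # skip malformed rule keys
            [pscustomobject]@{
                Level = if ($level -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                Path  = [Environment]::ExpandEnvironmentVariables($item).TrimEnd('\')
                Guid  = $rule.PSChildName
            }
        }
    }
}

function Test-RuleCoversFile {
    param([string]$RulePath, [string]$File)
    # Simplification: exact file match or a folder rule above the file.
    # Wildcard and registry-path rules are not evaluated here.
    ($File -ieq $RulePath) -or
        $File.StartsWith($RulePath + '\', [StringComparison]::OrdinalIgnoreCase)
}

if (-not (Test-Path $base)) {
    Write-Warning 'No user-scope software restriction policy has been applied to this session.'
    return
}

# PolicyScope is the Enforcement setting: 1 = all users except local administrators.
$scope = (Get-ItemProperty $base).PolicyScope
$rules = @(Get-SrpPathRule -Base $base | Where-Object { Test-RuleCoversFile $_.Path $target })

[pscustomobject]@{
    ExceptLocalAdmins = ($scope -eq 1)
    Disallowed        = (@($rules | Where-Object Level -eq 'Disallowed').Count -gt 0)
    UnrestrictedRule  = (@($rules | Where-Object Level -eq 'Unrestricted').Count -gt 0)
    MatchingRules     = $rules
}
```

The expected state for a restricted user is `ExceptLocalAdmins` and `Disallowed` both true and `UnrestrictedRule` false.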
