
Welcome to ISAserver.org


Restrict .exe, .com, etc. from everyone EXCEPT admins

Restrict .exe, .com, etc. from everyone EXCEPT admins - 19.Jan.2005 9:48:00 PM   
sm00ter

 

I have successfully configured the ISA 2004 server to prevent executable content from being downloaded.

However, I want the administrators/IT staff to be able to do so.

Is there a way to allow a subset of users to be able to download even though the restrictions have been set?

I have attempted to create a rule that allows the IT computers to download anything, and I have also modified my existing rule to exclude the IT machines. Still doesn't work.

Thanks,

sm00ter
Post #: 1
RE: Restrict .exe, .com, etc. from everyone EXCEPT admins - 20.Jan.2005 3:04:00 AM   
tshinder

 

Hi Smoot,

Check out the Access Rule you created. You'll see that you can create an exception to the users/groups to which the rule applies. Then, you can configure an allow rule for those users you want to allow access to those files.

HTH,
Tom

(in reply to sm00ter)
Post #: 2
RE: Restrict .exe, .com, etc. from everyone EXCEPT admins - 20.Jan.2005 9:11:00 PM   
sm00ter

 

I am a bit confused. I have to create both an exception (for the users I want to allow the access to the .exe downloads) on the Policy rule that denies the traffic, as well as a new Access Rule that specifically allows these types of downloads?

Thanks for your help!

sm00ter

(in reply to sm00ter)
Post #: 3
RE: Restrict .exe, .com, etc. from everyone EXCEPT admins - 5.Feb.2005 12:13:00 AM   
grinn253

 

quote:
Originally posted by sm00ter:
I am a bit confused. I have to create both an exception (for the users I want to allow the access to the .exe downloads) on the Policy rule that denies the traffic, as well as a new Access Rule that specifically allows these types of downloads?
sm00ter

Hello,

I've recently accomplished this as well; here is what I did:
Firstly, the rules apply to users and not the "IT computers".

1) Create an allow HTTP download access rule with an HTTP filtering rule to block executables:
   a) Apply the rule to authenticated users
   b) Exclude admin users from the rule
Beneath that access rule:
2) Create an allow HTTP download access rule without checking the 'block executables' box in HTTP filtering:
   a) Apply that rule to only admin users.

That's about it, and if there is a better method that someone knows, please notify [Smile]

Thanks!
Edgardo

[ February 05, 2005, 12:14 AM: Message edited by: grinn253 ]

(in reply to sm00ter)
Post #: 4
RE: Restrict .exe, .com, etc. from everyone EXCEPT admins - 10.Feb.2005 12:49:00 AM   
grinn253

 

Hello,

Okay, I've also just realized/noticed that the method provided above, in addition to denying executable downloads for 'authenticated users,' also denies the .exe downloads for 'domain computers,' which results in failures when attempting to update my machine via "windowsupdate".

Apparently, windowsupdate has IE download the updates with the domain computer account. A resolution was to add the "domain computers" group in the same areas where I added 'admin users,' thus excluding/including the domain computers to download executable files.

Again if there is another method, I'm listening [Smile] Thanks!

Edgardo

Would creating a 'direct connection,' to the windowsupdate site help in this situation, so as to not implement rules with the 'domain computers' account group?

Thanks!

[ February 10, 2005, 12:50 AM: Message edited by: grinn253 ]

(in reply to sm00ter)
Post #: 5
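
A simplified model of the rule ordering described in posts 4 and 5, added here as an example (not code from the thread and not ISA Server's API). It assumes that the first rule matching the account decides the request and that a request blocked by that rule's HTTP filter is denied rather than passed to a later rule; the account names, group memberships, and extension check are constructed stand-ins.

```python
from dataclasses import dataclass, field

# Constructed accounts and group memberships (not taken from the thread).
GROUPS = {
    "alice": {"Authenticated Users"},
    "bob-admin": {"Authenticated Users", "Admin Users"},
    "PC01$": {"Authenticated Users", "Domain Computers"},  # machine account
}
# Stand-in for the 'block executables' HTTP filtering option (extension only).
BLOCKED_EXTENSIONS = (".exe", ".com")


@dataclass
class AccessRule:
    name: str
    applies_to: set                                  # groups the rule applies to
    exceptions: set = field(default_factory=set)     # groups excluded from it
    block_executables: bool = False                  # per-rule HTTP filter

    def matches(self, account):
        groups = GROUPS[account]
        return bool(groups & self.applies_to) and not (groups & self.exceptions)


def evaluate(rules, account, url):
    """Walk the rules top to bottom; the first matching rule decides."""
    for rule in rules:
        if not rule.matches(account):
            continue  # excluded or not in scope: fall through to the next rule
        if rule.block_executables and url.lower().endswith(BLOCKED_EXTENSIONS):
            return ("deny", rule.name)   # assumed: filter block is final
        return ("allow", rule.name)
    return ("deny", "default")           # nothing matched


def policy(exempt_groups):
    """Two-rule layout from post 4; exempt_groups bypass the filtered rule."""
    exempt = set(exempt_groups)
    return [
        AccessRule("HTTP filtered", {"Authenticated Users"}, exempt, True),
        AccessRule("HTTP unfiltered", exempt),
    ]


if __name__ == "__main__":
    for exempt in ({"Admin Users"}, {"Admin Users", "Domain Computers"}):
        for account in GROUPS:
            print(sorted(exempt), account,
                  evaluate(policy(exempt), account, "http://example.com/a.exe"))
```

In this model, adding Domain Computers to the exempt set lets every machine account download executables through the unfiltered rule, not only Windows Update traffic.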
