CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello, we have users and external supporters that are working via VPN with a SecureClient. The users are no problem, they have only user permissions, but the external supporters normally have admin rights on their workstations. I can set up an installation package where the topology is encrypted and where the option to disable the security policy is disabled, but since they are administrators they can change these settings by editing the userc.C file, since only the topology is encrypted, not the options. Is there a possibility to be sure that even admins do not have this possibility? The option to automatically update the policy does not make sense since this update will only occur once an hour, so it is only annoying ... If there is no possibility, will there be one in R70 with Endpoint Security? Regards, Marco
I think even in the R71 Endpoint Security client, one can edit userc.C. Aside from just the "I don't want people editing this file" reason, what is the real reason you don't want people messing with this file? What are they editing in this file that you don't want them to edit?
If the user has local admin rights, he basically owns the system. Even if you could somehow "protect" the userc.C, they could simply uncheck SecureClient in the network settings to bypass the policy, disable the services or simply uninstall the software et cetera. So all you can do is some "security by obscurity" - which I do not recommend. If the external people are not meant to disable the policy, then rather solve this by an agreement they sign than by trying to lock down something you can't.
The client itself does an integrity check on the userc.C file, which will catch some mods. The userc.C will also be updated every time a site update is done, and this is admin-configurable. There are still some elements that can't be controlled, unfortunately. The next version of Endpoint Security will move to Endpoint Connect as the VPN client. It uses a different connection profile method (as well as a bunch of other things, occasionally for better but mostly for worse) and AFAIK it's not user-editable in the same way.
Hi again, the external users own their system, but I have to give them access to my LAN and I want to control which traffic is allowed and which is not. So I want these external users to have the security policy enabled and want to prevent them from disabling it. I can do that, but a user with admin rights can manipulate the userc.C and can then work for about 1 hour without an active security policy until the policy gets pushed again. This is an annoying workaround, but no real solution (in my opinion). So this is why I am searching for a solution for this, but AFAIK there is none ... Right? Marco
...as well as the whole VPN process.... be aware of this product's limitations before going there. It is NOT a like-for-like product to SecuRemote/SecureClient.
Didn't mean to imply that it was the same. It offers a lot more functionality and it operates differently than SecuRemote does, so you definitely need to test it before you deploy.
I respectfully disagree about it offering a lot more functionality. It is missing MEP, concurrent multi-site connections, SDL and a bunch more things that SR/SC had for years. I honestly believe that CP doesn't appreciate how good a product it is/was, and being blunt, the replacement product isn't in its league.
Controlling their access to the Internet and their home network while they are connected with your VPN client does require a client-side policy. I treat external SecureClient users (vendors, contractors, suppliers, etc.) with the same level of access control that I treat those that connect via Internet VPNs. They get access rules in my firewall that control which internal resources they can reach.
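The post above makes the point that the only control a local admin cannot switch off is the one enforced on the gateway: access rules in the firewall that decide which internal resources a remote-access user can reach, regardless of what the client's userc.C or desktop policy currently says. The script below is an added illustration of that approach and is not code from this thread or from Check Point; it models a first-match rule base evaluated at the gateway. The office-mode address pools, group names, hosts and rules are constructed for the example.

```python
"""Gateway-side access control for remote-access VPN users.

Added example (not code from the CPUG thread or from Check Point): a
first-match rule base evaluated on the gateway, so what an external
supporter can reach does not depend on the state of the client-side
policy. All networks, groups and rules below are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Office-mode address pools handed out to VPN users (constructed values).
GROUPS = {
    "vpn_employees":  [ip_network("10.200.1.0/24")],
    "vpn_supporters": [ip_network("10.200.2.0/24")],
    "any":            [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str
    dst: str          # CIDR the rule applies to
    ports: frozenset  # TCP ports; empty set means any port
    action: str       # "accept" or "drop"


# Ordered rule base: first match wins; the final cleanup rule drops the rest.
RULEBASE = [
    Rule("supporters_to_jumphost", "vpn_supporters", "10.10.5.10/32",
         frozenset({22, 3389}), "accept"),
    Rule("employees_to_lan", "vpn_employees", "10.10.0.0/16",
         frozenset(), "accept"),
    Rule("cleanup", "any", "0.0.0.0/0", frozenset(), "drop"),
]


def in_group(addr, group):
    """True if the address falls into one of the group's networks."""
    ip = ip_address(addr)
    return any(ip in net for net in GROUPS[group])


def match(rule, src, dst, port):
    """True if the connection matches source group, destination and port."""
    return (in_group(src, rule.src_group)
            and ip_address(dst) in ip_network(rule.dst)
            and (not rule.ports or port in rule.ports))


def evaluate(src, dst, port):
    """Return (action, rule_name) for a connection seen at the gateway."""
    for rule in RULEBASE:
        if match(rule, src, dst, port):
            return rule.action, rule.name
    # Unreachable while a cleanup rule is present, but never fail open.
    return "drop", "implicit_drop"


def audit(connections):
    """Evaluate a batch of (src, dst, port) tuples and return log lines."""
    lines = []
    for src, dst, port in connections:
        action, name = evaluate(src, dst, port)
        lines.append(f"{action.upper():6} {src} -> {dst}:{port} rule={name}")
    return lines


if __name__ == "__main__":
    # Constructed sample connections as the gateway would see them.
    sample = [
        ("10.200.2.15", "10.10.5.10", 3389),  # supporter to jump host: accept
        ("10.200.2.15", "10.10.7.20", 445),   # supporter to file server: drop
        ("10.200.1.7",  "10.10.7.20", 445),   # employee to file server: accept
        ("10.200.2.15", "10.10.5.10", 80),    # wrong port on jump host: drop
    ]
    print("\n".join(audit(sample)))
```

The supporter's second and fourth connections are dropped by the cleanup rule even though nothing on the client was consulted, which is the property the post relies on: editing the client-side configuration changes what the client filters locally, not what the gateway lets through.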