Comments on: Users always want to fight The Man

Question: Users always want to fight The Man

tracert — Fri, 29 Feb 2008 08:30:03 -0800

How do you prevent terminal services users from disabling the Firewall Client for ISA in Server 2003?

This is probably an easy one, but I don't have a lot of time to google around for the answer today. How do I prevent Server 2003 terminal services users from disabling the ISA firewall client? Currently the best solution I can find is to disable the taskbar icon, but for troubleshooting purposes I'd rather just leave that alone. This seems pretty ridiculous, there's got to be a way, right?

By: Climber

Climber — Fri, 29 Feb 2008 10:06:06 -0800

A workaround would be to see if you can hide the icon.

In the common.ini add

[TrayIcon]
TrayIconVisualState=0

It should work for 2004 and 2006.
Granted, I haven't used it in a long time. I have just gone the way of securenat clients. Easier to deal with, but not as much control.

By: purephase

purephase — Fri, 29 Feb 2008 14:22:27 -0800

You can use group policy to restrict their access to the services MMC and the task manager, I believe there is an option in the client install to not display in the system tray as well.

Granted, you could still kill the service through the command line, so use group policy to disable that. Also, if you're simply preventing browsing to certain sites then they can easily workaround the proxy by removing it in IE so use group policy to restrict the ability to manage IE settings.

So, easy answer. Learn about group policy.

By: tracert

tracert — Fri, 29 Feb 2008 17:01:18 -0800

They are locked down pretty hard, actually, with all that and then about 200 or so more things. I wrote the GPO myself. Browsing is fine, but I want ISA server to log applications traffic too. Without the firewall client, it just logs a bunch of anonymous SecureNAT connections coming from the terminal servers, when we would actually like to know which user is doing what with which app (and when! Metrics are fun).

The problem is that the icon is visible in the system tray for all users that run the FWC, and you can click on it and disable it regardless of privileges. It's not horrible if they disable it because they obviously can't change gateway settings or routes, but people will probably click it thinking that's what it will do anyway. I would like the icon to be visible, but for the users not to be able to change settings. This seems to be not very easily done, though, unless I'm missing a setting somewhere (which I think I probably am).

By: tracert

tracert — Mon, 03 Mar 2008 08:59:30 -0800

Quick and dirty solution: I used software restriction policy to prevent non admin users from running the management tool (FwcMgmt.exe). Admin users can still run it to troubleshoot, and everyone else doesn't know it's there.