Users always want to fight The Man
February 29, 2008 8:30 AM

How do you prevent terminal services users from disabling the Firewall Client for ISA in Server 2003?

This is probably an easy one, but I don't have a lot of time to google around for the answer today. How do I prevent Server 2003 terminal services users from disabling the ISA firewall client? Currently the best solution I can find is to disable the taskbar icon, but for troubleshooting purposes I'd rather just leave that alone. This seems pretty ridiculous; there's got to be a way, right?
posted by tracert to Computers & Internet (4 answers total)
 
A workaround would be to see if you can hide the icon.

In the common.ini add

[TrayIcon]
TrayIconVisualState=0

It should work for 2004 and 2006.
Granted, I haven't used it in a long time. I have just gone the way of SecureNAT clients. Easier to deal with, but not as much control.
posted by Climber at 10:06 AM on February 29, 2008


You can use group policy to restrict their access to the Services MMC and Task Manager; I believe there is an option in the client install to not display in the system tray as well.

Granted, you could still kill the service through the command line, so use group policy to disable that. Also, if you're simply preventing browsing to certain sites, then they can easily work around the proxy by removing it in IE, so use group policy to restrict the ability to manage IE settings.

So, easy answer. Learn about group policy.
posted by purephase at 2:22 PM on February 29, 2008


Response by poster: They are locked down pretty hard, actually, with all that and then about 200 or so more things. I wrote the GPO myself. Browsing is fine, but I want ISA Server to log application traffic too. Without the Firewall Client, it just logs a bunch of anonymous SecureNAT connections coming from the terminal servers, when we would actually like to know which user is doing what with which app (and when! Metrics are fun).

The problem is that the icon is visible in the system tray for all users that run the FWC, and you can click on it and disable it regardless of privileges. It's not horrible if they disable it because they obviously can't change gateway settings or routes, but people will probably click it thinking that's what it will do anyway. I would like the icon to be visible, but for the users not to be able to change settings. This seems to be not very easily done, though, unless I'm missing a setting somewhere (which I think I probably am).
posted by tracert at 5:01 PM on February 29, 2008


Response by poster: Quick and dirty solution: I used software restriction policy to prevent non admin users from running the management tool (FwcMgmt.exe). Admin users can still run it to troubleshoot, and everyone else doesn't know it's there.
posted by tracert at 8:59 AM on March 3, 2008
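The software restriction policy the poster settled on, written out as an added example (this is not code from the thread or from Microsoft). It creates the same thing the SRP editor in gpedit.msc / secpol.msc creates when you add a "Disallowed" path rule for FwcMgmt.exe and set Enforcement to "All users except local administrators": it writes the registry values under the Safer\CodeIdentifiers key that the policy engine reads. The Firewall Client install folder is an assumption; check the real path on the terminal server before running it, and run it elevated.

```powershell
# Added example, not code from the thread. Writes a Software Restriction Policy
# path rule that disallows FwcMgmt.exe for everyone except local administrators.
# ASSUMPTION: default install folder of the ISA Firewall Client; adjust to match.
$FwcMgmtPath = '%ProgramFiles%\Microsoft Firewall Client 2004\FwcMgmt.exe'

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 0x40000  # SRP security level "Unrestricted"

# Root SRP settings. Only set these if no domain GPO already manages SRP on this
# box; a GPO would overwrite them at the next refresh, in which case put the rule
# in the GPO instead.
if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
# Keep the default at Unrestricted so only the explicit rule below is blocked.
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value $Unrestricted
# 1 = check executables but not DLLs; 2 = check libraries as well (slower logons).
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1
# 1 = "All users except local administrators"; 0 = all users. This is what keeps
# the management tool usable for admins who need to troubleshoot.
Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 1

# A path rule lives under <level>\Paths\{GUID}; ItemData holds the path as REG_EXPAND_SZ
# so %ProgramFiles% is expanded at evaluation time.
$RuleKey = Join-Path $Safer ("$Disallowed\Paths\" + [guid]::NewGuid().ToString('B'))
New-Item -Path $RuleKey -Force | Out-Null
Set-ItemProperty -Path $RuleKey -Name ItemData     -Type ExpandString -Value $FwcMgmtPath
Set-ItemProperty -Path $RuleKey -Name SaferFlags   -Type DWord        -Value 0
Set-ItemProperty -Path $RuleKey -Name Description  -Type String `
    -Value 'Block ISA Firewall Client management UI (FwcMgmt.exe) for non-admins'
Set-ItemProperty -Path $RuleKey -Name LastModified -Type QWord `
    -Value ([datetime]::UtcNow.ToFileTimeUtc())

# Show what was written so it can be compared with the SRP editor's view.
Get-ItemProperty -Path $RuleKey | Select-Object ItemData, SaferFlags, Description
```

To check it, log off and back on as a plain terminal services user and start FwcMgmt.exe: it should fail with the usual "This program is blocked by group policy" message, while an account in the local Administrators group still runs it. Two caveats a practitioner will want. First, a path rule only protects that path; a user who can copy FwcMgmt.exe somewhere writable can run the copy, so if the goal ever shifts from "stop people clicking the tray icon" to "stop a determined user", add a hash rule for the binary (SRP supports those too) or rely on the existing restrictions on writable locations. Second, the rule hides the management UI, not the client itself: the FWC service keeps running and ISA keeps getting per-user application logging, which is exactly the outcome the poster was after.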

