https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974045#M79870 <HTML><HEAD></HEAD><BODY><P>I guess you should determine why you are doing this before you choose a what and how.</P><P></P><P>If you simply want to disable a system to protect other systems, the network quarantine feature should work.</P><P></P><P>If you want to make it so a system that triggers certain rules should be disabled so that no changes can be made to it, there are ways to do that too.</P><P></P><P>You would still be able to return system to a functioning state from the MC without reimaging it.</P><P></P><P>CSA needs the system functioning in order to be effective at enforcing rules.</P><P></P><P>Booting into safe mode will bypass CSA but there are ways to disable that as well.</P><P></P><P>Tom</P></BODY></HTML> Thu, 05 Jun 2008 17:25:55 GMT tsteger1 2008-06-05T17:25:55Z https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974042#M79867 <P>I have to create a Poison Pill where CSA can essentially disable a system to the point that it is unusable and not recoverable. </P><P></P><P>I know there are several rules that can possibly do this by themselves, but I was wondering what would be the most effective where the system would have to be re-imaged in order to make it useable again. </P><P></P><P>I am running V5.0.0.229 agent on XP images. </P><P></P><P>I was thinking of not allowing services.exe to run anything.</P><P></P><P>What would you recommend? </P><P></P><P>Thank you, </P><P></P> Sun, 10 Mar 2019 11:08:05 GMT https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974042#M79867 dkthomas 2019-03-10T11:08:05Z https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974043#M79868 <HTML><HEAD></HEAD><BODY><P>There may be a way to do this with less drastic measures but first, a couple of questions:</P><P></P><P>How would CSA enforce security if CSA was unable to run?</P><P></P><P>Do you prevent booting into safe mode?</P><P></P><P>Tom</P></BODY></HTML> Tue, 03 Jun 2008 16:57:51 GMT https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974043#M79868 tsteger1 2008-06-03T16:57:51Z https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974044#M79869 <HTML><HEAD></HEAD><BODY><P>Well... that is a good question... </P><P></P><P>I was about to try that on a laptop just to see what happens... But as you pointed out, if the service can't start CSA... then CSA couldn't apply the rules...</P><P></P><P>But then again... would the system start CSA but stop everything else from starting after CSA started once the rules are applied? </P><P></P><P>Anyway, the answer to your second question: Booting into safe mode has not been disabled.</P><P></P><P>Which brings me back to my question: What would be the most effect method to disable a system? </P><P></P><P>Or is booting into SafeMode allows the bypassing all of the CSA rules?</P><P></P><P></P><P></P></BODY></HTML> Wed, 04 Jun 2008 22:03:29 GMT https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974044#M79869 dkthomas 2008-06-04T22:03:29Z https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974045#M79870 <HTML><HEAD></HEAD><BODY><P>I guess you should determine why you are doing this before you choose a what and how.</P><P></P><P>If you simply want to disable a system to protect other systems, the network quarantine feature should work.</P><P></P><P>If you want to make it so a system that triggers certain rules should be disabled so that no changes can be made to it, there are ways to do that too.</P><P></P><P>You would still be able to return system to a functioning state from the MC without reimaging it.</P><P></P><P>CSA needs the system functioning in order to be effective at enforcing rules.</P><P></P><P>Booting into safe mode will bypass CSA but there are ways to disable that as well.</P><P></P><P>Tom</P></BODY></HTML> Thu, 05 Jun 2008 17:25:55 GMT https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974045#M79870 tsteger1 2008-06-05T17:25:55Z https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974046#M79871 <HTML><HEAD></HEAD><BODY><P>Hi Dk,</P><P></P><P>Create a group that doesn't let any communication. CSA has a firewall built in.</P><P>Have the group priority deny any connection. Also play with the priority terminate.</P><P></P><P>What is the reason for this group ?</P></BODY></HTML> Thu, 26 Jun 2008 18:51:06 GMT https://community.cisco.com/t5/network-security/csa-poison-pill/m-p/974046#M79871 TradeSecrets 2008-06-26T18:51:06Z