Rule to access documents on a server

firestartest (Level 1)

Hi

How would I create a rule that allows Internet Explorer to retrieve .xls and .doc files from an internal intranet site and still block it from retrieving files from any other server?

At the moment CSA keeps popping up asking do you want to allow this?

"The process 'C:\Program Files\Internet Explorer\iexplore.exe' (as user XXX\admin) tried to open/create the file 'C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\WTRRRTQZ\CompanyExpensesForm[1].xls' and the user was queried. The user responded by choosing 'Yes to All'. "

This is rule 321

Thanks for any help


8 Replies

tsteger1 (Level 8)

You could create a Dynamic Access Control rule that allowed the browser to download documents from internal websites defined by IP address (hard but flexible). Or you could create a file access control rule that allows iexplore.exe to open all those files by name (easier but less flexible). Of course you'd have to create a fileset with all the file names in it and keep it up to date.

Thanks for that

I created an APP CLASS called "Allow browser to intranet". Dynamically defined by rules, removed after 10 secs, only this process.

Created a network access control rule. Added to APP CLASS "Allow browser to intranet", WHEN IEXPLORE.EXE acts as a CLIENT using $HTTP $FTP, communicating to INTRANET_SERVER_IP_ADDRESS using @LOCAL

Created a file access control to ALLOW and LOG when CLASS "Allow browser to intranet" attempts to READ and WRITE any **\*.xls

So when I test the rules, the client can access all XLS files from the one intranet server located on a different subnet. Log is created on VMS server.

However, when I try and download XLS files from any Internet site some sites allow me to open the XLS files and others are stopped by CSA.

I clear internet temp files and all offline files, then clear CSA cached responses before testing each web site.

Example: if I try and download any .xls files from http://www.european-patent-office.org/inpadoc/statistics_dwld.htm CSA stops me like it should do, well it prompts me with rule 321 but default is NO. A log is made.

If I try another random site, http://psycweb.unl.edu/psylaw/information/Non-Travel%20Expense.htm and download the .xls file, CSA lets me do it without any prompt. No log is made.

Also if I run a local webserver sharing some .xls files on a PC that sits on the same network as my CLIENT, CSA lets me download the xls file. No log is made.

Is there some detection in the type of webserver you access? Or is there something more fundamental that I have missed out?

Any help would be appreciated.

Do you have a corresponding deny rule for those file types in the same policy (I don't know what your rule 321 is)? I was able to download files from our Intranet but not from those two sites.

You could also try creating a rule that logs all HTTP activity for that host to those two sites and see what it uncovers.

You may also try isolating the rules in their own policy and testing that way. It could keep any other rules from interfering.

I removed all policy modules except for the new one. Tested that by accessing local intranet, works OK. Tested any other site, still works (but it would because there are no rules denying).

I added the MS Office Module back in and then tested again.

It seems the rule 321 is a File Access Control rule that queries the user if a process wants to write to MS Office files.

What I don't understand is why this would be picky about some sites and not bother about others.

What would be the best method to implement a Deny rule so it only denies a user from downloading XLS and DOC files from the Internet? If I create a reverse version of my current Dynamic rule, will this just override the allow to Intranet and deny all?

Thanks for your help.

Don't know about the pickiness issue but it appears that the Office module rule 321 is allowing the downloads.

If you have the DAC working, you could add it to the Office module and change the rule 321 file access control to deny.

That would serve as the corresponding deny rule I mentioned earlier. It seems as though the Office module rule 321 supersedes your DAC and allows the downloads.

Thanks again for the help!

You are quite welcome, glad I could help.

I have been doing some testing with this setup today. It seems to me that the dynamic application class doesn't always clear out after the 10 second threshold or whatever time you set on it.

After you are allowed to freely download the xls from the machine you aren't supposed to, try another xls from the same site; it will then act as it is supposed to.

Another problem with this seems to be that if you go to the intranet page you set up for and download files like mad, after the fifth or sixth you will trigger your 321 rule. This again has to be a timing issue; it would make sense that after your threshold has been reset it would take an additional HTTP request to re-add the process to the application class.
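As an added illustration (not code from Cisco or from anyone in this thread), a small Python model of the rule interplay the thread describes: the process joins the dynamic class on an intranet connection, membership lapses after 10 seconds, and whatever rule 321 is set to (query or, per the accepted answer, deny) decides the outcome for Office files outside the class. The intranet IP, the file paths and the evaluation order are assumptions of the model.

```python
# Toy model of the CSA policy described in this thread (not Cisco code).
# Shows two effects: rule 321's verdict deciding what happens to Office
# files outside the dynamic class, and the 10-second class TTL expiring
# between the intranet HTTP request and a later file write.
from dataclasses import dataclass, field

CLASS_TTL = 10.0             # "removed after 10 secs"
INTRANET_IP = "10.0.0.5"     # constructed stand-in for INTRANET_SERVER_IP_ADDRESS
OFFICE_EXTS = (".xls", ".doc")
IE = "iexplore.exe"


@dataclass
class Agent:
    rule321: str = "query"                       # "query" (default) or "deny"
    members: dict = field(default_factory=dict)  # process -> time added to class
    log: list = field(default_factory=list)      # entries from the ALLOW+LOG rule

    def in_class(self, proc: str, now: float) -> bool:
        added = self.members.get(proc)
        return added is not None and now - added < CLASS_TTL

    def on_connect(self, proc: str, dst_ip: str, now: float) -> None:
        # Network access control rule: talking to the intranet server adds
        # the process to "Allow browser to intranet" for CLASS_TTL seconds.
        if dst_ip == INTRANET_IP:
            self.members[proc] = now

    def on_file_write(self, proc: str, path: str, now: float) -> str:
        # Assumed precedence: the class-scoped allow rule is checked before
        # the Office module's rule 321; non-Office files are not covered.
        if not path.lower().endswith(OFFICE_EXTS):
            return "allow"
        if self.in_class(proc, now):
            self.log.append(f"{now:.0f}s allow {proc} {path}")
            return "allow"
        return self.rule321


def scenario(rule321: str) -> list:
    """Constructed timeline: intranet download, stale class, Internet download."""
    a = Agent(rule321=rule321)
    a.on_connect(IE, INTRANET_IP, now=0)
    v = [a.on_file_write(IE, r"C:\Temp\CompanyExpensesForm[1].xls", now=1)]
    v.append(a.on_file_write(IE, r"C:\Temp\Form2.xls", now=12))  # TTL lapsed, no new request
    a.on_connect(IE, "203.0.113.9", now=13)                     # some Internet site
    v.append(a.on_file_write(IE, r"C:\Temp\statistics.xls", now=14))
    return v
```

With rule 321 left at "query" the second and third writes prompt the user; with it set to "deny" they are blocked while the in-class intranet download still succeeds.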
