cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
919
Views
5
Helpful
10
Replies

Suspend security on UI

teperjesi
Level 1
Level 1

Hi,

I can't suspend security (I'm administrator) on my computer via UI, however my rules for that (24) are applied for my group!

It doesn't recognize me as an administrator and terminate the action immediatelly(As is in the rule 25 defined).

Any idea?

Thx

10 Replies 10

tsteger1
Level 8
Level 8

Some questions:

Do you have another High Priority Deny rule that's preventing it?

Are you in test mode?

What version are you running?

Remember that your rule 24 and 25 may not be someone elses.

Tom S

Hi Tom

1. How can I chek, if there any High Priority Deny Rule overt these.

My CSA MC tells me the following:

An attempt was made to suspend agent security. This was denied.Details Rule 25

2. My kit is runnig in active mode, not in test mode.

3. 4.0.3.736

What does it mean "may not be someone elses"

Last question first.

Your rule 25 may not correspond with another CSAMC's rule 25. It might be better to describe the rule itself such as Agent Service Control rule with High Priority Deny.

Now the first question,

Check and see if both rules apply to the host in question. Look at the host details and scroll down to look at all the rules that apply to the host.

If there is a rule that is a high priority deny for all users to suspend the agent, it will supercede any allow rules (rule 24?) that allow a host to suspend security from the UI. If that's the case, you could try changing the deny rule from High Priority Deny to Deny or Query User (Default Deny) and see if that fixes it.

Hope this helps...

Tom

mattcooling
Level 1
Level 1

Hi,

Are you able to stop the 'Cisco Security Agent' service from Services? I had a similar problem, but it worked fine from Services.

Regards,

Matt

Hi,

first of all, thanks the clarification.

The answers:

I can stop the Agent Service, but my users want to use the Suspend Security feature too. :(

I have only one High Deny RUle for the agent, but I think, it doesnt stop these feature (I tried it)

I copy here the rule explanation for my computer:

Control agent service

The user is explicitly forbidden to modify agent configuration, irrespective of any other rules. Applications other than Virus scanner applications will be logged when trying to modify agent configuration.

An event will be logged when the rule is triggered. 26

The user is allowed to stop the agent service, if permitted by the end user and not prohibited by a high priority deny rule. Applications will be logged when trying to modify agent configuration.

An event will be logged when the rule is triggered. 24

The user is denied to suspend security from agent UI, in the absence of an allow rule. Applications will be logged when trying to modify agent configuration.

An event will be logged when the rule is triggered. 25

As I can see, it have to work!

???

Hi,

The default setting for CSA is to allow the service to be stopped, but NOT allow the security to be suspended (which appears to be the case here).

What you need to do is add an 'Agent Service Control' rule which is set to 'allow', when 'any user attempts to suspend security from agent UI'.

Generate & poll, then it should work as required.

Let me know if not

Cheers,

Matt

Oh man!

You're right!

It was the missundestood between the service stop and the suspend security feature.

I guess I can't configure my CSA, the admisitrators can suspend, but noone else! Maybe in 4.5?

Thanks!

Unless I've misunderstood it, any user can 'suspend security' if the setting is in place; the 'stop service' setting is the one that depends if you are an administrator or not.

HTH

Matt

Like Matt said:

Any user can suspend the agent from the UI if you have a rule that allows it (by default it is denied).

Any Administrator can stop the agent service (net stop csagent) if the rule allows it.

This can be done in this version....

Hi,

Are we talking about CSA 5.0 ?

This is for me clear:

"Any user can suspend the agent from the UI if you have a rule that allows it (by default it is denied). "

But untill now All local Administrators are able to start and stop the CSAgent Service - even if i try to configure something else.

Greetings

Jarle

Review Cisco Networking for a $25 gift card