04-26-2018 07:10 PM
Hi,
Since AnyConnect ISE posture is the agent for the compliance check, it is important that the process/service of this posture module cannot be killed/stopped by users. I know we may rely on AD user permissions so that normal AD users do not have enough permission to do that. But besides that, is there a way to do it through the settings of AnyConnect itself, without relying on AD permissions?
I found the possible solution of Windows lockdown below. But it does not explicitly mention whether the ISE posture module supports lockdown.
1. Has anyone done this before? If we are able to use the Windows lockdown setting for the ISE posture module, could anyone provide details of how to do that (probably a Microsoft guide)?
2. What is the Cisco recommended solution for this requirement?
Setting Windows Lockdown: Cisco recommends that end users be given limited rights to the Cisco AnyConnect Secure Mobility Client on their device. If an end user warrants additional rights, installers can provide a lockdown capability that prevents users and local administrators from switching off or stopping the AnyConnect services. You can also stop the services from the command prompt with the service password.
The MSI installers for VPN, Network Access Manager, Web Security, Network Visibility Module, and Umbrella Roaming Security Module support a common property (LOCKDOWN). When LOCKDOWN is set to a non-zero value, Windows service(s) associated with that installer cannot be controlled by users or local administrators on the endpoint device. We recommend using the sample transform that we provide to set this property, and apply the transform to each MSI installer that you want to have locked down. You can download the sample transforms from the Cisco AnyConnect Secure Mobility Client software download page.
Many thanks in advance.
05-05-2018 01:12 AM
Moved to Anyconnect.
Windows Pre-Deployment Security Options from the AnyConnect 4.6 Administrator Guide says,
...
Windows Lockdown Property
Each MSI installer supports a common property (LOCKDOWN) which, when set to a non-zero value, prevents the Windows service(s) associated with that installer from being controlled by users or local administrators on the endpoint device. We recommend that you use the sample transform (anyconnect-vpn-transforms-X.X.xxxxx.zip) provided at the time of install to set this property and apply the transform to each MSI installer that you want to have locked down. The lockdown option is also a check box within the ISO Install Utility.
...
So, it does not appear specific to other modules only.
pcarco and I discussed this and it appears to us that most deployments require the ISE posture module to assess and report compliance status before granting full access, so stopping the service does not benefit the users much, other than for the continual checks, such as preventing access to USB mass storage.
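As an added illustration of the LOCKDOWN property discussed in the thread (this is not Cisco's code and not part of either post), the PowerShell below shows the two standard ways of setting an MSI public property at install time, then checks the resulting Windows service DACL so an administrator can verify that non-administrative users were not left with stop or reconfigure rights. The MSI and transform paths are placeholders, and the service name is assumed: `vpnagent` is the AnyConnect VPN agent service; substitute the posture module's service name for your build. `sc.exe sdshow` and the SDDL rights letters it returns (RP = start, WP = stop, DC = change config) are standard Windows.

```powershell
# Added example, not from the thread or from Cisco. Paths below are placeholders.
$Msi       = 'C:\Deploy\anyconnect-module-PLACEHOLDER.msi'   # placeholder
$Transform = 'C:\Deploy\lockdown-transform-PLACEHOLDER.mst'   # placeholder (Cisco sample .mst)
$Service   = 'vpnagent'   # assumed: AnyConnect VPN agent; use the posture module's service name

# Option 1: pass the public property directly on the msiexec command line.
Start-Process msiexec.exe -Wait -ArgumentList "/i `"$Msi`" LOCKDOWN=1 /qn /norestart"

# Option 2 (equivalent intent): apply the vendor's sample transform instead.
# Start-Process msiexec.exe -Wait -ArgumentList "/i `"$Msi`" TRANSFORMS=`"$Transform`" /qn /norestart"

function Get-ServiceControlRights {
    <#
      Parses the service security descriptor (SDDL) and reports which trustees
      hold start (RP), stop (WP) or change-config (DC) rights. Generic GA also
      implies all of them. Trustee aliases that represent ordinary users:
      IU = interactive, BU = built-in Users, AU = authenticated, WD = everyone.
    #>
    param([Parameter(Mandatory)][string]$Name)

    $sddl = ((sc.exe sdshow $Name) -join '').Trim()
    if ($LASTEXITCODE -ne 0 -or -not $sddl) { throw "sc sdshow failed for '$Name'" }

    # ACE format: (ace_type;flags;rights;object;inherited_object;trustee)
    $aces = [regex]::Matches($sddl, '\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')
    foreach ($m in $aces) {
        $type    = $m.Groups[1].Value
        $rights  = $m.Groups[2].Value
        $trustee = $m.Groups[3].Value
        [pscustomobject]@{
            Service  = $Name
            Type     = if ($type -eq 'A') { 'Allow' } else { 'Deny' }
            Trustee  = $trustee
            CanStart = ($rights -match 'RP' -or $rights -match 'GA')
            CanStop  = ($rights -match 'WP' -or $rights -match 'GA')
            CanCfg   = ($rights -match 'DC' -or $rights -match 'GA')
        }
    }
}

function Test-ServiceLockedDown {
    # True when no Allow ACE grants stop or change-config to an ordinary-user trustee.
    param([Parameter(Mandatory)][string]$Name)
    $userAliases = 'IU', 'BU', 'AU', 'WD'
    $weak = Get-ServiceControlRights -Name $Name |
        Where-Object { $_.Type -eq 'Allow' -and $userAliases -contains $_.Trustee -and ($_.CanStop -or $_.CanCfg) }
    return -not $weak
}

Get-ServiceControlRights -Name $Service | Format-Table -AutoSize
if (Test-ServiceLockedDown -Name $Service) {
    "OK: ordinary users cannot stop or reconfigure '$Service'"
} else {
    "WARNING: ordinary users can stop or reconfigure '$Service'; LOCKDOWN did not take effect"
}
```

The check reads only what the installer actually wrote into the service's security descriptor, so it is the same test whether the property came from the command line, a transform, or the install utility's lockdown check box. Note that the DACL check covers the Service Control Manager path only; the thread's point that a user with local admin rights may still find other ways to interfere is why Cisco's guidance pairs lockdown with limited end-user rights.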