1217
Views
5
Helpful
2
Replies

"prevent users with limited rights from terminating the GUI." ?

ilan.drory1
Level 1

Dear Team

In your guide here:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.html#73771

You mention that to secure the Always-On VPN it's advised to restrict the users from closing the VPN UI GUI:

"Predeploy a group policy object (GPO) for Windows users to prevent users with limited rights from terminating the GUI. Predeploy equivalent measures for Mac OS users."

Can you please advise how? I don't think it's possible, and especially not with GPO. GPO can control system services, so that could work for the Cisco service, but not for VPNUI.exe, which is not a service.

For example, can you set Word to open on startup but prevent users from closing it?

Please advise if you know how this can be achieved.

Kind Regards

Ilan

2 Replies 2

pjain2
Cisco Employee
  • Restrict administrator rights so that users cannot terminate processes. A PC user with admin rights can bypass an always-on VPN policy by stopping the agent. If you want to ensure fully-secure always-on VPN, you must deny local admin rights to users.
  • Restrict access to the following folders or the Cisco sub-folders on Windows computers:

For Windows XP users: C:\Document and Settings\All Users

For Windows Vista and Windows 7 users: C:\ProgramData

Users with limited or standard privileges may sometimes have write access to their program data folders. They could use this access to delete the AnyConnect profile file and thereby circumvent the always-on feature.

  • Predeploy a group policy object (GPO) for Windows users to prevent users with limited rights from terminating the GUI. Predeploy equivalent measures for Mac OS users.

You just need to restrict the admin privileges for the users using GPO.
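
An added example, not part of the thread or of Cisco's guide: a PowerShell audit for the folder restriction in the list above, reporting every non-administrative principal that can write to or delete items under the profile folder. The default `C:\ProgramData\Cisco` is an assumed location for the "Cisco sub-folders" the guide mentions; pass `-Path` for your deployment.

```powershell
# Added example (not Cisco's code). $Path is an assumption: point it at the
# Cisco sub-folder under C:\ProgramData that holds the AnyConnect profile.
param([string]$Path = 'C:\ProgramData\Cisco')

# Principals expected to hold write access, by SID so the check is locale-independent:
# SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow deleting or replacing a profile file, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# The folder itself plus everything beneath it, hidden items included.
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to this object; the children are checked in turn.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        $sid = $rule.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }

        # Resolve the SID to a name for the report; keep the SID if it cannot be resolved.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
```

An empty result means only SYSTEM, Administrators and TrustedInstaller hold write or delete rights on the tree; any row naming Users, Authenticated Users or Everyone is the write access the guide warns about.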

Hi,

Even a restricted user without admin rights can terminate the Cisco GUI by right-clicking the icon in the taskbar and choosing "Quit". What GPO can prevent that? This is not the Cisco service, it's VPNUI.exe. Please advise how.