
SEP 12 - Restrict external web browsing if Win7 SP1 is not installed?

Created: 22 Jul 2013 • Updated: 22 Jul 2013 | 5 comments
This issue has been solved. See solution.

Hello all,

I'm trying to find a way to have SEP 12 block all external web browsing if the client OS is not up to Windows 7 w/SP1.

I've looked at ADC, NAC and various firewall options, but nothing is clicking for me.

I've thought of two options using NAC or the firewall:

1) Clear the proxy server on the client (NAC)

2) Block port 80, etc...(Firewall)

But don't know how to query the OS in a firewall rule.

Anyone have any suggestions on how any of this might be accomplished?

Thanks,

-Mike



.Brian:

This could prove challenging with SEP.

For NAC, you can choose the OS and minimum SP they need to be on; otherwise there are a few remediation options if they're not. Blocking browsing isn't one of them.

I've never seen an option to do this using the firewall as well.

You could do some sort of location awareness policy using the registry key type to check for the existence of a reg key, key name, or value, and if it doesn't exist then apply a different FW policy where 80, 443 (whatever port you browse out on) are blocked.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
iamadmin:

Thanks for the reply, Brian... yeah, I thought this might be a toughie.

I really like your suggestion of creating a new location based on a registry key, I think that could work.

If I query: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber

And then throw in rules for all versions of the OS that should be restricted, then yes... a custom firewall policy should do it. I'll have to play a bit and see if it does what I expect.

Thanks for the creative suggestion!!

-Mike
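The check the two posts above sketch (Brian's registry-based location condition, Mike's choice of `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber`) can be prototyped outside SEP before building the location and firewall policy. The script below is an added example written for this page, not code from the thread or from Symantec. It assumes the policy intent stated in the question: any build below 7601 (Windows 7 SP1) gets the restrictive firewall policy. Build numbers for the older releases are Microsoft's published values; the `LEGACY_BUILDS` table and the sample values are constructed for the demo. Note one caveat the thread does not spell out: `CurrentBuildNumber` is a `REG_SZ`, so any condition that compares it as text rather than as a number will misjudge five-digit builds.

```python
"""Prototype of the 'restrict browsing unless the client is at least
Windows 7 SP1' decision, keyed on CurrentBuildNumber.
Added example for this thread; not SEP's own logic."""
import sys

MIN_ALLOWED_BUILD = 7601  # Windows 7 SP1; 7600 is Windows 7 RTM

# Older builds a Windows 7 SP1 shop would expect to see on lagging
# clients. With an exact-match-only condition, each needs its own rule.
LEGACY_BUILDS = {
    "2600": "Windows XP",
    "3790": "Windows Server 2003",
    "6000": "Windows Vista",
    "6001": "Windows Vista SP1 / Server 2008",
    "6002": "Windows Vista SP2 / Server 2008 SP2",
    "7600": "Windows 7 / Server 2008 R2 (no service pack)",
}


def browsing_restricted(build_number):
    """Return True when the build is below Windows 7 SP1.

    CurrentBuildNumber is REG_SZ, so it arrives as text. Compare it as an
    integer: lexically "9600" > "7601", but "10240" < "7601", so a string
    comparison would wrongly restrict Windows 10 clients.
    """
    text = build_number.strip()
    if not text.isdigit():
        # Missing or tampered value: fail closed and restrict.
        return True
    return int(text) < MIN_ALLOWED_BUILD


def lexical_compare_is_wrong(build_number):
    """True when a naive string comparison disagrees with the numeric one."""
    naive = build_number.strip() < str(MIN_ALLOWED_BUILD)
    return naive != browsing_restricted(build_number)


def exact_match_rules():
    """The build strings an exact-match condition set would have to list
    ('rules for all versions of the OS that should be restricted')."""
    return sorted(LEGACY_BUILDS, key=int)


def read_build_number():
    """Read CurrentBuildNumber from the live registry on Windows.
    Returns None on other platforms so the module still imports there."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "CurrentBuildNumber")
        return str(value)


if __name__ == "__main__":
    # Constructed sample values stand in for the registry off Windows.
    samples = ["2600", "6002", "7600", "7601", "9600", "10240", ""]
    live = read_build_number()
    if live is not None:
        samples.append(live)
    for build in samples:
        label = build or "<empty>"
        print(f"{label:>8}: restricted={browsing_restricted(build)} "
              f"lexical_pitfall={lexical_compare_is_wrong(build)}")
    print("exact-match rules needed:", ", ".join(exact_match_rules()))
```

Run it on a few test clients before committing to a location condition: if the SEP condition type you pick can only test for presence or exact equality, the `exact_match_rules()` list is what you would have to enumerate, and any build not on that list (including a future one) would silently fall through to the unrestricted policy.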

.Brian:

I haven't tested it but in theory it should work ;)


iamadmin:

Using NAC to detect the OS, and then blanking the proxy in the registry, is the easiest method I can think of... but sadly not all browsers rely on the registry for proxy settings. Thanks, Firefox.

I'll keep poking at it.

Again, thank you!

-Mike


.Brian:

Lemme know how it goes. It'd be cool to see it in action and whether it does what you need.
