Endpoint Protection

  • 1.  SEP 12 - Restrict external web browsing if Win7 SP1 is not installed?

    Posted Jul 22, 2013 04:23 PM

    Hello all,

    I'm trying to find a way to have SEP 12 block all external web browsing if the client OS is not up to Windows 7 w/SP1.

    I've looked at ADC, NAC and various firewall options, but nothing is clicking for me.

    I've thought of two options using NAC or the firewall:

    1) Clear the proxy server on the client (NAC)

    2) Block port 80, etc...(Firewall)

    But don't know how to query the OS in a firewall rule.

    Anyone have any suggestions on how any of this might be accomplished?

    Thanks,

    -Mike



  • 2.  RE: SEP 12 - Restrict external web browsing if Win7 SP1 is not installed?
    Best Answer

    Posted Jul 22, 2013 04:34 PM

    This could prove challenging with SEP.

    For NAC, you can choose the OS and minimum SP they need to be on; otherwise there are a few remediation options if they're not. Blocking browsing isn't one of them.

    I've never seen an option to do this using the firewall as well.

    You could do some sort of location awareness policy using the registry key type to check for the existence of a reg key, key name, or value, and if it doesn't exist then apply a different fw policy where 80, 443 (whatever port you browse out on) are blocked.



  • 3.  RE: SEP 12 - Restrict external web browsing if Win7 SP1 is not installed?

    Posted Jul 22, 2013 04:56 PM

    Thanks for the reply Brian...yeah, I thought this may be a toughie.

    I really like your suggestion of creating a new location based on a registry key, I think that could work.

    If I query: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber

    And then throw in rules for all versions of the OS that should be restricted, then yes...a custom firewall policy should do it. Have to play a bit and see if it does what I expect.

    Thanks for the creative suggestion!!

    -Mike
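An added example, not code from the thread: it reproduces outside SEP the registry read that the proposed location condition performs, so the list of "restricted" builds can be checked on a client before the blocking firewall policy is assigned. It assumes the baseline is Windows 7 SP1 (build 7601) and that any higher build counts as compliant.

```powershell
# Added example, not from the thread: reads the same value a SEP location
# condition would read and applies the "restrict anything below Win7 SP1" rule.
# Assumption: baseline is Windows 7 SP1 (build 7601); higher builds are compliant.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Builds that should land in the restricted location (one value per rule):
#   2600 = XP, 3790 = Server 2003, 6000/6001/6002 = Vista RTM/SP1/SP2,
#   7600 = Windows 7 RTM (no service pack)
$RestrictedBuilds = 2600, 3790, 6000, 6001, 6002, 7600

function Test-Win7Sp1Baseline {
    param(
        # Defaults read the live registry; pass values to exercise the rule logic.
        [string]$CurrentBuildNumber = (Get-ItemProperty -Path $RegPath).CurrentBuildNumber,
        [string]$CSDVersion         = (Get-ItemProperty -Path $RegPath).CSDVersion
    )
    # CurrentBuildNumber is stored as REG_SZ. Cast before comparing: as strings,
    # '7601' -lt '10240' is $false because the comparison is lexical.
    $build = [int]$CurrentBuildNumber
    $known = $RestrictedBuilds -contains $build
    New-Object PSObject -Property @{
        Build       = $build
        ServicePack = $CSDVersion          # 'Service Pack 1' on 7601, empty on 7600
        Restricted  = ($build -lt 7601)    # what the blocking firewall policy should key on
        ListedRule  = $known               # $true if a location rule already covers this build
    }
}

# Dry run against a Windows 7 RTM value, then against the machine running the script.
Test-Win7Sp1Baseline -CurrentBuildNumber '7600' -CSDVersion ''
Test-Win7Sp1Baseline
```

A result with Restricted = $true but ListedRule = $false points at a build the location rules do not yet cover, which is the gap to close before relying on the policy.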



  • 4.  RE: SEP 12 - Restrict external web browsing if Win7 SP1 is not installed?

    Posted Jul 22, 2013 05:21 PM

    I haven't tested it but in theory it should work ;)


  • 5.  RE: SEP 12 - Restrict external web browsing if Win7 SP1 is not installed?

    Posted Jul 22, 2013 05:57 PM

    Using NAC to detect the OS, and then blanking the proxy in the registry is the easiest method I can think of...but sadly not all browsers rely on the registry for proxy settings. Thanks, Firefox. :(

    I'll keep poking at it. ;)

    Again, thank you!

    -Mike




  • 6.  RE: SEP 12 - Restrict external web browsing if Win7 SP1 is not installed?

    Posted Jul 22, 2013 07:09 PM

    Lemme know how it goes. Be cool to see it in action and if it does what you need.