Endpoint Protection

 View Only
Expand all | Collapse all

SEP 12.1 : normal users cannot disable Firewall

ℬrίαη

ℬrίαηAug 09, 2011 07:17 AM

  • 1.  SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 05, 2011 09:34 AM

    Hi,

    I'm facing an issue after upgrading SEP from 11 to 12.1 : In version 11, normal users (without administrative privileges) were able to disable firewall when configured by the administrator via Client User Interface Control Settings -> Server Control -> Customize

     

    Since 12.1 upgrade, with a similar configuration, only users with adminitrative privileges are able to do it.

    Anyone has any idea about why and how to correct this issue ?

    Thanks a lot

    Cedric



  • 2.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 05, 2011 09:45 AM

    Hi

    Is NTP component installed on the client machines for SEP ?

    IF yes try following

    go to add remove select sep change modify custom > expand NTP >disable firewall by selecting this feature wont be available > next install ,

    reboot the client machine and then check if user are able to make changes to Windows firewall

    If NTP is installed by default it will take presidence over windows firewall

    However this policy can be withdrawn from Management console ,



  • 3.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 05, 2011 10:00 AM

    Hi,

    Thank you for your quick answer, but issue is with the SEP firewall which cannot be disabled and not the windows one. I do want to keep SEP firewall but want users without administrative privileges to be able to temporaly disable SEP firewall to connect when in a hotspot.

    Cedric



  • 4.  RE: SEP 12.1 : normal users cannot disable Firewall

    Trusted Advisor
    Posted Aug 05, 2011 11:08 AM

    Hello,

    In 12.1, Client control gives the users the most control over the client. Client control unlocks the managed settings so that users can configure them.

     

    Client control has the following characteristics:

    • Users can configure or enable firewall rules, firewall settings, application-specific settings, intrusion prevention settings, and client user interface settings.

    • The client ignores the firewall rules that you configure for the client.

    Client control is useful for employees who work in a remote location or a home location.

    In your case, could you check if this is occuring on all machines, or specific machines?

    Could you compare the policies between SEPM and Client, if they are the same and policies are being applied on the client machines?

     



  • 5.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 05, 2011 11:16 AM

    If you do not wish to keep Sep firewall enabled you can create package with out firewall .

    Or you can also withdraw NTP from client > select the group >run command on group >Disable NTP

    Also other optionis

    Select group in right pane go to Policies tab >uncheck inheritance >location specific settings>server contrl >click here> select client or mixed >customise in right pane you would find server and client >by selecting radio button againts the feature you will be able to give permission to user to disable/enable NTP



  • 6.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 08, 2011 04:12 AM

    Hi,

    I've switched to client control, same issue : Administrator can change settings, standard users cannot.

    Policies are well applied (version checked in client GUI vs SEPM GUI)

    This happen on all machines on which SEP 12.1 is installed

    Any idea ?

    Thank you



  • 7.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 08, 2011 05:36 AM

    do a search for the users in SEPM.

    do they come with with green dot on them?



  • 8.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 08, 2011 05:56 AM

    Hi Rafeeq,

    Machines are configured in computer mode, with the green dot on them.



  • 9.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 08, 2011 10:00 AM

    Hi if this is Normal/ restricted user then

    A normal/restricted user not allowed to modify AntiVirus Anti Spyware, Network Threat Protection, Proactive Threat Protection settings is as per designed behavior in Symantec Endpoint Protection

    and

    AV/AS  / PTP /NTP - Change Settings Button is not available on the SEP client, it is greyed off

    again this is by design & only applies to Normal and restricted user



  • 10.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 08, 2011 10:30 AM

    Thank you for your answer.

    Nevertheless, in version 11 it was feasible to allow normal users to temporarly disable the SEP firewall, and only achieve this operation. I can't understand why a so usefull feature has been removed from the product in this version.

    Is there a trick to achieve the same behaviour as before ?



  • 11.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 08, 2011 10:58 AM

    This should still work - normal users should be able to disable the firewall component from the client GUI as they could in SEP11 - they won't be able to disable from the system tray icon though.



  • 12.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 08, 2011 02:53 PM

    Try this:

    Open the SEP client GUI

    Under Network Threat Protection click Options and select Change Settings...

    Uncheck the Enable Firewall setting on the Firewall tab

    Click OK



  • 13.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 09, 2011 04:35 AM

    Thank you Paul. Any idea why it is not working ?

    @Brian81, thank you, but this is the problem : standard users cannot access this part of the GUI

    Cedric



  • 14.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 09, 2011 07:17 AM

    What mode are you in?

     

    Is this checked?



  • 15.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 09, 2011 07:45 AM

    I've tried the 2 different modes without success. The mode we want to use is server mode, with following settings:



  • 16.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 10, 2011 04:25 PM

    Windows 7: (admin user)

    Looks like if you have UAC turned on (default setting), you cannot right-click on the Symantec taskbar icon and disable the FW. Yet, if you open the client like Brian says above, you can disable the FW.

     

    Strange....



  • 17.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Aug 11, 2011 04:20 AM

    Thank you for your advice bjohn. I've tried disabling UAC and get same result : standard users cannot disable SEP FW, nor by tray icon, nor by GUI



  • 18.  RE: SEP 12.1 : normal users cannot disable Firewall
    Best Answer

    Posted Sep 23, 2011 11:37 AM

    Hi Cedric,

    You are correct - this capability should be restored in a future release of SEP 12.1. Here's Symantec's official article on the subject:

    Windows User Accounts without Administrative Privileges Cannot Disable the Firewall in Symantec Endpoint Protection 12.1, Even if "Allow User to enable and disable firewall" is Enabled
    Article: TECH170246
    Article URL http://www.symantec.com/docs/TECH170246  
     

    Please do subscribe to that article, so that when an update is available you will automatically be notified.

    With thanks and best regards,

    Mick



  • 19.  RE: SEP 12.1 : normal users cannot disable Firewall

    Posted Sep 26, 2011 08:00 AM

    Thank you very much for your answer Mick, this is a very good news !

    I hope this will be fixed very soon, because it is blocking our deployment.

    Best Regards