Endpoint Protection

  • 1.  Setup Unmanaged Restricted SEP 12 Client

    Posted Mar 28, 2014 10:31 AM

    I have a business requirement to set up air-gap PCs that have an unmanaged SEP12 client that is severely restricted in its functionality.  Meaning that non-administrator users can only scan USB keys and cannot change any settings.  This was done successfully under Windows XP but now we are migrating to Windows 7 with SEP12.

    Under SEP11 I had set up the firewall rules to ONLY allow LiveUpdate and Windows Update to run.  The LU process was LuComServer_3_3.exe.  I don't know what that process is under SEP12 but I suspect that it is ccSVCHst.exe.  Can someone point me to the right process to allow through the firewall?

    Also, I know that under SEP11 if you set a DENY right to the SMCGUI.exe process for a non-admin account, the user can't make any changes to its configuration.  They can still open SEP11, but all the options to change the firewall settings/disable anti-virus are grayed out and inaccessible.  Is this still possible?

    Below is a complete list of changes to my SEP11 clients to lock them down.  Keep in mind, these machines MUST be set up to be stand alone and can't rely on a management server.


    Client Firewall Settings:

    1. All firewall rules removed
    2. Added Allow LiveUpdate rule
      1. Allow outgoing traffic for all protocols for process C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.exe
    3. Added Allow Windows Update TCP rule
      1. TCP Remote Ports 80,443 and Local Ports 1-65535 for both traffic directions
      2. Processes are: svchost.exe and ntoskrnl.exe
    4. Added same rule for Windows Update but for UDP
    5. Added Block Network Traffic rule
      1. All IP Protocols for both directions

    Client File Permission Settings:

    1. Set DENY MODIFY right to basic user account on C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    Client Registry Settings:

    1. HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate
      1. Modified Schedule key with the following attributes:
        1. Basic user account has ALLOW Query Value, Enumerate Subkeys, Notify
        2. Basic user account has DENY Set Value, Create Subkey, Create Link, Delete, Write DAC, Write Owner


    I'd appreciate any help on finding the actual LU process so it can be allowed through the firewall.  If there's anything in my configuration that's redundant, I'd appreciate knowing that too so I can remove it.  The whole purpose of these machines is to sit unattended and not allow people internet access.
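    The file-permission and registry-permission steps listed above can be scripted rather than clicked through in the Security tab. The following PowerShell is an added example, not code from the original post or from Symantec; it assumes the default SEP 12.1 install path and registry key named in the post, uses the local BUILTIN\Users group to stand in for the "basic user account", and ignores 64-bit (Wow6432Node / Program Files (x86)) path differences. Run it from an elevated prompt; Set-Acl fails if the calling account lacks WRITE_DAC on the object.

```powershell
# Added example (not from the original post): apply the NTFS and registry ACLs
# the lockdown list above describes, then print the resulting ACEs to verify.
# Assumptions: default SEP 12.1 install path, BUILTIN\Users as the "basic user",
# no 64-bit path handling. Adjust $SmcGui and $LuKey to match the real install.

$Principal = 'BUILTIN\Users'
$SmcGui    = 'C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe'
$LuKey     = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule'

# 1. Client File Permission Settings: DENY Modify on SmcGui.exe for the basic user.
$fileAcl  = Get-Acl -Path $SmcGui
$denyFile = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.AccessControlType]::Deny)
$fileAcl.AddAccessRule($denyFile)
Set-Acl -Path $SmcGui -AclObject $fileAcl

# 2. Client Registry Settings on the LiveUpdate\Schedule key:
#    ALLOW Query Value, Enumerate Subkeys, Notify
#    DENY  Set Value, Create Subkey, Create Link, Delete, Write DAC, Write Owner
$allowRights = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
               [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys -bor
               [System.Security.AccessControl.RegistryRights]::Notify
$denyRights  = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::CreateLink -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

$regAcl = Get-Acl -Path $LuKey
$regAcl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    $Principal, $allowRights, [System.Security.AccessControl.AccessControlType]::Allow)))
$regAcl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    $Principal, $denyRights, [System.Security.AccessControl.AccessControlType]::Deny)))
Set-Acl -Path $LuKey -AclObject $regAcl

# 3. Verify: show the ACEs that now apply to the principal on each object.
#    A Deny ACE is evaluated before Allow ACEs, so the Modify deny on SmcGui.exe
#    wins even though Users normally inherits Read & Execute from Program Files.
(Get-Acl -Path $SmcGui).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
(Get-Acl -Path $LuKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, AccessControlType, RegistryRights -AutoSize
```

    The verification step matters on a stand-alone box with no management server to report back: after a reboot, log on as a non-admin user and confirm that SmcGui still opens but the settings controls are greyed out, and that writing a value under the Schedule key is refused. The firewall rules in the list above are SEP policy, not OS ACLs, and are not covered by this script.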



  • 2.  RE: Setup Unmanaged Restricted SEP 12 Client

    Posted Mar 28, 2014 12:09 PM

    So the process for creating an unmanaged SEP client with custom config has pretty much remained unchanged from SEP11:

    http://www.symantec.com/docs/TECH105320

    Set up a group in the SEPM with policies to configure it how you want the client to behave, then export an unmanaged client including policies from this group.

    As far as LiveUpdate goes, the old LiveUpdate Client of SEP11 has been replaced with a specialised app called the LiveUpdate Engine in SEP12.1:

    http://www.symantec.com/docs/TECH162235



  • 3.  RE: Setup Unmanaged Restricted SEP 12 Client

    Posted Mar 28, 2014 12:10 PM

    I believe the parent process that now handles this is ccsvchst.exe



  • 4.  RE: Setup Unmanaged Restricted SEP 12 Client

    Posted Mar 28, 2014 12:12 PM

    Oh yeah, just so you know, the LiveUpdate process is automatically allowed out past the SEP FW from what I recall.

    A specific rule does not have to be created for it.



  • 5.  RE: Setup Unmanaged Restricted SEP 12 Client

    Posted Mar 28, 2014 12:22 PM

    When you say "Unmanaged", anyone who logs in to the machine has the same access.

    Is it by any chance that you created a package updated with policy and then made it unmanaged?

    Or did you install it by running setup.exe from the SEP folder?