User Mode: High-privileged policy remains after admin logged off.

Created: 22 Feb 2010 • Updated: 21 May 2010 | 11 comments
This issue has been solved.

Hi there :)

We want to change our client management from Computer Mode to User Mode.

While running some tests to get familiar with it, we came across a problem: when the computer is in user mode, it always gets the policy of the user who logs on, but after that user logs off, it keeps the policy of the user who logged off last.
In our case this often causes a problem: we have many mobile computers for external missions that are often prepared by high-privileged administrator accounts that have no restrictions on executing applications and are able to disable the firewall. When a user logs on without a connection to the SEPM, the last used policy will be used, which is often the administrator's one.

Limiting the administrator account's policy is not an option!
Is there a way to make the client always move back to a default group when a user logs off, so that this case never occurs?

Best Regards
Malte

Comments

P_K_:

Are you using SEP11 or SEP 12?

If you have SEP 11 you can configure location awareness, and this will help you resolve the issue. But this functionality is in SEP 11 and not in SEP 12.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

sandeep_sali:

Best Practices for Symantec Endpoint Protection Location Awareness

http://service1.symantec.com/SUPPORT/ent-security....

Just in case you are using SEP 12 SBE, the following features will not be available:

No location awareness functionality
Replication functionality is not there
SEP 12 supports only single-site deployment with the embedded database
No AD integration
No GUP functionality
SQL is not supported.
Client communication mode cannot be changed.
No option to add a password to stop the smc service from the SPC.
No option to add a Management Server List
No option to add a Domain
Database configuration is hidden.
There is no option to configure an internal LiveUpdate server.
Firewall rules/policy have been scaled down.

Thanks & Regards

Sandeep C Sali

Malte:

Thanks for the fast responses :)

The way I understand it, I have to check "Enable location awareness" and uncheck "Remember the last location" under Location-independent Policies and Settings\General Settings.

The whole thing sounds promising, but the problem is still the same. If the administrator shuts down the computer, their policy remains on it. If a user logs in without a connection to the SEPM, it will use the administrator's policy.

Best Regards
Malte

P.S.: We use SEP 11.

Rafeeq:

I don't think it's working as expected; your SEP is in user mode, right?
When it loses connection with the SEPM it does not know which profile to use.
Create a location awareness policy for the profile if it's not able to connect to the SEPM...

Malte:

Thanks Rafeeq,
your post made me invest more time in the location thing, which I was not quite familiar with.
What I've found is that the client stores only the policies from the group it is in (that means all policies that are associated with locations in this group), right?
If so, and that is the behaviour I observe, it will not work.
Our infrastructure needs separate policies for users and administrators, independent of whether they are inside or outside our networks.

Probably my English made it difficult to understand, but the problem is: before we give out a laptop, we prepare it inside our networks with an administrator account that is in the SEPM group "admins". The laptop stores all location-dependent policies from that group.
If we shut down the laptop with the admin account, the policies from the "admins" group will remain on it.
Users who then use the laptop outside our networks, without a connection to our SEPM, will use the policies from the "admins" group, and that is the problem: users are in the SEPM group "users", with a much more limiting policy.

Location awareness leads towards having the same policy for users and admins inside and outside our networks, but that's not what we want to have.

Best Regards
Malte

Rafeeq:

Do you have your SEP installed in user mode or computer mode?
Once you define it in user mode, it will store all the policies locally on the box.
If it's computer mode, then the policy is for the computer no matter who logs in.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101809192448

Malte:

At the moment our productive machines are in computer mode and we want all of them to switch to user mode.
I test it on a few test machines that are in user mode.

The thing is, most of our machines are shared, some more, some less. Sometimes it is necessary to log in with an administrator account. For the desktop machines that always have a connection to the SEPM this is not a problem. But for laptops that were last used by an administrator it is.

Do machines that have been installed in user mode store ALL policies from the server, or only those from the group they are in?

Rafeeq:

I think that's the problem here: if they are in computer mode, there is going to be only one policy for a machine.
User mode -> will store all the policies specific to the group; policies are applied based on who logs in and which SEPM he is reporting to.
Install 2 machines in user mode, full access for the admin and no access for the other user.
Try this; it will work. Computer mode does not work for multiple users; it's just for one specific computer only.

Malte:

Let me correct this: at the moment our production machines are running in computer mode and we want to switch them to user mode.
I am testing on machines that ARE in user mode.

According to your statement there is no way to make the client able to change between the "admins" and "users" policy if it has no connection to the SEPM.
For me, it means the worst case that I described above cannot be avoided?

Malte:

OK, thanks for all :).

One last question: what possibilities does the Enterprise Security Manager offer in this case?