
Firewall question

Hello,

I'm curious about the following. In our enterprise we have PCs and notebooks. Most of the notebooks have their (Windows) firewall enabled. This gives problems for us, admins, to administer their machines. The reason that their firewalls are enabled is that the users have admin rights (I know, I know, but it's not my choice). Now I was wondering if there is a way to, when we would install the Sophos firewall, disable the firewall when the notebooks are connected at work, and enable it when not. Is this possible and if so, how can I do this?

Jo

:15395


This thread was automatically locked due to age.
  • Hello Jo,

    you'll have to sort out the firewall (settings) and (mis- not ab-)using admin rights in the first place.

    SCF won't turn off the Windows firewall, is not "immune" against administrators and is not yet covered by Tamper Protection. It has a dual location feature though - meaning that different settings will be applied depending on the network the computer is connected to (detectable by DNS or primary gateway MAC and also "VPN aware").

    Christian

    :15401
  • Hello Christian, I know, if I could decide, I would remove all admin rights and then I wouldn't have any problem but I don't have that kind of power to decide :(

    Jo

    :15405
  • Jo, I know this situation :smileymad:. I wanted to make it clear that you can't make an installation fool-proof and much less tamper-proof as long as your users have admin rights. While users might no longer extensively fiddle with AV, a firewall won't work quietly in the background in such an environment.

    We had a similar situation and while the rank and file had only user rights, many VIPs and IPs insisted they need more (especially on their notebooks). Evaluating what the extended rights were needed for, it turned out that it was mostly either software installation or plugging "special" devices. With the help of the fact that some VIPs had unwittingly contracted some malware, we were able to come to an agreement that access to "sensitive" parts of the network (and the applications therein) is only permitted with workstations where the user has only user rights. In case some installation is needed they get preferred treatment. Those who still insist can have administrative rights but won't get full access to the network, and if they manage to botch their notebook all support they'll get is a restore with a predefined installation - and this with low priority. So far this has turned out to be an acceptable solution for all parties. Try to show them that you are aware of their concerns and what you can do for them by being able to manage the PCs (not what it does for you).

    Well, excuse the digression ...

    Christian

    :15407