Override in Authorized website setting in Endpoint - client computer?

We have Enterprise Console 10 and a Web appliance.

I have policies set up in the Ent Console and the Web appliance is working well.

I found the Authorization section under 'Configure Anti-virus / HIPS' and was concerned that my end-users would be able to modify these settings and gain access to sites that are 'warned' in the appliance. Not to mention bypassing scans and other things we control from the Ent Console. When I entered a test website from my machine in the Website tab I then saw my machine in the Ent Console as 'Differs from Policy'.

New to Sophos so I wanted to see others' take on this.

I know I can control who gains access to the agent on each of the machines on our network by changing the local Sophos groups that are created.

thanks,

Dave

:36041


  • Hello Dave,

    SophosAdministrators as well as SophosPowerUsers have access to the Authorization Manager. It is even accessible when Tamper Protection is on. But this setting applies to malicious sites ("Web protection") and is AFAIK not related to the appliance at all. Do you also use Web Control (which does interact with the appliance if configured)? Don't have an appliance but in the client-only mode you cannot bypass it by authorizing a site (and I'd be surprised if this would be possible with the WA).

    Apart from this - most other AV settings are only available to SophosAdministrators (which includes only users with admin rights).

    Christian 

    :36059
  • Hi Christian,

    Thanks for the reply. The verbiage on the Website tab of the Authorization Manager states, "If you want to allow access to a specific website, add its domain name or IP address to the list of authorized websites by clicking 'Add'."

    So it seems like it is an allow. Like I said, we're new to the product and I'm making sure there are no loopholes for users to get through. We do have Web Control working in conjunction with the WA so I'm banking that they will override this section. My initial test proves that.

    What concerned me initially was that I 'found' this section, and that after putting in a site I knew should be blocked I saw my machine as 'Differs from policy'.

    thanks,

    Dave

    :36081
  • Hello Dave,

    Differs from policy means what it says - that the policy in effect does not comply with that in SEC. This could be due to a local modification (policies are not completely locked in for users with "higher" privileges) or some issue (e.g. program infrastructure error or a failed service).  

    "allow access to a specific website"

    IIRC in the Beta it also applied to Web Control (without a WA) but AFAIK this has been changed (perhaps in response to feedback). Anyway, I assume the WA has the last word (unless the user can bypass it). As said, the authorization applies to Web Protection (i.e. sites blocked because a threat has been detected, not because it belongs to a particular category). Users with sufficient privileges could instead turn off Web Protection (and Web Control alike) unless you also use Tamper Protection. Even with TP the Authorization Manager is still accessible though. The bottom line is that if you don't want your users to make any changes you shouldn't give them more than User rights in the first place.      

    Christian

    :36093
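
Added example, not part of the original thread: a PowerShell check, run locally on an endpoint, that lists the members of the local Sophos groups the replies above say can open the Authorization Manager and flags broad principals that would extend that right to ordinary users. The group names are an assumption (singular spelling as typically seen on an install) and should be adjusted to what your endpoints show; Get-LocalGroupMember needs Windows PowerShell 5.1 or later.

```powershell
# Added example (not Sophos code). Group names are an ASSUMPTION; adjust to your endpoints.
$privilegedGroups = 'SophosAdministrator', 'SophosPowerUser'

# Well-known SIDs that would give these rights to every ordinary user.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-SophosGroupAudit {
    param([string[]]$GroupName = $privilegedGroups)

    foreach ($group in $GroupName) {
        try {
            $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        } catch {
            # Missing group, or an orphaned SID the cmdlet cannot resolve.
            [pscustomobject]@{
                Group = $group; Member = '<could not enumerate>'
                Class = ''; Finding = $_.Exception.Message
            }
            continue
        }

        foreach ($m in $members) {
            $sid = $m.SID.Value
            $finding =
                if ($broadSids.ContainsKey($sid))          { "BROAD: $($broadSids[$sid])" }
                elseif ($sid -match '^S-1-5-21-.+-513$')   { 'BROAD: Domain Users' }
                elseif ($m.ObjectClass -eq 'Group')        { 'Nested group: review its membership' }
                else                                       { 'Individual account: confirm it is intended' }

            [pscustomobject]@{
                Group = $group; Member = $m.Name
                Class = $m.ObjectClass; Finding = $finding
            }
        }
    }
}

Get-SophosGroupAudit | Format-Table -AutoSize
```

Any row marked BROAD means standard users on that machine can make the local changes discussed in this thread.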