Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 1 subscriber
  • Views 5317 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Prevent end user from changing firewall configuration on client

Mhaynes121

I found another post about this issue - /search?q= 27987 - but it does not help.

Here is the situation: our end users are able to open the sophos client on their machines, go to 'configure firewall', and select 'allow all traffic'. We have tamper protection turned on and those options are disabled for the user (the previously mentioned posts states that tamper protection does not cover the firewall section). We need to disable the ability for the end user to make changes at all.

The previous post states that the issue is due to the users being in sophos groups but that does not appear to be the case here. Here is a scenario I have on a test machine:

- I have a local user named IT-Helpdesk that is full admin on the box

- I have a domain user named SupportTest that is a regular user on the domain and that does not have a local account

- On the workstation I have the 4 sophos groups with the following memberships:

-- sophosadministrator: adaministrator, domain admins, IT-Helpdesk

-- sophosonaccess: no members

-- sophospoweruser: no members

-- sophosuser: domain users, authenticated users

- If I log into the SupportTest user, which is just part of the domain users group and does not have a local user, I am able to configure the firewall on the client.

So, any ideas?

:53415


This thread was automatically locked due to age.
Parents
  • 0

    Hello Mhaynes121,

    can only speak about SCF 2.9.x (i.e. up to Windows 7). A member of only the SophosUser group should not have the Allow all traffic available. You can see view Current user rights from the View product information link (bottom item in the Help and information pane on the left). Other unavailable parts are the Location Detection and Log settings tabs as well as Import, Export and Restore Defaults..But (and this is somewhat surprising) a SophosUser seems to be able to add and delete Checksums and configure certain items for the Primary Location: Global Rules, Applications and Processes

    Is this what you observe?

    Christian

    :53431
Reply
  • 0

    Hello Mhaynes121,

    can only speak about SCF 2.9.x (i.e. up to Windows 7). A member of only the SophosUser group should not have the Allow all traffic available. You can see view Current user rights from the View product information link (bottom item in the Help and information pane on the left). Other unavailable parts are the Location Detection and Log settings tabs as well as Import, Export and Restore Defaults..But (and this is somewhat surprising) a SophosUser seems to be able to add and delete Checksums and configure certain items for the Primary Location: Global Rules, Applications and Processes

    Is this what you observe?

    Christian

    :53431
Children
No Data
Cookie Information Banner