Web access policy fails if tech support runs an application as an admin on user's PC

Hello guys,

We have implemented STAS authentication in our environment. Our web policy provides tech support employees access to browse video hosting websites, e.g. YouTube, but the same category has been blocked for other people. When some non-tech-support employee calls our tech support team and the tech support guy runs Command Prompt on the user's PC in admin mode (i.e. the tech support guy enters their credentials), the XG firewall applies the "Tech Support" web policy and now even the non-IT user has access to video hosting websites.

 

 



  • Hi,

    When an authentication request is generated from the User system towards the AD server, the STAS Agent will fetch the generated security Event ID 672 (Windows 2003) or 4768 (Windows 2008 and above) and send it to the STAS Collector, and this is further passed on to the XG firewall to successfully authenticate the User.

    In this case, ambc**@xyz is a non-Support User who is denied, and when a Support User (ansh**@xyz) logs in, the website is allowed because a new User authentication request is generated on AD, which will follow the behavior as stated above. This is a technical behavior rather than an issue.

    Please correct me if I misunderstood anything from the provided information.

    Thanks,

  • Hello Sachin,

    Thanks for replying.

    In our organisation, Tech Support guys are admins of local PCs and the other employees (e.g. finance dept or HR dept) are non-admins of the local machine. Suppose an employee, say a finance dept employee, calls tech support. Now the tech support guy has to run a command as an admin, so he runs Command Prompt as an admin and executes a command. Although the finance dept employee is logged in to the PC, since the tech support guy's credentials were used to run Command Prompt, Sophos thinks that tech support is currently logged in to that PC and applies the tech support policy, although it should be the finance firewall rule, which was applied earlier, and the same rule should continue.

  • I have sent you a PM to proceed further.
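
A simplified model of the behavior discussed in this thread, as an added example that is not part of the original posts and is not Sophos code. It assumes one user per client IP with the most recent logon event winning, and flags IPs where a privileged account replaced a standard user; the event tuples, account names, and 8-hour window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: simplified logon events (time, event_id, user, client_ip).
EVENTS = [
    ("2024-01-10 09:00:05", 4768, "finance.user", "10.0.0.21"),
    ("2024-01-10 09:02:11", 4768, "hr.user", "10.0.0.22"),
    # Support credentials entered for an elevated prompt on the finance PC.
    ("2024-01-10 11:30:40", 4768, "support.tech", "10.0.0.21"),
    ("2024-01-11 08:55:00", 4768, "hr.user", "10.0.0.22"),
]
PRIVILEGED = {"support.tech"}   # hypothetical members of the support group
WINDOW = timedelta(hours=8)     # assumed length of a working session


def replay(events, privileged=PRIVILEGED, window=WINDOW):
    """Replay logon events with a last-event-wins IP-to-user map.

    Returns the final map and an alert for every IP whose mapping flips
    from a standard user to a privileged one while the earlier logon is
    still within the session window.
    """
    mapping, alerts = {}, []
    for ts, event_id, user, ip in sorted(events):
        if event_id not in (672, 4768):  # the event IDs named in the thread
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        prev = mapping.get(ip)
        if (prev and prev[0] != user and user in privileged
                and prev[0] not in privileged and when - prev[1] <= window):
            alerts.append({"ip": ip, "was": prev[0], "now": user, "at": ts})
        mapping[ip] = (user, when)  # the newest event overwrites the old user
    return {ip: u for ip, (u, _) in mapping.items()}, alerts


if __name__ == "__main__":
    final_map, alerts = replay(EVENTS)
    print(final_map)
    for a in alerts:
        print("policy changed on", a["ip"], ":", a["was"], "->", a["now"], "at", a["at"])
```
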