Endpoint Protection


Block RDP access of client using SEPM 11

  • 1.  Block RDP access of client using SEPM 11

    Posted Nov 12, 2010 11:30 PM

    Hi,

    I have installed SEPM 11 in my office. I want to block the client machines from taking remote control of any other machines.

    I don't have any AD setup at my end.

    I want to block RDP using SEPM.

     

    Regards,

    Subodh



  • 2.  RE: Block RDP access of client using SEPM 11

    Posted Nov 12, 2010 11:56 PM

    Create a firewall rule for blocking the RDP port (3389).



  • 3.  RE: Block RDP access of client using SEPM 11

    Posted Nov 12, 2010 11:57 PM

    You need to install all the components of SEP; you need to block port 3389 using SEPM.

    open sepm

    policies

    firewall policy

     

    Modify the firewall rule to allow "Block Remote Administration"

    Enabling the rule will allow Remote Desktop connections onto the computer.



  • 4.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 01:36 AM

    Hi,

     

    Thanks a lot.

    I do not want to block port 3389.

    We have an application installed at my end that helps you to take remote of a client machine directly. All users do not use that application. We want all users to use that app.

    When we go to Start -> Run and type mstsc, by default the mstsc.exe file present in system32 is called. We want to block access to that file. We have created an application control but it is not working.

     

    Regards,

    Subodh R. Dangat



  • 5.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 01:40 AM

    For this feature to work you need to install all the features in the client. Is it installed?



  • 6.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 01:44 AM

    Yes

    We have installed all features at the client site.

    Regards,

    Subodh R. Dangat



  • 7.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 01:49 AM

    Can you give us a screen shot of the policy?



  • 8.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 01:59 AM

    When we go to Start -> Run and type mstsc, by default the mstsc.exe file present in system32 is called. We want to block access to that file. We have created an application control but it is not working.

    So you want to prevent people from using Microsoft's Remote Desktop Application?  You may want to double check your steps against this document.

    How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies
    http://www.symantec.com/docs/TECH102525

    Bear in mind, Application and Device Control Policies do not work on 64-bit client computers.

    sandra



  • 9.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 01:59 AM

    I'm attaching the screen shots of the same.



  • 10.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 04:40 AM

    Keep this rule as the first rule and try. Also make sure that this policy has been applied on the client. You can use the policy serial number for that.



  • 11.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 04:59 AM

    I have done the same.

     

    But it is not working. I am able to mstsc from the client machine.



  • 12.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 05:06 AM

    I have also enabled logging in the above rule set.

    Where can I find the logs? Where are the logs stored in SEPM?

    It's urgent. Please help ASAP.



  • 13.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 05:51 AM
    In SEPM go to Monitors -> logs -> application and device controls -> Application control, select the appropriate time range and click on view log.


  • 14.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 05:56 AM

    Also try rebooting the system. It is observed that sometimes the system requires a reboot for the policy to work.



  • 15.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 05:57 AM

    Is your system 32 bit or 64 bit? If it is 64 bit, application and device control policies will not work.



  • 16.  RE: Block RDP access of client using SEPM 11

    Posted Nov 13, 2010 06:49 AM

    System is 32 bit



  • 17.  RE: Block RDP access of client using SEPM 11

    Posted Nov 15, 2010 01:33 AM

    I have tried rebooting both the client and the SEPM server but it's not working.

    Please help.



  • 18.  RE: Block RDP access of client using SEPM 11

    Posted Nov 15, 2010 03:56 AM

    Try blocking using the hash value of mstsc instead of the file name.



  • 19.  RE: Block RDP access of client using SEPM 11

    Posted Nov 15, 2010 05:38 AM

    How to block the hash value of mstsc?

     

    Regards,

    Subodh



  • 20.  RE: Block RDP access of client using SEPM 11
    Best Answer

    Posted Nov 15, 2010 05:57 AM
    Have a look at this thread: How to block applications in SEP using MD5
    https://www-secure.symantec.com/connect/forums/how-block-applications-sep-using-md5


  • 21.  RE: Block RDP access of client using SEPM 11

    Posted Nov 15, 2010 06:16 AM

    What will be the MD5 hash value for mstsc.exe?



  • 22.  RE: Block RDP access of client using SEPM 11

    Posted Nov 15, 2010 06:38 AM

    8148d865276c330ed47160728816bf12

     

    Note: I found this value using http://virustotal.com. My file version was 5.1.2600.2180. If it is different on your system, you may use this site, a similar site, or a tool to determine the MD5 value of the file.
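
Added example (not part of the original thread and not Symantec's code): a fingerprint rule matches only a file with exactly the same bytes, so a client whose mstsc.exe is a different version from the one the MD5 was taken from is not covered by the rule. This Python script recomputes the MD5 locally and compares it with the value entered in the rule; the function names and the stand-in sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_fingerprint(path, chunk_size=65536):
    """Return the lowercase hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_fingerprint_rule(rule_md5, candidate_paths):
    """Compare each existing candidate file with the fingerprint in the rule.

    Returns {path: (md5, covered)}; covered is False when the rule would
    not match that copy of the binary.
    """
    wanted = rule_md5.strip().lower()
    report = {}
    for path in candidate_paths:
        if not os.path.isfile(path):
            continue  # copy not present on this client, nothing to compare
        actual = md5_fingerprint(path)
        report[path] = (actual, actual == wanted)
    return report

def demo():
    """Constructed sample: two stand-in files play two builds of one binary."""
    workdir = tempfile.mkdtemp()
    build_a = os.path.join(workdir, "mstsc_build_a.exe")
    build_b = os.path.join(workdir, "mstsc_build_b.exe")
    missing = os.path.join(workdir, "not_present.exe")
    with open(build_a, "wb") as f:
        f.write(b"MZ constructed sample, build A")
    with open(build_b, "wb") as f:
        f.write(b"MZ constructed sample, build B")
    rule_md5 = md5_fingerprint(build_a)  # fingerprint taken on one machine
    # Upper-case input simulates a value pasted from another tool's output.
    report = audit_fingerprint_rule(rule_md5.upper(), [build_a, build_b, missing])
    return build_a, build_b, missing, report

if __name__ == "__main__":
    a, b, _, result = demo()
    for path, (md5, covered) in result.items():
        print(md5, "covered" if covered else "NOT covered", os.path.basename(path))
```

On a real client, pass the actual path of mstsc.exe and the MD5 string entered in the policy to `audit_fingerprint_rule`.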



  • 23.  RE: Block RDP access of client using SEPM 11

    Posted Nov 15, 2010 07:12 AM

    Thanks a lot arvind!!!!!!

     

    The link was very much helpful!!!!!!!!!!

     

    thank you once again!!!!!!!!!!!!!!!!



  • 24.  RE: Block RDP access of client using SEPM 11

    Posted Nov 15, 2010 07:14 AM

    Happy to hear your problem got solved....



  • 25.  RE: Block RDP access of client using SEPM 11

    Posted Nov 16, 2010 07:12 AM

    Hi,

    As you know, I have blocked mstsc.exe.

    Now suppose I have a process abc.exe which calls mstsc.exe. As abc.exe calls mstsc.exe, abc.exe gets blocked.

    Now suppose I do not want abc.exe to get blocked, then what should I do?



  • 26.  RE: Block RDP access of client using SEPM 11

    Posted Nov 16, 2010 07:30 AM

    Try adding abc.exe as an exception to that rule.



  • 27.  RE: Block RDP access of client using SEPM 11

    Posted Nov 17, 2010 12:49 AM

    Hi,

     

    I have added the exception for that rule.

    I have found the fingerprint of abc.exe using checksum.exe and added the exception.

    Will the above method work?



  • 28.  RE: Block RDP access of client using SEPM 11

    Posted Nov 17, 2010 12:54 AM

    The exception process will not be blocked. It should work.



  • 29.  RE: Block RDP access of client using SEPM 11

    Posted Nov 17, 2010 01:05 AM

    NO!! My process is still getting blocked.

    abc.exe is not working; it is getting blocked because it is calling some part of mstsc.exe.



  • 30.  RE: Block RDP access of client using SEPM 11

    Posted Nov 18, 2010 01:51 AM

    Does anyone have a solution?

    Please help!!!!



  • 31.  RE: Block RDP access of client using SEPM 11

    Posted Nov 18, 2010 01:56 AM

    I think then it is not possible. abc.exe may be working like this: it calls mstsc, finds it is blocked, and stops execution. If this is the case, you may have to contact the abc.exe program developer to write it in such a way that even if mstsc.exe is blocked, abc.exe does not stop its execution.



  • 32.  RE: Block RDP access of client using SEPM 11

    Posted Nov 19, 2010 12:56 AM

    Thanks a lot.

     

    I have run SEPSupport tools and saved its report.

    Now that report extension is .sdbz.

    How can I open that file?



  • 33.  RE: Block RDP access of client using SEPM 11

    Posted Nov 19, 2010 10:32 AM

    You can look at the file with the Support Tool for errors.  Support can look more in depth at the collected files, though I'm not sure what we could look at that would tell us why your policy isn't working.

    You would do better to use something like Process Monitor to see what's happening when abc.exe launches with the policy in place, and what happens when abc.exe is launched with the policy not in place.

    sandra



  • 34.  RE: Block RDP access of client using SEPM 11

    Posted Nov 22, 2010 01:27 AM

    abc.exe calls mstsc.exe.

    When we run abc.exe, go to Task Manager, right-click on abc.exe (in the Applications tab) and click on Go To Process, it goes to mstsc.exe.