Posture Check for Domain Machine
Hi,
I am setting up an ISE for dot1x and posture checking. I am unable to find a way to check for a policy whereby the laptop/workstation is a domain machine. So far, the rules and config guides are looking at ExternalGroups member of, but these are the login credentials of the user and they can still pass the rule even though the machine is not a domain machine.
There is a registry key for domain machine, but this check is too easy to spoof. Is there any more efficient and "better" way to check for domain machine for posture check?
Thanks and regards,
WK Peck
Hello Aditya,
Configure WSUS Remediation
This example shows how to ensure that all employee computers with Windows 7 have the latest critical patches installed. Windows Server Update Services (WSUS) are internally managed.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc17
Similar Messages
-
Cisco ISE posture check for VPN
Hello community,
First of all, thank you for taking the time to read my post. I have a deployment which requires the posture check feature on VPN machines from Cisco ISE. I know that logically, once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the AnyConnect agent, but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this?
Thank you!
The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
The results of the posture validation are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html -
Posture check for Windows Update
Hi All,
I am constructing Posture conditions in ISE, which check that Windows Updates are not more than 7 days old.
Can you guys help me in formulating this condition?
Thanking in advance,
Thank You,
Aditya
Hello Aditya,
Configure WSUS Remediation
This example shows how to ensure that all employee computers with Windows 7 have the latest critical patches installed. Windows Server Update Services (WSUS) are internally managed.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc17 -
Condition to check Domain Machine
Hi guys,
Please, which is the best solution to know if a machine is a member of the Microsoft AD Domain?
I am looking for something in ISE conditions but I couldn't see anything related.
Thanks a lot
This can be accomplished in 2 ways:
Check whether the machine was authenticated. I agree with Jatin, he has provided helpful information
For more information follow this location
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_auth_pol.html#wp1063457
OR
Configure Profiling condition based on IP:FQDN attribute CONTAINS "ad-domain.com"
Review the following link:
https://supportforums.cisco.com/message/3940928#3940928 -
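An added illustration of the second option above (not from the original thread, and not ISE configuration): what a CONTAINS "ad-domain.com" test accepts compared with a suffix match anchored on a DNS label boundary. The function names and the sample hostnames are constructed for this example.

```python
# Added example: substring matching versus a label-anchored suffix match.
# AD_DOMAIN is the placeholder domain from the thread; hostnames are constructed.
AD_DOMAIN = "ad-domain.com"


def normalize(fqdn: str) -> str:
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return fqdn.strip().lower().rstrip(".")


def contains_match(fqdn: str, domain: str = AD_DOMAIN) -> bool:
    """Substring test, the semantics of a CONTAINS condition."""
    return normalize(domain) in normalize(fqdn)


def suffix_match(fqdn: str, domain: str = AD_DOMAIN) -> bool:
    """True only if fqdn names a host inside domain (match ends on a label boundary)."""
    host, dom = normalize(fqdn), normalize(domain)
    # Require ".<domain>" at the end and a non-empty host part in front of it.
    return host.endswith("." + dom) and len(host) > len(dom) + 1


def compare(fqdns):
    """Return {fqdn: (contains_result, suffix_result)} for each name."""
    return {f: (contains_match(f), suffix_match(f)) for f in fqdns}


SAMPLE_FQDNS = [  # constructed sample input
    "pc042.ad-domain.com",              # genuine member name
    "PC042.AD-DOMAIN.COM.",             # same name, upper case with root dot
    "pc042.ad-domain.com.example.net",  # domain string embedded in another zone
    "pc042.notad-domain.com",           # different domain sharing the substring
    "laptop.home.lan",                  # unrelated name
]

if __name__ == "__main__":
    for name, (loose, strict) in compare(SAMPLE_FQDNS).items():
        print(f"{name:35} contains={loose!s:5} suffix={strict}")
```

Names that pass the substring test but fail the anchored test are the ones a CONTAINS condition would classify as domain machines without their being in the domain's DNS zone.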
Checking for running applications on remote machines
I am trying to check for application running on remote machine - it could be LV or some other application.
I have Server and Client applications (developed in LV) running as .exe on separate computers. Only LV-Runtime is installed. They exchange data via Datasockets. The problem I have is that if the Client is launched before the Server, the Client takes ownership of certain sockets, which causes the Server to fail on startup. All the remote Clients have to be shut down before the Server can be started again properly.
I was wondering if anyone has run into a similar problem.
Hi Slawek,
I would suggest using Remote Front Panels in LabVIEW. Remote front panels allow you to view and control a VI front panel remotely, either from within LabVIEW or from within a web browser, by connecting to the LabVIEW built-in web server. There is a tutorial Developer Zone: Remote Panels in LabVIEW -- Distributed Application Development that will provide you with more information.
Also, there are example programs in LabVIEW that walk you through how to programmatically connect to a remote front panel. Go to LabVIEW >> Help >> Find Examples >> Networking >> General >> RemotePanelMethods-Client/Server.vi.
Hope this helps and good luck!
Kileen C.
Applications Engineer
National Instruments -
How to check for cookies on user machine?
Hi there,
what is the correct method to check for cookies on user machine?
I've tried the following:
Cookie[] cookies;
boolean cookiesFound = false;
if (request.getCookies() != null) {
cookiesFound = true;
String name=null, birthMonth=null, birthDay=null;
cookies = request.getCookies();
However, the problem is that the if statement will evaluate to true even when there are no cookies on my machine. How come?
Please advise.
Thanks.
Because if there are any cookies, you're setting it to true. getCookies will return a list of cookies; you have to loop through to find the one you want.
-
episodes do not auto-download even though I receive email confirmation they are ready. 'Check For Available Downloads' says all available are already downloaded. Signed in properly on an authorized machine. Can anyone explain this? Give directions to fix?
Thank you for the reply. These are not, however, past purchases; these are fresh episodes of purchased seasons. For instance, I receive an email that a new episode of Elementary is ready for me to download. When I check for available downloads, though, I am told there are none. So these are not previous purchases that I am trying to re-view or download again. These are fresh items for which I have paid but which I appear unable to access unless, perhaps, I were to re-purchase them. Grrrrrr.
-
Check a target machine (Windows only) for Vision RTE
How do I check a target machine (Windows only) to see if the Vision RTE is installed? When installing a machine vision program, I have to download and run two LV RTEs (8.5 and Vision 8.5). I'd like to make the process as painless as possible. And I don't want to install the RTEs if they're already on the machine. Is there a registry setting that I can check as part of the install? I'm not using the LV deployment engine.
Hi ST1
I think what you want is available under this registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall"
Here is a script for a batch file which lists all entries from this registry key. I found it on this web page:
http://forum.fachinformatiker.de/windows-betriebssysteme/61021-installierte-software-auflisten.html.
Script:
"@Echo Off
Start /Wait Regedit /E %TEMP%.\Tmp HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Find "DisplayName" < %TEMP%.\Tmp | Find /V "QuietDisplayName"
Del %TEMP%.\Tmp
pause"
I hope this helps you.
Mike -
Upgraded new iPad to iOS 5 after successfully using the machine for two weeks. The apps I downloaded are still here, checked for updates, all okay. However, when I try to use iBooks app or even USA Today, icon shakes, settles down then nothing else happens. Several tries, settings appear correct. Suggestions? Safari operates correctly, music icon matches (not from iTunes, simply music on my MacPro and iPod). Is Cloud the issue, perhaps? But everything worked before the upgrade. Using my home network. Hope this info suffices. Appreciate any guidance.
Problem solved. Saw the solution in a more recent post. Downloaded a free app, then all my other apps started to work again.
-
Checking for purchases on second machine
My dad had some strange event with his WINDOWS PC (traitor...) and now it says his hard drive is having a read error (strange thing is, my PC did the same thing... I'm not a traitor though... my Mac mini can't handle parallels.)
Anyways, the hard drive is shot. My dad thinks that PC is a thing of the gods and that it CAN'T have problems (like the hard drive 'disappearing' or whatever...) so he didn't back up the music from iTunes.
My mom also recently got her first iPod, so I have been working that for her from my computer, so we figured that we could put my dad's music on my computer and my mom's iPod (my dad doesn't have one) until his computer is fixed.
We don't know yet if his hard drive is completely destroyed and everything is gone forever or not.
If it IS destroyed forever, how do we get the music back? Do we have to repurchase it?
I tried authorizing his account on my computer, but 'check for purchases' won't let me do anything...
Any pointers?
Just got the message the iTunes Store is not currently available after an hour of doing the same! AAHHHH
-
Cannot install Mountain Lion as installer says the target drive I have selected is using Time Machine. The target drive I selected is my internal drive. I have an external drive that I use for Time Machine backup. When I go to System Preferences and look at the Time Machine set up it shows my target disk is the external drive. What to do?
Yes, you’ll be able to do that.
(116841) -
Can't find "Check for updates" option in Help menu
Hello
I am planning to update several adobe reader installations over a windows domain. First of all, I tried to do it in one particular machine without administrative privileges (not being Local Administrator).
I am surprised of not finding the "Check for updates" option. What is more, there is no topic in the forums about this issue (?).
Please, could anyone tell me what am I missing?
Thanks in advance.
Yes I'm afraid that update must be run with administrative privileges... But there must be another way of updating a product across a network of 400+ clients without login in all of them ...
I'm trying with adobeupdatechecker, to see if it is possible some kind of automation. -
Hi
We are migrating from the old domain to a new domain. Before live migration, we are trying to check the ACE/ACL migration through SubInACL. We are running SubInACL on a cluster, which is a member of the Old Domain (Test Domain). We are able to resolve and ping both the Old Domain and the New Domain from this cluster machine. We have created a network share on this cluster, which is accessible to all Domain Users of the Old Domain. Both Domains have two-way forest-level trust. We are trying to migrate the ACL of this share (\\ClusterMachine\testshare$) to the new domain using SubInACL. We are trying to run the below command to get it done.
subinacl /outputlog=C:\Users\Administrator\Desktop\Migrationlog.txt /subdirectories \\ClusterMachine\testshare$\*.* /migratetodomain=OldDomain=NewDomain=mappingfile.txt
Mapping file contains : Domain Users=NewDomain_Users
But we are getting the Error that "1210 could not find a domain controller for domain "Test Domain". Error finding domain name : 1210 the format of the specified computer name is invalid. Current Object "\\ClusterMachine\testshare$" will not be processed."
Hello,
how in detail is DNS set up in each domain?
Any problems when using nslookup to verify?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
Acrobat X Pro: Check for Updates Error 1007 Updates have been disabled by your system policy
Because of another Acrobat problem (I won't go into here), today I uninstalled Acrobat Pro 10.1.9 and re-installed Acrobat 10.0.0. I thought I could get back to 10.1.9 by selecting "Check for Updates" after installation. My system is Win7x64 and I'm running as a named user with Administrator rights on a machine that is not part of domain.
When I select "Check for Updates", I receive a window titled "Adobe Acrobat Updater" that says "Update failed Updates have been disabled by your system policy. Error: 1007 <Close>" About ten seconds later, Acrobat X terminates, leaving this window hanging around.
What do I do to enable checking for updates?
Thanks Bill@VT and LeoAdobeX. It's still not working though.
Over the last few days, Windows System Restore says I have done 4 (four) Remove/Install Pairs. I tried the helpful cleaner you suggested. I knew I probably had some Acrobat9 cruft, so I ran the Acrobat9 and Reader9 cleaners, then the AcrobatX cleaner (I never had ReaderX). I also uninstalled absolutely every Adobe program from my system: Flash Player (three versions), iFilter, Adobe AIR, Amazon Music Importer (relies on Adobe AIR).
I tried it both as 10.0.0, and installing 10.0.0 and then the 10.1.9 MSP you pointed me to at the "update link" above. I installed as "Trial" mostly, but once with my registration key.
Starting up Acrobat X still fails epically. Also, every time I've looked, it hasn't solved the "other Acrobat problem" that initiated all of this.
The most that I've received from Acrobat X today is the splash screen came up once. Only once. Even after a restart of Windows 7, launching AcrobatX from the Start Menu, Desktop or even directly from the EXE under "Program Files (x86) does nothing. I thought it might just be slow the last time, so I took a 15 minute coffee break after attempting to launch. Nothing.
Ergo, I am looking at Windows System Restore. I miss two days of not being able to read PDF's even if the "other Acrobat problem" remains.
However, I got a whiff that I have another problem headed my way. I bought update version of Acrobat9 and AcrobatX. I've now wiped all traces of Acrobat9 (and will shortly do another wipe of AcrobatX). The Cleaner log reports "** Info : Installed product not found for upgrade code". The MyAdobe website has all my install codes back to Acrobat4, but I'm not sure I could locate my Adobe 4 CDROM or the intervening CDROM's that would be required to source me back to a full version (maybe Acrobat6?).
As I understand it, System Restore will do many things but not actually install the program files that I've been writing and deleting from my disk over the last two days. So, I'm going to have to do some install of AcrobatX after I do the System Restore and I now have little hope that even that installation will work to "just put things back the way they were".
Is AcrobatX supported on Windows7x64 Ultimate? Is there some place to track down what may be the "issues due to the 64-bit system"?
I have checked the policies under Control Panel->Administrator and there is more to check there. My account is a member of Administrators, which I would think would give me the rights to do just about anything, but when I click on the "Local Security Policy" shortcut, I get a "Group Policy Error: Failed to open the Group Policy Object on this computer. You may not have the appropriate rights. <Close> Details: Unspecified error". I'll chase this down if the System Restore does not make this error go away, but this part is clearly not a problem with Adobe software. All of the Other Admin/MMC Tools like Computer Management open fine.
Thank you very much for the responses. I found them to be very helpful but I still feel I've got a big problem ahead. -
Windows Server 2008 - Group policy for domain client to start/stop services installed on it
Hello Experts
I am a newbie to Windows Server administration. I did a Google search, but ended up with these questions about my requirements.
I have created a new domain and 2 client/computer (A & B namely) to domain . Now A & B has tomcat server running with port 8080 , 9090 which i have installed
domain ADMIN account .
&& now i am want to start/stop/restart services enabled for domain users !! How do i achieve this !!
basic question : How can i access A & B tomcat services on DOMAIN CONTROLLER server to create a GPO and that are on (A & B)
what is the easiest way to achieve the same , (if not using GPO)???
similarly I am looking for many features : where I want to control the permission to user on (A & B ) like : If the binaries of tomcat is available on machine say : A , if the user can install (now
it ask for ADMIN credentials)
Thanks
Mike~Ed
Controlling services with Group Policy is done under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
The limitation is that System Services can only see the services on the computer running the Group Policy management console. To access other services, you will either need to create the services on your computer (install the software that adds the service) or install the remote server administration toolkit (RSAT) on the computer with the service already on it.
If my answer helped you, check out my blog:
Deploy Happiness