How to prevent Clientless VPN users from cancelling install of Cisco Secure Desktop

Posted on 2011-10-24
Last Modified: 2012-05-12
Please advise on this issue - we are testing Cisco Secure Desktop, with the intention of allowing secure access to OWA from public computers.  For this reason, we want to enforce the use of CSD (to prevent the user from copying/printing/saving to the local PC from the webmail), and disallow access to the portal if the CSD does not successfully run.

Although there appear to be many options in DAPs, Group policies and Connection profiles, I cannot see an option to enforce.  At the moment, during the CSD install process, the user can hit the manual download button, and then cancel the download. They then get the portal login page, and can access webmail without the safety of CSD.  There is a message on the portal at that point that says that some resources may not be available because CSD did not run, so this indicates it must be possible.

Question by: support_ferret
    LVL 18

    Accepted Solution

    I don't know a way of doing what you're describing (and I really don't think it's possible, but can't say that with certainty), but I'll throw in my $.02 on a tangential issue.  

    To my mind, this is more of a user-education issue than a technical issue.  CSD was not designed to be an "enforcement" tool, it was designed more as a convenience tool to prevent an unwitting user from inadvertently leaving data behind.   A user who wants to bypass controls in some way will likely find a way to do it.  I worked with a customer implementing CSD several years ago and they found that Microsoft had a package that allowed you to put certain information onto the desktop background -- IP address, computer name, etc.  Very useful in KVM environments where you're switching between computers.  This customer found that by using this tool, a CSD user could copy data out of the "secure" portion and embed it onto the desktop.  They weren't happy because they felt like CSD should block that behavior, but to me it only substantiates that a user who really is bent on getting around a system will find a way of doing so.

    User education on security as a whole, and why this particular system is of benefit to the organization, is crucial.  And security has to balance risks against costs.  I think your approach of using CSD to clear browser data once the user has completed their OWA activities is good, the users just have to understand why it's beneficial to them and why they should not attempt to interfere with the process.

    Again, I know it doesn't answer your question....
    LVL 1

    Author Comment

    Thank you for your reply.  I have been looking more at this, and I would say you are correct.  The CSD does require some "will" on the part of the user to keep the corporate data safe.  It looks as though you can prevent access using the posture assessment, but it will be difficult to reliably allow access, if we try to enforce the CSD.  As you say, they will find a way round if you make it difficult or restrictive, which defeats the object in the first place!

    I will close and award, as I don't think there is a better solution at this point.  
    LVL 1

    Author Closing Comment

    Closing as CSD is not a practical solution to our particular problem.
