How to prevent Clientless VPN users from cancelling install of Cisco Secure Desktop

Posted on 2011-10-24
Medium Priority
Last Modified: 2012-05-12
Please advise on this issue - we are testing Cisco Secure Desktop, with the intention of allowing secure access to OWA from public computers.  For this reason, we want to enforce the use of CSD (to prevent the user from copying/printing/saving to the local PC from the webmail), and disallow access to the portal if the CSD does not successfully run.

Although there appear to be many options in DAPs, Group policies and Connection profiles, I cannot see an option to enforce.  At the moment, during the CSD install process, the user can hit the manual download button, and then cancel the download. They then get the portal login page, and can access webmail without the safety of CSD.  There is a message on the portal at that point that says that some resources may not be available because CSD did not run, so this indicates it must be possible.

Question by:support_ferret

Accepted Solution

jmeggers earned 2000 total points
ID: 37025313
I don't know a way of doing what you're describing (and I really don't think it's possible, but can't say that with certainty), but I'll throw in my $.02 on a tangential issue.  

To my mind, this is more of a user-education issue than a technical issue.  CSD was not designed to be an "enforcement" tool; it was designed more as a convenience tool to prevent an unwitting user from inadvertently leaving data behind.   A user who wants to bypass controls in some way will likely find a way to do it.  I worked with a customer implementing CSD several years ago and they found that Microsoft had a package that allowed you to put certain information onto the desktop background -- IP address, computer name, etc.  Very useful in KVM environments where you're switching between computers.  This customer found that by using this tool, a CSD user could copy data out of the "secure" portion and embed it onto the desktop.  They weren't happy because they felt like CSD should block that behavior, but to me it only substantiates that a user who really is bent on getting around a system will find a way of doing so.

User education on security as a whole, and why this particular system is of benefit to the organization, is crucial.  And security has to balance risks against costs.  I think your approach of using CSD to clear browser data once the user has completed their OWA activities is good; the users just have to understand why it's beneficial to them and why they should not attempt to interfere with the process.

Again, I know it doesn't answer your question....

Author Comment

ID: 37029616
Thank you for your reply.  I have been looking more at this, and I would say you are correct.  The CSD does require some "will" on the part of the user to keep the corporate data safe.  It looks as though you can prevent access using the posture assessment, but it will be difficult to reliably allow access, if we try to enforce the CSD.  As you say, they will find a way round if you make it difficult or restrictive, which defeats the object in the first place!

I will close and award, as I don't think there is a better solution at this point.  

Author Closing Comment

ID: 37029622
Closing as CSD is not a practical solution to our particular problem.
