CSA Poison Pill

dkthomas
Level 1

I have to create a Poison Pill where CSA can essentially disable a system to the point that it is unusable and not recoverable.

I know there are several rules that can possibly do this by themselves, but I was wondering what would be the most effective where the system would have to be re-imaged in order to make it useable again.

I am running V5.0.0.229 agent on XP images.

I was thinking of not allowing services.exe to run anything.

What would you recommend?

Thank you,


tsteger1
Level 8

There may be a way to do this with less drastic measures but first, a couple of questions:

How would CSA enforce security if CSA was unable to run?

Do you prevent booting into safe mode?

Tom

Well... that is a good question...

I was about to try that on a laptop just to see what happens... But as you pointed out, if the service can't start CSA... then CSA couldn't apply the rules...

But then again... would the system start CSA but stop everything else from starting after CSA started once the rules are applied?

Anyway, the answer to your second question: Booting into safe mode has not been disabled.

Which brings me back to my question: What would be the most effective method to disable a system?

Or does booting into Safe Mode allow bypassing all of the CSA rules?

I guess you should determine why you are doing this before you choose a what and how.

If you simply want to disable a system to protect other systems, the network quarantine feature should work.

If you want to make it so a system that triggers certain rules should be disabled so that no changes can be made to it, there are ways to do that too.

You would still be able to return the system to a functioning state from the MC without reimaging it.

CSA needs the system functioning in order to be effective at enforcing rules.

Booting into safe mode will bypass CSA but there are ways to disable that as well.

Tom

TradeSecrets
Level 1

Hi Dk,

Create a group that doesn't allow any communication. CSA has a firewall built in.

Have the group priority deny any connection. Also play with the priority terminate.

What is the reason for this group?
