Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CSA 5.2 245 and EFS

When attempting to encrypt folders in windows that contain .exe's and scripts the following CSA rule fires and blocks access:

Configuration > Rule Modules > Windows Rule Modules > Windows LSASS Security Module [V5.2 r245] > Rules File access control [137]

We don't want to fully disable this rule. Is there a workaround that will allow EFS to work without fully disabling the rule?

I haven't been able to decypher the difference between EFS encrypting a file and any other type of lsass.exe file writes..

Any suggestions?

Thanks!

Jennifer

1 REPLY
Bronze

Re: CSA 5.2 245 and EFS

Here's the process to create the rule for administrators:

1. Configuration> Rule Modules> Windows Rule Modules> [New]

2. Enter {Name} & {Description}

3. Under "State Conditions"

select "Apply this rule module only if the following state conditions are met"

check "User State Conditions"

select "Administrators"

4. Click on [Save]

5. Click on [Modify rules]

6. Click on [Add rule] and then [Agent Service Control]

7. Enter {Description}

8. Under "Query Settings" Select "Agent Service Control - Disable agent security"

9. Under "when" check "attempt to disable the agent security"

10. Click on [Save]

169
Views
0
Helpful
1
Replies
CreatePlease to create content