Cisco Support Community
Community Member

CSA on SafeMode

How does the CSA address the issue if a local administrator boots the system (Windows) in SafeMode?

Is this a vulnerability, knowing that the CSA will not start if the system runs in SafeMode? We are concerned about what that local admin will do to the system.

How do we solve this issue?

Thanks

2 REPLIES
Blue

Re: CSA on SafeMode

There is a way to make safe mode cause the system to crash, but if you're worried about local admins bypassing security, I would look for another method.

Do you have a written policy that says they are not allowed to mess with their machines?

You'll find out when it happens and the host stops reporting to the MC and then you can take corrective action.

JMTC, Tom

Silver

Re: CSA on SafeMode

I'm with Tom in that I prefer a written Security Policy and the implied threat of punitive action, rather than trying to engineer a technical fix to prevent Local Admins from bypassing security.

In my experience, there must be a buy-in from Top Management for any security system to work effectively. In the case of CSA they must be willing to pick up the phone and call people who shut down CSA without a documented reason.

Managers will have all the proof they need by a quick glance at the Events Log to make these calls. This paper trail will keep them from being accused of harassment and, if the employee continues violating the security policy, will give them the grounds for termination.

In sum, let the CSA do what it does best, namely, protect assets and let management enforce the penalties for violations of policy.

Hope this helps.
