We were testing one of our business applications and the login process to the application requires a script to be downloaded, which triggers a query rule in General Application Permissions because it is an "Application processing untrusted content, reading MS Script Runtime (providing scripts access to the file system)".
I tried the Event Wizard to create an exception rule, but all that suggests is to allow IEXPLORE.EXE to read scrrun.dll. I don't think this would be secure, because it gives IE basically carte blanche to run scripts. I could make it more secure by making it limited to users in my network, but let's look at that later.
My question is: can CSA interpret web addresses? I'd like to somehow say, "Don't apply this rule when the website IE is accessing is <website>", but I haven't yet found a place where CSA looks at this.
Only the Data Access Control rules look at the URI, but as a server, not a client, and only with IIS and Apache.
Open your "Applications processing untrusted content" rule. Click New next to "But not in any of the following selected classes". Name your new Application Class something appropriate, such as the name of your business application. In the field on the right type in the path, for example @program_files\HamiltonCo\theapp.exe. Choose "This process and all its descendants". Save. Save your rule change. Generate your policy.
This simply excludes that trusted program from getting queried for this specific rule.
I appreciate the response, but that won't work. It's totally web-based (there is no exe on the client desktop). Plus, rummaging around in event details, I can't find any sort of filename (other than scrrun.dll) to use for controlling the file access.
That type of rule will probably work when we deploy to the servers, which end up housing the program files. Right now, literally the client just goes to http://hamiltonapp and that's it.
But, at least now I know I have to figure out another way. I think I'll just leave a query on for that rule and modify what it says for the user.
I looked this rule over some more, and brainstormed workarounds in the context of web browser usage, and I can't think of any way to exempt your business application.
Personally I would shut that rule off. All it's doing is restricting a site from immediately running some JScript or VBScript. Instead of using CSA to restrict that, I would shut off scripting for the Internet zone in IE and add your app to the Local Intranet zone. If you're utilizing Active Directory you could deploy this with a policy.
If you still want to monitor active scripting just in case, then set the rule to Monitor so you can see it in your logs.
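The zone approach suggested above, written out as an added PowerShell example (not posted by anyone in this thread). It applies the two IE settings per user under HKCU: it maps the host from the thread, hamiltonapp, into the Local Intranet zone (zone 1) and sets URL action 1400 ("Active scripting") to 3 (Disable) in the Internet zone (zone 3). The host name and the choice of HKCU rather than a domain policy are assumptions for illustration; in an AD environment the same settings are normally pushed with Group Policy instead.

```powershell
# Added example, not from the original thread.
# Assumes the app is reached as http://hamiltonapp and that per-user (HKCU)
# settings are acceptable; a domain would normally deliver these via GPO.

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# IE security zone numbers
$LocalIntranetZone = 1
$InternetZone      = 3

# URL action 1400 = "Active scripting"; value 0 = Enable, 1 = Prompt, 3 = Disable
$ActiveScriptingAction = '1400'
$ActionDisable         = 3

function Add-SiteToIntranetZone {
    # Creates ZoneMap\Domains\<host> with a DWORD named after the scheme
    # whose value is the zone number, which is how IE stores manual zone entries.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Scheme = 'http'
    )
    $key = Join-Path $ZoneMapRoot $HostName
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name $Scheme -Value $LocalIntranetZone `
        -PropertyType DWord -Force | Out-Null
}

function Disable-InternetZoneScripting {
    # Sets the Active scripting URL action to Disable for the Internet zone only;
    # the Local Intranet zone keeps its own (default: enabled) setting.
    $key = Join-Path $ZonesRoot "$InternetZone"
    New-ItemProperty -Path $key -Name $ActiveScriptingAction -Value $ActionDisable `
        -PropertyType DWord -Force | Out-Null
}

function Get-ZoneSettingReport {
    # Reads both settings back so the change can be verified on the client.
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'http')
    $siteKey = Join-Path $ZoneMapRoot $HostName
    $siteZone = if (Test-Path $siteKey) {
        (Get-ItemProperty -Path $siteKey -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
    }
    $inetKey = Join-Path $ZonesRoot "$InternetZone"
    $scripting = (Get-ItemProperty -Path $inetKey -Name $ActiveScriptingAction `
        -ErrorAction SilentlyContinue).$ActiveScriptingAction
    [pscustomobject]@{
        Host                    = $HostName
        MappedZone              = $siteZone      # expect 1 (Local Intranet)
        InternetZoneScripting   = $scripting     # expect 3 (Disable)
    }
}

Add-SiteToIntranetZone -HostName 'hamiltonapp'
Disable-InternetZoneScripting
Get-ZoneSettingReport -HostName 'hamiltonapp' | Format-List
```

With Group Policy, the same two settings correspond to "Site to Zone Assignment List" (URL hamiltonapp, value 1) and the Internet zone's "Allow active scripting" set to Disable, both under Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. A bare host name without dots is often already treated as intranet by IE's automatic detection; the explicit mapping makes the zone assignment deterministic regardless of that setting.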
Yeah, I figured I would either set to monitor, or just make the query a bit more descriptive. I figure if I put in there a list of apps that cause it, the users will be able to click "Allow" well enough, and that appears to be all that application trips anyway.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...