Windows OS Checks --> Deny action missing

Occasional Contributor

Hello everybody,

Because we met even more end-user with Linux or MAC clients, we want to check that the operating system used by the client is NOT a Microsoft Operating System. After some investigation I didn't find any proper solution to configure that.

It exists already the possibility to check that the operating system is really a Microsoft OS (and we can specify which OS version).

A good idea behind this Windows OS Checks could be the same possibility as we have behind a "Process" check: we can trigger for a specific running process, but we can choose to "Require" this process or to "Deny" the connection if this process is running. In this way, we have a simple solution to check & validate that the client running OS is NOT a Windows OS (present in the list that we checked).

Or is there something else planned in this way ?

Thanks for your feedback.

Cheers

Fabien

4 REPLIES

Occasional Contributor

Re: Windows OS Checks --> Deny action missing

This is certainly something we can keep in mind for a future revision. In the meantime, your suggestion might be the best one. Craft a check for a process which you know would only be there for the specific OS: "Explorer.exe" for Windows and perhaps something related to "init" on Linux/Mac OS.

You will note we have different Host Check policies in the Admin UI; however, I will remind you these only define which clients get which executables/policies, it does not change the checking per se. These are based on user-agent and thusly, a more refined host check as I specified above would be a more reliable way to do this enforcement.

Regards, Kevin

Valued Contributor

Re: Windows OS Checks --> Deny action missing

Hey Fabien - I am not sure if you have had a chance to search the SSL Forum in regards to this issue. There have been several threads that talk about nice, clean ways to deal with this. Some very creative ideas on how to validate that only Windows or only Macs connect, or don't as the case may be.

New Contributor

Re: Windows OS Checks --> Deny action missing

How about taking the opposite approach and looking for something you know doesn't exist on a Windows workstation?

For example, check the registry for HKLM|Software\this\key\does\not\exist

Since no Windows machine is going to have this key, the check will always fail and go to remediation. This isn't the same thing as being able to deny a single process, but it may get you to the end result you're looking for.

There was a writeup on doing this same thing for other operating systems somewhere out on the Juniper site, but I don't recall what it was for. The example checked for a bogus file path which also wouldn't exist, but it accomplished the same thing and could be used to deny if it would never evaluate to true.

Contributor

Re: Windows OS Checks --> Deny action missing

Another way you can do this is to create a Host Checker policy that checks for all Windows operating systems. From there....

Role Mapping with Custom Expressions:

Create a role mapping rule based on Custom Expressions:

Users-->Users Realm--><realm>-->Role Mapping-->New Rule

Change "Rule based on" to Custom Expression-->Updated-->Expressions

Create two Host Check Policy custom expressions as follows:

    hostCheckerPolicy = ("Windows OS Checks")

    hostCheckerPolicy != ("Windows OS Checks")

This will allow you to create role mapping rules based on the expressions. This way you can force users into different roles depending on whether or not they have passed the host check. Alternatively, you can deny them access to a role if that's your desire.
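As an added illustration (not code from this thread and not Juniper's own implementation), the Python below simulates how the two custom expressions in the reply above map a client to a role, given the set of Host Checker policies that client passed. The `hostCheckerPolicy = (...)` / `!= (...)` syntax is the one quoted in the reply; the evaluator, the sample clients and the role names are constructed for the example.

```python
import re

# Constructed sample: which Host Checker policies each client passed.
# "win-failed-check" is a Windows box on which the policy did not pass
# (for example, a Host Checker client error), included to show the caveat
# that the "!=" rule catches it too.
SAMPLE_CLIENTS = {
    "win-laptop": {"Windows OS Checks"},
    "mac-laptop": set(),
    "linux-desktop": set(),
    "win-failed-check": set(),
}

# Matches the custom-expression form quoted in the reply:
#   hostCheckerPolicy = ("Policy Name")
#   hostCheckerPolicy != ("Policy Name")
EXPR_RE = re.compile(r'^\s*hostCheckerPolicy\s*(!=|=)\s*\(\s*"([^"]+)"\s*\)\s*$')


def parse_expression(expr):
    """Return (operator, policy_name) for a supported expression, else raise."""
    match = EXPR_RE.match(expr)
    if not match:
        raise ValueError(f"unsupported expression: {expr!r}")
    op, policy = match.groups()
    return op, policy


def evaluate(expr, passed_policies):
    """True when the expression holds for a client that passed `passed_policies`."""
    op, policy = parse_expression(expr)
    passed = policy in passed_policies
    return passed if op == "=" else not passed


# Constructed role-mapping rules: (custom expression, role granted when true).
RULES = [
    ('hostCheckerPolicy = ("Windows OS Checks")', "Windows Users"),
    ('hostCheckerPolicy != ("Windows OS Checks")', "Non-Windows Users"),
]


def map_roles(rules, passed_policies):
    """Return every role whose expression is true for this client."""
    return [role for expr, role in rules if evaluate(expr, passed_policies)]


def classify_clients(clients=SAMPLE_CLIENTS, rules=RULES):
    """Map each sample client to the roles the rules would assign it."""
    return {name: map_roles(rules, passed) for name, passed in clients.items()}


if __name__ == "__main__":
    for name, roles in classify_clients().items():
        print(f"{name:18s} -> {roles}")
```

Running it shows the point of the `!=` rule: Mac and Linux clients, which never pass "Windows OS Checks", land in the non-Windows role without any OS check of their own. It also shows the caveat: a Windows client on which the policy fails for any other reason lands there too, so the role reached through `!=` should carry the least privilege you are comfortable giving to an unverified endpoint, and the sensitive resources should hang off the `=` role.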