Ivanti UWM Application Network Access Control (ANAC)

[Video Transcription]
Today we’re going to go over Application Control’s Application Network Access Control, or ANAC. Application Network Access Control, or ANAC, is part of the UWM suite from Ivanti, and we’re going to present a very specific use case.

You may have an older portal or some type of web site within your company that requires a particular version of Internet Explorer or some other browser. The biggest problem with using an older browser in your environment is that it’s most likely going to be unsupported and not regularly patched.

If you’re forced to use an older browser because of an incompatibility in the newer browsers, there is a way to limit your risk and we’re going to show you how to do that with application control.

First thing we’re going to do here is open up our application control console. We have a brand new untitled configuration here. If you’re familiar with Application Control, you know that there are different rules available to you: the group rules, user rules, device rules, custom scripted, and process.

For what we are going to be doing we need a process rule. Let’s go down to process rule and we’re going to create a new process rule. We’re going to rename it, and the process itself is going to be the Internet Explorer process.

There are a couple of things that are important in this particular environment and that is that there are other versions of Internet Explorer that will need to be able to run normally while we restrict this special one.

We can’t exactly duplicate this kind of scenario on a Windows 7 machine because apparently it’s very difficult now to get the older versions of Internet Explorer installed on Windows. I’m just going to show you what the difference would be between two different versions of Internet Explorer, across two different platforms, so we’ll have a Windows 7 with one version of Internet Explorer and then a slightly newer one, obviously, for Windows 10.

We’re going to need to actually look at the file that’s on the endpoint itself. So we’re going to look at, in this case, our Windows 7 machine and we’re going to select the iexplore.exe. When we do that we’ve populated the metadata from that file.

Now what we’re going to do here is put a minimum and maximum for the metadata.

This will filter this particular rule so that it will only apply to this specific version of Internet Explorer. When we go back I can take out what we don’t want.

We’re going to click OK and now we’ve set our process rule, the top-level rule for Internet Explorer, and we put metadata to specify a particular version. We have to go in and put our allows and denies now. By default, we want to deny access to all websites.

I’m going to go in and put a star in under host; that will block all web pages. It will only apply to this older version of Internet Explorer. I do need the user to be able to get to the portal, the internal portal.

We’re going to just pretend that that internal portal is going to be Google, so let’s go in; we’re going to go to hostname again. This time, just to make sure we catch it on both sides, we’re going to do star Google.com star (*Google.com*), and we’re going to check this box here for “text contains wildcard characters”.

One of the basic rules that we have in Application Control is that if there is a conflict between an allow and a deny, the allow wins, so we can deny broadly and allow narrowly.
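To make the rule logic from the steps above concrete, here is an added Python model (not Ivanti code and not from the video) of a process rule scoped by file-version metadata, with wildcard host deny/allow entries where allow beats deny. The version bounds and build numbers are constructed placeholders; only the executable name and the `*` / `*Google.com*` patterns come from the walkthrough.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def parse_version(v: str) -> tuple:
    """Turn a file version string like '10.0.9200.1' into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class ProcessRule:
    process: str                     # executable the rule is attached to
    min_version: str                 # metadata filter: minimum file version
    max_version: str                 # metadata filter: maximum file version
    deny_hosts: list = field(default_factory=list)   # '*' alone = all hosts
    allow_hosts: list = field(default_factory=list)  # wildcard host patterns

    def applies_to(self, exe: str, file_version: str) -> bool:
        """Silent for other executables and for other versions of this one."""
        if exe.lower() != self.process.lower():
            return False
        return (parse_version(self.min_version) <= parse_version(file_version)
                <= parse_version(self.max_version))

    def decide(self, exe: str, file_version: str, host: str) -> str:
        if not self.applies_to(exe, file_version):
            return "not-in-scope"      # e.g. the newer IE on Windows 10
        h = host.lower()
        if any(fnmatchcase(h, p.lower()) for p in self.allow_hosts):
            return "allow"             # allow wins when an allow and a deny both match
        if any(fnmatchcase(h, p.lower()) for p in self.deny_hosts):
            return "deny"
        return "allow"                 # no deny matched: this rule does not block it


def build_demo_rule() -> ProcessRule:
    """The rule from the video: deny '*', allow '*Google.com*' for one IE version.
    Version bounds are constructed placeholders, not real IE build numbers."""
    return ProcessRule(process="iexplore.exe",
                       min_version="10.0.0.0", max_version="10.0.9999.9999",
                       deny_hosts=["*"], allow_hosts=["*Google.com*"])


if __name__ == "__main__":
    rule = build_demo_rule()
    # The last host shows the trailing '*' also matching names that merely contain google.com.
    for host in ["www.google.com", "criticaldesign.net", "google.com.example"]:
        print(host, "->", rule.decide("iexplore.exe", "10.0.9200.1", host))
    print("IE 11 on Windows 10 ->", rule.decide("iexplore.exe", "11.0.1.0", "criticaldesign.net"))
```

The third host in the demo loop is the check worth running against any wildcard allow: a pattern with a trailing star matches more hostnames than the one you meant to permit.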

Now that we’ve done that, we’re going to go ahead and save this configuration into the management center. We will call this OBE Management Center and we’ll go into our packages section. We have an audit version of the config that’s deployed, so we’re going to go ahead and change that configuration to old IE.

Normally in a production environment, you’re always going to use the exact revision and you don’t want these things to upgrade without your consent. We’re just going to go ahead and leave it at revision zero.

They always use the latest and greatest version for testing, but I wouldn’t use it in a production environment.

Let’s go to My Computer. I’ve already got this set for a very low poll period, but I’m just going to go ahead and poll it right now.

Now that the poll has turned green we can go ahead and switch over to our Windows 7 machine. Now we’re just logged in as a regular user; I’m going to go ahead and open up Internet Explorer. We’re going to see immediately that we get a lot of denies, because Internet Explorer talks to a bunch of different sites, being that there are all kinds of things here. Let’s go ahead and open up Internet Explorer, or open up Google; we’re only going to get what we’ve allowed, which is Google.com.

Okay, now this is the Internet Explorer version that is on Windows 7. What I’m going to show you is that if we go over to Windows 10, we’re logged in on the same account. I’m going to go ahead and open Internet Explorer. Notice that Internet Explorer is opening up CriticalDesign.net with no problem at all, and that is because this is a different version of Internet Explorer.

The file version is different and so it’s ignoring the rule for that version. Let’s go back over to the Windows 7 machine and I’ll just show you that it is only affecting the Internet Explorer browser. We can go to other web pages here with no problem.

This is how we can block older versions of Internet Explorer, or any other browser that you might use, from running anything but a very specific web page in your environment with ANAC. Thanks for joining us and I hope you found this helpful!

Ed Webster
LinkedIn Profile