
Windows Homedrive - mounting fails due to delayed firewall authentication

When users have homedrives in Active Directory, they fail to mount as a network drive when the firewall rule to the sharing server requires user authentication. Also, the login of the users takes minutes, not seconds. This is because the user is not yet authenticated at the firewall when Windows tries to mount the homedrive at a very early stage of login.

The homedrive is a user attribute in AD, so it would not be a workaround to use a start script with a delay, because this would mount the share but would not set the attribute.

Is there a known workaround except removing the user authentication requirement?

Endpoints are Win10/11 with Intercept-X

SFOS 20.0.1

Support Case: 07464298

  • I would rather remove the authentication for this particular access to the domain for domain clients.

    I do not see much value in access control for the domain DFS file share, as you would have a much higher data value in your DFS/file share anyway. Firewalls could only pick up the general access, but the file server can pick up the particular files.

    Generally speaking, access control on an IP basis for a file share would be too hard to implement, based on the way the Heartbeat service is started. If Windows starts the script faster than SFOS can do the authentication, you will likely run into this issue all the time.
    Only delaying the script would be a viable way, or, as mentioned, not using user-based authentication for this particular traffic.

  • It's a huge plus in security if you can keep unauthenticated users out of your file shares, in my opinion. Now you would only rely on file share ACLs. Maybe one day there is some zero day in Windows SMB again that would allow anonymous access. You'd want a firewall that can stop it then.

  • I understand the need, but at this point I am not sure how we should be faster than the Windows subsystem. And clearly, if the subsystem is not doing it "again", we are not able to build the authentication after that.

  • I agree and cannot see how Sophos would be able to manage this. Eventually with a cached authentication pushed to firewall before the user is fully authenticated. Not perfect but an idea.

    I hope someone has a "delay home drive mount" option for the windows side.
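One way to approximate the "delay home drive mount" wish from the Windows side, as an added example that is not from any poster in this thread: a logon task that reads the user's own homeDrive/homeDirectory attributes from AD (so no attribute has to be set by the script), waits until the share becomes reachable (i.e. until the firewall has authenticated the user), and only then maps it. The timeout, poll interval and the assumption that Heartbeat/STAS authentication completes within that window are assumptions of this example.

```powershell
# Added example: map the AD home drive once the file server is reachable,
# i.e. after firewall user authentication has caught up. Intended to run as a
# per-user logon scheduled task; timeout and poll interval are assumptions.
$timeoutSeconds = 120
$pollSeconds    = 5

# Read the current user's homeDrive / homeDirectory attributes from AD via ADSI.
$searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$searcher.PropertiesToLoad.AddRange(@('homeDrive', 'homeDirectory'))
$result = $searcher.FindOne()
if (-not $result) { Write-Warning "AD account for $env:USERNAME not found"; exit 1 }

$homeDrive = [string]$result.Properties['homedrive'][0]      # e.g. "H:"
$homePath  = [string]$result.Properties['homedirectory'][0]  # e.g. "\\fileserver\home\user"
if (-not $homeDrive -or -not $homePath) { Write-Warning "No home drive attributes set in AD"; exit 0 }

$driveLetter = $homeDrive.TrimEnd(':')
# Nothing to do if Windows already mapped it successfully during logon.
if (Get-PSDrive -Name $driveLetter -ErrorAction SilentlyContinue) { exit 0 }

$deadline = (Get-Date).AddSeconds($timeoutSeconds)
while ((Get-Date) -lt $deadline) {
    # Test-Path only succeeds once the firewall rule permits this (now authenticated) user.
    if (Test-Path -LiteralPath $homePath) {
        New-PSDrive -Name $driveLetter -PSProvider FileSystem -Root $homePath `
                    -Persist -Scope Global | Out-Null
        exit 0
    }
    Start-Sleep -Seconds $pollSeconds
}
Write-Warning "Home share $homePath not reachable within $timeoutSeconds s; firewall authentication may still be pending"
exit 1
```

The firewall rule requiring user authentication stays in place; the script only retries the mapping that Windows attempted too early.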
