Hi,
I found out that Endpoint assigns a policy by chance if the user does not exist on the portal.
Example:
Active Directory user Peter exists on the portal and is assigned by group to policy A.
Peter is logged in on the Windows PC and everything is working. Endpoint gets the correct policy and Peter is browsing over the correct policy A.
Now: on the PC there are some default Windows services. Some services try to connect to the internet. The services are running under an internal OS user like "system" or "Network". In this way the Endpoint gets a policy by chance and so modifies the PAC file in the browser. So if Peter is now browsing, he browses over the wrong PAC file and so with a wrong policy!!!
Only if Peter opens and closes the browser will he get back the correct PAC file/policy, which is assigned to his Windows user.
Websense should prevent these autoregistrations by chance or prevent internal OS users from registering themselves over the Endpoint.
I think this is a very critical issue! It could be that users get in this way a policy where nothing is blocked!!
An internal OS user then looks like this on the portal:
nt authority|system.local | nt authority.system.local@35719-31068-nosuchdomain.autoregistration.proxy | nt authority\system.local |
Bye
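
An audit sketch for the symptom described in the post, added here as an example and not part of the original message or of any Websense tooling: it scans portal user rows in the shape quoted above and flags built-in OS accounts and auto-registered entries. It assumes the user list can be exported as text rows in that shape; the function names, the `.autoregistration.proxy` suffix check and the sample rows other than the quoted one are assumptions.

```python
import re

# Windows built-in service identities live under the "NT AUTHORITY" authority.
BUILTIN_AUTHORITY = "nt authority"
# Assumption: auto-registered entries carry this e-mail suffix, as in the quoted row.
AUTOREG_SUFFIX = ".autoregistration.proxy"

SAMPLE_ROWS = [
    # Row quoted in the post above.
    r"nt authority|system.local | nt authority.system.local@35719-31068-nosuchdomain.autoregistration.proxy | nt authority\system.local |",
    # Constructed rows for illustration.
    r"peter | peter@example.test | EXAMPLE\peter |",
    r"nt authority|network service.local | nt authority.network service.local@00000-00000-nosuchdomain.autoregistration.proxy | nt authority\network service.local |",
]

def parse_row(line):
    """Split one portal row into (display, email, login).

    Columns are separated by ' | '. The display column may itself contain a
    bare '|' with no space before it, so only the spaced form is a separator.
    """
    cols = [c.strip() for c in re.split(r"\s+\|\s*", line.strip()) if c.strip()]
    if len(cols) != 3:
        raise ValueError(f"unexpected column count: {line!r}")
    return tuple(cols)

def classify(line):
    """Return the reasons this row needs review (empty list if none)."""
    _display, email, login = parse_row(line)
    reasons = []
    if login.split("\\", 1)[0].lower() == BUILTIN_AUTHORITY:
        reasons.append("built-in OS account")
    if email.lower().endswith(AUTOREG_SUFFIX):
        reasons.append("auto-registered")
    return reasons

def audit(rows):
    """Map login name -> reasons for every row that should be reviewed."""
    findings = {}
    for line in rows:
        reasons = classify(line)
        if reasons:
            findings[parse_row(line)[2]] = reasons
    return findings

if __name__ == "__main__":
    for login, reasons in audit(SAMPLE_ROWS).items():
        print(f"{login}: {', '.join(reasons)}")
```

Each flagged login is a portal entry whose policy assignment should be checked against the policy intended for the interactive user on that machine.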