I'm pretty much stuck with Epicor, so I need to make the most of it. Or maybe 
it's the least of it. 

Can't see any attempts at getting to Verisign until I get logged in so I can 
fire up the app. But it's fairly obvious that turning on/off that one setting 
makes a difference except when I'm not in the child domain. 

We have these "special workstations" all over the state, and they have to 
connect to the main office. There's a share plus of course the Epicor server. 
Not a great security model.

I'm continuing to do some testing.  

-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Monday, October 31, 2011 1:04 PM
To: NT System Admin Issues
Subject: Re: PC going to Verisign

On Mon, Oct 31, 2011 at 11:02, Ray <[email protected]> wrote:
> We are an Epicor shop.

I'm sorry to hear that. Truly.

> I have a number of people residing on a VLAN that has no internet 
> connectivity. They also logon locally (no domain account). On a PC 
> with no internet, from clicking on the icon to getting the Epicor 
> login screen would take 90+ seconds. On a PC with internet, this 
> takes maybe 10 seconds.  I loaded a program called "ShowTraffic" to 
> see what kind of traffic was happening on the PC.  I noticed there 
> were attempts to go to Verisign.  This would happen several times 
> before the logon screen would finally come up.
>
> I managed to figure out that if I unchecked the Check for Publisher's 
> Certificate Revocation under IE Advanced Settings, Epicor would load 
> just as fast as a workstation with internet connectivity. I came up 
> with a reghack and made sure these PCs were now unchecked.
>
> I'm guessing most of you cringed above when I said that people were 
> logging on locally.

Not really. It depends on the other measures in place - in particular, if they 
don't have Internet access, it's probably just fine. Locking down and 
monitoring a PC doesn't exactly depend on having a machine a member of a 
domain, but it does make it a little harder.

> The security is of course unacceptable, and I'm finally able to do 
> something about it.  A child domain has been created which will give 
> these people domain accounts, and as such allow me to lock down and 
> monitor their PCs. Unfortunately, even with the above box unchecked, 
> I'm back to 90+ seconds and "ShowTraffic" shows these PCs going back 
> out to Verisign.
>
> Any idea how I can figure out why these PCs are behaving differently 
> on this child domain?

Are the machines still trying to talk with Verisign during login? If so, can 
you figure out what they're really looking for? I'm guessing here, but if 
they're trying to talk with Verisign, something in your environment is probably 
handing them a cert whose root is at Verisign.
Do you have any idea what that would be? For instance, is there a cert 
installed on the server running the Epicor product? Do you have a CA in your 
environment and can you use an internal cert for whatever application is being 
sought, vs. one from Verisign?

Kurt
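One way to check both things discussed above, namely the WinTrust registry value behind the IE "Check for publisher's certificate revocation" box and which CRL endpoints the Epicor client's Authenticode chain actually points at, as an added PowerShell example that is not from either poster. The registry key and the WTPF_IGNOREREVOKATION bit are the real WinTrust settings; the executable path is a placeholder to be replaced with the Epicor client binary.

```powershell
# Added example (not from the thread). Reports the WinTrust setting behind the IE
# "Check for publisher's certificate revocation" checkbox, then lists the CRL URLs a
# signed binary's certificate chain would try to reach. $BinaryPath is a placeholder.
param(
    [string]$BinaryPath = 'C:\Path\To\Epicor\Client.exe'   # placeholder, adjust
)

# 1. The IE checkbox is stored in this "State" DWORD. Bit 0x200 (WTPF_IGNOREREVOKATION)
#    set = box unchecked, i.e. publisher revocation checking is skipped.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$state = (Get-ItemProperty -Path $key -Name State -ErrorAction Stop).State
if ($state -band 0x200) {
    "Publisher revocation check: DISABLED (State=0x{0:X})" -f $state
} else {
    "Publisher revocation check: ENABLED  (State=0x{0:X}); no-Internet hosts will wait on CRL fetches" -f $state
}

# 2. Find out whose CRLs the chain on the binary references (this is what the
#    workstation tries to download when the check is enabled).
$sig = Get-AuthenticodeSignature -FilePath $BinaryPath
if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $BinaryPath" }
"Signer : $($sig.SignerCertificate.Subject)"
"Status : $($sig.Status)"

# Build the chain offline; we only want the URLs, not a live revocation result.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)

foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    "  Issuer: $($cert.Issuer)"
    # CRL Distribution Points extension (OID 2.5.29.31); Format() renders the URLs as text
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        [regex]::Matches($cdp.Format($true), 'https?://\S+') |
            ForEach-Object { "    CRL: $($_.Value)" }
    }
}
```

Run it once on a working and once on a slow workstation; a difference in the State value or in the listed CRL hosts points at the setting or the certificate chain that is being checked on the child-domain machines.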

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin