通过SEP禁用USB
1 Introduction
1.1 Scope
This document provides comprehensive information of the reinforcement of removable media control using Symantec Endpoint Protection, Active Directory Group Policy and Websense DLP.
1.2 Problem Statement
The latest android mobile phones, android tablets etc. are getting connected via Media transfer Protocol (MTP) even though USB ports are blocked and users are able to copy data on such devices. Data Leakage through such devices is a big concern.
2 Solution Details
There are three solutions available in TCS.
-
Active Directory Group Policy (AD)
-
Symantec End Point Protection (SEP)
-
Websense Data Leak Prevention (DLP)
2.1.1 Symantec Endpoint Protection
Application and Device control policy of Symantec Endpoint Protection can block all removable media devices like Pen Drive, Portable Hard disk, Mobile Phones, Tablets etc. SEP Application and Device control can also block Media Transfer Protocol (MTP) mode of smart phones and tablets.
Application Control is an advanced security feature included in Symantec Endpoint Protection. Application Control provides administrators with the ability to monitor and/or control the behaviour of applications. Administrators can grant/deny access to certain registry keys, files, and folders. In addition, administrators can also define which applications are permitted to run, which applications that cannot be terminated through irregular processes, and which applications can call Dynamic Link Libraries.
With Application Control Policy we can block or write protect Mass storage mode of all Smart phones, memory card of all mobile phones, pen drives, portable hard disk etc.
Please refer below screen shot for application control policy:
With Device Control Policy we can block Media transfer mode of all smart phones and tablets.
Please refer below screen shot for device control policy:
2.1.2 Active Directory Group Policy
Where SEP is not applied, AD group policy will be applied to machines to restrict access to endpoint removable media and mobile phones.
2.1.3 Websense Data Leakage Prevention
AD policy is applied based on GUID of mobile devices. New GUIDs needs to be added after testing for new devices. Thus users are going to be monitored through websense DLP where the AD policy is applied.
Apart from this, all excluded users will be monitored through Websense DLP to prevent data leakage from Endpoint removable media as well as mobile phones.
2.2 Exclusion Process
To get USB excess or to get excluded from SEP application and device control policy user needs to raise CR under below category:
While implementing this CR Local RE or Administrator should move user asset to USB Enable group in active directory as well as USB Exclude group in SEP console as well.
2.3 Exclusion in SEP Console
USB Exclude group will be created for both Desktop and Laptop location wise.
Please refer below screen shot for Exclude group created on SEP Console:
For the Desktops, Right click on Desktop Group and search the client with the host name (Computer Name) for which you wanted to apply USB Exclusion
Please refer below screen shots for excluding a desktops:
Right Click on the Client and click on Move and select the USB Exclude group present under Desktop Group and click OK
For Laptops, Right click on Laptop Group and search for the intended client host name (Computer name) for which USB Exclusion needs to be done and move it to the USB exclude group present under Laptop Group by following the procedure as mentioned for the Desktops and navigate to USB Exclude group present under Laptop and observe the clients have been moved successfully or not.