Sophos Safeguard - Port control policy (Conflict resolution)

Hi All,

Please take a look at my design/scenario below.

Policy A - Blocks USB storage ports

Policy B - Allows USB storage ports

Policy C - Force File level Encryption to all removable storage devices

Policy A is applied to the default ".Auto Registered" OU as a "catch all". All new PCs/notebooks, when installed with Safeguard, are issued Policy A to have the ports disabled.

Policy B is applied to a group called USB_Allow. The purpose of this group is to allow a controlled group of users to have USB.

The thing is, we are not using Active Directory synchronization due to us having a pretty complex and ever-changing AD OU structure. So this means Computer 1, when installed with Safeguard, will get Policy A by default.

And Computer 1 is supposed to be allowed USB usage. So it gets assigned to Groups B and C.

So how do I resolve the fact that Policy A blocks, while Policy B allows? Using the priority? (Does that work?) Or just setting Policy B to be a no override?

Hi ivanwee,

Each storage device (e.g. a USB stick) has a vendor code, a model code and a distinct code. For example:

USB\Vid_1307&Pid_0165\1004160613f43c

Device = USB
Vendor = Vid_1307
Model = Pid_0165
Distinct = 1004160613f43c

A 'Distinct storage devices' whitelist will allow individually allowed storage devices (checking the whole string).

A 'Storage Device Models' whitelist will allow storage devices whose vendor and model codes match those in the list (which have already been added).

Your choice will depend on your requirements and company security policy etc., something I can't comment on. Also bear in mind that individually authorising storage devices will cause more administration overhead, but at the same time is more secure, as you're not authorising at vendor level.

Something else to consider is that the chips in USB devices change based on cost, supply and demand etc., so if you go down the route of authorising based on models, they may not be the same model, even if they are ordered in a batch and made by Kingston, for example.

Hope this helps,

Regards,

John

Hybrid / bridging is the ability to block WiFi and Wired etc. being connected at the same time, thus building a "bridge" between the network connections...

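To make the difference between the two whitelist types concrete, here is an added Python example (not code from the thread or from Sophos SafeGuard) that parses the device path format quoted in the reply into its Device/Vendor/Model/Distinct fields and checks a device against a 'Distinct storage devices' list (whole string) and a 'Storage Device Models' list (vendor + model only). The second and third sample sticks and the tolerance for an extra field after the PID are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Device path in the form quoted in the reply: <bus>\Vid_xxxx&Pid_xxxx\<distinct code>.
# The optional "&..." group after the PID is an assumption (extra hardware-ID fields).
_DEVICE_ID = re.compile(
    r"^(?P<bus>[A-Za-z]+)\\"
    r"(?P<vendor>Vid_[0-9A-Fa-f]{4})&(?P<model>Pid_[0-9A-Fa-f]{4})"
    r"(?:&[^\\]*)?\\"
    r"(?P<distinct>[^\\]+)$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class DeviceId:
    bus: str       # Device   = USB
    vendor: str    # Vendor   = vid_1307
    model: str     # Model    = pid_0165
    distinct: str  # Distinct = 1004160613f43c

def parse_device_id(raw: str) -> DeviceId:
    """Split a device path into its fields; hex ids are case-insensitive, so normalise them."""
    m = _DEVICE_ID.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised device id: {raw!r}")
    return DeviceId(m["bus"].upper(), m["vendor"].lower(), m["model"].lower(), m["distinct"].lower())

def match_rule(raw: str, distinct_whitelist: Iterable[str],
               model_whitelist: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Return 'distinct' or 'model' for the whitelist that admits the device, or None if it stays blocked."""
    dev = parse_device_id(raw)
    # 'Distinct storage devices': the whole string must match an approved entry.
    if any(parse_device_id(entry) == dev for entry in distinct_whitelist):
        return "distinct"
    # 'Storage Device Models': only the vendor and model codes must match.
    if any((v.lower(), p.lower()) == (dev.vendor, dev.model) for v, p in model_whitelist):
        return "model"
    return None

# Constructed sample data: STICK_A is the path quoted in the reply, the other two are invented.
STICK_A = r"USB\Vid_1307&Pid_0165\1004160613f43c"
STICK_B = r"USB\Vid_1307&Pid_0165\0a7f3e19c2d401"  # same model, different unit
STICK_C = r"USB\Vid_1307&Pid_0166\5b21e0ff93a8c7"  # same vendor, different chip (PID)
DISTINCT_WHITELIST = [STICK_A]
MODEL_WHITELIST = [("Vid_1307", "Pid_0165")]

if __name__ == "__main__":
    for stick in (STICK_A, STICK_B, STICK_C):
        print(stick, "distinct:", match_rule(stick, DISTINCT_WHITELIST, []),
              "model:", match_rule(stick, [], MODEL_WHITELIST))
```

Running it shows the trade-off John describes: the distinct list admits only STICK_A, while the model list admits STICK_B as well but still blocks STICK_C, whose PID differs even though the vendor is the same.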