Set Policies and Permissions

Hello everybody,

I'm very new to SafeGuard and need help.

I installed the SafeGuard Enterprise server and the Configuration Protection module.

Our needs:

1. We want to block all devices across the whole domain (USB, WLAN, FireWire, modem and all others).

2. We have around 10 USB sticks that we want to allow for some users.

So I'm not sure how I have to set the options in my two policies.
Below I quickly explain what I did so far:

1. I made one policy that blocks all devices (can be overwritten). So I manually set "nearly" all the devices to Block; only USB to Restrict and Human Interface Device to Allow. Is this correct?
So my first question is whether I also have to manually set the other options (FireWire, PCMCIA and so on) to Block, or leave them Not Configured? Because when I press the "Show default value" button, I see the yellow ones are set to "Allow", but only when I press this button.
Otherwise they are on "Not Configured".

2. I made a whitelist with PortAuditor for one of our USB sticks (KINGSTON DL101 16GB).

3. In Active Directory I created a group called KINGSTON DL101 16GB and added one user who can use this stick.

4. I made a policy "Kingston DL101 16 GB". There I only set the following options:

  - Physical Ports: USB = Restrict

  - Device Control: All Devices = Restrict

  - Device Types: Human Interface Devices = Allow (do I need to set this to Allow, or can I leave it Not Configured? I set this in the block-all policy)

  - And I set the "White List for Distinct Storage Devices". There I put in the whitelist that I configured for this stick.

Then I moved the policies (Block all and KINGSTON DL101 16GB) to the domain.

I changed the permissions for the Kingston policy to the Kingston security group.

Is this correct so far?

My big problem in understanding is knowing how I have to set the policy options.

When I manually block everything in the first policy, I see a lot of unconfigured options in the second policy, where I have the whitelist. And when I press the "Show default value" button, the yellow entries are set to "Allow". Do I also have to set these manually to Block in the second policy?

I hope you understand my bad English :-D

Many thanks for your help.

  • Unfortunately, Configuration Protection policies apply to computers, not users.  So, even if you create a user group and apply this policy to that group, it will not work.  The policy needs to be applied to a group of computers, or an organizational unit in your domain structure.

    If you can isolate out the computers that need to use the USB flash drives, try this set of policies:

    1) Create a configuration protection policy, and under "Storage Control", select the following:

    All Storage Devices - Restrict

    Removable Media - Restrict

    External Hard Drives - Restrict

    Apply this policy to all of your computers (at the root of your domain) in the SGNMC.  This should block ALL devices.

    2) Create a second configuration protection policy, and under "Storage Control", select the following:

    All Storage Devices - Restrict

    Removable Media - Restrict

    External Hard Drives - Restrict

    White List for Distinct Storage Device - Kingston DL101 16GB

    Apply this to the group of computers or OU that needs to be able to use these USB flash drives.

    You should then be able to use the RSOP tool on those machines and see if the white list is being applied or not.

    I hope this helps.