Set Policies and Permissions

Hello everybody

I'm very new to SafeGuard and need help.

I installed the SafeGuard Enterprise server and the Configuration Protection module.

Our needs:

1. We want to block all devices over the whole domain (USB, W-LAN, FireWire, modem and all others).

2. We have around 10 USB sticks that we want to allow for some users.

So I'm not sure how I have to set the options in my two policies.
Below I quickly explain what I have done so far:

1. I made one policy that blocks all devices (can be overwritten). So I manually set "nearly" all the devices to Block, only USB to Restrict and Human Interface Device to Allow. Is this correct?
So my first question is whether I also have to manually set the other options (FireWire, PCMCIA and so on) to Block, or leave them Not Configured? Because when I press the button "Show default value" I see that the yellow ones are set to "Allow", but only when I press this button.
Otherwise they are on "Not Configured".

2. I made a whitelist with PortAuditor for one of our USB sticks (KINGSTON DL101 16GB).

3. In Active Directory I created a group called KINGSTON DL101 16GB and added one user who can use this stick.

4. I made a policy "Kingston DL101 16 GB". There I only set the following options:

  - Physical Ports: USB = Restrict

  - Device Control: All Devices = Restrict

  - Device Types: Human Interface Devices = Allow (do I need to set this to Allow or can I leave this Not Configured? I set this in the block-all policy)

  - And I set the "White List for Distinct Storage Devices". There I put in the whitelist that I configured for this stick.

Then I moved the policies (Block all and KINGSTON DL101 16GB) to the domain.

I changed the permissions for the Kingston policy to the Kingston security group.

Is this correct so far?

My big problem is understanding how I have to set the policy options.

When I block everything manually in the first policy, I see a lot of unconfigured options in the second policy where I have the whitelist. And when I press the button "Show default value", the yellow entries are set to "Allow". Do I have to set these manually to Block in the second policy as well?

I hope you understand my bad English :-D

Many thanks for your help

  • Hello

    Many thanks for your support.

    We would like to block everything like you wrote down, but then
    we should open the USB sticks not for different clients but rather for
    different single users. This is because the users change their computers a lot.

    Is this not possible like this? :(

    At this time I set AD groups with single users to the policies
    and it works. But when I have a new user I have to give them a certificate. It
    means that I boot my client and first log in to the Sophos logon screen with a
    user that has a certificate, and in this logon screen I have to uncheck the
    option "Pass-Through to the windows Logon". Then in the Windows logon
    I have to log in with the new user.

    When I change to the MC I see the user with the new certificate.

    But my problem is that I can't log in to the Sophos login
    screen without being the owner of a certificate. So I always have to log in
    with, for example, the SafeGuard Admin or another user with a certificate.

    Otherwise, when I change the computer and log in with a user
    who has a certificate, on the new computer he logs in with the SGN-Guest
    account. Then I have the same situation of registering a certificate. It really
    makes me confused…

    What can I do in this situation? Can I deploy user/computer
    certificates somehow?

    Or am I completely on the wrong track?

    Thanks again for your help
