Topic: «Whitelisting media "in advance"»
Posts 1 - 10 of 12
Armin Linder
Posts: 25, Joined: 01/30/2009

Hi all,
Being new to DeviceLock and being in the process of evaluating DeviceLock - and admitting that I probably have missed something somewhere in the docs - my question is: is it possible to whitelist media that do not yet exist? I am looking for a way to put something onto the media which, if present, grants access to the media.

In case this was not clear enough, here is the whole story: Many of our systems are completely isolated because they contain classified data. They are distributed all over the world, and there is no way to access these systems from outside. So I cannot add anything to the whitelist once the system has been delivered. The staff at the site is not IT trained and not allowed to configure any security settings, including, of course, DeviceLock settings. On the other hand every system needs a data update from time to time. Therefore we ship a media (currently a DVD - maybe a write-protected USB stick soon because we run into the 4GB size limit of a single DVD) from time to time (currently: ~every 2 months ...). The media has to be put into the system's DVD drive; the update process is fully automatic and starts once the media is inserted. I need to ensure that the system opens its DVD drive lock only if the media inserted is the one we ship. Can this be done? Thanks, AL.

Posted: 01/30/2009 19:52:32
Roman Gaditskiy
Guest

There is a way to change DeviceLock service settings on computers that are unreachable via the net, but this way implies some unsophisticated actions on the part of the users. You can create an appropriate XML file containing settings with changes for the Media White List using one of the machines on which you have access to the media. Then sign the settings file and send it to the users to apply. See more on this in the User Manual, section 4.3.

Posted: 01/31/2009 16:38:09
Armin Linder
Posts: 25, Joined: 01/30/2009

Thanks for your quick reply.
In other words ... it cannot be done. Sending the whitelist update to a user is not an option, since the user cannot import it into the machine, since all removable media devices he could potentially use are locked. So there is no way [for the user] to get the update XML into the machine. In Germany we call this "creating a cat that bites her own tail" :-)

There is another way that would probably solve my problem: does DeviceLock support an API that lets developers interface to the lock service and programmatically release a lock? I think that adding some code to our software that releases the lock once a privileged user requests an update could be an option. Thanks, AL.

Posted: 02/02/2009 11:14:25
Pavel Yusov
Technical Support Engineer, Editor, Posts: 904, Joined: 07/02/2008

The DL team does not provide an API for DeviceLock. Is it possible to transfer XML files with settings via email?

Posted: 02/02/2009 12:08:27
nimral
Posts: 25, Joined: 01/30/2009

Nope. The machines do not have *any* outside connection. They are on an isolated LAN: 1-2 servers and a bunch of client computers in a domain.
The only reason why they have CD-ROM drives at all is ... we need them to set up/re-set up the machines, and they get the updates via DVD. The problem is to lock the DVD drives, but let the update DVDs pass. The only way I could imagine is to have a kind of "certificate" on the DVDs that - like your whitelist media unlock codes - is bound to specific DVD contents. The only ones able to validly sign such a media would be us, when we make the master of an update DVD. AL.

Posted: 02/02/2009 15:41:26
Ed Braiter
Posts: 46, Joined: 10/23/2008

This may or may not work. Allow a single large USB key [maybe an encrypted one] as whitelisted USB removable media.
Assuming that once the systems in the isolated LAN are updated, the data on the USB key can be wiped by yourself until needed in the future. For the USB key, configure it such that in the isolated LAN they can only read from the key.

Posted: 02/02/2009 18:01:33
Ashot Oganesyan
Chief Technology Officer, Administrator, Posts: 701, Joined: 06/08/2004

You may also save the signed policy file to an external USB stick and then give this stick to the user. Then the user can get access to this USB stick via the Temporary USB White List (you don't need to have a connection with the user's machine to authorize the USB stick via the Temporary USB White List). With best wishes, Ashot.

Posted: 02/02/2009 23:51:58
nimral
Posts: 25, Joined: 01/30/2009

Hi Ashot,
This sounds like an interesting approach. Unfortunately I don't quite understand how this is done step by step. The manual (chapter 9 specifically) describes how to maintain a temporary whitelist by exchanging unlock codes via phone. I found no info anywhere describing how to "save the signed policy file to an external USB stick". Signed policy files are only mentioned in conjunction with Enterprise Manager, but this is, as far as I understand, not what you mean. Could you please be a bit more specific, or provide a link where I can read more? Thanks, AL.

P.S. Assuming that I get the "save the signed policy file to an external USB stick" working - is there any reason why I cannot use the same approach with CD/DVD media? If it's only the presence of a signed policy file on the USB stick that matters, it could be on a DVD as well, I guess?

Posted: 02/04/2009 19:52:37
Roman Gaditskiy
Guest

You should read section 4.3 of the user manual. There you will find all the information on how to create a settings file, how to sign it, and how to apply it on the client side.

Posted: 02/04/2009 20:09:29
nimral
Posts: 25, Joined: 01/30/2009

I see. My first guess, that it would be possible to "sign" a media so it automatically passes DeviceLock's barriers, was wrong; what you suggest is a way to deploy an updated whitelist and *then* import the media.
Unfortunately the cat is here again :-) Users cannot import the settings file (signed or not ...) since all drives they could potentially use to import the XML from are locked :-( Probably I'll find a way using encrypted media. I haven't used that feature so far; I'll look into it today. Maybe you could put the demand to be able to "sign" media so they surpass DeviceLock on the list of requested features for a future release? Thanks so far, AL.

Posted: 02/05/2009 12:18:44
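The "certificate bound to specific DVD contents" that nimral asks for in this thread, worked out as an added example that is not part of the thread and is not a DeviceLock feature: the vendor's own update tool recomputes a digest over the files actually present on the inserted media and only starts the update if the detached Ed25519 signature shipped with it verifies against a public key compiled into the tool. The key pair, file names and file contents are constructed here; the tool only decides whether the update may run and does not itself unlock the drive.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// MediaDigest hashes every file in sorted path order, so mastering and field system agree.
func MediaDigest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(h, "%x %s\n", sum[:], p) // one manifest line per file; paths must not contain newlines
	}
	return h.Sum(nil)
}

// NewVendorKey makes the mastering key pair; only the public half ships in the update tool.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not return errors in Go 1.24+
	return pub, priv
}

// SignMedia runs where the update master is produced; the signature ships alongside the files.
func SignMedia(priv ed25519.PrivateKey, files map[string][]byte) []byte {
	return ed25519.Sign(priv, MediaDigest(files))
}

// VerifyMedia runs on the isolated system before the update starts; any file change fails it.
func VerifyMedia(pub ed25519.PublicKey, files map[string][]byte, sig []byte) bool {
	return ed25519.Verify(pub, MediaDigest(files), sig)
}

func main() {
	pub, priv := NewVendorKey()
	files := map[string][]byte{"data.bin": []byte("release 2009-02"), "run.cmd": []byte("apply")} // constructed
	sig := SignMedia(priv, files)
	fmt.Println("genuine media accepted:", VerifyMedia(pub, files, sig))
	files["run.cmd"] = []byte("modified") // an altered or swapped disc
	fmt.Println("altered media accepted:", VerifyMedia(pub, files, sig))
}
```

Because the digest is recomputed from the media, an added, removed or altered file fails the check even though the signature file itself is untouched.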