Topic: «Allow 1 encrypted USB stick and don't allow the rest»
Joeri Boeree
User profile Posts: 9 Joined: 03/20/2008 |
Seems so simple but we can't get it implemented. We use version 5.73 and have about 2300 clients. We tested a white list with only one stick in there. Device is allowed with VID and PID and not serial number so every stick from this manufacturer and specific type should be able to get access.
We test with a Sandisk Cruzer Enterprise which is an encrypted stick. Client computer has allow on removable and USB right on the specific user account. In the device database we connected the user to the specific device. What happens? Any tips are welcome... Thanks! |
||
| Posted: 03/20/2008 15:01:55 | |||
|
Ekaterina Vavilova
Technical Support Engineer Editor User profile Posts: 568 Joined: 06/27/2007 |
It depends on the flash disk manufacturer: if it provides a serial number for a device, then you'll be able to add it as a Unique device (i.e. only a specific flash drive). If not, only as Device Model.
||
| Posted: 03/20/2008 15:30:19 | |||
|
Joeri
User profile Posts: 9 Joined: 03/20/2008 |
We added it as a device model. But it looks like everything in the white list is just ignored. Every other stick is just working... | ||
| Posted: 03/20/2008 16:01:52 | |||
|
Ekaterina Vavilova
Technical Support Engineer Editor User profile Posts: 568 Joined: 06/27/2007 |
Of the same model? If the WL was ignored, then vice versa, all the flash drives would not work :) (on condition that USB is blocked).
||
| Posted: 03/20/2008 17:00:20 | |||
|
Joeri
User profile Posts: 9 Joined: 03/20/2008 |
All flash drives will work. No one is blocked. | ||
| Posted: 03/20/2008 17:02:18 | |||
|
Roman Gaditskiy
Guest |
You should set e.g. Everyone: no access for USB. Then the WhiteList becomes useful - that's why it is called Whitelist: it is only useful in case you've blocked everything and want to exclude something...
| Posted: 03/20/2008 18:24:21 | |||
|
Joeri
User profile Posts: 9 Joined: 03/20/2008 |
Your answer seems a bit strange because this is not about user rights, all is tested with the same user, it's about allowing devices. But I tested it and if I add "all users - No access" and the "test user - full access" no drives are allowed at all... | ||
| Posted: 03/26/2008 10:30:11 | |||
|
Ekaterina Vavilova
Technical Support Engineer Editor User profile Posts: 568 Joined: 06/27/2007 |
This is because Restriction has priority over Permitting. If you add Everyone: No Access, everybody will be blocked, even if you separately add User1: Full Access. To avoid such situations, it's recommended to add only those users whom you'd like to give access to. Other accounts that are not listed will be blocked by default. In your case you need to add "Test user: Full Access" and "System: Full access". Note that the System account should always have Full access for all ports/devices.
||
| Posted: 03/26/2008 11:28:09 | |||
|
Joeri
User profile Posts: 9 Joined: 03/20/2008 |
Thanks, the settings you describe are exactly how we configured it. But we still have a problem with the white list config. The device model we would like to allow is in the white list and is connected to the mentioned test user. So my simple thought is that from now this should be the only device which is allowed. But that's still not the case, all USB disk (stick) devices are allowed.
Is this because I don't understand the white list configuration??? If everything is configured in the right way I think the next step is to open a support case. |
||
| Posted: 03/26/2008 12:03:01 | |||
|
Ekaterina Vavilova
Technical Support Engineer Editor User profile Posts: 568 Joined: 06/27/2007 |
I guess it would be effective to create a support ticket for this.
|
||
| Posted: 03/26/2008 12:07:52 | |||
|
davidm
Editor User profile Posts: 77 Joined: 06/30/2006 |
Config should be:

Security Settings
1) USB Storage Devices = Access Control ENABLED.
2) USB HID Access Control = DISABLED (to allow all USB keyboards/mice)

USB Port - Allow SYSTEM Full Control, Add Domain Admins with Full Control (optional), Remove all other user/group entries that should not have generic USB access.
REMOVABLE - Same as USB Port.

The above will block all USB devices except for devices of those classes in Security Settings that are DISABLED, for Domain Admins, and for anything properly configured/assigned in the USB White List.

In the white list, some USB drives (especially encrypted ones) require multiple entries to be white listed to work. Start with the Unique Device options first for better security, but Device Model may be needed in some cases. Also, with this configuration make sure that the "Control As Type" flag is UNCHECKED for the white list assignment entries. Otherwise, the strict REMOVABLE permissions will block access for non-Domain Admins.
||
| Posted: 06/04/2008 22:41:06 |
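
Added example, not part of the thread and not the product's own code: a simplified Python model of the access rules as the posters state them (explicit No Access wins, unlisted accounts are blocked, a white list entry only matters once generic USB/REMOVABLE access is removed, "Control As Type" re-applies the REMOVABLE permissions). All device IDs, account names and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def acl_allows(acl, principals):
    """Port/type ACL as described in the thread: 'none' wins, unlisted = blocked."""
    hits = [acl[p] for p in principals if p in acl]
    return "none" not in hits and "full" in hits

@dataclass(frozen=True)
class WhiteListEntry:
    user: str
    vid: str
    pid: str
    serial: Optional[str] = None   # None = Device Model, set = Unique Device
    control_as_type: bool = False

    def matches(self, dev, principals):
        return (self.user in principals
                and (self.vid, self.pid) == (dev["vid"], dev["pid"])
                and self.serial in (None, dev.get("serial")))

def stick_allowed(principals, dev, usb_acl, removable_acl, white_list):
    for entry in white_list:
        if entry.matches(dev, principals):
            # Whitelisted device skips the generic checks; with "Control As
            # Type" checked, the REMOVABLE permissions apply to it again.
            if entry.control_as_type:
                return acl_allows(removable_acl, principals)
            return True
    # Not whitelisted: generic USB port and REMOVABLE permissions decide.
    return acl_allows(usb_acl, principals) and acl_allows(removable_acl, principals)

# Constructed sample data (IDs and accounts are placeholders, not real values).
CRUZER = {"vid": "AAAA", "pid": "0001", "serial": "SN-1"}
OTHER = {"vid": "BBBB", "pid": "0002", "serial": "SN-9"}
TESTER = {"testuser", "Everyone"}
OPEN = {"SYSTEM": "full", "testuser": "full"}         # user keeps generic access
LOCKED = {"SYSTEM": "full", "Domain Admins": "full"}  # only SYSTEM/admins listed
WL = [WhiteListEntry("testuser", "AAAA", "0001")]
WL_TYPED = [WhiteListEntry("testuser", "AAAA", "0001", control_as_type=True)]

def scenarios():
    return {
        "generic access kept, other stick": stick_allowed(TESTER, OTHER, OPEN, OPEN, WL),
        "locked down, whitelisted stick": stick_allowed(TESTER, CRUZER, LOCKED, LOCKED, WL),
        "locked down, other stick": stick_allowed(TESTER, OTHER, LOCKED, LOCKED, WL),
        "locked down, Control As Type on": stick_allowed(TESTER, CRUZER, LOCKED, LOCKED, WL_TYPED),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The first scenario reproduces the symptom from the start of the thread: while the test account keeps generic access on USB and REMOVABLE, every stick is allowed and the white list has nothing to restrict.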