通过SEP禁用USB
1 Introduction
1.1 Scope
This document provides comprehensive information of the reinforcement of removable media control using Symantec Endpoint Protection, Active Directory Group Policy and Websense DLP.
1.2 Problem Statement
The latest android mobile phones, android tablets etc. are getting connected via Media transfer Protocol (MTP) even though USB ports are blocked and users are able to copy data on such devices. Data Leakage through such devices is a big concern.
2 Solution Details
There are three solutions available in TCS.
- Active Directory Group Policy (AD)
- Symantec End Point Protection (SEP)
- Websense Data Leak Prevention (DLP)
2.1.1 Symantec Endpoint Protection
Application and Device control policy of Symantec Endpoint Protection can block all removable media devices like Pen Drive, Portable Hard disk, Mobile Phones, Tablets etc. SEP Application and Device control can also block Media Transfer Protocol (MTP) mode of smart phones and tablets.
Application Control is an advanced security feature included in Symantec Endpoint Protection. Application Control provides administrators with the ability to monitor and/or control the behaviour of applications. Administrators can grant/deny access to certain registry keys, files, and folders. In addition, administrators can also define which applications are permitted to run, which applications that cannot be terminated through irregular processes, and which applications can call Dynamic Link Libraries.
With Application Control Policy we can block or write protect Mass storage mode of all Smart phones, memory card of all mobile phones, pen drives, portable hard disk etc.
Please refer below screen shot for application control policy:
With Device Control Policy we can block Media transfer mode of all smart phones and tablets.
Please refer below screen shot for device control policy:
2.1.2 Active Directory Group Policy
Where SEP is not applied, AD group policy will be applied to machines to restrict access to endpoint removable media and mobile phones.
2.1.3 Websense Data Leakage Prevention
AD policy is applied based on GUID of mobile devices. New GUIDs needs to be added after testing for new devices. Thus users are going to be monitored through websense DLP where the AD policy is applied.
Apart from this, all excluded users will be monitored through Websense DLP to prevent data leakage from Endpoint removable media as well as mobile phones.
2.2 Exclusion Process
To get USB excess or to get excluded from SEP application and device control policy user needs to raise CR under below category:
While implementing this CR Local RE or Administrator should move user asset to USB Enable group in active directory as well as USB Exclude group in SEP console as well.
2.3 Exclusion in SEP Console
USB Exclude group will be created for both Desktop and Laptop location wise.
Please refer below screen shot for Exclude group created on SEP Console:
For the Desktops, Right click on Desktop Group and search the client with the host name (Computer Name) for which you wanted to apply USB Exclusion
Please refer below screen shots for excluding a desktops:
Right Click on the Client and click on Move and select the USB Exclude group present under Desktop Group and click OK
For Laptops, Right click on Laptop Group and search for the intended client host name (Computer name) for which USB Exclusion needs to be done and move it to the USB exclude group present under Laptop Group by following the procedure as mentioned for the Desktops and navigate to USB Exclude group present under Laptop and observe the clients have been moved successfully or not.
通过SEP禁用USB的更多相关文章
- Windows Server 2008 R2域控组策略设置禁用USB
问题: Windows Server 2008 R2域控服务器如何禁用客户端使用USB移动存储(客户端操作系统需要 Windows Vista以上的操作系统,XP以下的操作系统不能禁用USB移动存储) ...
- 域策略禁用usb
文档及模板可在 http://pan.baidu.com/s/1qYTcjTy 下载 pro_usb_users.adm 此模板可禁用到 指定盘符,针对用户策略 pro_usb_computers ...
- 禁用USB存储设备(不重启)
Title:禁用USB存储设备(不重启) -- 2012-09-13 12:08 在win2003实验,USB存储禁止,无需重启! stop usbrw.reg ------------------- ...
- 启用禁用USB接口
一个小工具,功能有启用禁用外网.USB接口,可由服务端socket长链接进行操控客户端从而达到实现前边的这些功能,这里贴上核心代码,先给上启用禁用USB接口吧,这个方法可随时启用禁用,之前用过一个改u ...
- ubuntu14.04禁用USB外存储设备
ubuntu 14.04中禁用usb外存储设备: 在网上找了很多方法,大概都是下面的命令,而实际测试的时候没有什么作用. gsettings set org.gnome.desktop.media-h ...
- Windows7系统禁用USB和启用USB方法
被迫装了XX软件之后,无线网络和USB都被禁用了,XX软件还不能被卸载.只能用PE进去时候把XX软件安装目录进行删除,但是删除之后还是不能识别U盘,从网上找到办法一看是注册表的项被修改了. 注册表项为 ...
- 2008R2域控环境中 应用组策略 实现禁用USB设备使用
本文介绍如何在Windows Server 2008 AD中禁用客户端USB端口.本文使用的系统:Windows Server 2008 R2 企业版.域功能级别:Windows Server 200 ...
- 华硕主板P8H61(P8H61-M_LX3_PLUS_R2.0)成功禁用USB口
公司大批这个型号的主板,在百度上搜索了一下,其中有一篇帖子说华硕客服说这个型号的USB控制XX是集成成南桥上面没法禁止. 经过研究发现官网上的0802版可以支持禁止usb,并且可以根据需要为每一个US ...
- Android关闭USB的ADB调试和文件传输功能(禁用USB)【转】
本文转载自:https://blog.csdn.net/jun4331247/article/details/51201825 通过设置系统属性(System Property)[persist.sy ...
随机推荐
- Java for LeetCode 044 Wildcard Matching
Implement wildcard pattern matching with support for '?' and '*'. '?' Matches any single character. ...
- GLSL
变量修饰符 修饰符给出了变量的特殊含义,GLSL中有如下修饰符: ·const – 声明一个编译期常量. ·attribute– 随不同顶点变化的全局变量,由OpenGL应用程序传给顶点shader. ...
- sublime 3103liense
Sublime Text 3.x (after Build 309X) —– BEGIN LICENSE —–Michael BarnesSingle User LicenseEA7E-8213858 ...
- 转圈游戏(codevs 3285)
题目描述 Description n 个小伙伴(编号从 0 到 n-1)围坐一圈玩游戏.按照顺时针方向给 n 个位置编号,从0 到 n-1.最初,第 0 号小伙伴在第 0 号位置,第 1 号小伙伴在第 ...
- Binary Search--二分查找
Binary Search--二分查找 采用二分法查找时,数据需是排好序的. 基本思想:假设数据是按升序排序的,对于给定值x,从序列的中间位置开始比较,如果当前位置值等于x,则查找成功:若x小于当前位 ...
- Mysql 5.6.17-win64.zip配置
第一大步:下载. a.俗话说:“巧妇难为无米之炊”嘛!我这里用的是 ZIP Archive 版的,win7 64位的机器支持这个,所以我建议都用这个.因为这个简单嘛,而且还干净. 地址见图 拉倒最下面 ...
- QML入门教程
QML是Qt推出的Qt Quick技术的一部分,是一种新增的简便易学的语言.QML是一种陈述性语言,用来描述一个程序的用户界面:无论是什么样子,以及它如何表现.在QML,一个用户界面被指定为具有属性的 ...
- js call apply caller callee bind
call apply bind作用类似.即调用一个对象的一个方法,以另一个对象替换当前对象. call 语法:call([thisObj[,arg1[, arg2[, [,.argN]]]]]) ...
- Maven使用笔记(一)Maven安装及常用命令
1.Windows下安装Maven 首先去下载Maven安装包,http://maven.apache.org/download.cgi,目前最新版本是 Maven 3.2.3 . 解压到本地,可以看 ...
- 联系旭日150安装CentOS5.X版本手记
有一台旧电脑.想装个Linux.于是上网查了查.据说可以装CentOS5.3.于是我就去下载了一个. 下载地址可以到http://www.centoscn.com/去下载. 我先下载的是5.3版本的I ...