AD security groups for SEP policy control
Use Active Directory security groups to assign SEP policies. This concept demonstration use's Application and Device Control for user level device management.
- Active Directory Users and Computers
- Microsoft Group Policy Management
- Windows Registry
- SEP 11 or 12
- Application and Device Control rule development
SEP Client Modes:
User Mode: SEP client intial registration with the SEPM is in User Mode with a SEP package deployed to the endpoint in User Mode.
Computer Mode: Default client installation.
Switching from computer mode to user mode after installation does not allow for the client to always retain this mode.
Active Directory Users and Computers
For test purposes to satisfy the functionality of this concept, create an OU and move a few users into the OU who will be part of the concept.
Create another OU and create three security groups which define what acess level the user will have on USB storage devices.
4 x Application and Device Control policies for USB management:
- Default - A SILVER USB flash drive is permitted for use by any user with Read/Write access.
- Restricted - all USB devices are blocked upon connection.
- Read Only - A specific BLUE USB flash drive is permitted for specific users with Read Only access.
- Read/Write - A specific BLUE USB flash drive is permitted for specific users with Read/Write access.
For both the silver and blue USB drives the Device ID should be obtained from either within Windows device manager or using the DevViewer tool which is available on the SEP media. Do not use the Class ID for reference of the device. Add both of the Device ID's into the SEPM database.
Device Control Policies:
Use a mix of device control and application control to allow silver (all users) and blue (for certain users) and block everything else at the time of connection. Device control will control the actual connection of the device and the application will grant the level of access once a device is connected successfully.
Active Directory Integration:
Active Directory integration is required. Configure your SEPM to read from the AD domain(s) as required to import your users.
Import your users OU as a client group within the SEPM client group hierarchy. Once the Users are sync'd (can be done manually by right click on the imported OU) then deploy the User Mode SEP client to their machines.
Use the security groups in AD as the mechanism to determine which group a user belongs in order to apply the correct policy set.
This is achieved by using multiple locations within a client group.
Create three additional locations.
- ADC Policy = USB Default
- ADC Policy = USB Restricted
- ADC Policy = USB Read Only
- ADC Policy = USB Read and Write
The conditions that will be required for a client (user) to use the locations and the policy set assigned to each will be a check in the registry for a value of a certain registry key.
The registry to use in this demo is HKLM\SOFTWARE\Symantec\DeviceControl\USB
The value of the key will be 0=default, 1=Read, 2=Write, 3=Restricted.
The condition created will read the registry key value when the user logs on and the SEP client starts. The client will automatically be associated with the location depending on how the registry value is set. The SEP client will then adopt the policy set assigned to that location. In this case the Application and Device Control policies that we have created.
The registry settings are applied by using Group Policy Objects. The group policy that is applied is a change to the user configuration within the group policy. When a certain group policy is applied it alters the value of the registry key used for location awareness conditions. Group policy can be scoped to be assigned to users with permissions to recieve the GPO.
Create four group polices: for Default, Read, Write and Restricted.
Each individual GPO will write a registry value on the client machine when the user logs on.
Use the GPO scope's to ensure the correct GPO is applied to the client machine at logon.
The default will be applied at the highest level with a presedence of 1. Read, Write and Restricted will be applied directly to the users OU and enforced.
The scope is set on each as follows:
Therefore if the user does not belong to any of the defined secuity groups of read, write or restricted the default GPO applied. This default GPO writes the registry key value of 0. This means that a user has read/write on the silver USB drive but all other USB devices (storage) are blocked.
The DeviceControl Read policy writes the registry value of 1, write = 2, restricted =3.
With the Read, Write and Restricted GPO's authenticated users scope have been removed. You only want to scope the GPO to the individual groups to ensure complete control of the users policy assignments within SEP.
Group Policy Settings:
Editing the GPO for DeviceControl Write. Under User Configuration -> Preferences -> Windows Settings -> Registry there is an entrie to update the USB registry key value to a value of 2.
The path of the registry key is in the HKLM hive. This is because the SEP location conditions for reading the registry are pre-set to HKLM and cannot be changed to read the HKCU hive. So the HKLM registry key is set for this reason.
Example: This is the condition for the DeviceControl Default policy.
SEP locations should be configured as follows:
The default client group will have just the single default location with the DeviceControl restricted policy applied. This will ensure that if the machine is logged on locally, because the SEP client is in User Mode and the account used is not within AD then the client will use the Default group policy settings. So even local administrators will not be able to write to any USB device.
End User Experience:
With this now in place, one of our users logs on to a workstation. The registry is referenced by SEP and the location changed appling the policies associated with the location and the level of access to the USB drives authorised for that user.
This concept can be used to apply any policy or control the SEP client in any way neccessary in your environment. This is also allows for operational overhead to be reduced significantly as helpdesk support can assist by moving users into security groups to control a 'SEP profile' associated for each user.
This can also be applied a the computer level in computer mode.
The principal functionality of this solution is to write a registry value based on a GPO which can only be applied to users within a specific security group and for SEP to reference the registry value for location conditions.
Enforcement & Monitoring:
You can run reports from within SEP and now Active Directory to establish which users have which level of access.
I also use Critical System Protection to monitor the Active Directory for changes made and schedule reports from CSP. CSP is also ideal for protecting the registry keys.
You will need to protect the registry key to only allow svchost.exe to manipulate the registry keys that you define, preventing a knowledgable end user from altering the registry key to gain temporary access to a USB device.