How to Block unwanted Memory Cards

Created: 19 Feb 2012 • Updated: 21 Feb 2012 | 6 comments
Vikram Kumar-SAV to SEP's picture

In many organizations, USB sticks are allowed because they are a business requirement. However, allowing USB disk storage also allows a lot of unwanted things, for example users connecting their mobile phones, cameras, iPods and other music players to the production environment.

This is a concern for data leakage, and because these memory cards are not protected, threats and malware entering by this route are also very common.

So our target should be to allow USB sticks but block these memory cards.

This can be achieved in two steps:

1. Log these devices using Application Control of SEP; analyze the ones which are not required.

2. Block the unwanted memory cards using Device Control of SEP.

 

1. i) Monitor all the Device IDs for USB disks centrally from SEPM

Create a new rule set called Registry Disk Drive Monitor

Create a Registry Access Attempt rule for the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\DISK\*

For each of these keys, set the following actions:

Read Attempt- Continue Processing other Rule, Enable Logging and No Notification

Write, Create and Delete Attempt- Continue Processing other Rule, Enable Logging and No Notification

 

ii) Once the rule is enabled, review the log files daily or weekly.

Go to SEPM – Monitors – Logs

Log Type: Application and Device Control

Log Content: Application Control

When reviewing the logs, keep this image as a reference to identify what each Device ID is used for:

[Image: Application control]

 

Eg: USBSTORUSBSTOR&DISK&VEN_SONYERIC&PROD__MOBILE_STORAGE&REV1.0….

USBSTORUSBSTOR&DISK&VEN_HTC&PROD_ANDROID_PHONE&REV….

USBSTOR/DISK&VEN_RIM&PROD_BLACKBERRY&REV….

 

2. Once you have reviewed the logged devices, removed the USB sticks and other allowed devices from the list, and are ready with the devices to block:

Go to SEPM – Policies – Policy Components – Hardware Devices and add the devices you want to block.

Then edit the Device Control policy and block the Device IDs you have added to the Hardware Devices list.
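
To make the log review in step 1 manageable, the logged device IDs can be grouped by vendor and product before deciding what to add to the Hardware Devices list. The following is an added example, not part of the original article or of SEP: it assumes the Application Control log entries are available as (hostname, text) pairs, and the sample rows, hostnames, serials, revisions and the ExampleCo allow-list entry are constructed.

```python
import re
from collections import defaultdict

# USBSTOR disk ID fields. Accepts "\" or "/" after USBSTOR and "REV" with or
# without "_", because IDs copied out of logs are not always written the same way.
DEVICE_ID = re.compile(
    r"USBSTOR[\\/]DISK&VEN_(?P<vendor>[^&]*)&PROD_(?P<product>[^&]*)"
    r"&REV_?(?P<rev>[^\\/&\s]*)",
    re.IGNORECASE,
)

# Constructed sample input: (hostname, logged registry path or device ID).
# Hostnames, serials, revisions and "ExampleCo" are made up for illustration.
SAMPLE_ROWS = [
    ("PC-01", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
              r"\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\SERIAL-A&0"),
    ("PC-02", r"USBSTOR\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\SERIAL-B&0"),
    ("PC-02", r"USBSTOR\Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00\SERIAL-C&0"),
    ("PC-03", "USBSTOR/DISK&VEN_RIM&PROD_BLACKBERRY&REV0002"),
    ("PC-03", r"HKEY_LOCAL_MACHINE\SOFTWARE\Unrelated\Key"),  # not a device ID
]

def parse_device_id(text):
    """Return (vendor, product, rev) upper-cased, or None if no USBSTOR disk ID."""
    m = DEVICE_ID.search(text)
    if not m:
        return None
    return tuple(m.group(g).strip("_").upper() for g in ("vendor", "product", "rev"))

def summarize(rows):
    """Map each (vendor, product) to the set of hosts where it was logged."""
    seen = defaultdict(set)
    for host, text in rows:
        parsed = parse_device_id(text)
        if parsed:
            seen[parsed[:2]].add(host)
    return dict(seen)

def review_list(rows, allowed=()):
    """Device models not on the allow list, most widely seen first."""
    allowed = {(v.upper(), p.upper()) for v, p in allowed}
    pending = {k: h for k, h in summarize(rows).items() if k not in allowed}
    return sorted(pending.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for (vendor, product), hosts in review_list(
            SAMPLE_ROWS, allowed=[("ExampleCo", "Flash_Drive")]):
        print(f"{vendor:12} {product:20} hosts={sorted(hosts)}")
```

Each entry left in the review list is a device model still to be classified as allowed or blocked, with the hosts where it was seen.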

6 Comments

greg12's picture

good stuff!

AR Sharma's picture

Best part is, it seems to be not an out of box feature. It's good work using application control and device control together to achieve this!

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

Srikanth_Subra's picture

Good stuff

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

pkh's picture

Using this method to block devices is like King Canute trying to hold back the tide. You've got to block individual devices. Unless you have a lot of time to spare, this method is not practical. As soon as you block one device, there will be another.

Vikram Kumar-SAV to SEP's picture

@Pkh -- I agree, but this requirement came for one of my customers. If you have an alternate idea, let me know. I went for the hard way, because anyways I don't have to check and block. But yeah, it works.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Avkash K's picture

Hi Vikram,

Thanks for the share!

Does this work for laptop memory card slots also?

Regards,

Avkash K
