Endpoint Protection

  • 1.  App Control

    Posted Jun 09, 2009 11:52 AM
     
    Looking for clarification.  In SEP when it comes to app control, when it comes to file/folder access it lumps "removable drives" into a category.  It doesn't really say what that covers.  Ultimately we are looking to make EVERYTHING read-only that can be connected to the client: USB (drives, keychains, cameras, phones, etc), CD/DVD, Firewire, Floppy, Memory Cards (SD, MMC, CF, etc), Bluetooth.  Anything that can potentially carry data off a client and off-site.  

    Removable storage - is that only USB & Floppies?  

    What's the best attack for making things like firewire, memory cards, etc read-only?


  • 2.  RE: App Control

    Posted Jun 09, 2009 11:04 PM
    Just like I said in my reply to your other, similar post, you can block devices based on the hardware class and hardware id (GUID) and only allow what you want to allow.
    If you're lucky and only allow certain removable media flash drives, and they all get the same drive letter when attached to the machine, you can then use a file/folder access control rule to make them read-only. Alternatively, you can use a host integrity policy that has a built-in "make RM read-only" rule and specify a condition that it's triggered on -- this would be something you need to figure out locally, maybe presence of a reg key that gets created when RM device is plugged in?
    Much easier would be not using SEP and using a device and port control application, like Safend's Port Protector, which is built specifically for what you're trying to achieve.
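
The reply above depends on knowing the hardware class GUID and device ID of each device, and the drive letter a removable volume receives. The following PowerShell inventory is an added example, not part of either post and not a SEP tool; the list of setup classes and the function names are assumptions to adjust locally.

```powershell
# Added example: read-only inventory of attached devices and volumes.
# It changes nothing on the machine and does not talk to SEP.
# Requires PowerShell 3+ (CIM cmdlets); the PNPClass property needs
# Windows 10 / Server 2016 or later.

# Device setup classes that commonly cover the media named in the question
# (assumed list; extend it after checking Device Manager on a test client).
$StorageClasses = 'DiskDrive', 'CDROM', 'FloppyDisk', 'WPD', 'Image',
                  'Bluetooth', '1394', 'SBP2', 'USB'

# Hypothetical helper: class GUID and device ID for every attached device
# in the classes above. These are the values a class/ID based block or
# allow list is written against.
function Get-AttachedDeviceIds {
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.PNPClass -in $StorageClasses } |
        Select-Object PNPClass, ClassGuid, Name, DeviceID |
        Sort-Object PNPClass, Name
}

# Hypothetical helper: how Windows classifies each mounted volume, so you can
# see which drive letters a file/folder read-only rule would need to cover.
function Get-VolumeTypes {
    $typeNames = @{ 2 = 'Removable'; 3 = 'Fixed'; 4 = 'Network'; 5 = 'CD/DVD' }
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Select-Object DeviceID, VolumeName,
            @{ Name = 'Type'; Expression = { $typeNames[[int]$_.DriveType] } }
}

Get-AttachedDeviceIds | Format-Table -AutoSize
Get-VolumeTypes       | Format-Table -AutoSize
```

Run it once with each device type plugged in (flash drive, card reader, camera, phone) to see which class each one lands in and whether it mounts as a lettered volume at all.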