
Customizing USB storage access for end users in Symantec Endpoint protection

Created: 03 Dec 2012 • Updated: 03 Dec 2012 | 3 comments

Hi,

We have Symantec Endpoint Protection Ver 12.1.1101 installed and I have a request to implement a policy to control USB storage device access in the internal network. The details are:

1. by default, turn OFF all the USB storage device access to all the users

2. turn ON the access based on the USER level NOT on the PC level.

may I know how we can achieve this?

Thanks

Sri

3 Comments

W007:

Hi,

The better way is to set up all computers in "User Mode".

Administration Guide for Symantec Endpoint Protection and Symantec Network Access
> Section 1. Basic Administrative Tasks
> Setting up your organizational structure
> Understanding users and computers & Managing Users and Computers

The policies are then set depending on the user that has logged into the machine.


Check this thread

https://www-secure.symantec.com/connect/forums/sep-user-mode-can-you-explain-want-link-device-control-policy

https://www-secure.symantec.com/connect/forums/configuring-usb


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Ajit Jha:

Change the clients into User Mode and the policies change, depending on which user is logged on to the client. The policy follows the user. If the client software runs in user mode, the client computer software gets the policies from the group of which the user is a member. If the client software runs in computer mode, the client gets the policies from the group of which the computer is a member.

Regards

Ajit Jha

Technical Consultant

ASC & STS

SMLatCST:

"Thumbs Up" to the above posts.  As they noted, the only way to achieve this is by switching all of your SEP clients to operate in "User mode".  Take a look at the below articles if you're unfamiliar with User Mode:

http://www.symantec.com/docs/HOWTO80734
http://www.symantec.com/docs/HOWTO27008

When in user mode, you should notice that the client records in your SEPM have a user icon instead of a computer one, and that the currently logged on user is the primary column.

You'll also need to separate the users into groups:  The normal users who are denied USB Storage Access, and a separate group containing those users who are allowed access.

Further to the groups, you'll have to create and assign the device control policies configured to provide the behaviour you want.

Soooooo, for the group whose access is blocked to USB Storage, you want to assign an "Application and Device Control" policy that does just that.  I'd recommend reviewing the below article on how to create such a policy:

http://www.symantec.com/docs/TECH175220

As per the article, I'd recommend creating a custom "Hardware Device" for the wildcard device ID below, which specifically matches USB Storage devices (in accordance with your stated requirements):

USBSTOR*

And for the group who are allowed access, don't add any blocks...

It's probably worth mentioning that, if implementing in a production environment, you'll want to look into the availability of your SEPM(s), and investigate Load-balancing/Fault-tolerance if not already implemented.  When in User mode, the SEP Client contacts the SEPM for the policies appropriate for the user when they log in.  If the SEPM is unavailable, then the SEP Client will revert to the policies applied by the previous user.
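The post above describes three things that are easy to get wrong when planning this: which device IDs a `USBSTOR*` wildcard actually catches (USB disks, but not a USB mouse or an internal SATA disk), how a user-mode client ends up with the policy of the group its logged-on user belongs to, and what happens when the SEPM cannot be reached at logon. The following is an added worked model of that logic, written for this page; it is not Symantec's code and does not talk to a SEPM. The device instance IDs, group names and user names are constructed samples, and wildcard matching is approximated with `fnmatch` (case-insensitive), which is an assumption about how the hardware-device wildcard behaves.

```python
"""Model of SEP user-mode policy resolution and a USBSTOR* device-control block.

Added example for illustration only: the matching and fallback behaviour are
taken from the forum answers above, not from Symantec's implementation.
"""
import fnmatch
from typing import Dict, List, Optional

# Constructed Windows PnP device instance IDs (not taken from any real host).
SAMPLE_DEVICES: Dict[str, str] = {
    "usb-flash":    r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0011223344&0",
    "usb-hdd":      r"USBSTOR\DISK&VEN_EXAMPLE&PROD_PORTABLE&REV_1019\5758AABB&0",
    "usb-mouse":    r"USB\VID_0000&PID_0001\6&2A1B3C4D&0&1",
    "usb-keyboard": r"HID\VID_0000&PID_0002\7&1234ABCD&0&0000",
    "sata-disk":    r"SCSI\DISK&VEN_EXAMPLE&PROD_SSD\4&ABCDEF&0&000000",
}

# Hypothetical group -> Application and Device Control policy mapping.
# "Standard Users" blocks USB storage; "USB Allowed Users" has no block rule.
GROUP_POLICY: Dict[str, Dict[str, List[str]]] = {
    "Standard Users":    {"blocked_device_patterns": ["USBSTOR*"]},
    "USB Allowed Users": {"blocked_device_patterns": []},
}

# Hypothetical user -> SEPM group membership (user-mode clients follow the user).
USER_GROUP: Dict[str, str] = {
    "alice": "Standard Users",
    "bob":   "USB Allowed Users",
}


def matches_device_id(device_id: str, pattern: str) -> bool:
    """Wildcard match of a device instance ID, case-insensitive (assumption)."""
    return fnmatch.fnmatchcase(device_id.upper(), pattern.upper())


def effective_policy(user: str) -> Dict[str, List[str]]:
    """In user mode the client receives the policy of the user's group."""
    group = USER_GROUP[user]
    return GROUP_POLICY[group]


def policy_blocks(policy: Dict[str, List[str]], device_id: str) -> bool:
    """True when any block rule in the policy matches the device ID."""
    return any(matches_device_id(device_id, p)
               for p in policy["blocked_device_patterns"])


def is_blocked(user: str, device_id: str) -> bool:
    """Convenience: resolve the user's policy and evaluate one device."""
    return policy_blocks(effective_policy(user), device_id)


class UserModeClient:
    """Simulates the logon behaviour described in the thread: the client asks
    the SEPM for the logged-on user's policy; if the SEPM is unreachable it
    keeps whatever policy the previous user received."""

    def __init__(self) -> None:
        self.current_policy: Optional[Dict[str, List[str]]] = None
        self.current_user: Optional[str] = None

    def logon(self, user: str, sepm_available: bool = True) -> Dict[str, List[str]]:
        self.current_user = user
        if sepm_available or self.current_policy is None:
            self.current_policy = effective_policy(user)
        # else: SEPM down -> previous user's policy stays in force (the caveat)
        return self.current_policy

    def device_blocked(self, device_id: str) -> bool:
        assert self.current_policy is not None, "no user logged on yet"
        return policy_blocks(self.current_policy, device_id)


def demo() -> Dict[str, bool]:
    """Returns a summary of the cases the thread discusses."""
    client = UserModeClient()
    client.logon("bob")                       # SEPM reachable, allowed user
    bob_flash = client.device_blocked(SAMPLE_DEVICES["usb-flash"])
    client.logon("alice", sepm_available=False)  # SEPM down at alice's logon
    alice_inherits_bob = client.device_blocked(SAMPLE_DEVICES["usb-flash"])
    return {
        "alice_flash_blocked_normally": is_blocked("alice", SAMPLE_DEVICES["usb-flash"]),
        "alice_mouse_blocked":          is_blocked("alice", SAMPLE_DEVICES["usb-mouse"]),
        "bob_flash_blocked":            bob_flash,
        "alice_flash_blocked_sepm_down": alice_inherits_bob,
    }


if __name__ == "__main__":
    for case, blocked in demo().items():
        print(f"{case}: {'BLOCKED' if blocked else 'allowed'}")
```

The last entry in `demo()` is the operational risk the post warns about: with the SEPM unreachable, a standard user logging on after an allowed user keeps the allowed user's policy, so USB storage stays usable until the client can fetch the correct policy. That is why SEPM availability (replication or load balancing) belongs in the design, not just the group and policy layout.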