Endpoint protection of usb-devices on Thin client
Updated: 26 Sep 2010 | 12 comments
We want to use Symantec Endpoint Protection 11.05 to control usb-devices on a terminal server. We want to use SEP in combination with 2X Thin Clients.
But the 2X Thin Client software represents the usb-devices as fixed drives and not as removable drives. For us it is very important to protect the usb-devices. We want to block the starting of applications from those devices only.
Is there a solution that makes it possible to do this? Thanks!!
Comments
How to prevent programs from running by blocking the file extension types from removable drives.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009020313373948?Open&seg=ent
DevViewer - a tool for finding hardware device ID for Device Blocking in SEP 11.x / 5.x
http://service1.symantec.com/support/ent-security.nsf/docid/2007511906325898?Open&seg=ent
Thanks. But the problem is that the 2X Thin Client software represents the usb devices as fixed drives and not as removable usb-devices. So it won't work.
As per the doc
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009020313373948?Open&seg=ent
After : Click : Add a hardware device

Select
I've already tried what you suggested, but it doesn't work. The only thing that works is: when on the page "Add process definition" I fill in "*" at "Process name to match" and do NOT enable "Only match processes running from the following drive types". The result then is that it is impossible to start any application from any of the drive types.
All other possibilities don't work. For example: when instead of "*" I fill in "*.exe" or "c:\temp\*.exe" it has totally no effect. I don't know what to do now. Do you have any suggestions? Thanks
Due to the limitation of them appearing as a fixed drive, perhaps a group policy style software restriction policy would work better?
technet.microsoft.com/en-us/library/bb457006.aspx
Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa
Create a policy to block executables from all drives and give an exception to the original fixed drives. You can also use the method below.
Start by using our DevViewer utility on CD2; you can see device IDs and class IDs with it. For more information on device IDs see here: http://msdn.microsoft.com/en-us/library/ms791083.aspx
Suffice to say, you can use wildcards in the device ID to match based on device type, manufacturer, etc.
For example, I have a USB device (Apple iPhone) which is recognised as:
\USB\Vid_05ac&Pid_1292\9f5bce6ec6831ba6c2520874ebca5f1ce17ac5c6
If I wanted to block that single device I could use the above string.
If I wanted to block all Apple iPhones, I could use the following:
\USB\Vid_05ac&Pid_1292\*
If I wanted to block all Apple USB devices, I could use this:
\USB\Vid_05ac*
If I wanted to block all Apple devices, I could try this
\*\Vid_05ac*
In the above example,
Vid_05ac - Vendor ID 05ac - Apple
Pid_1292 - Product ID
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
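To see what each wildcard pattern from the post above would catch before it goes into a policy, the patterns can be run against a device inventory. This is an added example, not part of the original post and not Symantec code; every inventory entry except the iPhone ID is constructed, and the matching rules (`*` matches any run of characters, case is ignored) are an assumption modelled on the post's examples rather than SEP's documented behaviour.

```python
import re

# Constructed inventory; only the first ID comes from the post above.
INVENTORY = [
    r"\USB\Vid_05ac&Pid_1292\9f5bce6ec6831ba6c2520874ebca5f1ce17ac5c6",
    r"\USB\VID_05AC&PID_1292\CONSTRUCTED-SERIAL-2",  # same model, other casing
    r"\USB\Vid_05ac&Pid_0220\CONSTRUCTED-SERIAL-3",  # same vendor, other product
    r"\HID\Vid_05ac&Pid_0220\CONSTRUCTED-SERIAL-4",  # same vendor, other bus
    r"\USB\Vid_1234&Pid_5678\CONSTRUCTED-SERIAL-5",  # other vendor
]


def compile_pattern(pattern):
    """Turn a device-ID pattern into a regex.

    Assumption: only '*' is a wildcard; '&', '\\', '{', '[' and the rest
    are literal, so each literal piece is escaped before joining.
    """
    body = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.compile(body, re.IGNORECASE)


def matches(pattern, device_id):
    # fullmatch: a pattern without a trailing '*' must cover the whole ID.
    return compile_pattern(pattern).fullmatch(device_id) is not None


def matched_by(pattern, inventory=INVENTORY):
    """Device IDs from the inventory that the pattern would select."""
    return [dev for dev in inventory if matches(pattern, dev)]


def evaluate(inventory, blocked, excluded=()):
    """Map each device ID to 'blocked' or 'allowed'; an exclusion wins."""
    verdicts = {}
    for dev in inventory:
        hit = any(matches(p, dev) for p in blocked)
        exempt = any(matches(p, dev) for p in excluded)
        verdicts[dev] = "blocked" if hit and not exempt else "allowed"
    return verdicts


if __name__ == "__main__":
    for pat in (r"\USB\Vid_05ac&Pid_1292\*", r"\USB\Vid_05ac*", r"\*\Vid_05ac*"):
        print(pat, "->", len(matched_by(pat)), "of", len(INVENTORY), "devices")
```

Each broader pattern pulls in one more class of device, which is the thing to check against a real DevViewer export before a block list is assigned to a group.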
Thanks. I think that could be the solution. I know how to block the executables from all drives, but how/where can you give an exception to the original fixed drive?
Sorry for the late reply.
First you have to add the device. To do that, proceed as follows:
· Open the Symantec Endpoint Protection Manager
· Click on Policies
· Expand Policy Components
· Click on Hardware Devices
· Click Add a Hardware Device...
· In the Device Name: field choose a name for your custom device identifier <Note: This can be anything>
· Click the radio button next to Device ID:
· Type the following in the Device ID: field: (Here you can give the device ID of your fixed drives. You can find it using DevViewer on CD2. If you have more drives, you can use wildcards in this field as I mentioned in the earlier post.)
Create a policy for blocking executables from all drives. For creating the exception, refer to the figure below. (Click on the Add button of the exceptions and follow this.)
Note: I recommend you do this in a test environment first.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Also try keeping the client in user mode. For this, find the client in SEPM, right-click on it and click on switch to user mode.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Log in to the Symantec Endpoint Protection Manager Console.
Select the Policies option from the left-hand column.
Select Centralized Exceptions from the "View Policies" section.
Select the Add a Centralized Exception Policy... from the "Tasks" section.
After naming the policy, select the Centralized Exceptions tab on the left-hand portion of the screen.
Select Add and select the desired exclusion type and enter in your exclusion (Note: You will be able to create exclusions for Security Risk Exceptions, TruScan Proactive Threat Scan Exceptions, and Tamper Protection Exceptions.)
Once your exclusion is set, select OK and then follow through the prompts for assigning the Exclusion policy to your groups
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
I don't think this is the way to make an exception for the whole original fixed drive of blocking applications. I've tried and it doesn't work. So is there another way to do this!
blocking applications from all drives except the c:(system)drive
Hello
I want to block the applications of all drives, but not from the C: (system) drive. Is there a possibility to make the exclusion for the C: drive at once, so without making exception for all the (sub)directories? Regards, Jos