Client Management Suite

  • 1.  Log and or prevent disk media from loading

    Posted Dec 03, 2009 03:34 PM
    Is there a way to track or block USB or CD media being inserted or run on a machine with Altiris? I thought during my sales pitch many years ago I was told this was possible.


  • 2.  RE: Log and or prevent disk media from loading

    Posted Dec 03, 2009 05:14 PM

    You were probably fed something like this:
    http://www.altiris.com/upload/wp_bestpracticesformanagingusbsecurity.pdf

    Or this:
    http://www.altirigos.com/vbulletin/endpoint-security-solution-ess/6379-altiris-endpoint-security-your-thoughts.html

    I've never looked into the current way to do this -- it hasn't been an organizational priority for us.  At a deeper, more complete level, I'm sure it's Symantec DLP: http://www.symantec.com/business/data-loss-prevention
     



  • 3.  RE: Log and or prevent disk media from loading

    Posted Dec 03, 2009 06:04 PM
    Yep, that's what I was force fed 2 years ago.....:-)

    Right now we just want to log it. Can monitoring solution handle that?


  • 4.  RE: Log and or prevent disk media from loading

    Posted Dec 07, 2009 10:39 PM

    Hi NoodleNT

    We are doing something like this now, using the Dell Client Management Solution (which is Free)

    Basically what we do is we have a policy in DCM which detects if the disk count goes up, and then upon this action emails both our IT Security people and the end user.

    The email is very direct and says that under the employment guidelines you won't to and that it breaches the code of conduct.

    This has greatly discouraged staff from doing it.

    In addition to this I also run a weekly report which shows all the users and whose computers have registered attached USB devices.
    I get this info from the Inv_AeX_HW_Physical_Disk table and just omit results for known devices.
    Let me know if you’d like the query.
    This will enable logging of the device for you.



    Mick.
     


  • 5.  RE: Log and or prevent disk media from loading

    Posted Dec 08, 2009 11:29 AM
    I can't use that because we are all Lenovo laptops here.


  • 6.  RE: Log and or prevent disk media from loading

    Posted Dec 08, 2009 09:32 PM
    There is an HP version as well; I just checked and it's available in NS6 & 7.


  • 7.  RE: Log and or prevent disk media from loading

    Posted Dec 08, 2009 10:37 PM
    offers some detailed device control options. I believe the Altiris product is end of lifed, (pulling from the EOL policy page).
                                                                                                                          
    Version                                   Release Date    Engineering Support Date (Updates)   Technical Support Date
    Endpoint Security Solution 6.0            27 Sept. 2006   28 Mar. 2009                         28 Mar. 2010
    Removable Storage Security Solution 6.0   14 Dec. 2006    28 Mar. 2009                         28 Mar. 2010


    I think the option Mick is offering (triggering a notification policy off Inv_AeX_HW_Physical_Disk table) would be a good (and less expensive) option.


  • 8.  RE: Log and or prevent disk media from loading

    Posted Dec 08, 2009 11:02 PM


    Doh.. I just realised I got Lenovo confused with HP..  sorry bout that.

    Obviously you need to customise it for your own environment, this one is from our Dell environment.

    Here is my query anyway


    -- Disks reported by inventory, excluding known internal/approved models
    SELECT vComputer.Name AS 'WorkStation',
           vUser.[Display Name] AS 'User',
           vUser.[Job Title],
           vUser.[Department],
           t1.[description],
           t1.[Size (MB)],
           t1.[Drive Letters]
    FROM vComputer
    JOIN Inv_AeX_HW_Physical_Disk t1 ON t1._ResourceGuid = vComputer.Guid
    JOIN vUser ON vUser.Name = vComputer.[User]
    WHERE t1.[description] NOT IN (
              'HDS728040PLA320',
              '\\.\PHYSICALDRIVE0',
              'DELL PERC 5/i SCSI Disk Device',
              'DELL VIRTUAL DISK  IM SCSI Disk Device',
              'Hitachi HTS541040G9AT00',
              'WDC WD800JD-75MSA3',
              'ST380815AS',
              'ST340212AS',
              'WDC WD400BD-75MRA1',
              'WDC WD400BD-75MRA3',
              'PERC  LD  0 PERCRAID SCSI Disk Device',
              'SAMSUNG HD040GJ',
              'ST3402111AS',
              'ST340014A',
              'VMware Virtual disk SCSI Disk Device',
              'ST340014AS',
              'Hitachi HDS721680PLA380',
              'IronKey Secure Drive USB Device',
              'ST3500641AS'
          )
      AND t1.[description] NOT LIKE 'WDC WD%'
      AND t1.[description] NOT LIKE 'ST%'
      AND t1.[description] NOT LIKE 'VMWare%'
    ORDER BY vUser.[Department] ASC


  • 9.  RE: Log and or prevent disk media from loading

    Posted Dec 08, 2009 11:51 PM
    You could probably also use the "AeX HW Logical Disk Changes" dataclass which should be collected daily by default.  This one lists out all added/removed disks, including the volume serial number, size, type, etc.  Maybe something like:

    SELECT vc.Name, vc.[User], vc.Domain, ldc.[Last Modified],
    ldc.Status, ldc.[Description], ldc.[Size in MBytes], ldc.[Device ID],
    ldc.[Volume SerialNumber]
    FROM vComputer vc
    JOIN Inv_Aex_HW_Logical_Disk_Changes ldc
    on vc.Guid = ldc._ResourceGuid
    WHERE ldc.Description = 'Local Disk'
    AND ldc.Status IN ('Added', 'Changed', 'Removed')
    AND ldc.[Size in MBytes] > 0
    AND DATEDIFF(dd, ldc.[Last Modified], GETDATE()) < 7
    ORDER BY vc.Name ASC, ldc.[Last Modified] DESC

    If I did that right, it should show any local disk which was added, removed, or changed in the last 7 days.  Seems to work on my NS...
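
An added example, not part of any post in this thread: a variant of the weekly report on Inv_AeX_HW_Physical_Disk from post 8 that keeps the known-device list as data instead of a chain of comparisons, and that still reports a disk when the machine's user has no vUser row or the description is NULL. Table and column names are the ones used in the thread's queries; the @KnownDisk table variable and its rows are assumptions, and the multi-row INSERT assumes SQL Server 2008 or later.

```sql
-- Added example (T-SQL). @KnownDisk is a hypothetical allow-list; its rows
-- are sample values taken from the thread and must be replaced per site.
DECLARE @KnownDisk TABLE (Pattern nvarchar(255) NOT NULL PRIMARY KEY);

-- One row per approved disk description; % is the LIKE wildcard.
INSERT INTO @KnownDisk (Pattern) VALUES
    ('\\.\PHYSICALDRIVE0'),
    ('DELL PERC 5/i SCSI Disk Device'),
    ('Hitachi HTS541040G9AT00'),
    ('SAMSUNG HD040GJ'),
    ('WDC WD%'),
    ('ST%'),
    ('VMware%'),
    ('IronKey Secure Drive USB Device');

SELECT vc.Name          AS 'WorkStation',
       vc.[User]        AS 'Primary User',
       u.[Display Name] AS 'User',
       u.[Department],
       d.[description],
       d.[Size (MB)],
       d.[Drive Letters]
FROM vComputer vc
JOIN Inv_AeX_HW_Physical_Disk d
    ON d._ResourceGuid = vc.Guid
-- LEFT JOIN: a machine whose primary user has no vUser row is still
-- reported, with NULL in the user columns, instead of dropping out.
LEFT JOIN vUser u
    ON u.Name = vc.[User]
-- NOT EXISTS keeps rows whose description is NULL; a chain of
-- "description != '...'" tests evaluates to UNKNOWN for NULL and hides them.
WHERE NOT EXISTS (
    SELECT 1
    FROM @KnownDisk k
    WHERE d.[description] LIKE k.Pattern
)
ORDER BY u.[Department] ASC, vc.Name ASC;
```

Exact model strings are safer allow-list entries than broad prefixes such as 'ST%', which also suppress any other device whose description starts with those characters.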