Critical System Protection

  • 1.  Some questions about SCSP prevention policy

    Posted May 13, 2013 11:25 AM

    Hello,

    I have a few questions about SCSP 5.2.9 and would appreciate it if somebody could help.

    How to block devices on Windows and Linux?

    How to block access to a specific folder, for example the Windows folder or Program Files?

    How to block a service from running, and not one of the built-in services in the SCSP manager?

    Thanks.




  • 2.  RE: Some questions about SCSP prevention policy

    Broadcom Employee
    Posted May 13, 2013 11:43 AM

    The policies are set on the SCSP server and the agents take them, so it will be effective for Windows and Linux agents.

    Some helpful links:

    https://www-secure.symantec.com/connect/articles/deny-application-execution-using-scsp-policy

    https://www-secure.symantec.com/connect/articles/how-use-application-control-policy-critical-system-protection




  • 3.  RE: Some questions about SCSP prevention policy

    Posted May 16, 2013 02:49 AM

    Thanks for that,

    and what about the two other questions? Does anybody have an idea?



  • 4.  RE: Some questions about SCSP prevention policy

    Posted Jun 21, 2013 11:42 AM

    Your other two requests are difficult to handle. For controlling devices, you MAY be able to control USB devices, but it's something I've never tried. When you connect a USB device, certain registry keys are written to denote the connection. If you prevent access to those keys and/or prevent them from being created, it should prevent the USB device from being accessible. You would need to do some research into it and then test it to ensure you don't cause more problems than you solve. Symantec Endpoint Protection is much better equipped to handle device control.

    Services are somewhat easier, but still have some "gotchas." To prevent a service from starting, you can prevent access to the executable responsible for starting the service. For example, to prevent the Print Spooler from launching, you would place the following entry in the "Global File No Access" portion of the policy:

    *spoolsv.exe

    The "gotcha" with this is that many of the built-in Windows services run under "svchost.exe," so preventing access to this file will have many far-reaching consequences. Your better option here may be to secure those services through Group Policy.

    Chris Tyrrell

    Conventus Corp

    ctyrrell@conventus-sei.com
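The "gotcha" above (a no-access entry on svchost.exe hits every service that shares that host binary) can be checked before a rule is pushed. The following is an added example, not code from the thread or from SCSP: it assumes simple shell-style wildcard matching (Python's fnmatch) against the full path of each service's host executable, which may differ from SCSP's real matching rules, and it uses a constructed service inventory modelled on what `sc query` or `Get-Service` would report rather than reading the live machine.

```python
"""Blast-radius check for a "Global File No Access" pattern (added example).

Assumption: SCSP-style entries such as "*spoolsv.exe" are treated here as
shell-style wildcards matched case-insensitively against the full path of the
executable hosting a service. SCSP's actual semantics are not documented on
this page, so treat the matching rule as illustrative.
"""
import fnmatch

# Constructed sample inventory (service name -> host executable), in the shape
# "sc query" / Get-Service would give you. Not taken from any real machine.
SERVICES = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "Dhcp": r"C:\Windows\System32\svchost.exe",
    "Dnscache": r"C:\Windows\System32\svchost.exe",
    "EventLog": r"C:\Windows\System32\svchost.exe",
    "Schedule": r"C:\Windows\System32\svchost.exe",
    "MSSQLSERVER": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
}


def affected_services(pattern, services=SERVICES):
    """Sorted names of services whose host binary the no-access pattern would block."""
    pat = pattern.lower()
    return sorted(
        name for name, path in services.items()
        if fnmatch.fnmatchcase(path.lower(), pat)
    )


def collateral(pattern, target, services=SERVICES):
    """Services blocked by `pattern` other than the one you meant to stop."""
    return [name for name in affected_services(pattern, services) if name != target]


def recommend(pattern, target, services=SERVICES):
    """Decide how to stop `target` safely.

    Returns "file-no-access" when the pattern only hits the intended service,
    "group-policy" when it would also knock out other services (the poster's
    advice for shared hosts like svchost.exe), and "no-match" when the pattern
    does not cover the target at all (a typo or the wrong binary).
    """
    hit = affected_services(pattern, services)
    if target not in hit:
        return "no-match"
    if collateral(pattern, target, services):
        return "group-policy"
    return "file-no-access"


if __name__ == "__main__":
    for pattern, target in [("*spoolsv.exe", "Spooler"),
                            ("*svchost.exe", "Dhcp"),
                            ("*spolsv.exe", "Spooler")]:
        print(f"{pattern!r} for {target}: {recommend(pattern, target)}; "
              f"collateral={collateral(pattern, target)}")
```

Run it as a script to see the three cases side by side; for a real review, replace `SERVICES` with the name-to-path map exported from the target host and check `collateral()` is empty before adding the entry to the policy.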



  • 5.  RE: Some questions about SCSP prevention policy

    Posted Jun 22, 2013 06:10 PM

    You don't need to block USB devices if you use a strict or no_priv policy. This is because any executables will be placed into the default bucket and blocked from harming the system. And if you have locked down directories, data will not be able to be copied from the machine to the USB device.



  • 6.  RE: Some questions about SCSP prevention policy

    Posted Jul 02, 2013 06:24 AM

    Thanks for the question and for the answers! I'm relatively new to this branch and face the same problems. Thank you again for the posts!



  • 7.  RE: Some questions about SCSP prevention policy

    Posted Jul 02, 2013 08:39 AM

    What Chuck said. You don't need to worry about anyone putting viruses onto the PC via a USB, or taking data on, because SCSP will not allow it to run, especially with the Strict policy in place.

    There could be 1000 viruses on that machine, but they wouldn't be able to do a single thing, all because SCSP will not let it.



  • 8.  RE: Some questions about SCSP prevention policy

    Posted Jul 02, 2013 11:36 AM

    One word of caution to what Alex_CST mentions above. If you have an infected machine, the malware will be contained from harming the system as long as prevention is enabled. If your administrators disable prevention to perform troubleshooting or for other maintenance tasks, that protection goes out the window. There is no substitute for a layered, comprehensive security strategy. An event review process absolutely needs to be part of your overall solution. Good luck with your deployment(s)!

    Chris Tyrrell

    Compliance Practice Lead

    Conventus Corp

    ctyrrell@conventus-sei.com



  • 9.  RE: Some questions about SCSP prevention policy

    Posted Jul 02, 2013 11:51 AM

    Excellent point Chris!



  • 10.  RE: Some questions about SCSP prevention policy

    Posted Aug 02, 2013 02:59 PM

    Also...blocking USB is not only to prevent introduction of code to a server but also to prevent exfiltration of data from the servers....