Video Screencast Help

User-based USB stick control

Created: 19 Jan 2010 • Updated: 21 May 2010 | 8 comments
This issue has been solved. See solution.

I have a simple question: is it possible to create a rule to allow a USB stick from a certain maker (identified through serial number) based on the user currently logged on on the workstation? Most solutions only allow rule creation based on the workstation itself, but what I want to accomplish is: whatever workstation the user logs on, the rule will be applied and the USB stick will be allowed.

Thank you in advance.

Comments 8 CommentsJump to latest comment

Vikram Kumar-SAV to SEP's picture

 This can be done via Symantec Endpoint Protection -Device Control for sure..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Rafeeq's picture

yes it can be done

when you instal sep you have 2 options
1 user mode
2 computer mode
you can trun the workstation to user mode
right click and user mode
policy will be applied just for the user (where ever he logs in )

check this
How to create a rule that will allow only specific USB’s on to your network.

http://service1.symantec.com/support/ent-security.nsf/docid/2009031809381448

https://www-secure.symantec.com/connect/forums/computer-mode-vs-user-mode-0

SOLUTION
Naor Penso's picture

Device Control is a part of Symantec Endpoint Protection.
Symantec DLP (version 10)  Could enforce rules of whom could copy what do a DOK, but the system cannot enforce rules on which type of DOK.

Regards,
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

Andre Alves's picture

In short, it's possible through SEP, but not through Vontu. Is that correct?

Thank you all for the answers.

jjesse's picture

through SEP yes, Vontu no

Jonathan Jesse Practice Principal ITS Partners

Visu310's picture

As was already told, Yes it's quite possible with SEP... :) ... Here is a small suggestion from me..

* Create a new group in the SEPM which would basically have the block policy ...
* Right click on the group and choose Import AD or LDAP users...  and that would give you the list of AD users..
* Import or add the users for which you would like to apply this "Block USB" policy...

Active directory users and computers always have a high priority than the customer groups, so.. basically when anyone of the restricted user logs into any one of the computer in your network, the client would automatcially communicate with this "Block USB group" and take those policies... and if anyone else logs in, it will refer to the custom group...

And as far as blocking specific device, you can use the device ID to block any piece of h/w ... This can be obtained by running the Device Viewer from CD2 ...

Correct me If have gone wrong somwhere ... :)

Cheers,
Visu.

Cheers,
Visu.

I came, I saw, I err ;)

Andre Alves's picture

Thank you all for the help. Much appreciated.

Regards,
Andre.