Endpoint Protection

  • 1.  Customizing USB storage access for end users in Symantec Endpoint protection

    Posted Dec 03, 2012 02:51 AM

    Hi,

    We have Symantec Endpoint Ver 12.1.1101 installed and I have a request to implement a policy to control USB storage device access in the internal network. The details are:

    1. By default, turn OFF all USB storage device access for all users.

    2. Turn ON the access based on the USER level, NOT on the PC level.

    May I know how we can achieve this?

    Thanks

    Sri



  • 2.  RE: Customizing USB storage access for end users in Symantec Endpoint protection

    Posted Dec 03, 2012 03:39 AM

    Hi,

    The better way is to set up all computers in "User Mode".

    Administration Guide for Symantec Endpoint Protection and Symantec Network Access
    > Section 1. Basic Administrative Tasks
    > Setting up your organizational structure
    > Understanding users and computers & Managing Users and Computers

    The policies are then set depending on the user that has logged into the machine.

    Check these threads:

    https://www-secure.symantec.com/connect/forums/sep-user-mode-can-you-explain-want-link-device-control-policy

    https://www-secure.symantec.com/connect/forums/configuring-usb



  • 3.  RE: Customizing USB storage access for end users in Symantec Endpoint protection

    Posted Dec 04, 2012 01:12 AM

    Change the clients into User Mode and the policies change, depending on which user is logged on to the client. The policy follows the user. If the client software runs in user mode, the client computer software gets the policies from the group of which the user is a member. If the client software runs in computer mode, the client gets the policies from the group of which the computer is a member.



  • 4.  RE: Customizing USB storage access for end users in Symantec Endpoint protection

    Posted Dec 04, 2012 04:18 AM

    "Thumbs Up" to the above posts.  As they noted, the only way to achieve this is by switching all of your SEP clients to operate in "User mode".  Take a look at the below articles if you're unfamiliar with User Mode:

    http://www.symantec.com/docs/HOWTO80734
    http://www.symantec.com/docs/HOWTO27008

    When in user mode, you should notice that the client records in your SEPM have a user icon instead of a computer one, and that the currently logged on user is the primary column.

    You'll also need to separate the users into groups:  The normal users who are denied USB Storage Access, and a separate group containing those users who are allowed access.

    Further to the groups, you'll have to create and assign the device control policies configured to provide the behaviour you want.

    Soooooo, for the group whose access is blocked to USB Storage, you want to assign an "Application and Device Control" policy that does just that.  I'd recommend reviewing the below article on how to create such a policy:

    http://www.symantec.com/docs/TECH175220

    As per the article, I'd recommend creating a custom "Hardware Device" for the wildcard device ID below, which specifically matches USB Storage devices (in accordance with your stated requirements):

    USBSTOR*

    And for the group who are allowed access, don't add any blocks...

    It's probably worth mentioning that, if implementing in a production environment, you'll want to look into the availability of your SEPM(s), and investigate Load-balancing/Fault-tolerance if not already implemented.  When in User mode, the SEP Client contacts the SEPM for the policies appropriate for the user when they log in.  If the SEPM is unavailable, then the SEP Client will revert to the policies applied by the previous user.
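
The behaviour described across this thread, modelled as an added example (not part of any post and not Symantec code): user mode versus computer mode, the `USBSTOR*` block, and the stale-policy case when the SEPM is unreachable at logon. Group names, users, the computer name and the device IDs are constructed; the starting policy and case-insensitive wildcard matching are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed groups, users and computers modelling the setup in the thread.
GROUP_BLOCKS = {
    "USB-Denied": ["USBSTOR*"],  # device ID wildcard from the thread
    "USB-Allowed": [],           # no device blocks
}
USER_GROUP = {"alice": "USB-Allowed", "bob": "USB-Denied"}
COMPUTER_GROUP = {"PC-01": "USB-Denied"}

# Constructed device instance IDs in the usual Windows layout.
FLASH_DRIVE = r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0123456789&0"
KEYBOARD = r"USB\VID_0000&PID_0000\5&EXAMPLE&0&1"


class Client:
    def __init__(self, computer, mode):
        self.computer, self.mode = computer, mode
        # Assumption: a fresh client starts with its computer group's policy.
        self.blocks = list(GROUP_BLOCKS[COMPUTER_GROUP[computer]])

    def logon(self, user, sepm_reachable=True):
        """Fetch the policy at logon; keep the cached one if SEPM is down."""
        if sepm_reachable:
            if self.mode == "user":
                group = USER_GROUP[user]
            else:
                group = COMPUTER_GROUP[self.computer]
            self.blocks = list(GROUP_BLOCKS[group])
        return self

    def is_blocked(self, device_id):
        # Assumption: wildcard matching is case-insensitive.
        return any(fnmatchcase(device_id.upper(), p.upper()) for p in self.blocks)


def scenario():
    pc = Client("PC-01", mode="user")
    results = {
        "bob": pc.logon("bob").is_blocked(FLASH_DRIVE),
        "bob_keyboard": pc.is_blocked(KEYBOARD),
        "alice": pc.logon("alice").is_blocked(FLASH_DRIVE),
        # SEPM down: bob inherits the policy cached for alice.
        "bob_sepm_down": pc.logon("bob", sepm_reachable=False).is_blocked(FLASH_DRIVE),
    }
    shared = Client("PC-01", mode="computer")
    results["alice_computer_mode"] = shared.logon("alice").is_blocked(FLASH_DRIVE)
    return results
```

The `bob_sepm_down` result is the reason the last post recommends checking SEPM availability: a logon that cannot reach the server leaves the previous user's device policy in force.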