Endpoint Protection


Disabling USB Drives

  • 1.  Disabling USB Drives

    Posted Jul 14, 2009 10:26 AM
    Ok, not sure if this is possible so hopefully someone here will have the answer...

    I want to disable USB drives on all systems.  I know how to do this and it works well.  However, I want I.T. to retain the use of USB drives.  So basically I want IT to be able to logon to a PC and have full USB drive access, while a normal user who logs on to the same PC has no USB access.

    This possible?

    Thanks


  • 2.  RE: Disabling USB Drives

    Posted Jul 14, 2009 12:01 PM
    There are two ways that come to mind.

    1. Login to client, run smc -stop and enter your password to stop the agent. USB drives will now be functional.
    The issue with this is now your AV/AS/FW will be disabled.

    2. The better way is to set up all computers in "User Mode".

    Administration Guide for Symantec Endpoint Protection and Symantec Network Access
    > Section 1. Basic Administrative Tasks
    > Setting up your organizational structure
    > Understanding users and computers & Managing Users and Computers

    The policies are then set depending on the user that has logged into the machine.

    Cheers,
    Thomas



  • 3.  RE: Disabling USB Drives

    Posted Jul 14, 2009 12:07 PM
    Cycletech

    Thanks for the info.  Will probably have to use option #1 since I cannot switch a PC to User mode while SEP is syncing with AD.  Our AD is set up by computer name in different OUs....not by logon name.

    Thanks


  • 4.  RE: Disabling USB Drives

    Posted Jul 14, 2009 02:48 PM
    The only issue that you would have is that USB tends to be a big source of virus infections. If you have a smaller organization, you might make these computers that are frequently used by your IT into one client group. Then you just have to move the client (computer) to the IT group if an IT guy would be using it.. else leave it to the high security client group...

    At least the Av would still function...

    thanks...


  • 5.  RE: Disabling USB Drives

    Posted Jul 15, 2009 03:44 AM
    Or another idea is this.
    You can block all USB drives with an Application and Device Control policy, but you can write exceptions. You can allow access to your flash disk. We are doing it like this: we block all USB drives with the Application and Device Control policy (device policy), but we write our flash disk IDs to the exceptions. When I go to a client machine I can use my flash disk, but he cannot use other flash disks.
    This is a very, very good ability.
    Have a nice day.
    Best Regards.


  • 6.  RE: Disabling USB Drives

    Posted Jul 15, 2009 04:10 AM
    Why don't you try this using Group Policy?


  • 7.  RE: Disabling USB Drives

    Posted Jul 15, 2009 07:00 AM
    You can do this with the application and device control policies.


  • 8.  RE: Disabling USB Drives

    Posted Jul 15, 2009 09:52 AM
    I prefer Fatih's method - we allow only encrypted USB devices (*state policy/rule) and only IT staff has the correct brand, etc. so we allow those as exceptions. All others are blocked.
    You can get as granular as you want.


  • 9.  RE: Disabling USB Drives

    Posted Jul 15, 2009 10:22 AM
    I haven't tested this method since way back in the previous versions, and then it did not work very well.

    How does that work nowadays with the new release?


  • 10.  RE: Disabling USB Drives

    Posted Jul 15, 2009 11:28 AM
    We had a major major major issue a few weeks back.
    I put in the exclusion for USB printers - allow all printers and the class. I even excluded using wild cards, etc.
    I then blocked USB devices and also excluded HID, cameras, and so on.
    What happened was every USB printer in the agency suddenly went offline and stayed! Didn't matter what I excluded, and I even took the "block USB" out of the policy, the printers simply stopped working all at once in every office, every location.
    I was sweating bullets.
    I had to create a group that was wide open, excluded everything, blocked nothing, drag the computers into that group, refresh/update content, wait a few minutes, then move them back into their original group. That solved all but a couple, and I had to keep moving them back and forth until they started working.
    It's like the policy was REALLY messed up and no matter what I excluded, no one in 40+ offices, over 300 people, no one could print to a USB printer anywhere.
    Let's just say the visit with the boss was tense.
    In this case, it blocked USB printing even though it was specifically in the exclusions, AND I excluded *USB\Print* or something like that, so no matter what, if it had the string "print" or "printer" in it, it should have been EXCLUDED from blocking. Like once it got "block USB" in its head  it would not let go.
    Things have settled now, but I'm totally paranoid about blocking USB generically and add one device at a time to blocking as I discover they are being used. Not secure or sound management, but SEP left me little choice, IMO.


  • 11.  RE: Disabling USB Drives

    Posted Jul 15, 2009 12:02 PM
    That is really a cliff hanger...
    Better test on a smaller group first before implementing that on the whole network...
    That is our first rule...

    Or put the policy on test first before putting it in production...

    If your company generously gives out the same USB storage for IT then it would be good..
    What if you use your own USB storage devices for office work?
    Then you would be getting the device/instance ID and putting that in the exclusion...

     


  • 12.  RE: Disabling USB Drives

    Posted Jul 15, 2009 12:08 PM
    Here's the kicker, Nel - I added that to the main policy because it worked PERFECTLY in a small group of 10 computers with a similar setup!!
    That's why I just simply "made the jump"
    Because it's worked flawlessly in testing for many months, under ALL revisions of SEP.
    But when I did the exact same thing in the big group - BANG!
    In fact, I use that test group if we have a non-employee wanting to use a computer, and use those settings for clients using our computers - ALL USB is blocked on those groups except printing and HID.
    So why did it blow up on the big group?
    No one knows weeks later..............


  • 13.  RE: Disabling USB Drives

    Posted Jul 16, 2009 01:46 AM
    By the way, when I install a new USB printer, for example an HP, and it has a card reader or flash disk reader, SEP blocks it too. When I open Device Viewer, the USB printer was blocked. That's why I cannot install it.
    All flash disk IDs start with USBSTOR.
    But this printer (HP Color LaserJet CM1312) has another ID.
    I excluded the printing device, but the class is different.
    That's why I take the device ID again, like "USB\VID_06BC&PID_002D\4&8AD8962&0&2", and write it on the exclude page.


  • 14.  RE: Disabling USB Drives

    Posted Jul 16, 2009 09:38 AM

    We also use a test group with a few users and this works well but when launching it widely to more people the problems start.

    It could be that the test group is not really representative of the majority of users' behavior, I do not know, but it is frustrating when you do not see the same result that you did during testing.

    I am waiting a bit longer with the USB block feature.



  • 15.  RE: Disabling USB Drives

    Posted Jul 16, 2009 04:51 PM
    We tested with a small group but over time all USB devices stopped working, including mice and keyboards.  We also added exceptions for our IT department's USB drives.

    I contacted support and they were not able to find a solution for this in a domain environment.


  • 16.  RE: Disabling USB Drives
    Best Answer

    Posted Jul 16, 2009 05:04 PM
    If you want to block USB storage devices, do not bother with blocking the complete USB class and trying to list all the exceptions.
    Just create a new Device ID under the policy components -> hardware devices as such USBSTOR* and call it USB Storage. Block it in the Device Control. Then use Fatih's way to allow specific USB drives. Nothing else to allow :)

    Best regards.


  • 17.  RE: Disabling USB Drives

    Posted Jul 19, 2009 09:29 PM
    Why does the Symantec policy on USB somehow get locked after applying USB no permit and then replacing it with several exemptions for other USB printers and devices...
    Sometimes it would take the new changes instantaneously after updating the policy...
    just not sure why this is happening..
    Any explanations Symantec?
    Thanks...  


  • 18.  RE: Disabling USB Drives

    Posted Jul 20, 2009 05:12 AM
    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/b54beb2f46268ccc882574e80052960f?OpenDocument

    Hope this will help you.


  • 19.  RE: Disabling USB Drives

    Posted Jul 20, 2009 05:32 AM
    Try to set location specific settings & see if that helps.


  • 20.  RE: Disabling USB Drives

    Posted Jul 20, 2009 11:52 AM
    Ok, if I set the policy to only allow a certain brand of drives, can't anyone who has the same model flash drive still be able to access the drive??
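
Added example, not part of any post in this thread and not Symantec's matching logic: a simplified Python model of the approaches discussed above (blocking the whole USB class versus blocking only USBSTOR* with exceptions), including the difference between excepting a whole drive model and excepting one full device instance ID. All device IDs except the one quoted in post 13, the helper names, and the rule that an exclusion overrides a block are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed device instance IDs (vendor names and serials are made up),
# in the form Windows records under HKLM\SYSTEM\CurrentControlSet\Enum.
DEVICES = {
    "it_stick": r"USBSTOR\DISK&VEN_ACME&PROD_SECUREKEY&REV_1.00\AA11BB22CC33&0",
    "same_model": r"USBSTOR\DISK&VEN_ACME&PROD_SECUREKEY&REV_1.00\ZZ99YY88XX77&0",
    "cheap_stick": r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH&REV_8.07\0123456789&0",
    "printer": r"USB\VID_06BC&PID_002D\4&8AD8962&0&2",  # ID quoted in post 13
    "keyboard": r"USB\VID_1234&PID_5678\5&1A2B3C4D&0&1",
}


def matches(device_id, patterns):
    """Case-insensitive wildcard match of a device ID against patterns."""
    dev = device_id.upper()
    return any(fnmatchcase(dev, p.upper()) for p in patterns)


def evaluate(device_id, blocked, excluded):
    """Assumed rule order: an exclusion overrides a block; default is allow."""
    if matches(device_id, excluded):
        return "allow"
    return "block" if matches(device_id, blocked) else "allow"


def run_policy(blocked, excluded):
    """Apply one block list and one exclusion list to every sample device."""
    return {name: evaluate(dev, blocked, excluded) for name, dev in DEVICES.items()}


def blocked_names(result):
    """Names of the sample devices a policy ends up blocking."""
    return sorted(n for n, verdict in result.items() if verdict == "block")


# A: block everything on USB, except the IT stick. Printer and keyboard are hit.
CLASS_WIDE = run_policy(["USB*"], [DEVICES["it_stick"]])

# B: block only USB storage, except a whole model. Any same-model stick passes.
BY_MODEL = run_policy(["USBSTOR*"], [r"USBSTOR\DISK&VEN_ACME&PROD_SECUREKEY*"])

# C: block only USB storage, except one full instance ID (includes the serial).
BY_INSTANCE = run_policy(["USBSTOR*"], [DEVICES["it_stick"]])

if __name__ == "__main__":
    for label, result in (("A", CLASS_WIDE), ("B", BY_MODEL), ("C", BY_INSTANCE)):
        print(label, "blocked:", blocked_names(result))
```

Policy C is the only one of the three that leaves non-storage devices alone and still rejects a second stick of the same model.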


  • 21.  RE: Disabling USB Drives

    Posted Jul 20, 2009 12:08 PM
    The only solution for this is install your clients or switch your clients in User mode rather than computer mode and divide your groups according to Users. 


  • 22.  RE: Disabling USB Drives

    Posted Jul 20, 2009 12:42 PM
    I would switch to User Mode, but it won't let me when I have SEPM synced with AD.


  • 23.  RE: Disabling USB Drives

    Posted Jul 20, 2009 02:12 PM
    If you have already synced to AD then you will have to remove it and import users from AD.


  • 24.  RE: Disabling USB Drives

    Posted Jul 20, 2009 02:15 PM
    Yea, I got that part.  Unfortunately we have several locations and they are all in different OUs by PC/host name.  All of our users are grouped in one OU.  All of our AD policies are set by PC name, not user.


  • 25.  RE: Disabling USB Drives

    Posted Jul 20, 2009 02:28 PM
    If your SEPM groups and policies are already set-up and working perfectly..then I think re-doing it all is too much to ask just for this requirement.
    But that is the only way of achieving what you want.
    Everything else would be a workaround which you might have to adjust with.. 



  • 26.  RE: Disabling USB Drives

    Posted Jul 20, 2009 02:38 PM
    Yea, I hear ya.  Oh well, I don't have any control over the AD setup and it would be a PITA to switch over.  Thanks for all the help.


  • 27.  RE: Disabling USB Drives

    Posted Jul 21, 2009 10:22 PM
    Yes, that would be a big task to undertake.
    USB disable policy on supersedes an admin account... so if you set up the policy correctly, agents/users would not be using this... Just have issues with a few admins in your company...
    thanks...


  • 28.  RE: Disabling USB Drives

    Posted Jul 22, 2009 08:31 AM

    User mode is impossible in our environment - AD is a mess, it's been hijacked and rebuilt/reorganized to fit a specific in-house application and users are all over the place in dozens and dozens of containers, and not grouped logically the way I'd run security.
    So we can't even DREAM of user mode. I've also found most applications that purport to sync with AD and use your AD structure - really can't do it that well. RAXCO PerfectDisk gets so far then hangs due to our convoluted AD structure.
    So that's not even a player here.
    It's GOT to be done via machine, not user.
    If we need an exception, I can move the computer to a different group, NO problem there. And you can get pretty granular as far as allowing specific devices. Besides, the chances of someone going out and buying the EXACT same ENCRYPTED usb stick that IT here uses are a million to 1. There's too many much cheaper sticks that are NOT encrypted, and that's the issue - the users here are lazy as all get out and won't deal with the hassle of an encrypted device, which is good for us - blocked!
    We have a specific brand and model for IT, I'd bet in 5 years no one will match that here.

    bekirdur has an idea................ worth a look and looks similar to something I'm doing in one test group now.



  • 29.  RE: Disabling USB Drives

    Posted Jul 22, 2009 09:11 AM
    I suggest to get the file fingerprint of the usb utilized by your IT group, register on the SEPM application and device control then configure it to allow all those devices.


  • 30.  RE: Disabling USB Drives

    Posted Jul 22, 2009 11:31 AM
    What I will do...eventually.  For now, I am going to deny all USB drives.


  • 31.  RE: Disabling USB Drives

    Posted Jul 22, 2009 11:35 AM
    @ lkalista_uo

    peterpan was right: use a tool to get the machine number or the fingerprint of the device(s) which you want to allow or disallow, then put it in the SEPM policy, and that's it, voila!!! (works for me)


  • 32.  RE: Disabling USB Drives

    Posted Jul 23, 2009 07:00 AM
    that's what I offered a week ago :) I deserve the solution :p


  • 33.  RE: Disabling USB Drives

    Posted Jul 23, 2009 10:08 AM
    Let the owner (teckbeck) decide which workaround he wants to go with and he will mark the solution on that post..


  • 34.  RE: Disabling USB Drives

    Posted Jul 23, 2009 11:11 AM
    surely, I was just kidding.


  • 35.  RE: Disabling USB Drives

    Posted Jul 31, 2009 01:00 PM
    This is an example of when testing before you deploy is very important. After my initial tests, I try to use test groups (one or two users from each department) before deploying.


  • 36.  RE: Disabling USB Drives

    Posted Jul 31, 2009 01:02 PM
    It's amazing what happens when you keep reading the forum. I see you did a Test group.


  • 37.  RE: Disabling USB Drives

    Posted Aug 01, 2009 12:01 AM
    I want to block USB drives. I applied the whole process to block USB, and it's working.
    But after the desktop comes up, the PC restarts every time.

    I checked, and the device ID of the USB and the HDD device ID of the PC are the same.

    So my question is how to block only USB.


  • 38.  RE: Disabling USB Drives

    Posted Aug 04, 2009 01:17 AM
    Try creating registry files (.reg) and check if it works for you

    To disable set the Usbstor value to 4

    + Enable the Pen Drive if disabled.
    To enable Pen Drive in Windows, edit under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor. In the right pane, Modify Start and type 4 in the Value data box (Hexadecimal). To enable the USB storage devices, change the Start value back to 3. 

    + Writeprotect the USB Drive so that nothing can be written on device attached to USB port.
    Edit under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies. Add a new DWORD called WriteProtect and put the value as 0 to disable write privileges to the USB port. To reverse the step, either delete the WriteProtect REG_DWORD or toggle the value to 1 which will enable the port.



  • 39.  RE: Disabling USB Drives

    Posted Aug 04, 2009 02:31 AM
    One can disable USB by running a startup script during logon in a domain environment.
    All you need to do is to add the following startup script using GPMC for normal users:

    Const HKEY_LOCAL_MACHINE = &H80000002
    strComputer = "."
    'Set StdOut = WScript.StdOut

    ' Connect to the WMI registry provider (StdRegProv) on the local machine
    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

    strKeyPath = "SYSTEM\CurrentControlSet\Services\USBSTOR"
    strValueName = "Start"
    dwValue = 4   ' 4 = USBSTOR driver disabled
    oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue

    For I.T. personnel, use the following startup script:

    ' The hive constant must be defined in this script as well
    Const HKEY_LOCAL_MACHINE = &H80000002
    strComputer = "."
    'Set StdOut = WScript.StdOut

    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

    strKeyPath = "SYSTEM\CurrentControlSet\Services\USBSTOR"
    strValueName = "Start"
    dwValue = 1   ' 1 = system start, so the USBSTOR driver loads again
    oReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue


  • 40.  RE: Disabling USB Drives

    Posted Aug 04, 2009 08:23 AM

    That's an old trick well published on the web, however, the huge drawback is that it disables ALL USB storage - ALL.
    That means it would disable our Olympus dictation devices. Where with SEP, I can disable usb storage but allow the Olympus devices to be used - put in as an exception.

    You also must be careful with notebooks and docking stations - at times their CD/DVD or even HARD DRIVES are seen as usb devices when docked.

    SEP is still the best bet unless you do a whale of a lot of testing and modify those scripts with some if/then statements to not run if it's a notebook, or certain users.   It's a bit too much "shotgun" approach for me. It's a ready, fire, aim approach where you block it all then decide what needs to be allowed after the scripts disable all devices with any storage to them, cameras, dictation devices, etc.

    If you want to block any and all USB storage devices, period, no exception, that's the way to go, HOWEVER, you need to also then write protect the keys or a savvy user simply goes in and puts 'em back!



  • 41.  RE: Disabling USB Drives

    Posted Sep 25, 2009 04:00 PM
    Hello all -

    The original scope of what we are trying to achieve is that we wanted to block only unauthorized thumb drives.  We want to implement a policy to only allow 4 types of thumb drives - ones that force encryption.

    We first started out trying to use Device Control.  Block all USBSTOR/DISK* and then white list or exempt the 4 USB Thumb Drives using their Device ID.

    That works, but here is the problem.

    We do not wish to block phones, cameras, MP3 Players, etc etc.  Yes, yes I know they can serve the same purpose as an unsecured USB Thumb drive but that was/is not our intention right now.

    We ran a scan over our entire enterprise and found over 1200 unique device entries in our desktop registries that would be affected by the USBSTOR/DISK* block.  Many of those were "bad" USB Thumb Drives but many were other devices that we wished not to block.  Creating and maintaining a massive exemption/whitelist is something we don't want to do and I imagine it would cause unforeseen headaches to the client based upon the enormity of the list.

    After some searching, Symantec came back to us saying that we could use the Application Control portion of the policy, not the Device Control, to partially achieve our goal.

    Here's what they alluded to  - Check the Rule Set - "Block writing to USB drives" and then click edit.  Somewhere within the Rules and Conditions, you can enter the Device IDs of my approved USB Thumb Drives to be exempted.  I'm not sure if I should also use the Rule Set -"Make all removeable drives read-only" or not.  Maybe they work together??  I've tested it without modifying any settings - it works great just blocking write access to any USB Storage device, but I can't get my approved devices to be exempted.

    Everything pertaining to modifying these Rule Sets seems to deal only with specific processes and what device they are running on, not excluding a whole device.  I would be happy to just have all USBSTOR/DISK* be read only, and allow full access to exempted devices.  Following me?

    Can this be done?  Any suggestions?

    Thanks.



  • 42.  RE: Disabling USB Drives

    Posted Sep 25, 2009 06:38 PM
    please post a new thread for this. thanks