The new Device Control tool is an important component of
Endpoint Security that lets you monitor and restrict access for I/O
devices. With Device Control, you can restrict the use of devices
and interfaces through which data can be copied on or off a managed
computer, such as ports, modems, drives, and wireless connections.
To implement Device Control on clients on your network, you
create and deploy Device Control settings that manage USB, modem,
I/O port, CD/DVD drive, PCMCIA, and other connections.
You can configure USB restrictions by either generically
blocking a whole class of USB devices, such as storage devices, or
by using exceptions to restrict certain USB devices based on
parameters and values you specify.
Component of Endpoint Security
Device Control is one of the components of the comprehensive
Endpoint Security solution, along with the Host Intrusion
Prevention (HIPS) and LANDesk Firewall tools.
Supported platforms
Device Control supports managed devices running:
Windows 2000
Windows Server 2003
Windows XP
Windows Vista (32-bit, and 64-bit)
Using Device Control settings to restrict device access
For Device Control to function on a device, you must have the
local scheduler agent and the standard agent deployed on that
device. Every time the managed device connects a new I/O device or
changes an existing device connection, the agent applies the
setting's rules. These rules include terminating connections that
aren't allowed and sending alerts to the core server.
Device control settings can restrict the device types listed
below. You can use the advanced USB settings to restrict any USB
device or class of devices that you specify. Among the devices you
can restrict are:
USB devices such as drives, keyboards and mice,
printers, and scanners
RIM Blackberry, Pocket PC, and Palm handheld
devices
Network volumes
Bluetooth Personal Area Networks
Wireless 802.11x networks
Modems
PCMCIA devices
Serial, parallel, infrared, and FireWire 1394
ports
Floppy and CD/DVD drives
USB device control settings use the usbmon service, which
can:
Prevent the use of unauthorized USB and PCMCIA
devices.
Prevent the use of unauthorized removable storage
devices.
Trigger an external program or script when it detects
an unauthorized device.
Creating device control settings
To create device control settings
Click Tools > Security > Security
Configurations.
Open Endpoint Security, right-click Device
Control, and then click New.
On the General Settings page, enter a
Name.
Select the Enable device control check
box.
On the other pages, customize the options you want.
For more information about the options on the dialog box, see
Device Control settings help.
Click Save to save the settings.
Deploying Device Control settings
Once you've created a Device Control setting, you must deploy it
to managed devices before it will be active.
Device Control is deployed via Endpoint Security settings.
To deploy device control settings
Right-click the setting, and then click
Schedule.
The setting is added to the Scheduled tasks
window. In this window, drag devices onto the setting icon.
When all devices have been added, from the task's
shortcut menu, click Properties. In the tree click
Schedule task, and configure the scheduling options.
When you schedule device control settings for deployment, Device
Control does the following:
It creates an executable distribution package that's
named after the source device control settings. The package's
primary file is usbmon.exe. Additional files are usbmon.reg,
devactalert.exe, netres.mrl, and <device control settings
name>.ini.
If you target users for the device control settings
task, Device Control uses a public policy-based delivery method
called "Usbmon Pull Delivery." If this delivery method doesn't
exist, Device Control creates it. When task targets are users,
Device Control has to use a policy-based delivery method to ensure
that the correct user gets the settings. When targeted users log
on, the policy-based delivery method activates and installs the
settings.
If you target computers for the device control
settings task, Device Control uses a public policy-supported push
delivery method called "Usbmon Push Delivery." If this delivery
method doesn't exist, Device Control creates it. Since settings
target a device, any user that logs into that device will get the
device control settings; it doesn't matter who is logged in when
settings are installed. You can use push or policy delivery methods
for computers.
Once Device Control creates the usbmon policy or
policy-supported push delivery methods, you can customize them. As
long as the method name doesn't change, Device Control will use the
modified delivery method.
For more information on creating device control settings locally
on managed computers and deploying those settings manually, view
the usbmon help file, usbmon.chm in the core server's LDMain
share.
Device Control settings help
Use this dialog box to create and edit Device Control
settings.
This dialog box contains the following pages.
About the General settings page
Use this page to name the settings and enable device control on
a client configured with the settings.
Name: Identifies the settings. This name
appears in the main Device Control window.
Enable device control: Turns on Device Control
on a client configured with the settings.
About the Storage volumes page
Use this page to specify options for storage volumes that
connect to a client configured with this setting.
Storage volumes: Specifies the access level
for any storage volume that wasn't present on the client when the
setting was installed. (Note that if a device containing a volume
was attached when the setting was installed, the usbmon service
will allow that device in the future, even though it may be
removable.)
Full access: Allows read and write access to a
connecting storage volume.
Read only access: Allows users to read from
but not write to a connecting storage volume.
Force encryption: Enforces file encryption on
a connecting storage volume. An encryption utility is deployed that
enables file encryption on a storage device connecting to a client
with this setting. Files are encrypted when written to a storage
device and decrypted when read from the device. Access is allowed
only by providing the correct password that is defined when
creating an encrypted folder on the USB storage device.
IMPORTANT: First create an encrypted folder on the USB
device: When a storage device is configured for file
encryption, users must initially create an encrypted folder before
they can copy files to the device with the encryption utility (go
to Start > LANDesk Management >
LANDesk Encryption >
Advanced > Create encrypted folder). Specify a password when
creating the encrypted folder. If the Allow password hints option
is enabled (see below), the user will have the option of entering a
hint that can help them remember the password, although the
password hint is not required.
No access: Prevents the use of storage volumes
connecting to a client configured with this device control setting.
You can customize which types of devices are still allowed by
selecting specific device types on the Device page.
Exceptions: Click to create exceptions to the
access level for storage volumes. You can add exceptions based on
hardware ID, media serial, or bus type.
Encryption options:
Storage space allocated for encryption:
Specifies the amount of space on a storage device that can be used
for encrypted files. (Note the maximum amount of space that can be
used for encrypted files is 128 MB.)
Allow password hints: Lets the end user enter
a hint that can help them remember the encrypted folder password.
The password hint can't be an exact match to the password itself.
The password hint can't exceed 99 characters in length. (Note that
even if the password hint field is available to enter text, the
user is not required to enter a hint.)
About the Configure exception (for storage volumes) dialog box
Use this dialog box to create an exception to the access level
for storage volumes.
Description: Enter any description you want to
identify this exception.
Parameter: Select the parameter type (hardware
ID, volume serial, or bus type).
Value: If the hardware ID parameter is
selected, enter a value string.
Access: Specifies the access level for this
exception (full access, read-only access, encrypted only, no
access).
About the Devices page
Use this page to specify options for various device types that
connect to a client configured with this setting.
Devices / Interfaces: Use the check boxes to
block devices and interfaces from accessing the client.
Block wireless LAN 802.11X: Blocks a wireless
LAN 802.11X connection.
Exceptions: Click to create exceptions to
blocked devices and interfaces. You can add exceptions based on
hardware_id, class, service, enumerator, vendor_id, device_id, or
vendor_device_id.
CD / DVD drives: Specifies the access level
for CD / DVD drives.
Exceptions: Click to create exceptions to the
access level for CD / DVD drives. You can add exceptions based on
hardware ID, media serial, or bus type.
About the Configure exceptions (for devices and interfaces) dialog box
Use this dialog box to create an exception for blocked devices
and interfaces.
Description: Enter any description you want to
identify this exception.
Parameter: Select the parameter type (hardware_id,
class, service, enumerator, vendor_id, device_id, or
vendor_device_id).
Value: If the hardware ID parameter is
selected, enter a value string.
Access: Specifies the access level for this
exception (full access, read-only access, encrypted only, no
access).
About the Shadow copy page
Use this page to enable and configure shadow copy on managed
devices configured with this setting.
Shadow copy lets you track what files have been copied to and
from the device by making a duplicate (or shadow) copy of those
files in a local directory.
Enable shadow copy: Turns on shadow copy on
managed devices with this setting.
Log events only: Indicates that only the file
copy activity is recorded in a log file, not the actual files that
are being copied.
Exceptions: Click to create exceptions. You
can add exceptions based on hardware ID, media serial, or bus
type.
Local cache: Specifies the location on the
local drive where the shadow copy files and log file are
stored.
Device Control management tasks
This section includes information about the following Device
Control features and tasks.
Creating custom messages when unauthorized devices/volumes are detected
In the Device control settings dialog, you can customize
the message text that the user sees when unauthorized devices or
volumes are detected. In the message text, you can use these
placeholders to show information about the unauthorized volume or
device:
%vol%: volume serial number
%desc%: description
%service%: service
%hwid%: hardware ID
%mfg%: manufacturer
%loc%: location
%class%: class
Unauthorized device handling
Device control settings use the usbmon service on managed
devices. When the usbmon service receives notification from the OS
that a new USB or PCMCIA device has been inserted, the usbmon
service applies a number of custom defined rules to decide whether
or not the device is allowed. You can set up simple rules to allow
only certain types of devices such as keyboards and mice, printers,
and scanners. More complex rules might allow only secure storage
devices of a given manufacturer, or exclude devices of a given
manufacturer.
When an unauthorized device is detected, the usbmon service
will:
Remove the device from the Windows Device Manager so
Windows won't see it any more. Any drivers for the device remain
installed.
Send a "Disabled device activated" AMS alert to the
core server. The alert message includes the device name.
Removable storage device handling
Usbmon is the name of the service on managed devices that
restricts USB connections. When a new volume is mounted, the usbmon
service receives notification from the operating system. The usbmon
service then uses the GetDriveType() API call to check the type of
drive that was mounted. If the OS describes the drive as
"removable" or "fixed drive", the usbmon service will take action.
The usbmon service also checks for removable volumes at boot time.
If an unauthorized volume is found at boot time, the same actions
are taken as when the volume is mounted later.
Drives that are considered removable include (but are not
limited to) USB storage devices. CD drives (read-only or
read/write) are not considered removable storage.
The OS doesn't consider hard drives as removable. The
GetDriveType() call describes them as "fixed drive" even if they
are attached via USB or some other external port. To allow
removable hard drives to be handled the same as other removable
storage devices, the usbmon service records the list of hard drives
at the time the service is installed. For example, if a device has
two hard drives (C: and D:) at the time the usbmon service is
installed, the usbmon service will consider those drives as fixed
and will not check them. But if at some later time a hard drive
with drive letter E: is found, the usbmon service will consider it
a removable device.
The usbmon service keeps the list of "fixed drives" in the
registry at HKLM\Software\LANDesk\usbmon\FixedDrives. This list is
created at the time the service is installed. The No access
option blocks access to any volume that wasn't present when the
device control settings were installed. Note that if a device
containing a volume was attached when the settings were installed,
the usbmon service will allow that device in the future, even
though it may be removable.
When a removable storage device is detected, the usbmon service
will:
Lock the volume. Users who attempt to access the
volume will get an "access denied" error.
Optionally display a configurable message to the
user.
Optionally load an external program. For example, the
external program can be a script that sends an alert to a central
console.
Send a "Disabled device activated" AMS alert to the
core server. The alert says a volume was activated, but additional
information about the volume isn't available.
NOTE: Blocking all unknown volumes works on Windows XP and
Windows Server 2003 only. On Windows 2000, the operating system
reports that the volume is blocked when it really isn't. For Windows
2000 we recommend that you block specific devices in order to
prevent the addition of new volumes.
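The following is an added example, not LANDesk code, that models the removable-volume decision described in this section: the FixedDrives baseline recorded at install time, the GetDriveType() classification, and the caveat that a removable volume attached during installation is trusted afterwards. The DRIVE_* values are the documented Win32 GetDriveType() return codes; the baseline list stands in for the HKLM\Software\LANDesk\usbmon\FixedDrives registry value and the volume tables are constructed, so nothing here touches a real registry.

```python
"""Added example, not LANDesk code: how usbmon's FixedDrives baseline decides
which newly seen volumes to lock, as described in the text above.

DRIVE_* values are the documented return codes of the Win32 GetDriveType()
API. The baseline list stands in for HKLM\\Software\\LANDesk\\usbmon\\FixedDrives
and the volume tables are constructed; nothing here touches a real registry.
"""
from typing import Dict, Iterable, List

DRIVE_REMOVABLE = 2   # USB sticks, card readers, USB floppies
DRIVE_FIXED = 3       # hard disks, including external ones on USB/FireWire
DRIVE_REMOTE = 4      # network volumes
DRIVE_CDROM = 5       # CD/DVD drives (not removable storage to usbmon)
DRIVE_RAMDISK = 6


def record_fixed_drives(volumes_at_install: Dict[str, int]) -> List[str]:
    """Snapshot taken when the service is installed.

    Every drive letter present is baselined, including a removable volume that
    happens to be attached; that volume is then trusted from now on (the caveat
    the text repeats twice). Install with only the system disks attached.
    """
    return sorted(volumes_at_install)


def volumes_to_lock(fixed_baseline: Iterable[str], mounted: Dict[str, int]) -> List[str]:
    """Return the drive letters usbmon would lock, given the current mounts."""
    baseline = set(fixed_baseline)
    locked: List[str] = []
    for letter, drive_type in sorted(mounted.items()):
        if letter in baseline:
            continue                      # present at install: left alone
        if drive_type in (DRIVE_REMOVABLE, DRIVE_FIXED):
            locked.append(letter)         # new stick, or new "fixed" disk on an external bus
        # other drive types are not removable storage as far as this check goes
    return locked


# Constructed scenario: a USB stick (F:) was plugged in during installation.
AT_INSTALL = {"C:": DRIVE_FIXED, "D:": DRIVE_FIXED, "F:": DRIVE_REMOVABLE}
LATER = {"C:": DRIVE_FIXED, "D:": DRIVE_FIXED, "E:": DRIVE_FIXED,   # new external HDD
         "F:": DRIVE_REMOVABLE,                                     # same stick, grandfathered
         "G:": DRIVE_REMOVABLE, "H:": DRIVE_CDROM, "Z:": DRIVE_REMOTE}

if __name__ == "__main__":
    baseline = record_fixed_drives(AT_INSTALL)
    print("baseline:", baseline)                            # ['C:', 'D:', 'F:']
    print("locked:  ", volumes_to_lock(baseline, LATER))    # ['E:', 'G:']
```

The second print shows the practical consequence: E: (a hard disk on an external bus, reported as "fixed") and G: are locked, while F: passes because it was present when the baseline was taken. Check the FixedDrives value after deployment if you suspect a removable volume was attached at install time.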
What if a support person needs to use a USB memory stick?
If you're an IT support person and you want to use a USB storage
device on a user's computer, there are several things you can
do:
The most convenient method of allowing access to a
USB device on a temporary basis is to enable the password override
option when defining and deploying a device control setting to
your managed devices.
You can try the following methods if the device control setting
isn't configured with the password override feature:
Log on with admin rights and temporarily disable the
usbmon service.
Log on with admin rights, run the usbmon GUI and add
the device to the list of authorized volumes.
Because both of these methods need only local administrative
rights, any user who is a local administrator can bypass Device
Control the same way; keep local administrator membership tight on
devices where Device Control matters.
Configuring advanced USB settings
Once Device Control is installed on a device, the agent stores
information about the last ten USB devices that it blocked access
to. The inventory scanner sends this information to the core
database. Information about these blocked devices then appears in
the Advanced USB settings dialog. You can use this
information to create advanced rules that allow or block specific
USB devices. These advanced rules allow you to control more than
just the basic device categories you see in the Device control
settings dialog box.
In the Advanced USB settings dialog box, you can base a
rule on any of the six columns. Right-click on a value in the
column and click Allow to create a rule that allows devices
based on that attribute. The keywords created for each of the
columns are the following:
DeviceDesc
HardwareID
Service
Mfg
LocationInformation
Class
These are the same names that are used in the registry under the
HKLM\System\CurrentControlSet\Enum\USB key.
The most useful field to base rules on is usually
Service. This corresponds to a Windows driver. For example,
the driver for USB ActiveSync connections to Windows CE PDAs is
called wceusbsh (see
HKLM\System\CurrentControlSet\Services\wceusbsh). Any of the six
columns can be used to base a rule on; however, it is up to you to
decide which rules make sense for your situation.
Wildcards
You can use wildcards in rules. For example, the following would
allow any device that has the string "floppy" in its device
description:
DeviceDesc=*floppy*
Whitelist vs. blacklist rules
All the rules illustrated so far have been whitelist rules,
where devices are forbidden unless they satisfy at least one of the
rules. The usbmon service also supports blacklist rules. Rules
prefixed by a minus sign are blacklist rules. For example:
Service=usbstor
-DeviceDesc=*floppy*
The first rule allows USB storage devices. The second rule
blacklists devices that have the string "floppy" in their device
description.
If both whitelist and blacklist rules are defined, the usbmon
service first checks devices against the whitelist rules. If there
are no whitelist rules that allow the device, the device is
forbidden. If there is at least one whitelist rule that allows the
device, then the usbmon service checks the device against the
blacklist rules. If the device satisfies none of the blacklist
rules, it is allowed. Otherwise it is forbidden.
If only whitelist rules exist, a device is forbidden unless it
satisfies one of the whitelist rules. If only blacklist rules
exist, a device is allowed unless it satisfies one of the blacklist
rules.
Composite rules
All the rules illustrated so far have been simple rules, where a
single field is tested. Usbmon also supports composite rules, as in
the following example:
Service=wceusbsh,DeviceDesc=*iPAQ*
This rule allows only Windows CE devices that have the string
"iPAQ" in their device description.
Composite blacklist rules are also possible. Example:
Service=wceusbsh
-Service=wceusbsh,Mfg=*iPAQ*
The above two lines allow Windows CE devices, except those that
have the string "iPAQ" in their manufacturer field. The above lines
are equivalent to the following single line:
Service=wceusbsh,-Mfg=*iPAQ*
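The following is an added example, not LANDesk code, that models the rule semantics described in "Unauthorized device handling", "Wildcards", "Whitelist vs. blacklist rules" and "Composite rules" so you can check a rule set against device attributes before deploying it. It implements the documented evaluation order (whitelist first, then blacklist), the "*" wildcard, composite rules, and the expansion of a negated field inside a composite rule into the two-line form the text says it is equivalent to. It assumes case-insensitive matching (the text writes iPAQ and IPAQ interchangeably), that only "*" is a wildcard, and that an empty rule set imposes no restriction; the sample devices are constructed.

```python
"""Added example, not LANDesk code: a reference model of the usbmon rule
semantics described in the text (whitelist first, then blacklist; '*' as
the only wildcard; composite rules; negated fields inside a composite rule).

Assumptions: matching is case-insensitive, only '*' is special, and an empty
rule set places no restriction. Sample devices are constructed.
"""
import re
from typing import Dict, List, Tuple

Rule = Dict[str, str]  # field name (lower-cased) -> wildcard pattern; all must match


def _wildcard(pattern: str) -> "re.Pattern[str]":
    """Translate a usbmon pattern, where only '*' is special, into a regex."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)


def parse_rules(text: str) -> Tuple[List[Rule], List[Rule]]:
    """Split rule text (one rule per line) into whitelist and blacklist rules.

    A leading '-' makes the whole line a blacklist rule. A '-' on one term
    inside a composite rule (Service=wceusbsh,-Mfg=*iPAQ*) is expanded into
    the two-line form the text calls equivalent: the positive terms become a
    whitelist rule and all terms together become a blacklist rule.
    """
    whitelist: List[Rule] = []
    blacklist: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        whole_line_negated = line.startswith("-")
        positive: Rule = {}
        negative: Rule = {}
        for term in line.lstrip("-").split(","):
            term = term.strip()
            negated = term.startswith("-")
            field, sep, pattern = term.lstrip("-").partition("=")
            if not sep or not field.strip():
                raise ValueError(f"malformed rule term: {term!r}")
            (negative if negated else positive)[field.strip().lower()] = pattern.strip()
        if whole_line_negated:
            blacklist.append({**positive, **negative})
        else:
            whitelist.append(positive)
            if negative:
                blacklist.append({**positive, **negative})
    return whitelist, blacklist


def matches(rule: Rule, device: Dict[str, str]) -> bool:
    """A composite rule matches only if every one of its field patterns matches."""
    dev = {k.lower(): v for k, v in device.items()}
    return all(_wildcard(pat).fullmatch(dev.get(field, "")) is not None
               for field, pat in rule.items())


def is_allowed(rules_text: str, device: Dict[str, str]) -> bool:
    """Apply the documented order: whitelist first, then blacklist."""
    whitelist, blacklist = parse_rules(rules_text)
    if whitelist and not any(matches(r, device) for r in whitelist):
        return False          # whitelist rules exist and none allows the device
    if any(matches(r, device) for r in blacklist):
        return False          # a blacklist rule forbids it
    return True


# Constructed sample devices, keyed by the six Advanced USB settings columns.
USB_STICK = {"DeviceDesc": "USB Mass Storage Device", "Service": "USBSTOR",
             "Mfg": "Compatible USB storage device", "Class": "USB"}
USB_FLOPPY = {"DeviceDesc": "Y-E Data USB Floppy", "Service": "USBSTOR",
              "Mfg": "Y-E Data", "Class": "USB"}
KEYBOARD = {"DeviceDesc": "USB Human Interface Device", "Service": "HidUsb",
            "Mfg": "(Standard system devices)", "Class": "HIDClass"}
IPAQ = {"DeviceDesc": "Pocket PC USB Sync", "Service": "wceusbsh",
        "Mfg": "Hewlett-Packard iPAQ", "Class": "USB"}
OTHER_CE = {"DeviceDesc": "Pocket PC USB Sync", "Service": "wceusbsh",
            "Mfg": "Dell Axim", "Class": "USB"}

STORAGE_NO_FLOPPY = "Service=usbstor\n-DeviceDesc=*floppy*"
CE_NO_IPAQ_TWO_LINES = "Service=wceusbsh\n-Service=wceusbsh,Mfg=*iPAQ*"
CE_NO_IPAQ_ONE_LINE = "Service=wceusbsh,-Mfg=*iPAQ*"

if __name__ == "__main__":
    for name, dev in [("stick", USB_STICK), ("floppy", USB_FLOPPY), ("keyboard", KEYBOARD)]:
        print(f"{name:8s} under storage-only rules: {is_allowed(STORAGE_NO_FLOPPY, dev)}")
    for dev in (IPAQ, OTHER_CE):
        assert is_allowed(CE_NO_IPAQ_TWO_LINES, dev) == is_allowed(CE_NO_IPAQ_ONE_LINE, dev)
    print("two-line and one-line iPAQ exclusions agree")
```

Feed it the DeviceDesc, HardwareID, Service, Mfg, LocationInformation and Class values from the Advanced USB settings dialog (or from HKLM\System\CurrentControlSet\Enum\USB) to see which way a candidate rule set would decide before you push it to clients. Note that with whitelist rules present, anything you forgot to list (keyboards, for instance) is forbidden.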
Configuring commands that run when an unauthorized device is detected
When the usbmon service detects an unauthorized volume or
device, it can execute external programs. You can include one or
two placeholders in the commands:
%1: will be replaced with either "volume" or
"device", depending on whether an unauthorized volume or an
unauthorized USB device was detected.
%2: will be replaced with either the volume serial
number of the unauthorized volume, or with the identification
string of an unauthorized USB device.
For example, if the following command is configured:
wscript myscript.vbs %1 %2
one of the following commands is launched, depending on whether
an unauthorized volume or an unauthorized device was detected:
wscript myscript.vbs volume "1234ABCD"
wscript myscript.vbs device "Y-E Data USB Floppy:
Vid_057b&Pid_0000"
Usbmon guarantees that only one instance of the script will be
running at the same time.
To configure commands
In a device control setting, click
Commands.
Enter the commands you want.
Click OK.
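The following is an added example, not LANDesk code, of the kind of external program you might configure on the Commands page (as "python usbmon_handler.py %1 %2"). It reads the two placeholder values described above, splits a device identification string of the form shown in the text's example into description, vendor ID and product ID, and writes one JSON line per detection for a log collector. The Vid_xxxx&Pid_yyyy parsing and the field names are assumptions; the sample arguments are constructed.

```python
"""Added example, not LANDesk code: a handler script for the Commands setting,
configured as

    python usbmon_handler.py %1 %2

It receives "volume" or "device" (%1) and the volume serial or device
identification string (%2) and emits one JSON event per detection for a
log collector. The Vid_xxxx&Pid_yyyy parsing assumes the identification
string form shown in the text's example; sample arguments are constructed.
"""
import json
import re
import socket
import sys
import time
from typing import Dict, List, Optional

_VID_PID = re.compile(r"Vid_([0-9A-Fa-f]{4})&Pid_([0-9A-Fa-f]{4})")


def parse_identifier(kind: str, ident: str) -> Dict[str, Optional[str]]:
    """Break %2 into fields according to what %1 said was detected."""
    if kind == "volume":
        return {"volume_serial": ident, "description": None, "vid": None, "pid": None}
    if kind != "device":
        raise ValueError(f"unexpected %1 value: {kind!r}")
    # "Y-E Data USB Floppy: Vid_057b&Pid_0000" -> description, then IDs after the colon
    description, sep, tail = ident.rpartition(":")
    m = _VID_PID.search(tail if sep else ident)
    return {
        "volume_serial": None,
        "description": (description if sep else ident).strip(),
        "vid": m.group(1).lower() if m else None,
        "pid": m.group(2).lower() if m else None,
    }


def build_event(argv: List[str], host: str, ts: float) -> Dict[str, object]:
    """Assemble the event record; host and timestamp are passed in so it is testable."""
    if len(argv) != 2:
        raise ValueError("expected exactly two arguments: <volume|device> <identifier>")
    kind, ident = argv
    event: Dict[str, object] = {
        "source": "usbmon",
        "event": f"unauthorized_{kind}",
        "host": host,
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)),
    }
    event.update(parse_identifier(kind, ident))
    return event


if __name__ == "__main__":
    try:
        record = build_event(sys.argv[1:], socket.gethostname(), time.time())
    except ValueError as exc:
        sys.exit(f"usbmon_handler: {exc}")
    print(json.dumps(record, sort_keys=True))   # one line per detection; redirect to a log
```

Keep the handler fast and non-interactive: usbmon runs only one instance at a time, so a handler that blocks delays the handling of the next detection. For volumes, only the serial number is available, which is why the record carries no description or IDs in that case.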
Configuring alerts
Device Control settings use the alert management system for
alerting. Device Control can trigger alerts on these events:
Configuration error
Disabled device activated
Restricted network connection attempted
Unlisted network connection attempted
Unlisted network session detected
Viewing the unauthorized device list
On each computer, Device Control stores a list of the ten most
recent unauthorized devices that were connected.
You can view this information from the Network view by clicking
Inventory on a device's shortcut menu. Then click
LANDesk Management
> Device Control > Usbmon alert.
Troubleshooting Device Control
This section contains information about some possible situations
you might encounter with Device Control, and how to address
them.
Each new Device Control setting is saved as one
configuration file and one script file in the following folders:
ldmain\ccmgr\name.cfg
ldmain\scripts\name.ini
If a script or setting already exists with the same
name that you give a setting, you'll be prompted to overwrite the
existing script or setting. This can cause an unrelated
distribution script of the same name to be overwritten.
When entering IP ranges for network restrictions,
don't restrict access to the network range the core server is on.
If clients access a restricted network and Device Control disables
network access, only communication with the core server can restore
network access. If devices can't communicate with the core server
because of a restriction, network access can't be restored.
When restricting access to I/O devices, don't
restrict I/O devices that host network adapters. If you restrict
access to I/O devices that host a network adapter, the client will
no longer be able to access the network. For example, restricting
USB access prevents any USB network adapters from working. Without
network access, you won't be able to update restriction settings
for that client.
If you select the following options in Device
Control, and the core server isn't available on a listed network,
clients will have unrestricted I/O device access while on that
network:
Limit connections to listed networks
Allow unlisted networks if not connected
Verify core server existence on the network
If "Allow unlisted networks if not connected" is
checked, and the agent can't find the core on a listed network, it
will assume that the network is unlisted. At this point, unintended
access may be granted to local I/O devices. This can create a
security risk. Make sure the core server is available to prevent
this from happening.