Device Control

The new Device Control tool is an important component of Endpoint Security that lets you monitor and restrict access to I/O devices. With Device Control, you can restrict the use of devices and interfaces through which data can enter or leave a managed computer, such as ports, modems, drives, and wireless connections.

Read this section to learn about:

Device Control overview

To implement Device Control on clients on your network, you create and deploy Device Control settings that manage USB, modem, I/O port, CD/DVD drive, PCMCIA, and other connections.

You can configure USB restrictions by either generically blocking a whole class of USB devices, such as storage devices, or by using exceptions to restrict certain USB devices based on parameters and values you specify.

Component of Endpoint Security

Device Control is one of the components of the comprehensive Endpoint Security solution, along with the Host Intrusion Prevention (HIPS) and LANDesk Firewall tools.

Supported platforms

Device Control supports managed devices running:

Using Device Control settings to restrict device access

For Device Control to function on a device, you must have the local scheduler agent and the standard agent deployed on that device. Every time the managed device initiates or changes a device connection, the agent applies the setting's rules. These rules include terminating connections that aren't allowed and sending alerts to the core server.

By default, device control settings restrict devices by type. The advanced USB settings let you restrict any specific USB device or class of devices that you specify. Among the devices you can restrict are:

USB device control settings use the usbmon service, which can:

Creating device control settings

To create device control settings
  1. Click Tools > Security > Security Configurations.
  2. Open Endpoint Security, right-click Device Control, and then click New.
  3. On the General Settings page, enter a Name.
  4. Select the Enable device control check box.
  5. On the other pages, customize the options you want. For more information about the options on the dialog box, see Device Control settings help.
  6. Click Save to save the settings.

Deploying Device Control settings

Once you've created a Device Control setting, you must deploy it to managed devices before it will be active.

Device Control is deployed via Endpoint Security settings.

To deploy device control settings
  1. Right-click the setting, and then click Schedule.
  2. The setting is added to the Scheduled tasks window. In this window, drag devices onto the setting icon.
  3. When all devices have been added, from the task's shortcut menu, click Properties. In the tree click Schedule task, and configure the scheduling options.

For more information on scheduling tasks, see Scripts and tasks.

When you schedule device control settings for deployment, Device Control does the following:

Once Device Control creates the usbmon policy or policy-supported push delivery methods, you can customize them. As long as the method name doesn't change, Device Control will use the modified delivery method.

For more information on creating device control settings locally on managed computers and deploying those settings manually, view the usbmon help file, usbmon.chm in the core server's LDMain share.

Device Control settings help

Use this dialog box to create and edit Device Control settings.

This dialog box contains the following pages.

About the General settings page

Use this page to name the settings and enable device control on a client configured with the settings.

About the Storage volumes page

Use this page to specify options for storage volumes that connect to a client configured with this setting.

About the Configure exception (for storage volumes) dialog box

Use this dialog box to create an exception to the access level for storage volumes.

About the Devices page

Use this page to specify options for various device types that connect to a client configured with this setting.

About the Configure exceptions (for devices and interfaces) dialog box

Use this dialog box to create an exception for blocked devices and interfaces.

About the Shadow copy page

Use this page to enable and configure shadow copy on managed devices configured with this setting.

Shadow copy lets you track what files have been copied to and from the device by making a duplicate (or shadow) copy of those files in a local directory.

Device Control management tasks

This section includes information about the following Device Control features and tasks.

Creating custom messages when unauthorized devices/volumes are detected

In the Device control settings dialog, you can customize the message text that the user sees when unauthorized devices or volumes are detected. In the message text, you can use these placeholders to show information about the unauthorized volume or device:

Unauthorized device handling

Device control settings use the usbmon service on managed devices. When the usbmon service receives notification from the OS that a new USB or PCMCIA device has been inserted, the usbmon service applies a number of custom-defined rules to decide whether the device is allowed. You can set up simple rules to allow only certain types of devices, such as keyboards and mice, printers, and scanners. More complex rules might allow only secure storage devices of a given manufacturer, or exclude devices of a given manufacturer.

When an unauthorized device is detected, the usbmon service will:

Removable storage device handling

Usbmon is the name of the service on managed devices that restricts USB connections. When a new volume is mounted, the usbmon service receives notification from the operating system and calls the Windows GetDriveType() API to check the type of the mounted drive. If the OS reports the drive as removable or fixed (GetDriveType() returns DRIVE_REMOVABLE or DRIVE_FIXED), the usbmon service takes action. The usbmon service also checks for removable volumes at boot time; if an unauthorized volume is found then, the same actions are taken as when a volume is mounted later.

Drives that are considered removable include (but are not limited to) USB storage devices. CD drives (read-only or read/write) are not considered removable storage.

The OS doesn't consider hard drives removable: GetDriveType() reports them as fixed even when they are attached via USB or another external port. To handle removable hard drives like other removable storage devices, the usbmon service records the list of hard drives present at the time the service is installed. For example, if a device has two hard drives (C: and D:) when the usbmon service is installed, the service treats those drives as fixed and doesn't check them. If a hard drive with drive letter E: appears later, the service treats it as a removable device.

The usbmon service keeps this list of fixed drives in the registry at HKLM\Software\LANDesk\usbmon\FixedDrives. The list is created when the service is installed. The No access option blocks access to any volume that wasn't present when the device control setting was installed. Note that if a device containing a volume was attached when the setting was installed, the usbmon service will allow that device in the future, even though it may be removable, so disconnect any external storage before deploying the setting.
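As an added illustration (Python, not LANDesk code) of the fixed-drive snapshot logic just described, the following models which mounted volumes usbmon would check. The DRIVE_* constants are the real Win32 GetDriveType() return values; the snapshot list stands in for the FixedDrives registry value, and the drive layouts are constructed for the example.

```python
# Added example (not LANDesk code): a model of the drive-type and
# install-time-snapshot logic this page describes for usbmon.
# The DRIVE_* values are the real Win32 GetDriveType() return codes;
# the "snapshot" list stands in for HKLM\Software\LANDesk\usbmon\FixedDrives.
# The drive layouts below are constructed for illustration.

# Win32 GetDriveType() return values
DRIVE_UNKNOWN = 0
DRIVE_NO_ROOT_DIR = 1
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3
DRIVE_REMOTE = 4
DRIVE_CDROM = 5
DRIVE_RAMDISK = 6

# Drive types usbmon acts on; CD/DVD, network and RAM drives are ignored.
CHECKED_TYPES = {DRIVE_REMOVABLE, DRIVE_FIXED}


def snapshot_fixed_drives(volumes_at_install):
    """Return the drive letters usbmon records as "fixed" at install time.

    volumes_at_install maps drive letter -> GetDriveType() value.  Per the
    page, anything present when the service is installed is trusted from
    then on, even a removable volume, so the snapshot is built from every
    checked-type volume, not only DRIVE_FIXED ones.
    """
    return sorted(letter for letter, kind in volumes_at_install.items()
                  if kind in CHECKED_TYPES)


def is_volume_checked(fixed_drives, letter, drive_type):
    """True if usbmon would apply the storage rules to this mounted volume."""
    return drive_type in CHECKED_TYPES and letter not in fixed_drives


def volumes_to_check(fixed_drives, mounted_now):
    """Drive letters that usbmon treats as removable storage right now."""
    return sorted(letter for letter, kind in mounted_now.items()
                  if is_volume_checked(fixed_drives, letter, kind))


# Constructed scenario: a USB stick (F:) was plugged in during deployment.
AT_INSTALL = {"C:": DRIVE_FIXED, "D:": DRIVE_FIXED, "F:": DRIVE_REMOVABLE}
FIXED_DRIVES = snapshot_fixed_drives(AT_INSTALL)   # ['C:', 'D:', 'F:']

# Later: a USB hard drive (E:, reported as DRIVE_FIXED), the same stick (F:),
# a new stick (G:) and a DVD (H:) are all present.
LATER = {"C:": DRIVE_FIXED, "D:": DRIVE_FIXED, "E:": DRIVE_FIXED,
         "F:": DRIVE_REMOVABLE, "G:": DRIVE_REMOVABLE, "H:": DRIVE_CDROM}

if __name__ == "__main__":
    print("snapshot:", FIXED_DRIVES)
    print("checked now:", volumes_to_check(FIXED_DRIVES, LATER))  # ['E:', 'G:']
```

The USB hard drive E: is checked even though Windows calls it fixed, the DVD H: is never checked, and the stick F: that happened to be attached at install time is silently trusted for good, which is the caveat the paragraph above warns about.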

When a removable storage device is detected, the usbmon service will:

NOTE: Blocking all unknown volumes works on Windows XP or Windows 2003 only
On Windows 2000, the operating system reports that the volume is blocked when it really isn't. For Windows 2000, we recommend blocking specific devices in order to prevent the addition of new volumes.

What if a support person needs to use a USB memory stick?

If you're an IT support person and you want to use a USB storage device on a user's computer, there are several things you can do:

You can try the following methods if the device control isn't configured with the password override feature:

Configuring advanced USB settings

Once Device Control is installed on a device, the agent stores information about the last ten USB devices that it blocked access to. The inventory scanner sends this information to the core database. Information about these blocked devices then appears in the Advanced USB settings dialog. You can use this information to create advanced rules that allow or block specific USB devices. These advanced rules allow you to control more than just the basic device categories you see in the Device control settings dialog box.

In the Advanced USB settings dialog box, you can base a rule on any of the six columns. Right-click on a value in the column and click Allow to create a rule that allows devices based on that attribute. The keywords created for each of the columns are the following:

DeviceDesc

HardwareID

Service

Mfg

LocationInformation

Class

These are the same names that are used in the registry under the HKLM\System\CurrentControlSet\Enum\USB key.

The most useful field to base rules on is usually Service. This corresponds to the Windows driver (service) that handles the device. For example, the driver for USB ActiveSync connections to Windows CE PDAs is called wceusbsh (see HKLM\System\CurrentControlSet\Services\wceusbsh). Any of the six columns can be used to base a rule on; however, it is up to you to decide which rules make sense for your situation.

Wildcards

You can use wildcards in rules. For example, the following would allow any device that has the string "floppy" in its device description:

DeviceDesc=*floppy*

Whitelist vs. blacklist rules

All the rules illustrated so far have been whitelist rules, where devices are forbidden unless they satisfy at least one of the rules. The usbmon service also supports blacklist rules. Rules prefixed by a minus sign are blacklist rules. For example:

Service=usbstor

-DeviceDesc=*floppy*

The first rule allows USB storage devices. The second rule blacklists devices that have the string "floppy" in their device description.

If both whitelist and blacklist rules are defined, the usbmon service first checks devices against the whitelist rules. If there are no whitelist rules that allow the device, the device is forbidden. If there is at least one whitelist rule that allows the device, then the usbmon service checks the device against the blacklist rules. If the device satisfies none of the blacklist rules, it is allowed. Otherwise it is forbidden.

If only whitelist rules exist, a device is forbidden unless it satisfies one of the whitelist rules. If only blacklist rules exist, a device is allowed unless it satisfies one of the blacklist rules.

Composite rules

All the rules illustrated so far have been simple rules, where a single field is tested. Usbmon also supports composite rules, as in the following example:

Service=wceusbsh,DeviceDesc=*iPAQ*

This rule allows only Windows CE devices that have the string iPAQ in their device description.

Composite blacklist rules are also possible. Example:

Service=wceusbsh

-Service=wceusbsh,Mfg=*iPAQ*

The above two lines allow Windows CE devices, except those that have the string iPAQ in their manufacturer field. The above lines are equivalent to the following single line:

Service=wceusbsh,-Mfg=*iPAQ*
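To make the whitelist, blacklist and composite precedence concrete, here is an added example (Python, not LANDesk's usbmon code) that parses rule lines in the syntax shown in the preceding sections and evaluates them against constructed device records shaped like the Enum\USB registry values. Assumptions beyond what the page states: matching is case-insensitive (the page itself mixes "iPAQ" and "IPAQ"), a field the device lacks never matches, HardwareID may hold several strings (it is REG_MULTI_SZ under Enum\USB) and matches if any of them does, and an inline negated field makes a whitelist rule allow the device only when that field does not match, which reproduces the equivalence claimed just above.

```python
# Added example (not LANDesk code): a model of the advanced USB rule
# evaluation this page describes.  Assumptions not stated on the page:
# matching is case-insensitive, a field absent from the device never
# matches, HardwareID may hold several strings (REG_MULTI_SZ) and matches
# if any does, and an inline negated field ("Service=x,-Mfg=*y*") makes
# that rule allow the device only when the negated field does not match.
# Device records below are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase

# The six columns of the Advanced USB settings dialog (Enum\USB values).
FIELDS = ("DeviceDesc", "HardwareID", "Service", "Mfg",
          "LocationInformation", "Class")


@dataclass(frozen=True)
class Rule:
    blacklist: bool        # the line started with "-"
    must_match: tuple      # (field, wildcard) pairs that must all match
    must_not_match: tuple  # inline "-field=pattern" pairs that must not match


def parse_rule(line):
    line = line.strip()
    blacklist = line.startswith("-")
    if blacklist:
        line = line[1:]
    must, must_not = [], []
    for term in line.split(","):
        term = term.strip()
        negated = term.startswith("-")
        if negated:
            term = term[1:]
        name, sep, pattern = term.partition("=")
        if name not in FIELDS or not sep or not pattern:
            raise ValueError(f"bad rule term: {term!r}")
        (must_not if negated else must).append((name, pattern))
    if not must:
        raise ValueError(f"rule has no positive term: {line!r}")
    return Rule(blacklist, tuple(must), tuple(must_not))


def parse_rules(lines):
    return [parse_rule(l) for l in lines if l.strip()]


def _field_matches(device, name, pattern):
    values = device.get(name, ())
    if isinstance(values, str):
        values = (values,)
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in values)


def rule_matches(rule, device):
    return (all(_field_matches(device, n, p) for n, p in rule.must_match)
            and not any(_field_matches(device, n, p) for n, p in rule.must_not_match))


def is_allowed(rules, device):
    """Precedence as described on the page: if any whitelist rules exist the
    device must satisfy one; a device that then satisfies any blacklist rule
    is forbidden.  A blacklist-only rule set allows by default."""
    whitelist = [r for r in rules if not r.blacklist]
    blacklist = [r for r in rules if r.blacklist]
    if whitelist and not any(rule_matches(r, device) for r in whitelist):
        return False
    return not any(rule_matches(r, device) for r in blacklist)


# Constructed device records, shaped like the Enum\USB registry values.
USB_FLOPPY = {"DeviceDesc": "Y-E Data USB Floppy", "Service": "USBSTOR",
              "Mfg": "Y-E Data", "HardwareID": ["USB\\Vid_057b&Pid_0000"],
              "Class": "USB"}
THUMB_DRIVE = {"DeviceDesc": "USB Mass Storage Device", "Service": "USBSTOR",
               "Mfg": "Compatible USB storage device", "Class": "USB"}
HP_IPAQ = {"DeviceDesc": "HP iPAQ USB Sync", "Service": "wceusbsh",
           "Mfg": "HP iPAQ"}
DELL_AXIM = {"DeviceDesc": "Pocket PC USB Sync", "Service": "wceusbsh",
             "Mfg": "Dell"}

# Rule sets taken from the examples on this page.
STORAGE_NO_FLOPPY = ["Service=usbstor", "-DeviceDesc=*floppy*"]
CE_IPAQ_ONLY = ["Service=wceusbsh,DeviceDesc=*iPAQ*"]
CE_EXCEPT_IPAQ_TWO_LINES = ["Service=wceusbsh", "-Service=wceusbsh,Mfg=*iPAQ*"]
CE_EXCEPT_IPAQ_ONE_LINE = ["Service=wceusbsh,-Mfg=*iPAQ*"]

if __name__ == "__main__":
    for name, lines in [("storage, no floppy", STORAGE_NO_FLOPPY),
                        ("CE iPAQ only", CE_IPAQ_ONLY),
                        ("CE except iPAQ (2 lines)", CE_EXCEPT_IPAQ_TWO_LINES),
                        ("CE except iPAQ (1 line)", CE_EXCEPT_IPAQ_ONE_LINE)]:
        rules = parse_rules(lines)
        verdicts = {d["DeviceDesc"]: is_allowed(rules, d)
                    for d in (USB_FLOPPY, THUMB_DRIVE, HP_IPAQ, DELL_AXIM)}
        print(name, verdicts)
```

Running it shows the thumb drive passing the first rule set while the floppy is rejected by the blacklist line, the Dell PDA passing both "CE except iPAQ" forms while the iPAQ fails both, and the thumb drive being rejected by every wceusbsh rule set because no whitelist rule matches it. Note that the equivalence of the two-line and one-line forms holds for that pair in isolation; a leading-minus blacklist rule applies to every device, whereas an inline negation only narrows the rule it sits in.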

Configuring commands that run when an unauthorized device is detected

When the usbmon service detects an unauthorized volume or device, it can execute external programs. You can include one or two placeholders in the commands:

For example, when the following command is configured:

wscript myscript.vbs %1 %2

one of the following commands is launched, depending on whether an unauthorized volume or an unauthorized device was detected:

wscript myscript.vbs volume "1234ABCD"

wscript myscript.vbs device "Y-E Data USB Floppy: Vid_057b&Pid_0000"

Usbmon guarantees that only one instance of the script will be running at the same time.

To configure commands
  1. In a device control setting, click Commands.
  2. Enter the commands you want.
  3. Click OK.

Configuring alerts

Device Control settings use the alert management system for alerting. Device Control can trigger alerts on these events:

Viewing the unauthorized device list

On each computer, Device Control stores a list of the ten most recent unauthorized devices that were connected.

You can view this information from the Network view by clicking Inventory on a device's shortcut menu. Then click LANDesk Management > Device Control > Usbmon alert.

Troubleshooting Device Control

This section contains information about some possible situations you might encounter with Device Control, and how to address them.