Endpoint Device Control in Windows 7 and Beyond
© 2010 Monterey Technology Group Inc.

Slide 2: Preview of Key Points
- Device Control
  - Device Installation Restrictions
  - Encryption: BitLocker to Go

Slide 4: Device Installation Restrictions
- Block ALL removable devices
  - Includes things like mice and keyboards
  - Not realistic for most environments

Slide 6: Device Installation Restrictions
- 2 ways to specify devices
  - Device ID
  - Device Setup Class
- 2 approaches
  - Blacklist: not much value
  - Whitelist: makes more sense
    - Disable installation of all devices by default
    - Enable specific devices or classes of devices

Slide 7: Device Installation Restrictions: Whitelist Enable
- Caveat: does not apply to devices already installed
  - Difference between installed and connected
  - Testing caveat

Slide 8: Device Installation Restrictions: Whitelist
- Enable installation of specific devices
  - Must understand "device identification strings": http://msdn.microsoft.com/en-us/library/ff541224.aspx
  - Hardware IDs
    - Exact make, model, and revision of the device
    - Make and model but not specific revision
  - Compatible IDs
    - Generic hardware ID used for assigning generic drivers from MS
- Enable installation of specific device classes
  - Must understand "Device Setup Classes": http://msdn.microsoft.com/en-us/library/ff541509(v=VS.85).aspx
  - Some are system defined; vendors can also make up new ones

Slide 9: Device Installation Restrictions: Whitelist
- How do you figure out device ID or class?
  - System defined classes: http://msdn.microsoft.com/en-us/library/ff553426(v=VS.85).aspx
  - Control Panel > Device Manager > device properties dialog > Details tab

Slide 10: Device Installation Restrictions: Whitelist
- Enable devices or classes with the "Allow installation of devices using drivers that match..." policies
Slide 11: Device Installation Restrictions: Whitelist Test
- Against non-USB devices like eSATA drives
- Against devices you want to allow installation of
  - Mice
  - Keyboards
  - Monitors
- Against devices you want to prohibit

Slide 12: Device Installation Restrictions: Support Issues
- Message displayed to user
- How to handle exceptions?
  - Are you a least privilege workstation environment?
    - Enable "Configure policy to allow administrators to override device installation restrictions"
  - Otherwise you will have to make temporary GPO exception policies
    - Possible problem when user is travelling
- "Time (in seconds) to force reboot when..."

Slide 13: Device Installation Restrictions
- All or nothing
- What about controlling read/write access to removable storage?
  - Removable Storage Access
  - Control read/write access to different classes of removable storage

Slide 15: Combining Device Restrictions and Removable Storage Access
- Possible to enforce a device whitelist that allows a particular type of USB drive
- Limit read/write access for that class of device

Slide 16: BitLocker to Go
- Applies to removable drives
- Encryption key
  - Smartcard
  - Stored on computer
    - BitLocker must be enabled on system drive
  - Password
    - Allows BitLocker encrypted devices to be shared
- Can require backup to AD for recovery purposes
- BitLocker To Go Reader available for pre Windows 7 computers

Slide 17: BitLocker to Go Policies
- Deny write access to removable drives not protected by BitLocker
- Configure use of passwords for removable data drives
- Choose how BitLocker-protected removable drives can be recovered

Slide 18: Bottom Line
- Device installation restrictions
  - May work for very homogenized, non power user environments
- BitLocker To Go
  - Password based encryption of removable drives
  - Significant caveats, labor and limitations
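The two administrative chores the deck describes, finding the hardware IDs, compatible IDs and setup class GUIDs that go into the whitelist (slides 8 and 9) and checking what the Device Installation Restrictions policy on a machine currently permits, including the administrator override from slide 12, can be scripted. The following is an added example, not code from the deck or from Lumension; it assumes the Win32_PnPEntity WMI class (present on Windows 7), PowerShell 3.0 or later, and the registry location under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions that the Device Installation Restrictions Group Policy settings write to. The USB-only default filter is a constructed choice.

```powershell
# Added example (not from the original deck): list whitelist candidates and
# report the local Device Installation Restrictions policy. Requires PowerShell 3.0+.

function Get-DeviceWhitelistCandidates {
    param([string]$Filter = '^USB')   # constructed default: only USB-enumerated devices
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -match $Filter -and $_.HardwareID } |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                ClassGuid     = $_.ClassGuid                  # Device Setup Class GUID
                HardwareIDs   = ($_.HardwareID -join '; ')    # most specific ID listed first
                CompatibleIDs = ($_.CompatibleID -join '; ')  # generic IDs used for MS in-box drivers
            }
        }
}

# Values under AllowDeviceIDs / AllowDeviceClasses are named "1", "2", ...; skip PS* metadata.
function Get-PolicyListValues([string]$Key) {
    if (Test-Path $Key) {
        $item = Get-ItemProperty -Path $Key
        $item.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
}

function Get-DeviceInstallRestrictionPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) {
        return 'No Device Installation Restrictions policy applied on this machine'
    }
    $p = Get-ItemProperty -Path $base
    [pscustomobject]@{
        DenyUnspecified   = [bool]$p.DenyUnspecified    # 1 = whitelist mode: block anything not listed
        AllowAdminInstall = [bool]$p.AllowAdminInstall  # administrators may override the restrictions
        AllowedDeviceIDs  = @(Get-PolicyListValues "$base\AllowDeviceIDs")
        AllowedClasses    = @(Get-PolicyListValues "$base\AllowDeviceClasses")
    }
}

Get-DeviceWhitelistCandidates | Format-Table -AutoSize
Get-DeviceInstallRestrictionPolicy | Format-List
```

Run it on a test workstation before and after applying the GPO, and remember the deck's caveat: a device that was already installed is not affected by the policy, so compare the candidate list against a freshly imaged machine rather than one that has seen the device before.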
Slide 19: Limitations and Caveats: BitLocker to Go
- Requires Enterprise / Ultimate Win 7
- No write support pre Win 7 (BitLocker to Go Reader)
  - Read access cumbersome, must copy files to desktop
- No support for CD/DVD

Slide 20: Limitations and Caveats
- No logging, reporting, auditing
- Controls installation, not connection
- Defining whitelisted devices cumbersome and laborious
- No control based on type of files or content
- What about temporary exceptions for emergencies when user is off-line?
- What about pre Windows 7?

Slide 21: Brought to you by
- Speakers
  - Chris Chevalier, Senior Product Manager
  - Chris Merritt, Director of Solution Marketing

Slide 22: Want to Learn More?
- Lumension
  - www.lumension.com
  - info@lumension.com
  - http://blog.lumension.com