DESCRIPTION
Randy Franklin Smith, editor of Ultimate Windows Security, goes in-depth on key endpoint device control capabilities to look for in Windows environments. In this webcast, you will:
* Explore native Windows features like Device Installation Restrictions and learn how to define device whitelists
* Find out how native functionality stacks up against real-world requirements
* Learn where you may need a more robust endpoint security solution to fill gaps
* Get a full picture of where Windows functionality leaves off and 3rd-party solutions pick up
This will be both a technical, how-to webinar and a strategic, big-picture training event.
Endpoint Device Control in Windows 7 and Beyond
© 2010 Monterey Technology Group Inc.
Commissioned by:
UltimateWindowsSecurity.com
Brought to you by
Speakers: Chris Chevalier, Senior Product Manager; Chris Merritt, Director of Solution Marketing
Preview of Key Points
Device Control: Device Installation Restrictions
Encryption: BitLocker to Go
Device Installation Restrictions
Block ALL removable devices
• Includes things like mice and keyboards
• Not realistic for most environments
Block ALL removable storage
• Also not realistic for most environments
2 ways to specify devices
• Device ID
• Device Setup Class
2 approaches
• Blacklist: not much value
• Whitelist: makes more sense
  • Disable installation of all devices by default
  • Enable specific devices or classes of devices
Whitelist: enable
Caveat: the restrictions do not apply to devices already installed
• Installed is not the same as connected: the policy is evaluated when Windows installs a driver for a device, so a device whose driver is already installed keeps working when it is plugged in
• Testing caveat: uninstall the test device in Device Manager (or test on a machine that has never seen it) before judging whether the policy blocks it
Whitelist: enable installation of specific devices
• Must understand “device identification strings”: http://msdn.microsoft.com/en-us/library/ff541224.aspx
• Hardware IDs (a list, ordered from most specific to least specific)
  • Exact make, model, and revision of the device
  • Make and model but not specific revision
• Compatible IDs: generic hardware IDs used for assigning generic (in-box) drivers from Microsoft
Enable installation of specific device classes
• Must understand “Device Setup Classes”: http://msdn.microsoft.com/en-us/library/ff541509(v=VS.85).aspx
• Some are system defined; vendors can also make up new ones
Whitelist: how do you figure out the device ID or class?
• System-defined classes: http://msdn.microsoft.com/en-us/library/ff553426(v=VS.85).aspx
• Control Panel \ Device Manager: device properties dialog \ Details tab (Hardware Ids, Compatible Ids, Device class guid)
Whitelist: enable devices or classes
• Devices: “Allow installation of devices that match any of these device IDs” (accepts hardware IDs and compatible IDs)
• Classes: “Allow installation of devices using drivers that match these device setup classes”
• Both sit on top of “Prevent installation of devices not described by other policy settings”, which is what turns the list into a whitelist
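The whitelist steps on the preceding slides (specify devices by ID or setup class, read the identification strings off each device, then allow only those) as one worked PowerShell script. This is an added example, not code from the webcast or from Lumension. It writes the registry location the Device Installation Restrictions Group Policy settings use (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions); the value names DenyUnspecified, AllowDeviceIDs, AllowDeviceClasses and AllowAdminInstall are taken from the DeviceInstallation.admx template as I recall it, so verify them against your own copy. The device IDs in the usage section are constructed placeholders. Run it elevated; on a domain member the next policy refresh overwrites these local values.

```powershell
# Added example, not from the webcast: inventory device identification strings
# and write a local device-installation whitelist on Windows 7 or later.
# Registry value names are from DeviceInstallation.admx as recalled; verify.

# Step 1: hardware IDs, compatible IDs and setup-class GUID for every present
# PnP device. Win32_PnPEntity exists on Windows 7, where Get-PnpDevice does not.
function Get-DeviceIdentityStrings {
    param([string]$NameFilter = '*')
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.Name -like $NameFilter } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                InstanceId    = $_.PNPDeviceID
                ClassGuid     = $_.ClassGuid
                HardwareIds   = @($_.HardwareID)    # most specific (make/model/revision) first
                CompatibleIds = @($_.CompatibleID)  # generic IDs that in-box drivers match on
            }
        }
}

# Each "Allow installation ..." policy is a DWORD switch plus a subkey holding
# the list as string values named 1, 2, 3 ... This replaces the list outright.
function Write-PolicyList {
    param([string]$Base, [string]$Name, [string[]]$Items)
    Set-ItemProperty -Path $Base -Name $Name -Value 1 -Type DWord
    $listKey = Join-Path $Base $Name
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse }
    New-Item -Path $listKey -Force | Out-Null
    $i = 1
    foreach ($item in $Items) {
        New-ItemProperty -Path $listKey -Name $i -Value $item -PropertyType String | Out-Null
        $i++
    }
}

# Step 2: deny everything not explicitly allowed, then allow the listed device
# IDs and setup classes. Restrictions are evaluated at driver installation, so
# a device installed before the policy keeps working: uninstall test devices in
# Device Manager and reconnect them before judging the result.
function Set-DeviceInstallWhitelist {
    param(
        [string[]]$AllowDeviceIds  = @(),
        [string[]]$AllowClassGuids = @(),
        [switch]$AdminOverride
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }

    # "Prevent installation of devices not described by other policy settings"
    Set-ItemProperty -Path $base -Name DenyUnspecified -Value 1 -Type DWord
    # "Allow installation of devices that match any of these device IDs"
    Write-PolicyList -Base $base -Name AllowDeviceIDs -Items $AllowDeviceIds
    # "Allow installation of devices using drivers that match these device setup classes"
    Write-PolicyList -Base $base -Name AllowDeviceClasses -Items $AllowClassGuids

    if ($AdminOverride) {
        # "Allow administrators to override Device Installation Restriction policies":
        # only meaningful where ordinary users are not local administrators.
        Set-ItemProperty -Path $base -Name AllowAdminInstall -Value 1 -Type DWord
    }
}

# Usage. Read the real strings off your drive first; the three device IDs below
# are constructed placeholders. A USB flash drive is a stack of PnP nodes (the
# USB\VID_&PID_ function node, the USBSTOR disk node, the STORAGE\Volume node)
# and every node must be allowed, or the stack stops part way and no drive
# letter appears.
Get-DeviceIdentityStrings -NameFilter '*USB*' | Format-List Name, ClassGuid, HardwareIds, CompatibleIds

Set-DeviceInstallWhitelist -AdminOverride `
    -AllowDeviceIds @('USB\VID_0000&PID_0000',                      # placeholder: the drive's USB node
                      'USBSTOR\DiskExampleCo_ExampleDrive____1.00',  # placeholder: its USBSTOR disk node
                      'STORAGE\Volume') `
    -AllowClassGuids @('{4d36e96b-e325-11ce-bfc1-08002be10318}',    # Keyboard
                       '{4d36e96f-e325-11ce-bfc1-08002be10318}',    # Mouse
                       '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}',    # HIDClass (USB keyboards and mice)
                       '{4d36e96e-e325-11ce-bfc1-08002be10318}')    # Monitor
```

The class list is what keeps the whitelist usable: without Keyboard, Mouse, HIDClass and Monitor, the first replacement keyboard a user plugs in is blocked, which is the "includes things like mice and keyboards" problem from the first slide. Gathering the per-node IDs for each approved drive model is the labour the closing slides call cumbersome.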
Whitelist: test
• Against non-USB devices like eSATA drives
• Against devices you want to allow installation of: mice, keyboards, monitors
• Against devices you want to prohibit
Support issues
• Message displayed to user: Windows shows a balloon saying policy prevented the installation; the “Display a custom message when installation is prevented by a policy setting” policies let you put helpdesk contact details in it
• How to handle exceptions?
  • Are you a least-privilege workstation environment (users are not local administrators)? Enable “Allow administrators to override Device Installation Restriction policies” so helpdesk staff can install an exception without changing policy
  • Otherwise you will have to make temporary GPO exception policies
• Possible problem when the user is travelling: an off-line laptop cannot pick up a GPO exception, and a policy change that needs a reboot to take effect can force one through “Time (in seconds) to force reboot when…”
All or nothing: what about controlling read/write access to removable storage?
Removable Storage Access
• Control read/write access to different classes of removable storage
Combining Device Restrictions and Removable Storage Access
• Possible to enforce a device whitelist that allows a particular type of USB drive
• Limit read/write access for that class of device
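The Removable Storage Access half of that combination, as an added PowerShell example (not code from the webcast or Lumension): one function sets deny-read/deny-write/deny-execute for a storage class, another reads back what the registry actually holds. It writes the location the Removable Storage Access policies use (HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\<class GUID>); the class GUIDs and value names are from RemovableStorage.admx as I recall them, so verify them against your template. Run elevated.

```powershell
# Added example, not from the webcast: set and audit Removable Storage Access
# policy per storage class. GUIDs and value names from RemovableStorage.admx
# as recalled; verify against your template.

$RemovableStorageClasses = @{
    RemovableDisks = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
    CdDvd          = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
    Floppy         = @('{53f56311-b6bf-11d0-94f2-00a0c91efb8b}')
    Tape           = @('{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}')
    # Windows Portable Devices (phones, cameras, media players) use two GUIDs
    WpdDevices     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                       '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}
$RemovableStorageRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Deny_* = 1 blocks that access for the whole class; 0 leaves it allowed.
# This acts on access, not installation: the device still installs and mounts.
function Set-RemovableStorageAccess {
    param(
        [ValidateSet('RemovableDisks','CdDvd','Floppy','Tape','WpdDevices')]
        [string]$Class,
        [switch]$DenyRead,
        [switch]$DenyWrite,
        [switch]$DenyExecute
    )
    foreach ($guid in $RemovableStorageClasses[$Class]) {
        $key = Join-Path $RemovableStorageRoot $guid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Deny_Read  -Value ([int]$DenyRead.IsPresent)  -Type DWord
        Set-ItemProperty -Path $key -Name Deny_Write -Value ([int]$DenyWrite.IsPresent) -Type DWord
        if ($Class -ne 'WpdDevices') {   # the WPD policies have read and write settings only
            Set-ItemProperty -Path $key -Name Deny_Execute -Value ([int]$DenyExecute.IsPresent) -Type DWord
        }
    }
}

# What is enforced right now: gpresult shows what policy sent, this shows what
# the registry holds, which is the value Windows consults at access time.
function Get-RemovableStorageAccess {
    foreach ($class in $RemovableStorageClasses.Keys) {
        foreach ($guid in $RemovableStorageClasses[$class]) {
            $key = Join-Path $RemovableStorageRoot $guid
            $v = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            New-Object PSObject -Property @{
                Class       = $class
                Guid        = $guid
                DenyRead    = [bool]($v.Deny_Read)
                DenyWrite   = [bool]($v.Deny_Write)
                DenyExecute = [bool]($v.Deny_Execute)
            }
        }
    }
}

# The combination the slide describes: the device-installation whitelist admits
# one make and model of USB drive; this makes every removable disk, that one
# included, read-only and non-executable, so data can come in but not go out.
Set-RemovableStorageAccess -Class RemovableDisks -DenyWrite -DenyExecute
Get-RemovableStorageAccess | Format-Table Class, DenyRead, DenyWrite, DenyExecute -AutoSize
```

The deny is per class, not per device: you cannot make one approved drive read-only and leave another writable with this policy alone, which is the limit the slides point at when they say "that class of device".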
BitLocker to Go
Applies to removable drives
Encryption key (how the drive is unlocked)
• Smartcard
• Stored on computer (auto-unlock): BitLocker must be enabled on the system drive
• Password: allows BitLocker-encrypted devices to be shared
Can require backup to AD for recovery purposes
BitLocker To Go Reader available for pre-Windows 7 computers
Policies
• Deny write access to removable drives not protected by BitLocker
• Configure use of passwords for removable data drives
• Choose how BitLocker-protected removable drives can be recovered
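The three policies above plus the password-protector path from the previous slide, as an added PowerShell example (not code from the webcast or Lumension). It writes the values the policies store under HKLM\SOFTWARE\Policies\Microsoft\FVE, then encrypts a removable drive with manage-bde.exe, which Windows 7 has (the Enable-BitLocker cmdlets came later), and escrows the recovery password to AD. The RDV* value names and their meanings are from VolumeEncryption.admx as I recall them; verify them against your template before deploying. Run elevated on an edition that can encrypt (Windows 7 Enterprise or Ultimate).

```powershell
# Added example, not from the webcast: BitLocker To Go policy plus encrypting
# a removable drive with a password and an AD-escrowed recovery password.
# RDV* value names are from VolumeEncryption.admx as recalled; verify.

function Set-BitLockerToGoPolicy {
    param([int]$MinPasswordLength = 12)
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

    # "Deny write access to removable drives not protected by BitLocker":
    # unencrypted drives mount read-only and the user is offered encryption.
    Set-ItemProperty $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord
    Set-ItemProperty $fve -Name RDVDenyCrossOrg    -Value 0 -Type DWord  # 1 = also refuse drives encrypted by other orgs

    # "Configure use of passwords for removable data drives"
    Set-ItemProperty $fve -Name RDVPassphrase           -Value 1 -Type DWord
    Set-ItemProperty $fve -Name RDVEnforcePassphrase    -Value 1 -Type DWord  # require, not merely allow
    Set-ItemProperty $fve -Name RDVPassphraseComplexity -Value 1 -Type DWord  # 1 = require complexity
    Set-ItemProperty $fve -Name RDVPassphraseLength     -Value $MinPasswordLength -Type DWord

    # "Choose how BitLocker-protected removable drives can be recovered":
    # a 48-digit recovery password, escrowed to AD before encryption may start.
    Set-ItemProperty $fve -Name RDVRecovery                     -Value 1 -Type DWord
    Set-ItemProperty $fve -Name RDVRecoveryPassword             -Value 2 -Type DWord  # 2 = require, 1 = allow, 0 = disallow
    Set-ItemProperty $fve -Name RDVRecoveryKey                  -Value 0 -Type DWord  # no recovery-key file
    Set-ItemProperty $fve -Name RDVActiveDirectoryBackup        -Value 1 -Type DWord
    Set-ItemProperty $fve -Name RDVRequireActiveDirectoryBackup -Value 1 -Type DWord  # off-line users cannot start encrypting
    Set-ItemProperty $fve -Name RDVActiveDirectoryInfoToStore   -Value 1 -Type DWord  # recovery passwords and key packages
}

# Encrypt a removable drive with a password protector (so it opens on another
# machine or for another user) and a recovery password, then back the recovery
# password up to AD. manage-bde prompts for the password itself.
function Protect-RemovableDrive {
    param([Parameter(Mandatory=$true)][string]$DriveLetter)   # e.g. 'E:'

    & manage-bde.exe -on $DriveLetter -Password -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed for $DriveLetter" }

    # Find the Numerical Password (recovery) protector's ID in the listing and
    # escrow it explicitly. With RDVRequireActiveDirectoryBackup this already
    # happened, but this is the step to repeat for a drive encrypted off-line.
    $lines = & manage-bde.exe -protectors -get $DriveLetter
    $inRecovery = $false
    $recoveryId = $null
    foreach ($line in $lines) {
        if ($line -match 'Numerical Password') { $inRecovery = $true; continue }
        if ($inRecovery -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { $recoveryId = $Matches[1]; break }
    }
    if ($recoveryId) {
        & manage-bde.exe -protectors -adbackup $DriveLetter -id $recoveryId
    }

    & manage-bde.exe -status $DriveLetter   # shows Conversion Status and Percentage Encrypted
}

Set-BitLockerToGoPolicy -MinPasswordLength 12
Protect-RemovableDrive -DriveLetter 'E:'
```

RDVRequireActiveDirectoryBackup is the setting that turns "can require backup to AD" into a hard gate: a laptop that cannot reach a domain controller will refuse to start encrypting a new drive, which is the same off-line problem the closing slides raise for temporary exceptions.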
Bottom Line
Device installation restrictions
• May work for very homogenized, non-power-user environments
BitLocker To Go
• Password-based encryption of removable drives
Significant caveats, labor and limitations
Limitations and Caveats
BitLocker to Go
• Requires Enterprise / Ultimate Win 7 to encrypt a drive
• No write support pre-Win 7: the BitLocker To Go Reader gives read access only
• Read access through the Reader is cumbersome: files must be copied to the desktop
• No support for CD/DVD
• No logging, reporting, or auditing
• Controls installation, not connection
• Defining whitelisted devices is cumbersome and laborious
• No control based on type of files or content
• What about temporary exceptions for emergencies when the user is off-line?
• What about pre-Windows 7?
Want to Learn More?
Lumension: www.lumension.com, info@lumension.com, http://blog.lumension.com