Deny USB Pen Drives
|
Logged in as: Guest
|
|
Users viewing this topic:
none
|
|
Login  | |
|
Deny USB Pen Drives - 13.May2008 12:13:30 PM
|
|
|
cmddotexe
Posts: 10
Joined: 21.May2007
Status: offline
|
Hi
I've just started evaluating EndPointSecurity4 for our network, and have a couple of questions.
First of all, I'm trying to allow users to use USB Printers etc, but deny access to all USB pen drives other than those we specifically whitelist.
Initially, I set up a policy to give domain users Access/Read permissions on Printers. That didn't work by itself, so I've also given Access/Read to USB ports, but left Storage Devices unconfigured. That allowed domain users to use USB printers, but also gives full access to USB pens. I then tried explicitly setting a policy for domain users which blocked access to Storage Devices, with no effect.
Is there a simple way to block access to all USB pens while still allowing USB printers/keyboards/mice etc, short of having a default block on USB ports and whitelisting all of the USB printers/keyboards etc that we want to allow (we have a lot of them on site!)? The USB pens I've tried have been SanDisk Cruzer Micro USB (both U3 and non-U3) and show up in Device Manager under both the Disk Drives and Storage Volumes sections.
My other question is regarding Windows safe mode. Is it normal for a user to be able to bypass all restrictions just by booting into safe mode? I'm assuming this is just due to the GFI EP service not getting started. Is there a way to ensure the service starts up even in safe mode?
Thanks
Graham.
|
|
|
|
RE: Deny USB Pen Drives - 13.May2008 1:15:57 PM
|
|
|
imatone
Posts: 71
Joined: 6.Aug.2007
Status: offline
|
I'll let the GFi experts answer your SanDisk Cruzer U3 & non-U3 question but I've tried safe mode and the answer is nope. GFi endpointagntservice.exe still starts up in Safe mode including Directory Recovery mode. One way I know and I'm sure many of us knew or would do is to boot up from a bootable W2K or WinXP CD or recovery disk and kicks into recovery console. That way you can bypass EPS agent.
|
|
|
|
|
RE: Deny USB Pen Drives - 14.May2008 5:40:48 AM
|
|
|
cmddotexe
Posts: 10
Joined: 21.May2007
Status: offline
|
Thanks for the reply - I've just double checked this, and the service did actually start up in safe mode (not sure why I thought it didn't yesterday!), however, the policies don't appear to get enforced.
To test this, I've logged in as a local user account and plugged in a pen drive - access is denied.
I then rebooted the PC into safe mode, logged in as the same user and plugged in the same pen drive - access is permitted.
I know there are other ways to bypass the EPS agent, I was just curious if it was supposed to work while in safe mode.
|
|
|
|
|
RE: Deny USB Pen Drives - 14.May2008 9:23:45 AM
|
|
|
DrewE
Posts: 85
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
|
Our quality metrics team is currently reviewing this issue.
_____________________________
Drew Easley - Technical Support Representative
GFI Software - www.gfi.com
|
|
|
|
|
RE: Deny USB Pen Drives - 14.May2008 11:18:25 AM
|
|
|
imatone
Posts: 71
Joined: 6.Aug.2007
Status: offline
|
Will there be a prize awarded to the individual who could uninstall EPS Agent manually? ;-)
|
|
|
|
|
RE: Deny USB Pen Drives - 19.May2008 10:39:53 AM
|
|
|
akyr
Posts: 2
Joined: 19.May2008
Status: offline
|
Worse still, policies are not working for "safe mode with networking". Consequently, bypass protection can ALL users, not just administrators in "safe mode".
|
|
|
|
|
RE: Deny USB Pen Drives - 21.May2008 7:07:51 AM
|
|
|
cmddotexe
Posts: 10
Joined: 21.May2007
Status: offline
|
Has there been any progress with this issue?
Thanks.
|
|
|
|
|
RE: Deny USB Pen Drives - 21.May2008 8:23:20 AM
|
|
|
hilbert
Posts: 5
Joined: 29.Apr.2008
Status: offline
|
We required a support to fix this problem, answer was that it depends on Windows OS, which in safe mode doesn't load drivers, EPS included.
In other words...no solution was found and users can upload/download files into USB sticks without been blocked.
Any suggestions ?
Thnx
|
|
|
|
|
RE: Deny USB Pen Drives - 22.Jun.2008 5:58:40 PM
|
|
|
hilbert
Posts: 5
Joined: 29.Apr.2008
Status: offline
|
Good News.
Yes, It has. Support has released us a patch to addressed this and other issues raised during the time.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
|
Printable Version
