How to Create a Removable Media Policy

Version 3

    Introduction

    We all know that a USB thumb drive is a very easy way for a user to copy data off a corporate computer. Whether by accident or on purpose, users sometimes move sensitive data to a USB drive and from there that data could end up anywhere. McAfee DLPe 9.4 provides a simple way to block the ability to copy data to a removable storage device and prevent users from moving files off a corporate computer.


    In this document, we’re just going to create a simple policy that blocks users from writing data to a USB storage device while still allowing them to copy data from the USB drive to their computer.


    Create a Removable Media Policy

    First, we are going to create a new DLP Policy and assign it to the default policy within the environment. To create a removable media DLP Policy, go to Menu | Data Protection | DLP Policy Manager.

    01.png

    Here, we’ll want to be on the Rule Sets tab and create a new rule set by going to Actions | New Rule Set. We’ll call this rule set Removable Device read only rule set.

    After the rule set is created, click on the rule set name, Removable Device read only rule set, and that will open the DLP Rule Set configuration page.

    02.png

    To create a new device control rule, click on the Device Control tab. Next, click on Actions | New Rule | Removable Storage Device Rule. Let’s start by naming it Removable Storage Read Only Rule. Right below, we’ll want to set the state to Enabled, and let’s increase the severity to Minor.

    03.png

    Now, in the Removable Storage section, click on the three dots on the first line. That will open a new dialog box where you can specify the properties of the device the rule matches. We’ll want to create a new device definition by clicking on New Item.

    For the name, enter USB Storage Device. Next, on the left-hand side, click on Bus Type and use the drop-down under Value to select USB. You can also narrow the scope of the devices that you want to monitor or block by using the other options here, such as the USB Device Serial Number or VID/PID codes. Keep in mind that a definition based on Bus Type alone matches every USB storage device, so if some drives (for example, corporate-issued encrypted ones) need different treatment, you will need a narrower definition keyed on serial number or VID/PID. We’re just going to use a general USB device rule for now, so click Save.

    Now we can see our USB Storage Device, so go ahead and check it and click Save.
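    If you do want to narrow the device definition to specific drives, you need the VID, PID and serial number that Windows reports for each one. The following PowerShell function, an added example and not part of the original article, lists those values for every USB mass-storage drive currently attached to a Windows endpoint. It assumes Windows 8 / Server 2012 or later (the PnpDevice module); the VID/PID values in the comments are illustrative only.

```powershell
# Added example (not from the original article): enumerate USB-attached disk drives and
# print the Bus Type, VID/PID and serial number that a DLPe device definition can match on.
# Assumes the PnpDevice module (Windows 8 / Server 2012 and later).
function Get-UsbStorageIdentity {
    # Disk-class devices whose instance ID sits under USBSTOR are USB mass-storage drives.
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            # The parent of the USBSTOR node is the USB device node. Its instance ID carries
            # the vendor ID, product ID and the serial the device reports, e.g.
            # USB\VID_0781&PID_5567\4C530001234567 (illustrative values, not a real device).
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_Parent').Data
            if ($parent -match '^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$') {
                [pscustomobject]@{
                    FriendlyName = $_.FriendlyName
                    BusType      = 'USB'
                    VID          = $Matches[1].ToUpper()
                    PID          = $Matches[2].ToUpper()
                    # Drives with no firmware serial get a Windows-generated ID containing '&'
                    # that changes with the port used, so it is not a stable match key.
                    Serial       = $Matches[3]
                    HasSerial    = ($Matches[3] -notmatch '&')
                    InstanceId   = $_.InstanceId
                }
            }
        }
}

Get-UsbStorageIdentity | Format-Table -AutoSize
```

    Run it with the test drive plugged in and copy the VID, PID and Serial columns into the device definition. If HasSerial is False for a drive, match on VID/PID instead of the serial number, because the generated ID will not survive a move to another USB port.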

    04.png

    Next, we’ll want to set the reactions by clicking on the Reactions tab. Here, under the Prevent Action, let’s select Read-Only.

    We can create a user notification by clicking on the three dots in the User Notification section. In the notification selection box, click on New Item. We’ll name this Removable Storage Notification under the Name section and use the message “This removable storage device is configured to be read only”. Click Save, then select the newly created Removable Storage Notification and click OK when you’re done.

    05.png

    Lastly, check the Report Incident box so that each blocked write is recorded and can be reviewed in the McAfee ePO console. After that’s all configured, click Save. We can now close the rule set with the Close button in the bottom right.


    Assigning the rule

    Next, we’ll want to assign the rule set to a policy. In this example, I’m going to assign this rule set to the default policy so that all of the machines with DLP installed will be affected. In your environment, you should assign it to a test policy first, confirm the behaviour on a small group of systems, and only then move it to the default policy.

    In the DLP Policy Manager, click on the Policy Assignment tab. Here, we can see which policies are assigned within the environment. Click on Actions | Assign a Rule Set to policies to bring up the policy assignment dialog box. Use the drop-down to select the Removable Device read only rule set, check the policy that you wish to assign this rule set to, then click OK. You can now see that there’s a pending change. To apply this rule set, go to Actions | Apply Selected Policies. In the dialog box that pops up, check the policies to apply and click OK.

    06.png

    Now, to test the policy, we’ll first want to perform an agent wake-up. Go to the System Tree, find your test DLP system, check it, and click on Wake Up Agent.

    After the agent has performed a Collect and Send Properties, we can test it out by plugging in a USB thumb drive. When we plug in the drive, it’ll notify us that the drive is set to read-only mode. We can copy files off of it, but when we try to copy a file onto the drive, it’ll give us an error. Because we checked Report Incident, the blocked write should also show up as an incident in the ePO console, which is worth confirming before rolling the rule set out more widely.
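    A manual drag-and-drop proves the point once, but it is useful to have a repeatable check you can run on each test system after the wake-up. The following PowerShell function, an added example and not part of the original article, exercises both halves of the expected behaviour on a mounted removable drive: a read must succeed and a write must be refused. The drive letter, the probe file name and the assumption that the failure surfaces as a terminating error are assumptions for this check, not something the article specifies.

```powershell
# Added example (not from the original article): verify read-only enforcement on a mounted
# removable drive. Reads are expected to succeed and writes are expected to fail.
# The drive letter and probe file name are assumptions for this check.
function Test-RemovableReadOnly {
    param(
        [Parameter(Mandatory)][string]$DriveLetter   # e.g. 'E'
    )
    $root  = "${DriveLetter}:\"
    $probe = Join-Path $root ('dlp-probe-{0}.txt' -f [guid]::NewGuid())
    $result = [ordered]@{ Drive = $root; ReadOk = $false; WriteBlocked = $false; WriteError = $null }

    # Read test: listing the volume and reading from the first file (if any) must work.
    try {
        $first = Get-ChildItem -Path $root -File -ErrorAction Stop | Select-Object -First 1
        if ($first) { $null = Get-Content -Path $first.FullName -TotalCount 1 -ErrorAction Stop }
        $result.ReadOk = $true
    } catch {
        $result.ReadOk = $false
    }

    # Write test: creating a file on the drive must be refused under the Read-Only reaction.
    try {
        Set-Content -Path $probe -Value 'dlp read-only probe' -ErrorAction Stop
        # Reaching this line means the write succeeded, so the policy is not being enforced.
        # Remove the probe so the test leaves nothing behind.
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        $result.WriteBlocked = $false
    } catch {
        $result.WriteBlocked = $true
        $result.WriteError = '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
    }
    [pscustomobject]$result
}

# Usage: run on the test endpoint with the thumb drive mounted as E:
Test-RemovableReadOnly -DriveLetter 'E'
```

    A correctly enforced policy returns ReadOk True and WriteBlocked True, with the access error in WriteError. If WriteBlocked comes back False, the agent has not yet picked up the policy (re-check the wake-up and policy assignment) or the drive did not match the device definition.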

    07.png

    As you can see, McAfee DLPe can help protect your organization by preventing users from accidentally or deliberately copying data to removable storage devices, while still letting them read from those devices.