I am testing out different methods of applying rules to users and just wanted to get some input on what others are doing. I can't find any best practices, recommendations or methodologies for assigning policies. My scenario is this: I have 300 users, of which only 25 should be allowed to write to CD/DVD-ROM drives. I created all of the pertinent device rules making the CD/DVD read-only. Here is where I am hitting a roadblock.
Originally, I created a user assignment group that included "Everyone". This policy assignment applied all of my e-mail, printer, network and read-only protection rules to everyone. For the group of 25 users that I wanted to allow CD/DVD writing, I put them in a different user assignment group applying only the device rule for CD/DVD read-only (my logic being that, because they are part of Everyone, the other rules are already applied), and I chose to exclude the users from the selected CD/DVD read-only rule. It seemed to be working after some initial testing; then excluded users began to inform me that they could not write to CD, so I contacted support. I was told this method probably would not work, because the most restrictive policy (setting the CD/DVD drive to read-only) would take effect when a user was in multiple user assignments. I called this an ACTIVE exclusion, since I told the assignment specifically not to apply the rule to those users.
Method two, the PASSIVE exclusion: I separated all of my CD-writing users from my non-CD-writing users by AD groups. One user assignment is for non-writers, with all protection rules applied to the group. The second user assignment is for CD/DVD writers, with all protection rules applied except for the CD/DVD read-only rule. So I am not using the exclusion to actively exclude users from the rule; I just chose not to select that rule for users in this group.
So active, passive or a different approach altogether? How are you all applying rules to user assignments?
Message was edited by: cweatherall on 2/2/11 6:34:22 PM CST
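The two designs from the post above, modelled as an added example (not code from the thread or from McAfee). It assumes the resolution semantics support described to the poster: when a user falls under several assignments, the most restrictive setting of a rule wins, so an exclusion in one assignment cannot undo the same rule applied by another. Group names, user names and rule names are constructed for the example.

```python
# Added example: resolve a device rule across several user assignments.
# Assumption (from the support answer quoted in the post): most restrictive wins,
# i.e. a rule is enforced if ANY assignment the user falls under applies it.
from dataclasses import dataclass, field

CD_READ_ONLY = "cd_dvd_read_only"  # the device rule under discussion


@dataclass
class Assignment:
    """A target group, the rules it selects, and users actively excluded per rule."""
    group: str
    rules: set
    exclusions: dict = field(default_factory=dict)  # rule -> set of excluded users


def rule_applies(assignment, user, groups, rule):
    """True if this single assignment enforces `rule` on `user`."""
    if assignment.group not in groups.get(user, set()):
        return False
    if rule not in assignment.rules:
        return False
    return user not in assignment.exclusions.get(rule, set())


def effective_policy(user, groups, assignments, rule):
    """Most-restrictive-wins: enforced if any matching assignment enforces it."""
    return any(rule_applies(a, user, groups, rule) for a in assignments)


def active_exclusion(user):
    """Method one: Everyone gets every rule; writers are excluded from the
    read-only rule in a second assignment. Constructed sample memberships."""
    groups = {"alice": {"Everyone", "CD-Writers"}, "bob": {"Everyone"}}
    assignments = [
        Assignment("Everyone", {"email", "printer", "network", CD_READ_ONLY}),
        Assignment("CD-Writers", {CD_READ_ONLY}, {CD_READ_ONLY: {"alice"}}),
    ]
    return effective_policy(user, groups, assignments, CD_READ_ONLY)


def passive_exclusion(user):
    """Method two: disjoint AD groups; the writers' assignment simply never
    selects the read-only rule, so nothing restrictive applies to them."""
    groups = {"alice": {"CD-Writers"}, "bob": {"Non-Writers"}}
    assignments = [
        Assignment("Non-Writers", {"email", "printer", "network", CD_READ_ONLY}),
        Assignment("CD-Writers", {"email", "printer", "network"}),
    ]
    return effective_policy(user, groups, assignments, CD_READ_ONLY)
```

Under these semantics the active design still locks the writer's drive, because the Everyone assignment enforces read-only on her regardless of the exclusion elsewhere; the passive design leaves the drive writable only for the disjoint writers group.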
This is a good question. We are beginning to implement DLP. The way I see us applying policy is via AD OU, with an exception AD group. So I would create a restrictive rule applied to the AD OU, then exclude the AD exception group from the rule. I chose AD OU because different business units are going to have different DLP requirements/policies.
I do have questions relating to performance. How are policies calculated for the user who logs in? How long does it take? Are there any negative performance effects on the machine with user-based policies? This is where a best practices guide for policy assignment would come in handy.
Hi, I had tried this before. My method is: all users are allowed to read, with write disabled. I had another AD group tied to the new ePO rules which allow write, and it works perfectly.
My rules are usually tagged to users, not computers, so I do not know what type of control you are doing.
But as for best practices guidelines, I do not see McAfee coming out with them. So the answer is no.
Even auditors have not tapped into this application security. It is too new to auditors.
What I know from McAfee is that the default rule overwrites, which means an allow policy is given more priority.
on 10/16/12 1:56:46 AM CDT