
DLP 9.3 CD/DVD rules

I am trying to configure DLP rules to allow only a certain AD group to burn CD/DVDs, and everyone else in AD will have read-only CD/DVD access. It seems like the only access I am getting is either everyone can burn or everyone has read-only access. Can someone please provide an example of what I may need to do or where to start?

Thank you

Accepted Solutions

Re: DLP 9.3 CD/DVD rules

Silverss05, you would need 2 user groups and 2 rules to perform this.

Assume you want to make all users read only except the IT admins group.

Group 1:

Include Everyone, exclude IT Admins

Group 2:

Include IT Admins

Your 2 rules are:

Include CD/DVD, Action - read only, Action - monitor, include Group 1

Include CD/DVD, Action - monitor, include Group 2

15 Replies

Re: DLP 9.3 CD/DVD rules

Thanks.

I want to allow "domain users" read only access, and allow another group "MediaBurners" the ability to burn.

Group 1: Domain Users

Include Domain Users, exclude MediaBurners

Group 2: MediaBurners

Include MediaBurners

Rules:

Read-Only CD/DVD, Action - read only & monitor, include Group 1

Allow CD/DVD Burning, Action - monitor, include group 2 (MediaBurners)

Does this sound correct? 

Re: DLP 9.3 CD/DVD rules

That is correct.

Re: DLP 9.3 CD/DVD rules

Yes, that does sound correct. And do you have your device definition for the rule set to DVD/CD?

Re: DLP 9.3 CD/DVD rules

FYI, there was one thing I noticed lately, and I haven't had time to look it up to see if it's just me or not.

I had a security group that was domain local. When I put it into a UAG, it didn't apply a policy against the people in the security group. I am not sure why. But if you want to see whether the people you have in the UAG have the policy applied against them:

Find the system then click on the products tab then select DLP. Scroll down and see if you see the policy rule name applied against that system that has someone logged into it.

I was one of the people in this security group I was testing, then I added my username directly inside the same UAG, then it was being applied to my system.

Re: DLP 9.3 CD/DVD rules

I have a similar issue to this as well.  I have set up Domain Admins group as a privileged user group and set to override all.  The settings don't seem to be applying to the group, but if I add a user from within the domain admin group individually the settings apply...

Re: DLP 9.3 CD/DVD rules

You might want to check to see if the end user's machine is showing the correct SID for the domain admin group you've applied it to by using gpresult or whoami commands.  KB75675 linked below provides some outlines for this.

McAfee KnowledgeBase - Changes to User Assignment Groups for Data Loss Prevention Endpoint 9.x in eP...

Re: DLP 9.3 CD/DVD rules

I am not sure how the user's system SID would matter when using UAGs (User Assignment Groups)?

Ooo wait, after reading your link, you mean if they were just added to the group they would need to log off then back in... right, following you there.

I will test more this week, but so far I have only noticed it if the security group is DOMAIN LOCAL.

Re: DLP 9.3 CD/DVD rules

The "gpresult" command will list the AD groups for the machine while the "whoami /groups" will list the AD groups and their corresponding SID.

Under the UAG definition, you are provided the option to Identify LDAP objects using either SID or Name.  SID is the default.  In some environments I've seen user groups in AD not assign properly so the assigned UAG will never enforce.  Gpresult and whoami will show if the local machine has the AD assignment.
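An added example, not from this thread or from McAfee, tying together the two UAG definitions in the accepted solution and the gpresult/whoami check in the last replies. Run as the logged-on user on the endpoint, it reads the group list from the logon token (whoami /groups), reports each relevant group's SID so it can be compared with what the UAG stores, mirrors the include/exclude logic of the two UAGs to say which CD/DVD rule should apply, and, if the RSAT ActiveDirectory module is present, reports each group's AD scope (Global vs Domain Local). The NetBIOS domain name CORP is an assumption; the group names are the ones the original poster used.

```powershell
# Added example (not from this thread or from McAfee): check on an endpoint
# which of the two User Assignment Groups (UAGs) from the accepted solution
# the logged-on user would fall into, using the group list in the user's
# logon token, and report each group's SID and AD scope.
# Assumptions: NetBIOS domain "CORP"; group names as used in the thread.

param(
    [string]$Domain    = 'CORP',          # assumption: your NetBIOS domain name
    [string]$BaseGroup = 'Domain Users',  # UAG 1: include
    [string]$BurnGroup = 'MediaBurners'   # UAG 1: exclude; UAG 2: include
)

# whoami /groups lists the groups actually present in the logon token.
# A user added to a group after logging on does not get it until the next
# logon, which is why a freshly assigned UAG can appear not to enforce.
# /fo csv /nh gives headerless CSV: "Group Name","Type","SID","Attributes"
$tokenGroups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header 'Name', 'Type', 'SID', 'Attributes'

function Get-TokenGroup {
    param([string]$GroupName)
    $wanted = "$Domain\$GroupName"
    return $tokenGroups | Where-Object { $_.Name -ieq $wanted } | Select-Object -First 1
}

function Get-EffectiveCdRule {
    # Mirrors the two UAG definitions from the thread:
    #   UAG 1 = include Domain Users, exclude MediaBurners
    #   UAG 2 = include MediaBurners
    # The exclusion in UAG 1 means a MediaBurner never matches the read-only rule.
    $base = Get-TokenGroup $BaseGroup
    $burn = Get-TokenGroup $BurnGroup

    foreach ($g in @($base, $burn) | Where-Object { $_ }) {
        # Compare this SID with the one the UAG resolved (SID is the default
        # identification method in the UAG definition).
        Write-Host ("token has {0} as {1}" -f $g.Name, $g.SID)
    }

    if ($burn)     { return 'Allow CD/DVD Burning (UAG 2: monitor)' }
    elseif ($base) { return 'Read-Only CD/DVD (UAG 1: read only + monitor)' }
    else           { return 'no matching UAG: neither group is in the logon token' }
}

function Get-GroupScope {
    # Optional: report the AD scope of each group, since the thread reports
    # problems with Domain Local groups in a UAG. Needs the RSAT ActiveDirectory
    # module; skipped cleanly if it is not installed.
    param([string[]]$Names)
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Host 'ActiveDirectory module not available; skipping scope check'
        return
    }
    Import-Module ActiveDirectory
    foreach ($n in $Names) {
        try {
            $g = Get-ADGroup -Identity $n
            Write-Host ("{0}: scope={1} SID={2}" -f $g.Name, $g.GroupScope, $g.SID.Value)
        } catch {
            Write-Host ("{0}: lookup failed ({1})" -f $n, $_.Exception.Message)
        }
    }
}

Write-Host ("Expected DLP rule for {0}: {1}" -f (whoami), (Get-EffectiveCdRule))
Get-GroupScope -Names @($BaseGroup, $BurnGroup)
```

If the script reports a group as NOT in the token for a user who is a member, have the user log off and back on and rerun it before touching the UAG; if it is in the token but the rule still does not show under the system's Products tab > DLP in ePO, compare the printed SID against the one the UAG stored, and check the group's scope, which is where the earlier replies saw trouble.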
