I'm attempting to lock down CD/DVD devices using DLP. I was able to successfully control who has no access to them, who has read rights and who has the ability to write. I did this using User Assignment Groups with device rules and everything works great.
For the User Assignment Group that has the ability to write, I want to add a protection rule that monitors what files they write, requests justification and stores evidence. I made the necessary protection rule and an application definition which includes our burning software of choice. However, when I open the application and burn a file to verify the policy is working correctly, it's as if the rule isn't applied at all. I'm never prompted for justification and the DLP logs don't show the files I burned. I've also noticed that users in the allow-write User Assignment Group are unable to use the built-in Windows burning utility.
What am I doing wrong? I greatly appreciate any assistance!
We're currently using DLP 9.2 and ePO 4.5. Below are the steps I followed.
1) Modified the default Media Burner Application Definition to include our Media Burner Application
2) Created a Removable Storage Protection Rule & Enabled It
3) Selected Media Burner Application Definition with Block, Monitor, Notify User, Request Justification and Store Evidence.
4) Assigned Removable Storage Protection Rule to appropriate User Assignment Group.
However, upon logging in, the rule isn't applied at all. Could process strategy have anything to do with it?
I'm also wondering if the known compatibility issue below applies. We do enforce UAC and our user assignment group only has one domain group. Unfortunately I can't disable UAC to verify this is our issue.
540126 - Issue: On Windows Vista and Windows 7 with User Account Control (UAC) turned on, if a user assignment group has only one domain group, protection rules do not work when you apply a policy to a member of the assignment group or log in as any member of the domain group.
I spoke with McAfee support and found out that monitoring all files written to a device isn't possible. You have to create classification rules for certain types of files (wildcards won't work) and then do tagging based on those classification rules.
I don't know how true that is @Mullenjm. I set up a protection rule and only had it monitor explorer.exe when writing files to a USB device. It recorded each file that was moved to the device.
I would also like to do the same with CD/DVD, but I haven't been able to figure out how to define the internal Windows 7 burner.
CD/DVD drives modify the data as it's being written to disk and DLP is not able to track using a Removable Storage Protection rule. DLP can track using an application file access protection rule.
I am just now getting to testing the above. The only part I don't fully understand yet: I can't enable the rule unless I have a content category or tag. I don't understand the tags and categories under the definitions. Can you give me a generic overview of this or point me in the direction of something to read on it?
Any help is greatly appreciated.
From the Product Guide:
Tags give you a method for classifying content and reusing that classification. Tagging rules assign tags to content from specific applications or locations. Once assigned, the tag stays with the content as it is moved or copied, or included in or attached to other files or file types.
Content categories, known as content tags in earlier versions of McAfee DLP Endpoint software, are another way of classifying content. Content categories are used with classification rules to classify content and registered document groups. They can also be specified directly in most protection rules.