stickman
Level 12

Lockdown pc with DLP 9.3

Hi guys,

I have been reading the installation and product guides, followed the steps to create device rules etc., but just can't get to lock down the PC, block USB ports, etc. This is my first time configuring this, any tips on how to get started? I managed to get DLP Endpoint installed on the PC now for blocking externals, shares, printers...

Also, I created a device class for the PC with GUID to manage this PC with a device rule to block USB devices.

Message was edited by: minion on 7/18/13 12:55:49 AM CDT

Message was edited by: minion on 7/18/13 1:35:17 AM CDT
0 Kudos
9 Replies
phreeze
Level 7

Re: Lockdown pc with DLP 9.3

What do you mean by lockdown PC?

Blocking USB ports is relative: if you completely block the USB ports, you block your keyboard, mouse etc.

Blocking STORAGE devices is the most used way. There are KBs and tutorials from MA: https://kc.mcafee.com/corporate/index?page=content&id=KB60861

First create a rule that blocks all storage devices.

Create a definition of your USB stick.

Go to the created rule and exclude this definition.

0 Kudos
stickman
Level 12

Re: Lockdown pc with DLP 9.3

OK, lock-down might sound a bit harsh; just prevent the user from copying data onto externals, block from any shares on the network, prevent from printing, etc.

Thank you for the KB and solutions. Will try it now and give feedback.

0 Kudos
stickman
Level 12

Re: Lockdown pc with DLP 9.3

OK, I followed the steps in the KB, tested with USB and it still opens. These are the steps I followed:

Solution 1

How to block all USB drives using Host DLP 9.x:

IMPORTANT: Save your policies before making any changes. See KB60758 for detailed information on exporting Host DLP 9.x policies.

  1. Log on to the ePO 4.x console.
  2. Click Menu, Data Protection, DLP Policy.
  3. In Device Management, click Device Definitions.
  4. Click Add New and select Removable Storage Device Definition.
  5. Add Block USB drives to the end of the Removable Storage Device Definition name.
        Example: Removable Storage Device Definition Block USB drives
  6. Double-click the Removable Storage Device Definition Block USB drives entry that you created in the previous step.
  7. Select Bus Type, select USB from the list, and click OK.
  8. Click OK.
  9. To save the policy changes, click Apply on the toolbar.
  10. In Device Management, click Device Rules.
  11. Click Add New and select Removable Storage Device Rule.
  12. Add All USB drives to the end of the Removable Storage Device Rule name.
        Example: Removable Storage Device Rule All USB drives
  13. In the list for this rule, locate the Removable Storage Device Definition Block USB drives entry, and select Include in the column on the right.
  14. Click Block. This selects Block, Monitor & Notify User entries.
  15. Click Next.
  16. If a group does not display in the list, click Add to create a group.
        NOTE: If the required group is displayed in the list, select that group and click Finish.
  17. In Find objects containing this folder, click the blank field.
  18. Type an appropriate group name, as defined in Active Directory, that you want to apply this policy to and click Search.
  19. In List View, select the found entry and click OK.
  20. Click OK.
  21. Click Finish.
  22. To save the policy changes, click Apply on the toolbar.
0 Kudos
stickman
Level 12

Re: Lockdown pc with DLP 9.3

Are there maybe videos available for version 9.3? I only found them for older versions. The layout has completely changed since then.

0 Kudos
stickman
Level 12

Re: Lockdown pc with DLP 9.3

Another thing... I don't see the DLP monitor option. I only see:

- DLP Policy

- DLP Incident Manager

- DLP Operational Events

0 Kudos
cnorris
Level 10

Re: Lockdown pc with DLP 9.3

Hello minion,

So, first of all have a read of this doc: http://mcaf.ee/0dav5, pages 114 and 115, which walk through using device rules for plug and play and removable storage. You may need both types of rule to cover your devices.

On page 150 it covers the Incident Manager and Operation Events console that replaced the DLP Monitor.

If you would like us to look at your policy please attach it here and we'll give you some tips.


Best Regards

Chris Norris, CISSP
McAfee Tier III Support Engineer
Data Loss Prevention

0 Kudos
stickman
Level 12

Re: Lockdown pc with DLP 9.3

Great, thank you Chris!

Looks like I am getting somewhere slowly but surely. Making more sense now.

I have created the policies, please find attached. The policies are also assigned on the system tree to the group I am testing with. Is it supposed to block according to my policies now?

Message was edited by: minion on 7/18/13 7:45:42 AM CDT
0 Kudos
cnorris
Level 10

Re: Lockdown pc with DLP 9.3

Answered via PM

0 Kudos
stickman
Level 12

Re: Lockdown pc with DLP 9.3

Please see the policies attached

Message was edited by: minion on 7/19/13 8:53:56 AM CDT
0 Kudos