5 Replies Latest reply on Jan 18, 2011 1:03 PM by j.hawes

    DLP User + Device based exclusions

    Namster

      The goal is to use AD groups to exclude certain users from having a DLP device rule applied to them, as well as allowing approved devices.

      Basically I only want a certain group of AD users to be able to use a specific set of USB devices by PID/VID/Serial#.

      How would I set this up?

      My current config has two device definitions:

      #1 says all USB devices

      #2 says USB device with these PID/VID/SN

      The rule includes all #1 and excludes #2, and includes Domain Users, and excludes my Active Directory group.

      The result is that any user on the network can use those devices listed in #2.

      Can DLP help me with what I would like to accomplish? Anyone get this to work?

        • 1. Re: DLP User + Device based exclusions
          rbdudani

          At the user assignment screen.

          Make a new User Assignment Group.

          Exclude all users and include selected users.

          • 2. Re: DLP User + Device based exclusions
            Namster

            Thanks for your response. Your solution has been tried and does not work.

            e.g. If I have a rule to block all USB mass storage devices and include all domain users, it will block all USB mass storage for all domain users.

            Then I add a global group to the current user assignment group and exclude them. Inside this group is John Doe. John Doe can now use USB devices, but everyone else cannot, as expected.

            Then I create and add a new device definition to the current rule that contains the PID and VID for a OneTouch 750 USB device. John Doe can use this, and so can all domain users.

            My goal was to restrict all users, with exclusions to these specific devices.

            • 3. Re: DLP User + Device based exclusions

              To start with, I am so new at this it is almost painful. However, I have implemented one USB device rule, and it works. Here is what I did to get it to work, although this may not be the easiest, the cleanest, or the most efficient:

              1. I created three specific Device Definitions, all for exclusion, listed by VID/PID.

              2. Created the Device Class USBSTOR, with the correct GUID (as taken from the Windows registry).

              3. Created a USB Removable Storage Rule which blocked all USB access for Device Class USBSTOR, with the exception for the three allowed drives (by VID/PID).

              4. Created a User Assignment Group with all individual members of Windows Active Directory, checking the ENABLE radio button for everyone except for the few that are allowed the exception. Those people are included in the User Assignment Group, but are marked as EXCLUDE.

              5. I go to the second tab, and apply the USB Removable Storage Rule on the User Assignment tab.

              6. I enabled the USB Removable Storage Rule, saved my Global Policy, then applied the rule, and pushed out a job to make sure it goes out to all the devices.

              This may not work in your environment, but that is what I had to do to get my rule working.

              • 4. Re: DLP User + Device based exclusions
                Namster

                I basically did the same thing. When I tested an approved device with an unapproved user, the approved device always works. Have you tried an approved device with a user account that is not excluded yet?

                • 5. Re: DLP User + Device based exclusions

                  First, I have only implemented one rule, so I may not have anything to add, but I think what I may have done differently is that I did not include or exclude AD groups. We only have a user community of 350-400 users, so when I did my AD user import, I selected users to sort on, and only added real users, not OUs or Groups.

                  That way, my one rule is either enabled or not enabled for every user in AD individually.
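As an added example, not from this thread or from McAfee's product, here is a small Python model of how the thread's rule layouts evaluate. It assumes what the observations above suggest: a block rule has a device scope and a user scope, each an include set minus an exclude set, the two scopes are evaluated independently, and a transfer is blocked when any rule matches both. Under that assumption the original single-rule layout lets every domain user use the approved drive, and the model shows why; it also shows a two-rule layout that the model predicts will enforce the intended policy. The user names, group names and VID/PID/serial values are constructed placeholders, and the two-rule layout is a consequence of the model, not something the thread confirms in DLP, so it needs checking in a lab before relying on it.

```python
"""Model of DLP block-rule evaluation (constructed example, not McAfee code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Device:
    vid: str
    pid: str
    serial: str


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class BlockRule:
    """A block rule: a device scope and a user scope, each an include set minus an exclude set."""
    name: str
    include_devices: Callable[[Device], bool]
    exclude_devices: Callable[[Device], bool]
    include_users: Callable[[User], bool]
    exclude_users: Callable[[User], bool]

    def applies(self, user: User, device: Device) -> bool:
        # Assumption: the two scopes are evaluated independently and the rule
        # fires only when both match. This is the model, not a documented API.
        in_device_scope = self.include_devices(device) and not self.exclude_devices(device)
        in_user_scope = self.include_users(user) and not self.exclude_users(user)
        return in_device_scope and in_user_scope


def is_blocked(rules: List[BlockRule], user: User, device: Device) -> bool:
    """A transfer is blocked when any block rule matches both the user and the device."""
    return any(rule.applies(user, device) for rule in rules)


# Constructed sample data; VID/PID/serial values and group names are placeholders.
APPROVED = {("VID_AAAA", "PID_0001", "SN-APPROVED-1")}
APPROVED_GROUP = "USB-Approved"

approved_drive = Device("VID_AAAA", "PID_0001", "SN-APPROVED-1")
random_drive = Device("VID_BBBB", "PID_0002", "SN-RANDOM-9")
alice = User("alice", frozenset({"Domain Users", APPROVED_GROUP}))  # member of the exception group
bob = User("bob", frozenset({"Domain Users"}))                      # ordinary domain user


def any_usb(_: Device) -> bool:
    return True


def is_approved(d: Device) -> bool:
    return (d.vid, d.pid, d.serial) in APPROVED


def domain_user(u: User) -> bool:
    return "Domain Users" in u.groups


def in_approved_group(u: User) -> bool:
    return APPROVED_GROUP in u.groups


def nobody(_) -> bool:
    return False


# The thread's single-rule layout: all USB minus approved devices, Domain Users minus the group.
SINGLE_RULE = [
    BlockRule("block-usb", any_usb, is_approved, domain_user, in_approved_group),
]

# Two-rule layout derived from the model: the exception group gets its own rule
# that blocks everything except the approved devices; everyone else is blocked outright.
TWO_RULES = [
    BlockRule("block-all-usb-for-everyone-else", any_usb, nobody, domain_user, in_approved_group),
    BlockRule("block-unapproved-usb-for-group", any_usb, is_approved, in_approved_group, nobody),
]

# Intended policy from the original post: only group members may use the approved
# devices, and no other USB use is allowed. True means "blocked".
INTENT: Dict[Tuple[str, str], bool] = {
    ("alice", approved_drive.serial): False,
    ("alice", random_drive.serial): True,
    ("bob", approved_drive.serial): True,
    ("bob", random_drive.serial): True,
}


def evaluate(rules: List[BlockRule]) -> Dict[Tuple[str, str], bool]:
    """Map (user name, device serial) -> blocked? for every sample user/device pair."""
    return {
        (u.name, d.serial): is_blocked(rules, u, d)
        for u in (alice, bob)
        for d in (approved_drive, random_drive)
    }


def matches_intent(rules: List[BlockRule]) -> bool:
    return evaluate(rules) == INTENT


if __name__ == "__main__":
    for label, rules in (("single rule", SINGLE_RULE), ("two rules", TWO_RULES)):
        print(label, evaluate(rules), "matches intent:", matches_intent(rules))
```

Running it reproduces the observation in reply 2: with the single rule, the approved drive is allowed for `bob` even though he is not in the exception group, because the device exclusion removes it from the rule's scope for everyone. The same evaluation over the two-rule set returns exactly the intended table, which is the kind of check worth doing on paper before pushing a policy to endpoints.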