2239 Views 3 Replies Latest reply: Oct 16, 2012 1:54 AM by reduakari
cweatherall Newcomer 2 posts since
Feb 2, 2011

Feb 2, 2011 6:35 PM

Best Practices/Successful Practices for Applying Rules to User Assignment Groups

I am testing out different methods of applying rules to users and just wanted to get some input on what others are doing.  Can't find any best practices, recommendations or methodologies for assigning policies. My scenario is this.  I have 300 users of which only 25 should be allowed to write to cd/dvd rom drives.  I created all of the pertinent device rules making the cd/dvd read only.  Here is where I am hitting a road block.


Originally, I created a user assignment group that included "Everyone". This policy assignment applied all of my e-mail, printer, network and read-only protection rules to everyone.  For the group of 25 users that I wanted to allow CD/DVD writing, I put them in a different user assignment group applying only the device rule for CD/DVD read only (my logic being, because they are a part of Everyone, the other rules are already applied) and I chose to exclude the users from the selected CD/DVD read-only rule.  It seemed to be working after some initial testing; then excluded users began to inform me that they could not write to CD, so I contacted support and was told this method probably would not work, because the most restrictive policy of setting the CD/DVD drive to read only would take effect when a user was in multiple user assignments.  I called this an ACTIVE exclusion, since I told the assignment specifically not to apply the rule to those users.


Method two, the PASSIVE exclusion. I separated all of my cd writing users from my non cd writing users by AD groups.  So one user assignment is for non-writers, all protection rules are applied to the group.  The second user assignment is for CD/DVD writers, all protection rules are applied, except for the CD/DVD read only rule. So I am not using the exclusion to actively exclude users from the rule, I just chose not to select that rule for users in this group.


So active, passive or a different approach altogether?  How are you all applying rules to user assignments?
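The two layouts described in the post, modelled as an added Python example (not McAfee's code and not from the original thread). It assumes the combining behaviour support described to the poster, that the most restrictive verdict wins when a user falls under several user assignment groups and that an unselected rule simply does not restrict; the user, group and rule names are constructed.

```python
from dataclasses import dataclass, field

# Verdict strings ordered from least to most restrictive (assumed model).
RESTRICTIVENESS = {"allow": 0, "read_only": 1}

@dataclass
class Assignment:
    """One user assignment group: who it covers, which rules it selects,
    and, per rule, which covered users are actively excluded from it."""
    name: str
    members: set
    rules: dict
    excluded: dict = field(default_factory=dict)

    def verdicts(self, user):
        # Rules this assignment actually applies to `user`.
        if user not in self.members:
            return {}
        return {r: v for r, v in self.rules.items()
                if user not in self.excluded.get(r, set())}

def resolve(user, assignments, rule):
    """Combine every assignment's verdict for `rule`. Assumed semantics (as
    support told the poster): the most restrictive verdict wins when the
    user falls under several assignments; no verdict means not restricted."""
    verdicts = [v for a in assignments
                if (v := a.verdicts(user).get(rule)) is not None]
    if not verdicts:
        return "allow"
    return max(verdicts, key=RESTRICTIVENESS.__getitem__)

# Constructed sample population: three users, one of whom may burn discs.
EVERYONE = {"alice", "bob", "carol"}
WRITERS = {"carol"}

# Method one, "active" exclusion: Everyone gets the read-only rule, and a
# second assignment re-selects it for writers but excludes them from it.
ACTIVE = [
    Assignment("everyone", EVERYONE, {"cd_dvd": "read_only"}),
    Assignment("writers", WRITERS, {"cd_dvd": "read_only"}, {"cd_dvd": WRITERS}),
]

# Method two, "passive" exclusion: disjoint AD groups; the writers'
# assignment simply never selects the read-only rule.
PASSIVE = [
    Assignment("non_writers", EVERYONE - WRITERS, {"cd_dvd": "read_only"}),
    Assignment("writers", WRITERS, {}),
]
```

Under these assumptions `resolve("carol", ACTIVE, "cd_dvd")` returns `"read_only"` because the Everyone assignment still supplies a verdict the exclusion in the second group cannot override, while `resolve("carol", PASSIVE, "cd_dvd")` returns `"allow"`, which matches what the poster observed.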
  • cdobol Apprentice 159 posts since
    Feb 23, 2009

    This is a good question.  We are beginning to implement DLP.  The way I see us applying policy is via AD OU and have an exception AD group.   So I would create a restrictive rule applied to the AD OU, then exclude the AD exception group from the rule.  I chose AD OU because different business units are going to have different DLP requirements/policies. 


    I do have questions relating to performance.  How are policies calculated for the user who logs in?  How long does it take?  Any negative performance effects on the machine with user based policies?  This is where a best practices guide for policy assignment would come in handy.

  • zeb Newcomer 13 posts since
    May 8, 2012

    Hi,


    Ever got an answer on the subject, or a best practice guide somewhere?


    Thank you.

  • reduakari Newcomer 26 posts since
    Oct 12, 2011

    Hi, I had tried this before. My method is that all users are allowed to read, with write disabled, while I had another AD group tied to new ePO rules which allow write, and it works perfectly.


    My rules are usually tagged to users, not computers, so I do not know what type of control you are doing.


    But as for best practices guidelines, I do not see McAfee coming out with any, so the answer is no.


    Even auditors have not tapped into this application security; it is too new to auditors.


    What I know from McAfee is that the default rule overrides, which means the allow policy is given more priority.
