2 Replies Latest reply: Nov 14, 2012 12:12 PM by georgec RSS

    cd-rw usage

    mcafeee

      Hi,

       

      Can anyone advise on the best way to monitor usage of cd-writers though DLP, just to see who is using them, and if possible what they are writing (just the file names) ?

       

      thanks.

        • 1. Re: cd-rw usage
          epository

          You have to create a Device Definition in DLP Policy for CD/DVD drives.

           

          then you have to create a Device Rule and include the CD/DVD drives and set it to Monitor.

           

          Now, you can either use Active Directory and create a User Access Group under DLP Policies and add the "Everyone" group or you can create a DLP Computer Assignement Group policy and assign it to the root of your System Tree.

           

          These should tell you when a CD/DVD is accessed on a computer.

           

          That being said, it wont tell you if files were copied to or from the CD and it wont track which files were burned.

           

           

          Its best to just create a CD/DVD Device rule and make all the devices read-only and create a security group in AD to put authorized users into.  Your CIO should write up a policy for this.

          • 2. Re: cd-rw usage
            georgec

            You need to do an inventory of the cd/dvd burner applications and identify the processes that access the disk when writing files. process monitor is a goot tool for doing this http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

             

            One you have a list of the applications, you can create an application protection rules that monitor the cd/dvd writing processes that access data from the disk. The downside is that if someone writes a lot of files, you'll get a hell lot of events. (one per file)

             

             

            Using device control rules will create one event when the system boots and loads the cd/dvd drivers, but that's about it, you don't get information about what was copied. Removable storage protection rule doesn`t cover the cd/dvd.

             

            Message was edited by: georgec on 11/14/12 12:12:35 PM CST