2 Replies Latest reply: Nov 14, 2012 12:12 PM by georgec RSS

    cd-rw usage




      Can anyone advise on the best way to monitor usage of cd-writers though DLP, just to see who is using them, and if possible what they are writing (just the file names) ?



        • 1. Re: cd-rw usage

          You have to create a Device Definition in DLP Policy for CD/DVD drives.


          then you have to create a Device Rule and include the CD/DVD drives and set it to Monitor.


          Now, you can either use Active Directory and create a User Access Group under DLP Policies and add the "Everyone" group or you can create a DLP Computer Assignement Group policy and assign it to the root of your System Tree.


          These should tell you when a CD/DVD is accessed on a computer.


          That being said, it wont tell you if files were copied to or from the CD and it wont track which files were burned.



          Its best to just create a CD/DVD Device rule and make all the devices read-only and create a security group in AD to put authorized users into.  Your CIO should write up a policy for this.

          • 2. Re: cd-rw usage

            You need to do an inventory of the cd/dvd burner applications and identify the processes that access the disk when writing files. process monitor is a goot tool for doing this http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx


            One you have a list of the applications, you can create an application protection rules that monitor the cd/dvd writing processes that access data from the disk. The downside is that if someone writes a lot of files, you'll get a hell lot of events. (one per file)



            Using device control rules will create one event when the system boots and loads the cd/dvd drivers, but that's about it, you don't get information about what was copied. Removable storage protection rule doesn`t cover the cd/dvd.


            Message was edited by: georgec on 11/14/12 12:12:35 PM CST