977 Views 2 Replies Latest reply: Nov 14, 2012 12:10 PM by georgec
mcafeee Newcomer 40 posts since
May 6, 2009

Oct 31, 2012 4:28 AM

cd-rw usage

Hi,

Can anyone advise on the best way to monitor usage of cd-writers through DLP, just to see who is using them, and if possible what they are writing (just the file names)?

Thanks.

  • epository Apprentice 89 posts since
    Jan 23, 2010
    1. Nov 14, 2012 6:18 AM (in response to mcafeee)
    Re: cd-rw usage

    You have to create a Device Definition in DLP Policy for CD/DVD drives.

    Then you have to create a Device Rule and include the CD/DVD drives and set it to Monitor.

    Now, you can either use Active Directory and create a User Access Group under DLP Policies and add the "Everyone" group, or you can create a DLP Computer Assignment Group policy and assign it to the root of your System Tree.

    These should tell you when a CD/DVD is accessed on a computer.

    That being said, it won't tell you if files were copied to or from the CD and it won't track which files were burned.

    It's best to just create a CD/DVD Device rule and make all the devices read-only and create a security group in AD to put authorized users into. Your CIO should write up a policy for this.

  • georgec Champion 244 posts since
    Sep 9, 2010
    2. Nov 14, 2012 12:12 PM (in response to mcafeee)
    Re: cd-rw usage

    You need to do an inventory of the cd/dvd burner applications and identify the processes that access the disk when writing files. Process Monitor is a good tool for doing this: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Once you have a list of the applications, you can create application protection rules that monitor the cd/dvd writing processes that access data from the disk. The downside is that if someone writes a lot of files, you'll get a hell of a lot of events (one per file).

    Using device control rules will create one event when the system boots and loads the cd/dvd drivers, but that's about it; you don't get information about what was copied. The removable storage protection rule doesn't cover the cd/dvd.

     

    Message was edited by: georgec on 11/14/12 12:12:35 PM CST
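
One way to turn a Process Monitor capture into the burner-process inventory described in the reply above, as an added example that is not part of the original thread. It assumes the capture was exported to CSV, that the optical drive is `E:`, and that the burn shows up as `WriteFile` operations on that drive letter; `burnapp.exe` and all sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# Process names, PIDs and paths are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","burnapp.exe","4120","ReadFile","C:\Users\alice\Documents\payroll.xlsx","SUCCESS","Length: 65,536"
"10:01:02.4","burnapp.exe","4120","WriteFile","E:\payroll.xlsx","SUCCESS","Length: 65,536"
"10:01:02.9","burnapp.exe","4120","ReadFile","C:\Users\alice\Documents\plan.docx","SUCCESS","Length: 32,768"
"10:01:03.0","burnapp.exe","4120","WriteFile","E:\plan.docx","SUCCESS","Length: 32,768"
"10:01:03.2","burnapp.exe","4120","WriteFile","E:\plan.docx","SUCCESS","Length: 8,192"
"10:01:03.5","notepad.exe","5012","WriteFile","C:\Users\alice\notes.txt","SUCCESS","Length: 120"
"10:01:04.0","explorer.exe","2200","ReadFile","E:\payroll.xlsx","SUCCESS","Length: 4,096"
"10:01:04.3","burnapp.exe","4120","WriteFile","E:\locked.bin","ACCESS DENIED",""
'''


def burner_inventory(csv_text, optical_drive="E:"):
    """Map each process that wrote to the optical drive to the files it wrote.

    Only successful WriteFile rows under the drive letter count, so processes
    that merely read the disc (explorer.exe in the sample) are not listed.
    Repeated writes to one file collapse into a single file name.
    """
    prefix = optical_drive.rstrip("\\").upper() + "\\"
    written = defaultdict(set)
    # Strip a leading byte-order mark in case the export carries one.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Operation"] != "WriteFile" or row["Result"] != "SUCCESS":
            continue
        if row["Path"].upper().startswith(prefix):
            # Keep only the path below the drive root: the question asks for names.
            written[row["Process Name"].lower()].add(row["Path"][len(prefix):])
    return {proc: sorted(names) for proc, names in written.items()}


if __name__ == "__main__":
    for proc, names in burner_inventory(SAMPLE_CSV).items():
        print(f"{proc}: {len(names)} file(s) written -> {', '.join(names)}")
```

The process names it returns are the candidates for the application protection rules; burn modes that do not write through the drive letter need a different filter on the capture.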
