9 Replies Latest reply: Jul 19, 2013 8:53 AM by stickman

    Lockdown pc with DLP 9.3

    stickman

      Hi guys,

       

      I have been reading the installation and product guides and followed the steps to create device rules etc., but I just can't get it to lock down the PC, block USB ports, etc. This is my first time configuring this; any tips on how to get started? I managed to get DLP Endpoint installed on the PC now for blocking externals, shares, printers...

       

      Also, I created a device class for the PC with a GUID to manage this PC, with a device rule to block USB devices.

       

      Message was edited by: minion on 7/18/13 12:55:49 AM CDT

       

      Message was edited by: minion on 7/18/13 1:35:17 AM CDT
        • 1. Re: Lockdown pc with DLP 9.3
          phreeze

          What do you mean by lockdown PC?

           

          Blocking USB ports is relative: if you completely block the USB ports, you block your keyboard, mouse etc.

           

          Blocking STORAGE devices is the most used way. There are KBs and tutorials from MA: https://kc.mcafee.com/corporate/index?page=content&id=KB60861

           

          First create a rule that blocks all storage devices.

          Create a definition of your USB stick.

          Go to the created rule and exclude this definition.

          • 2. Re: Lockdown pc with DLP 9.3
            stickman

            OK, lock-down might sound a bit harsh; just prevent the user from copying data onto externals, block from any shares on the network, prevent from printing, etc.

             

            Thank you for the KB and solutions. Will try it now and give feedback.

            • 3. Re: Lockdown pc with DLP 9.3
              stickman

              OK, I followed the steps in the KB, tested with USB and it still opens. These are the steps I followed:

               

               

              Solution 1

              How to block all USB drives using Host DLP 9.x:

               

              IMPORTANT: Save your policies before making any changes. See KB60758 for detailed information on exporting Host DLP 9.x policies.

               

              1. Log on to the ePO 4.x console.
              2. Click Menu, Data Protection, DLP Policy.
              3. In Device Management, click Device Definitions.
              4. Click Add New and select Removable Storage Device Definition.
              5. Add Block USB drives to the end of the Removable Storage Device Definition name.
                    Example: Removable Storage Device Definition Block USB drives
              6. Double-click the Removable Storage Device Definition Block USB drives entry that you created in the previous step.
              7. Select Bus Type, select USB from the list, and click OK.
              8. Click OK.
              9. To save the policy changes, click Apply on the toolbar.
              10. In Device Management, click Device Rules.
              11. Click Add New and select Removable Storage Device Rule.
              12. Add All USB drives to the end of the Removable Storage Device Rule name.
                    Example: Removable Storage Device Rule All USB drives
              13. In the list for this rule, locate the Removable Storage Device Definition Block USB drives entry, and select Include in the column on the right.
              14. Click Block. This selects Block, Monitor & Notify User entries.
              15. Click Next.
              16. If a group does not display in the list, click Add to create a group.
                    NOTE: If the required group is displayed in the list, select that group and click Finish.
              17. In Find objects containing this folder, click the blank field.
              18. Type an appropriate group name, as defined in Active Directory, that you want to apply this policy to and click Search.
              19. In List View, select the found entry and click OK.
              20. Click OK.
              21. Click Finish.
              22. To save the policy changes, click Apply on the toolbar.
              • 4. Re: Lockdown pc with DLP 9.3
                stickman

                Are there maybe videos available for version 9.3? I only found ones for older versions. The layout has completely changed since then.

                • 5. Re: Lockdown pc with DLP 9.3
                  stickman

                  Another thing... I don't see the DLP Monitor option. I only see:

                   

                  - DLP Policy

                  - DLP Incident Manager

                  - DLP Operational Events

                  • 6. Re: Lockdown pc with DLP 9.3
                    cnorris

                    Hello minion,

                     

                    So, first of all, have a read of this doc: http://mcaf.ee/0dav5, pages 114 and 115, which walk through using device rules for plug and play and removable storage. You may need both types of rule to cover your devices.

                     

                    On page 150 it covers the Incident Manager and Operation Events console that replaced the DLP Monitor.

                     

                    If you would like us to look at your policy please attach it here and we'll give you some tips.


                    Best Regards

                    Chris Norris, CISSP
                    McAfee Tier III Support Engineer
                    Data Loss Prevention

                    • 7. Re: Lockdown pc with DLP 9.3
                      stickman

                      Great thank you Chris!

                       

                      Looks like I am getting somewhere, slowly but surely. Making more sense now.

                       

                      I have created the policies, please find attached. The policies are also assigned on the system tree to the group I am testing with. Is it supposed to block according to my policies now?

                       

                      Message was edited by: minion on 7/18/13 7:45:42 AM CDT
                      • 8. Re: Lockdown pc with DLP 9.3
                        cnorris

                        Answered via PM

                        • 9. Re: Lockdown pc with DLP 9.3
                          stickman

                          Please see the policies attached

                           

                          Message was edited by: minion on 7/19/13 8:53:56 AM CDT