7 Replies, latest reply: May 23, 2014 9:41 AM by k_bashir

    DLP Rules and Active Directory

    denicog55

      DLP rules are currently assigned based on AD group membership. We continue to see members not assigned to removable media security groups in AD accessing removable storage devices. How is this possible?

        • 1. Re: DLP Rules and Active Directory
          vimalnavis

          Could you provide more information? What were the rules configured to do and how are the AD Groups assigned?

          • 2. Re: DLP Rules and Active Directory
            denicog55

            DLP rules are assigned based on AD group membership. The rules are configured to deny any user not assigned to the security groups associated with removable media. For example, if userid d555555 tried to access an external storage device, DLP would query security groups in AD for the specific user. If the userid was found it would allow access, and vice versa. We have noticed on multiple occasions DLP allowing access to removable media even though the user is not assigned to the appropriate security groups. The rule is configured to prevent this from happening. We are trying to identify what could cause the rule not to work.

            • 3. Re: DLP Rules and Active Directory
              vimalnavis

              In the User Assignment Group, what's included and excluded? Could you share a screenshot?

              The DLPe Agent does not query AD. It uses the AD SID information recorded when a user/group/OU etc. is added to the User Assignment Group.

              AD can take up to 8 hours to update SID information on end user machines. If the machine always connects using Wireless or VPN, it could take longer (this has nothing to do with DLPe).

              • 4. Re: DLP Rules and Active Directory
                k_bashir

                Hi Vimalnavis,

                I was told by a McAfee Sales Engineer (we are still in the evaluation phase) that the DLP agent on the client queries AD groups. Is that not the case?

                Are you saying the agent is receiving AD SID information from the ePO server as part of ASCI?

                AD can take up to 8 hours to update SID information. Is that something Microsoft-specific you are referring to? Are there Microsoft articles?

                Is there a detailed knowledge base article that explains McAfee ePO or agent interaction with AD?

                Also, I thought this might be the other way round: "If the machine always connects using Wireless or VPN, it could take longer".

                Appreciate your help and clarification on this.

                • 5. Re: DLP Rules and Active Directory
                  vimalnavis

                  DLP Agent does not query AD Groups to enforce rules. The SID is added to the policy when adding users/groups/OUs to User Assignment Groups. When you click on "Apply", the DLP policy gets recorded in ePO.

                  McAfee Agents get this policy and enforce the policy for DLPe Agent. Since the SID is part of the policy, DLPe Agent does not need to query AD.

                  I recommend checking with your AD team to understand how replication has been set up in your company.

                  I have seen in the past that AD group changes are enforced when a user logs in to a machine. Wireless and VPN connections are typically established after a user logs in to the machine (which is why there could be a delay).
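
The reply above says the agent matches SIDs that were recorded in the policy against what the endpoint already knows, and that AD group changes only take effect for a user at the next logon. The following is an added diagnostic example, not code from the thread or from McAfee: it compares the group SIDs in the current user's logon token (what Windows evaluated at logon, and what an agent relying on recorded SIDs would see) with the group membership AD reports right now, for a list of expected group SIDs. The SID values in `$ExpectedGroupSids` are placeholders; the function name `Test-DlpGroupSids` is an assumption of this example; `Get-ADPrincipalGroupMembership` requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original thread). Compare the group SIDs
# present in the current logon token with the groups AD reports now, for
# the group SIDs a DLP user-assignment rule is expected to contain.
#
# Assumptions:
#   - $ExpectedGroupSids holds the SIDs recorded in the policy; the value
#     below is a placeholder, substitute the real group SIDs.
#   - The ActiveDirectory module (RSAT) is available for the AD lookup.

function Test-DlpGroupSids {
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedGroupSids
    )

    # Group SIDs in the token of the logged-on user. This is what Windows
    # built at logon; membership changes made in AD afterwards are not
    # reflected here until the user logs off and on again.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    # Group membership as AD currently reports it (sAMAccountName only,
    # so strip the DOMAIN\ prefix from the token name).
    $samAccount = $identity.Name.Split('\')[-1]
    $adSids = @(Get-ADPrincipalGroupMembership -Identity $samAccount |
                Select-Object -ExpandProperty SID |
                ForEach-Object { $_.Value })

    foreach ($sid in $ExpectedGroupSids) {
        $inToken = $tokenSids -contains $sid
        $inAd    = $adSids    -contains $sid
        [pscustomobject]@{
            GroupSid = $sid
            InAD     = $inAd
            InToken  = $inToken
            # True when the token and AD disagree: the user needs a fresh
            # logon before any SID-based rule can see the change.
            Stale    = ($inAd -ne $inToken)
        }
    }
}

# Usage: run as the affected user on the affected machine.
$ExpectedGroupSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder SID
)
Test-DlpGroupSids -ExpectedGroupSids $ExpectedGroupSids | Format-Table -AutoSize
```

A row with `InAD = False, InToken = True` is the case described in the thread: AD no longer lists the user in the group, but the logon token still carries the SID, so an agent that matches on recorded SIDs still allows access until the user logs off and on. Without RSAT, `whoami /groups /fo csv` on the endpoint shows the same token SIDs. One further check worth making: a SID belongs to the object that was created, so if a group was deleted and re-created with the same name, the SID recorded in the policy no longer matches any current group and the rule will never match.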

                  • 6. Re: DLP Rules and Active Directory
                    keithdrone

                    Vimalnavis is correct. One thing you can do, though, if you have systems you know MUST have this rule, is assign them to the computer policy and not through users. That would effectively apply the policy on Machine X, regardless of which user is logged on.

                    Again, this may not apply to your situation.