Endpoint Device Control in Windows 7 and Beyond


Randy Franklin Smith, editor from Ultimate Windows Security, goes in-depth on key endpoint device control capabilities to look for in Windows environments. In this webcast, you will:

* Explore native Windows features like Device Installation Restrictions and learn how to define device whitelists
* Find out how native functionality stacks up against real world requirements
* Learn where you may need a more robust endpoint security solution to fill gaps
* Get a full picture of where Windows functionality leaves off and 3rd party solutions pick up

This will be both a technical, how-to webinar as well as a strategic big picture training event.

Transcript

  • 1. Endpoint Device Control in Windows 7 and Beyond
    © 2010 Monterey Technology Group Inc.
    • Commissioned by:
  • Brought to you by
    Speakers
    Chris Chevalier, Senior Product Manager
    Chris Merritt, Director of Solution Marketing
  • 2. Preview of Key Points
    Device Control
    Device Installation Restrictions
    Encryption
    BitLocker to Go
  • 3. Device Installation Restrictions
  • 4. Device Installation Restrictions
    Block ALL removable devices
    Includes things like mice and keyboards
    Not realistic for most environments
  • 5. Device Installation Restrictions
    Block ALL removable storage
    Also not realistic for most environments
  • 6. Device Installation Restrictions
    2 ways to specify devices
    Device ID
    Device Setup Class
    2 approaches
    Blacklist
    Not much value
    Whitelist
    Makes more sense
    Disable installation of all devices by default
    Enable specific devices or classes of devices
  • 7. Device Installation Restrictions
    Whitelist
    Enable
    Caveat: does not apply to devices already installed
    Difference between installed and connected
    Testing caveat
  • 8. Device Installation Restrictions
    Whitelist
    Enable installation of specific devices
    Must understand “device identification strings”
    http://msdn.microsoft.com/en-us/library/ff541224.aspx
    Hardware IDs
    Exact make, model, and revision of the device
    Make and model but not specific revision
    Compatible IDs
    Generic hardware ID used for assigning generic drivers from MS
    Enable installation of specific device classes
    Must understand “Device Setup Classes”
    http://msdn.microsoft.com/en-us/library/ff541509(v=VS.85).aspx
    Some are system defined, vendors can also make up new ones
  • 9. Device Installation Restrictions
    Whitelist
    How do you figure out device ID or class?
    System defined classes: http://msdn.microsoft.com/en-us/library/ff553426(v=VS.85).aspx
    Control Panel > Device Manager
    Device properties dialog > Details tab
  • 10. Device Installation Restrictions
    Whitelist
    Enable devices or classes with “Allow installation of devices using drivers that match…” policies
  • 11. Device Installation Restrictions
    Whitelist
    Test
    Against non USB devices like eSATA drives
    Against devices you want to allow installation of
    Mice
    Keyboards
    Monitors
    Against devices you want to prohibit
  • 12. Device Installation Restrictions
    Support Issues
    Message displayed to user
    How to handle exceptions?
    Are you a least privilege workstation environment?
    Enable “Configure policy to allow administrators to override device installation restrictions”
    Otherwise you will have to make temporary GPO exception policies
    Possible problem when user travelling
    “Time (in seconds) to force reboot when…”
  • 13. Device Installation Restrictions
    All or nothing
    What about controlling read/write access to removable storage?
    Removable Storage Access
    Control read/write access to different classes of removable storage
  • 14. Removable Storage Access
  • 15. Combining Device Restrictions and Removable Storage Access
    Possible to enforce device whitelist that allows particular type of USB drive
    Limit read/write access for that class of device
  • 16. BitLocker to Go
    Applies to removable drives
    Encryption key
    Smartcard
    Stored on computer
    BitLocker must be enabled on system drive
    Password
    Allows BitLocker encrypted devices to be shared
    Can require backup to AD for recovery purposes
    BitLocker To Go Reader available for pre Windows 7 computers
  • 17. BitLocker to Go
    Policies
    Deny write access to removable drives not protected by BitLocker
    Configure use of passwords for removable data drives
    Choose how BitLocker-protected removable drives can be recovered
  • 18. Bottom Line
    Device installation restrictions
    May work for very homogenized, non power user environments
    BitLocker To Go
    Password based encryption of removable drives
    Significant caveats, labor and limitations
  • 19. Limitations and Caveats
    BitLocker to Go
    Requires Enterprise / Ultimate Win 7
    No write support pre Win 7
    BitLocker to Go Reader
    Read access cumbersome, must copy files to desktop
    No Support for CD/DVD
  • 20. Limitations and Caveats
    No logging, reporting, auditing
    Controls installation not connection
    Defining whitelisted devices cumbersome and laborious
    No control based on type of files or content
    What about temporary exceptions for emergencies when user is off-line?
    What about pre Windows 7?
  • 21. Brought to you by
    Speakers
    Chris Chevalier, Senior Product Manager
    Chris Merritt, Director of Solution Marketing
  • 22. Want to Learn More?
    Lumension
    www.lumension.com
    info@lumension.com
    http://blog.lumension.com
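
One way to collect the hardware IDs, compatible IDs and device setup class GUIDs that slides 8 and 9 refer to, without opening the Device Manager Details tab for each device. This is an added example, not part of the original presentation; the function name `Get-DeviceWhitelistCandidate` and its `Enumerator` parameter are made up for illustration, and it assumes Windows PowerShell with `Get-WmiObject` and the WMI class `Win32_PnPEntity`.

```powershell
# Added example (not from the slides): list the identification strings that
# a device installation whitelist is keyed on, for devices WMI reports locally.
function Get-DeviceWhitelistCandidate {
    param(
        # Enumerator prefix of the device instance path. 'USB' also matches USBSTOR.
        # Use 'SCSI' or 'IDE' to look at non-USB storage such as eSATA drives.
        [string]$Enumerator = 'USB'
    )
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like "$Enumerator*" } |
        ForEach-Object {
            # Drop empty entries; some devices report no hardware IDs at all.
            $hw = @($_.HardwareID   | Where-Object { $_ })
            $ci = @($_.CompatibleID | Where-Object { $_ })

            # Hardware IDs are listed most specific first (make, model, revision).
            $exact = $null
            if ($hw.Count -gt 0) { $exact = $hw[0] }

            New-Object PSObject -Property @{
                Name          = $_.Name
                ClassGuid     = $_.ClassGuid
                ExactId       = $exact
                # Later entries are progressively less specific; allowing one of
                # them admits more devices than allowing ExactId does.
                HardwareIds   = $hw -join ';'
                CompatibleIds = $ci -join ';'
            }
        } |
        Select-Object Name, ClassGuid, ExactId, HardwareIds, CompatibleIds
}

$devices = @(Get-DeviceWhitelistCandidate)

# Per-device view: candidates for a device ID based allow rule.
$devices | Format-List

# Per-class view: how many devices a class based allow rule would cover.
$devices | Group-Object ClassGuid | Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'ClassGuid'; Expression = { $_.Name } },
        @{ Name = 'Devices';   Expression = { ($_.Group | ForEach-Object { $_.Name }) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

Run it on a reference workstation with the approved mice, keyboards, monitors and storage attached, then rerun it with another enumerator prefix for the non-USB devices slide 11 says to test.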