Endpoint Device Control in Windows 7 and Beyond

Randy Franklin Smith, editor from Ultimate Windows Security, goes in-depth on key endpoint device control capabilities to look for in Windows environments. In this webcast, you will:

* Explore native Windows features like Device Installation Restrictions and learn how to define device whitelists
* Find out how native functionality stacks up against real world requirements
* Learn where you may need a more robust endpoint security solution to fill gaps
* Get a full picture of where Windows functionality leaves off and 3rd party solutions pick up

This will be both a technical, how-to webinar as well as a strategic big picture training event.

Published in: Technology
Endpoint Device Control in Windows 7 and Beyond

  1. Endpoint Device Control in Windows 7 and Beyond
     © 2010 Monterey Technology Group Inc.
     Commissioned by:
     Brought to you by
     Speakers: Chris Chevalier, Senior Product Manager; Chris Merritt, Director of Solution Marketing
  2. Preview of Key Points
     - Device Control: Device Installation Restrictions
     - Encryption: BitLocker to Go
  3. Device Installation Restrictions
  4. Device Installation Restrictions
     - Block ALL removable devices
       - Includes things like mice and keyboards
       - Not realistic for most environments
  5. Device Installation Restrictions
     - Block ALL removable storage
       - Also not realistic for most environments
  6. Device Installation Restrictions
     - 2 ways to specify devices
       - Device ID
       - Device Setup Class
     - 2 approaches
       - Blacklist: not much value
       - Whitelist: makes more sense
         - Disable installation of all devices by default
         - Enable specific devices or classes of devices
  7. Device Installation Restrictions: Whitelist
     - Enable
     - Caveat: does not apply to devices already installed
       - Difference between installed and connected
       - Testing caveat
  8. Device Installation Restrictions: Whitelist
     - Enable installation of specific devices
       - Must understand "device identification strings": http://msdn.microsoft.com/en-us/library/ff541224.aspx
       - Hardware IDs
         - Exact make, model, and revision of the device
         - Make and model but not specific revision
       - Compatible IDs
         - Generic hardware ID used for assigning generic drivers from MS
     - Enable installation of specific device classes
       - Must understand "Device Setup Classes": http://msdn.microsoft.com/en-us/library/ff541509(v=VS.85).aspx
       - Some are system defined, vendors can also make up new ones
  9. Device Installation Restrictions: Whitelist
     - How do you figure out device ID or class?
       - System defined classes: http://msdn.microsoft.com/en-us/library/ff553426(v=VS.85).aspx
       - Control Panel > Device Manager
       - Device properties dialog, Details tab
  10. Device Installation Restrictions: Whitelist
     - Enable devices or classes with "Allow installation of devices using drivers that match..." policies
  11. Device Installation Restrictions: Whitelist
     - Test
       - Against non USB devices like eSATA drives
       - Against devices you want to allow installation of: mice, keyboards, monitors
       - Against devices you want to prohibit
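As an added example (not part of the webcast, and not a Lumension tool), the following PowerShell script pulls the Hardware IDs, Compatible IDs and setup-class GUIDs that slide 9 says to read from the Device Manager Details tab, then checks every present device against the whitelist, which is the slide 11 test done across a fleet rather than one dialog at a time. The policy registry path and value names (AllowDeviceIDs, AllowDeviceClasses, DenyUnspecified) are assumptions drawn from the Device Installation Restrictions policy as it is stored by Group Policy, not something the slides state.

```powershell
# Added example, not from the webcast. Assumes the Group Policy registry
# location below; deny lists, which take precedence in Windows, are not
# modelled, so a "DenyDeviceIDs" entry could still block a listed device.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceIdInventory {
    # Same Hardware IDs, Compatible IDs and class GUID the Details tab shows.
    Get-WmiObject -Class Win32_PnPEntity | ForEach-Object {
        New-Object PSObject -Property @{
            Name = $_.Name; ClassGuid = $_.ClassGuid
            Ids  = @($_.HardwareID) + @($_.CompatibleID)
        }
    }
}

function Get-AllowListFromPolicy {
    # "Allow installation of devices ... that match" stores numbered string
    # values under AllowDeviceIDs / AllowDeviceClasses; DenyUnspecified is the
    # "prevent installation of devices not described by other policies" switch.
    $lists = @{ AllowDeviceIDs = @(); AllowDeviceClasses = @() }
    foreach ($sub in 'AllowDeviceIDs', 'AllowDeviceClasses') {
        $path = Join-Path $policyKey $sub
        if (Test-Path $path) {
            $lists[$sub] = @((Get-ItemProperty -Path $path).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value })
        }
    }
    $deny = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DenyUnspecified
    New-Object PSObject -Property @{
        DenyUnspecified = [bool]$deny
        Ids = $lists['AllowDeviceIDs']; Classes = $lists['AllowDeviceClasses']
    }
}

function Test-DeviceWhitelist {
    param($Inventory, $Policy)
    foreach ($dev in $Inventory) {
        # Windows allows a device when any of its IDs or its class GUID is listed
        # (case-insensitive). A present device reported as not allowed is slide 7's
        # case: it was installed before the policy applied and still works.
        $idHit = @($dev.Ids | Where-Object { $Policy.Ids -contains $_ }).Count -gt 0
        $classHit = $Policy.Classes -contains $dev.ClassGuid
        $matchBy = if ($idHit) { 'DeviceID' } elseif ($classHit) { 'Class' } else { '' }
        New-Object PSObject -Property @{
            Name = $dev.Name; MatchBy = $matchBy
            Allowed = ($idHit -or $classHit -or -not $Policy.DenyUnspecified)
        }
    }
}

Test-DeviceWhitelist -Inventory (Get-DeviceIdInventory) -Policy (Get-AllowListFromPolicy) |
    Sort-Object Allowed | Format-Table Name, Allowed, MatchBy -AutoSize
```

Run it on a reference machine before the GPO is linked to see whether mice, keyboards, monitors and eSATA drives would match by class or by ID, and again afterwards to spot devices that only keep working because they were installed first.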
  12. Device Installation Restrictions: Support Issues
     - Message displayed to user
     - How to handle exceptions?
       - Are you a least privilege workstation environment?
       - Enable "Configure policy to allow administrators to override device installation restrictions"
       - Otherwise you will have to make temporary GPO exception policies
         - Possible problem when user travelling
     - "Time (in seconds) to force reboot when..."
  13. Device Installation Restrictions
     - All or nothing
     - What about controlling read/write access to removable storage?
       - Removable Storage Access: control read/write access to different classes of removable storage
  14. Removable Storage Access
  15. Combining Device Restrictions and Removable Storage Access
     - Possible to enforce device whitelist that allows particular type of USB drive
     - Limit read/write access for that class of device
  16. BitLocker to Go
     - Applies to removable drives
     - Encryption key
       - Smartcard
       - Stored on computer (BitLocker must be enabled on system drive)
       - Password (allows BitLocker encrypted devices to be shared)
     - Can require backup to AD for recovery purposes
     - BitLocker To Go Reader available for pre Windows 7 computers
  17. BitLocker to Go: Policies
     - Deny write access to removable drives not protected by BitLocker
     - Configure use of passwords for removable data drives
     - Choose how BitLocker-protected removable drives can be recovered
  18. Bottom Line
     - Device installation restrictions: may work for very homogenized, non power user environments
     - BitLocker To Go: password based encryption of removable drives
     - Significant caveats, labor and limitations
  19. Limitations and Caveats: BitLocker to Go
     - Requires Enterprise / Ultimate Win 7
     - No write support pre Win 7
       - BitLocker to Go Reader
       - Read access cumbersome, must copy files to desktop
     - No support for CD/DVD
  20. Limitations and Caveats
     - No logging, reporting, auditing
     - Controls installation not connection
     - Defining whitelisted devices cumbersome and laborious
     - No control based on type of files or content
     - What about temporary exceptions for emergencies when user is off-line?
     - What about pre Windows 7?
  21. Brought to you by
     - Speakers: Chris Chevalier, Senior Product Manager; Chris Merritt, Director of Solution Marketing
  22. Want to Learn More?
     - Lumension: www.lumension.com, info@lumension.com, http://blog.lumension.com
