Endpoint Device Control in Windows 7 and Beyond


Description

Randy Franklin Smith, editor of Ultimate Windows Security, goes in-depth on the key endpoint device control capabilities to look for in Windows environments. In this webcast, you will:

• Explore native Windows features like Device Installation Restrictions and learn how to define device whitelists
• Find out how native functionality stacks up against real-world requirements
• Learn where you may need a more robust endpoint security solution to fill gaps
• Get a full picture of where Windows functionality leaves off and third-party solutions pick up

This will be both a technical, how-to webinar and a strategic big-picture training event.

Transcript of Endpoint Device Control in Windows 7 and Beyond

Page 1: Endpoint Device Control in Windows 7 and Beyond

Endpoint Device Control in Windows 7 and Beyond

© 2010 Monterey Technology Group Inc.

Commissioned by:

Page 2: Endpoint Device Control in Windows 7 and Beyond

UltimateWindowsSecurity.com

Brought to you by

Speakers
• Chris Chevalier, Senior Product Manager
• Chris Merritt, Director of Solution Marketing


Page 3: Endpoint Device Control in Windows 7 and Beyond

Preview of Key Points

• Device Control: Device Installation Restrictions
• Encryption: BitLocker to Go


Page 4: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions


Page 5: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

Block ALL removable devices
• Includes things like mice and keyboards
• Not realistic for most environments


Page 6: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

Block ALL removable storage
• Also not realistic for most environments


Page 7: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

2 ways to specify devices
• Device ID
• Device Setup Class

2 approaches
Blacklist
• Not much value
Whitelist
• Makes more sense
• Disable installation of all devices by default
• Enable specific devices or classes of devices


Page 8: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

Whitelist: Enable
• Caveat: does not apply to devices already installed
• Difference between installed and connected
• Testing caveat


Page 9: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

Whitelist: Enable installation of specific devices
• Must understand “device identification strings”: http://msdn.microsoft.com/en-us/library/ff541224.aspx
• Hardware IDs
  • Exact make, model, and revision of the device
  • Make and model but not specific revision
• Compatible IDs
  • Generic hardware ID used for assigning generic drivers from MS

Enable installation of specific device classes
• Must understand “Device Setup Classes”: http://msdn.microsoft.com/en-us/library/ff541509(v=VS.85).aspx
• Some are system defined; vendors can also make up new ones


Page 10: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

Whitelist: How do you figure out the device ID or class?
• System-defined classes: http://msdn.microsoft.com/en-us/library/ff553426(v=VS.85).aspx
• Control Panel \ Device Manager \ Device properties dialog \ Details tab


Page 11: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

Whitelist: Enable devices or classes with the “Allow installation of devices using drivers that match…” policies


Page 12: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

Whitelist: Test
• Against non-USB devices like eSATA drives
• Against devices you want to allow installation of (mice, keyboards, monitors)
• Against devices you want to prohibit
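An added example (not from the webcast) of how to harvest the identifiers the deck says you must collect from Device Manager, and of the "already installed" caveat: it reads the current allow lists from the policy registry keys, inventories every PnP device through WMI (works on Windows 7 / PowerShell 2.0), and reports devices that are installed today but would be blocked if reinstalled under that whitelist. It only evaluates the allow lists and DenyUnspecified, not the deny lists, and the CSV path is an assumption.

```powershell
# Added example, not from the webcast: inventory the identifiers that the
# Device Installation Restrictions policies match on, and flag already
# installed devices that the current allow list would not cover.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyList([string]$subKey) {
    # An allow list is a subkey whose string values are named 1, 2, 3, ...
    $path = Join-Path $policy $subKey
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "$($_.Value)".ToLower() }
}

$allowedIds     = @(Get-PolicyList 'AllowDeviceIDs')
$allowedClasses = @(Get-PolicyList 'AllowDeviceClasses')
$denyAll = (Get-ItemProperty $policy -ErrorAction SilentlyContinue).DenyUnspecified
Write-Host "DenyUnspecified=$denyAll  allowed IDs=$($allowedIds.Count)  allowed classes=$($allowedClasses.Count)"

# Win32_PnPEntity exposes the same strings as Device Manager > Details:
# Hardware Ids, Compatible Ids and Device class guid.
$inventory = Get-WmiObject Win32_PnPEntity | ForEach-Object {
    $ids   = @(@($_.HardwareID) + @($_.CompatibleID) |
               Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $class = "$($_.ClassGuid)".ToLower()
    $idHit = @($ids | Where-Object { $allowedIds -contains $_ })
    New-Object PSObject -Property @{
        Name       = $_.Name
        ClassGuid  = $class
        HardwareId = ($ids | Select-Object -First 1)
        # Covered = a fresh install of this device would pass the whitelist
        Covered    = ($idHit.Count -gt 0) -or ($allowedClasses -contains $class)
    }
}

# Full inventory to CSV: the raw material for building the whitelist
# (path is an assumption for this example).
$inventory | Export-Csv -NoTypeInformation -Path "$env:TEMP\device-inventory.csv"

# Devices installed today that would be blocked if reinstalled (the
# "does not apply to devices already installed" caveat): test these first.
$inventory | Where-Object { -not $_.Covered } |
    Sort-Object Name | Format-Table Name, ClassGuid, HardwareId -AutoSize
```

Run it on a reference machine before enabling DenyUnspecified; anything in the uncovered list that you still need (eSATA controllers, docking-station hubs) belongs in the whitelist.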


Page 13: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

Support Issues
• Message displayed to user
• How to handle exceptions?
  • Are you a least-privilege workstation environment? Enable “Configure policy to allow administrators to override device installation restrictions”
  • Otherwise you will have to make temporary GPO exception policies
• Possible problem when the user is travelling: “Time (in seconds) to force reboot when…”


Page 14: Endpoint Device Control in Windows 7 and Beyond

Device Installation Restrictions

All or nothing: what about controlling read/write access to removable storage?

Removable Storage Access
• Control read/write access to different classes of removable storage


Page 15: Endpoint Device Control in Windows 7 and Beyond

Removable Storage Access


Page 16: Endpoint Device Control in Windows 7 and Beyond

Combining Device Restrictions and Removable Storage Access

• Possible to enforce a device whitelist that allows a particular type of USB drive
• Limit read/write access for that class of device
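An added example (not from the webcast) of the combination just described, written as the registry values that the Device Installation Restrictions and Removable Storage Access GPO settings produce, applied directly on a test machine; in production the same settings are delivered through a GPO. The setup class GUIDs are the system-defined ones; the USB drive hardware ID is a placeholder to be replaced with the value from Device Manager.

```powershell
# Added example, not from the webcast: the registry values behind the
# combined configuration, written to a test machine (run as admin).
# In production the same values come from a GPO under Computer
# Configuration > Administrative Templates > System.
$di  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$rsa = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# System-defined setup classes for the devices everyone needs (see the MSDN
# list linked in the deck). USB covers hubs and the parent node of a flash
# drive; the disk node below it (USBSTOR\Disk...) is class DiskDrive, which
# is deliberately NOT allowed here, so only ID-listed drives install.
$allowClasses = @(
    '{4d36e96b-e325-11ce-bfc1-08002be10318}', # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}', # Mouse
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}', # HIDClass
    '{4d36e96e-e325-11ce-bfc1-08002be10318}', # Monitor
    '{36fc9e60-c465-11cf-8056-444553540000}', # USB controllers/hubs
    '{71a27cdd-812a-11d0-bec7-08002be2092f}'  # Volume (needed by any disk)
)
# PLACEHOLDER: the approved drive model's hardware ID, copied from Device
# Manager > Details > Hardware Ids on a reference machine.
$allowIds = @('USBSTOR\DiskVENDOR__MODEL___________REV_PLACEHOLDER')

New-Item "$di\AllowDeviceClasses" -Force | Out-Null
New-Item "$di\AllowDeviceIDs"     -Force | Out-Null
Set-ItemProperty $di DenyUnspecified    1 -Type DWord  # block everything else
Set-ItemProperty $di AllowDeviceClasses 1 -Type DWord  # enable the class list
Set-ItemProperty $di AllowDeviceIDs     1 -Type DWord  # enable the ID list
Set-ItemProperty $di AllowAdminInstall  1 -Type DWord  # admin override (page 13)
$n = 0; foreach ($c in $allowClasses) { $n++; Set-ItemProperty "$di\AllowDeviceClasses" "$n" $c }
$n = 0; foreach ($h in $allowIds)     { $n++; Set-ItemProperty "$di\AllowDeviceIDs"     "$n" $h }

# Removable Storage Access for the "Removable Disks" class: the approved
# drive installs and can be read, but nothing can be written to it.
$removable = "$rsa\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
New-Item $removable -Force | Out-Null
Set-ItemProperty $removable Deny_Write 1 -Type DWord
Set-ItemProperty $removable Deny_Read  0 -Type DWord

# The install restrictions apply to new installs only (page 8): re-test
# with a drive that has never been connected to this machine.
```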


Page 17: Endpoint Device Control in Windows 7 and Beyond

BitLocker to Go

Applies to removable drives

Encryption key
• Smartcard
• Stored on computer: BitLocker must be enabled on the system drive
• Password: allows BitLocker-encrypted devices to be shared

Can require backup to AD for recovery purposes

BitLocker To Go Reader available for pre-Windows 7 computers


Page 18: Endpoint Device Control in Windows 7 and Beyond

BitLocker to Go

Policies
• Deny write access to removable drives not protected by BitLocker
• Configure use of passwords for removable data drives
• Choose how BitLocker-protected removable drives can be recovered


Page 19: Endpoint Device Control in Windows 7 and Beyond

Bottom Line

Device installation restrictions
• May work for very homogenized, non-power-user environments

BitLocker To Go
• Password-based encryption of removable drives

Significant caveats, labor and limitations


Page 20: Endpoint Device Control in Windows 7 and Beyond

Limitations and Caveats

BitLocker to Go
• Requires Enterprise / Ultimate Win 7
• No write support pre-Win 7
• BitLocker to Go Reader: read access cumbersome, must copy files to desktop
• No support for CD/DVD


Page 21: Endpoint Device Control in Windows 7 and Beyond

Limitations and Caveats

• No logging, reporting, auditing
• Controls installation, not connection
• Defining whitelisted devices cumbersome and laborious
• No control based on type of files or content
• What about temporary exceptions for emergencies when the user is off-line?
• What about pre-Windows 7?


Page 22: Endpoint Device Control in Windows 7 and Beyond

Brought to you by

Speakers
• Chris Chevalier, Senior Product Manager
• Chris Merritt, Director of Solution Marketing


Page 23: Endpoint Device Control in Windows 7 and Beyond

Want to Learn More?

Lumension
• www.lumension.com
• [email protected]
• http://blog.lumension.com
