How to get started with Ivanti Endpoint Security - Device Control

Version 9

    Verified Product Versions

    • LANDESK Management Suite 9.6
    • LANDESK Management Suite 2016.x
    • LANDESK Endpoint Manager 2017.x

    Introduction

     

    This document is designed to give a LANDESK administrator the ability to create Endpoint Security Device Control settings for their organization using LANDESK Security Suite in LDMS 2016. This is not the only way to implement Endpoint Security, but it gives you a solid starting place to build upon.

     

    Endpoint Security Device Control is an advanced security tool that gives the corporate security team the ability to set behaviors for storage volumes, devices, entire interfaces, etc. This helps protect the environment from external and internal security breaches.

     

    LANDESK Endpoint Security Device Control settings are one layer of a comprehensive layered security model. That model should also include a process for patching vulnerabilities (OS and third party), Endpoint Security application behavior, application blocking, application control, and/or antivirus, together with security training for employees.

     

    Corporate policy should ensure that users do not have administrative rights on the endpoint and do not log in as administrator. Users with these rights could inadvertently, or knowingly, open their devices to a breach, including by reconfiguring or disabling the security agent that enforces these settings.

     

    Also remove unnecessary software. Software installed as part of the OS, or bundled with other applications, increases the attack surface of client devices.

     

    Assumptions

     

    A LANDESK core server is installed with internet connectivity, and it has been activated with a valid license for LANDESK Security Suite.

     

    It is also assumed that there are existing LANDESK agents deployed and that the agents have access to the LANDESK core server.

     

    It is also assumed that the administrator has a working knowledge of LANDESK Management Suite and an idea of what the end security posture should look like.

     

    Endpoint Security Basics

     

    LANDESK Endpoint Security is the base component for Application Control, Device Control, and LANDESK Firewall. At a base level Endpoint Security can be installed on clients and offers some protection without configuring any of the three sub-components:

     

    • Application Control
    • Device Control
    • LANDESK Firewall

     

    Exceptions for various devices, interfaces, etc.

     

    Endpoint Security - Device Control

    Creating our first Device Control configuration.

     

    1. Open the Agent Settings tool and drill down to the Security group.
    2. Expand Security, right-click Device Control, and select "New...".

     

    You will be presented with five sections:

     

    • General Settings
    • Storage Volumes
    • CD/DVD/Blu-Ray
    • Devices
    • Shadow copy

     

    General Settings

    The General tab presents two options: the name of the Device Control setting, and a checkbox to select whether this is going to be your default setting.

     

    Storage Volumes

    This section covers storage volumes. A volume is a storage device, such as a fixed disk, USB disk, or CD-ROM, that is formatted to store directories and files. Such volumes can generally be accessed through a drive letter, and a single device may provide several volumes.

     

    The access level option specifies the access level for any storage volume that was not present on the client when the setting was installed.

    If a device containing a volume was attached when the setting was installed, the Ivanti Endpoint Security service will continue to allow that device in the future, even though it may be removable.

    Devices that are allowed due to being connected during installation can be reset to No Access or Read Only access (whatever you have set the limitation to be) by pushing a policy s

     

     

     

    Full access

    Allows read and write access to a connecting storage volume.

    Read only access

    Allows users to read from but not write to a connected storage volume.

     

    Force encryption

    Enforces file encryption on a connecting storage volume. An encryption utility is deployed that enables file encryption on a storage device connecting to a client with this setting. Files are encrypted when written to a storage device and decrypted when read from the device. Access is allowed only by providing the correct password that is defined when creating an encrypted folder on the USB storage device.

    IMPORTANT: First create an encrypted folder on the USB device. When a storage device is configured for file encryption, users must initially create an encrypted folder before they can copy files to the device with the encryption utility (Start > Ivanti Management > Ivanti Encryption Utility). Specify a password when creating the encrypted folder. If the Allow password hints option is enabled (see below), the user has the option of entering a hint to help them remember the password; the hint is not required.

     

    No access

    Prevents the use of storage volumes connecting to a client configured with this device control setting. You can customize which types of devices are still allowed by selecting specific device types on the Device page.

    Exceptions

    Click to create exceptions to the access level for storage volumes. You can add exceptions based on hardware ID, media serial, or bus type.

     

    Encryption options

    • Storage space allocated for encryption: Specifies the amount of space on a storage device that can be used for encrypted files.
    • Allow password hints: Lets the end user enter a hint to help them remember the encrypted folder password. The hint can't be an exact match of the password and can't exceed 99 characters. Even when the hint field is available, the user is not required to enter one. A hint exists to be shown to whoever tries to open the folder, so tell users that a hint which gives away the password defeats the encryption.
    • Notify end user: Displays a message box when a user connects an unauthorized storage device.

     

    About the Configure exception (for storage volumes) dialog box

    Use this dialog box to create an exception to the access level for storage volumes.

     

    Description

    Enter any description you want to identify this exception.

    Parameter

    Select the parameter type (hardware ID, volume serial, or bus type).

    Value

    If the hardware ID parameter is selected, enter a value string.

    Access

    Specifies the access level for this exception (full access, read-only access, encrypted only, no access).

     

    CD/DVD/Blu-ray drives

     

    Specifies the access level for CD/DVD drives. Again the choices are Full access, Read-only access, and No access.

    Exceptions

    Click to create exceptions to the access level for CD/DVD drives. You can add exceptions based on hardware ID, volume serial, bus type, or device instance ID.

    Notify end user

    Displays a message box when a user connects an unauthorized device. (This setting is off by default.)

     

    Devices

     

    Select a device and, in the Access column, choose whether to Allow, Block, or Always allow the device. Allow still honors the interface setting for the bus the device is on, whereas Always allow overrides it (see Devices Tab below).

     

    The following devices are supported:

     

    • Apple iOS devices
    • BlackBerry smartphones
    • Fingerprint Readers
    • Floppy Drives
    • Keyboards (USB)
    • Mice (USB)
    • Modems
    • Palm OS Devices
    • Printers
    • Scanners
    • Windows Mobile devices

     

    You will note that Android devices and some other devices are missing from this list. Access to and from such devices can still be limited through the Interfaces and Exceptions tabs described below.

     

    Devices Tab

    If you disable an entire interface (such as USB), it is important to set items such as Keyboard and Mouse to "Always allow", because "Always allow" is what overrides the interface setting. If this is not set correctly, the client's USB keyboard and mouse stop working when the setting is applied, and you will not be able to operate the device until you have changed those entries to "Always allow" and pushed a Configure Updates task to the affected client. If you use biometric fingerprint login, set Fingerprint Readers to "Always allow" as well. Test a setting that blocks an interface on a small pilot group before deploying it broadly.

    (screenshot: aa.gif)

     

    Interfaces Tab

     

    As different interfaces can be used to copy data to and from a device, you can also disable an entire interface from functioning and then allow the usual exceptions.

     

    Interfaces that can be blocked:

     

    • 1394 (Firewire)
    • Bluetooth
    • IR (Infrared)
    • Parallel
    • PCMCIA
    • PS2
    • Serial
    • USB

     

    Wireless options

     

    Block Wireless LAN 802.11x

     

    802.11 wireless communications (b, g, n, ac, etc.) can also be blocked. The product labels this option "802.11x"; it refers to the 802.11 Wi-Fi family, not to 802.1X port authentication. It is useful to block wireless communications within an office environment to prevent clients from connecting to outside networks, which could enable a data breach.

     

    Block Wireless LAN 802.11x only when a wired connection exists

     

    This variant blocks the wireless LAN only while a wired connection is present. A laptop with no wired connection keeps its Wi-Fi, but a cabled or docked device cannot be connected to the wired corporate network and an outside wireless network at the same time.

     

    Exceptions tab


    This section lists the devices that have been reported to the core by each EPS client. At the time of this writing there is a bug where the list stays blank until you click the "Only USB" checkbox in the upper right and toggle it.

     

    (screenshot: ExecptionsImport.jpg)

    From here you can select a device from the list, click the "Add instance path" or "Add hardware ID" radio button, and then click "Add to exception list".

     

    After adding the device to the exception list you can modify the exception to make it more or less precise to a particular device revision, etc.

     

    As an example, select a removable USB media device from the list, click "Add Hardware ID", and then "Add to exception list".

    (screenshot: Kingston.jpg)

    This opens the exception dialog, where further edits can be made.

    (screenshot: EditException.jpg)

    You can then modify the description, manually change the exception information, etc.

     

    For example, you can shorten the Hardware ID or Instance Path and add a wildcard "*" to make the exception less device-specific, so that it matches every unit or revision of a model instead of one particular device. This applies in the other areas where exceptions can be applied as well. Keep the pattern as specific as your use case allows: a pattern cut back to the vendor name, or to the bus prefix, matches every device from that vendor or on that bus and silently widens the exception far beyond the device you meant.

     

    Exceptions can also be added from the Security Activity tool within the LDMS console.

     

    The following animation demonstrates this:

     

    (animation: ConsoleException.gif)

     

     

    Shadow Copy

     

    Use this page to enable and configure shadow copy on managed devices configured with this setting.

     

    Shadow copy lets you track what files have been copied to and from the device by making a duplicate (or shadow) copy of those files in a local directory.

     


    • Enable shadow copy: Turns on shadow copy on managed devices with this setting.
    • Log events only: Records only the file copy activity in a log file, not the files themselves. Shadow copy information appears in the Security Activity tool within the LANDESK Console under "Device Control" and then "Shadow Copy Files" (screenshot: ShadowCopyFiles.jpg).
    • Local cache settings: Specifies the location on the local drive where the shadow copy files and log file are stored. Because shadow copies are full duplicates of whatever users copy to or from removable media, this directory can grow quickly and will itself hold any sensitive data that was moved; plan its size and restrict access to it accordingly.
    • Exceptions: Click to create exceptions. You can add exceptions based on hardware ID, media serial, or bus type.

     

    Order of Priority

     

    • For the Devices policy (#1), the order is: Exceptions -> Device -> Interface
    • For storage volumes and CD/DVD the order is the same: Exceptions -> Devices policy (see #1), which applies only if it blocks the volume or CD/DVD -> volume or CD/DVD policy

     

    Example with a USB Blu-ray drive, with the CD/DVD policy set to "Full access":

    1. If the USB interface is set to "Block" in the Devices policy, the USB Blu-ray drive will be blocked.
    2. If the USB interface is set to "Block" in the Devices policy, and there is an "Allow device" exception for this drive in the Devices exceptions, it will be allowed.
    3. If the USB interface is set to "Block" in the Devices policy, and there is a "Full access" exception for this drive in the CD/DVD exceptions, it will be allowed.

     

    Same drive with the CD/DVD policy set to "No access":

    1. If the USB interface is set to "Allow" in the Devices policy, the USB Blu-ray drive will still be blocked: the Devices policy is not blocking USB, so nothing overrides the CD/DVD policy of No access. An Allow in the Devices policy never grants more access than the volume or CD/DVD page allows.
    2. If there is a "Full access" exception for this drive in the CD/DVD exceptions, it will be allowed, whatever the Devices policy says.
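    As an added example, not code from Ivanti/LANDESK or from this article, the following Python models the precedence rules above and the wildcard exceptions from the Exceptions tab, then re-runs the Blu-ray scenarios and the Devices Tab keyboard caveat so the outcome of each combination can be checked before a setting is pushed to clients. Everything not stated on this page is an assumption: the case-insensitive, glob-style "*" matching of exception strings, the policy and device structures, and all hardware IDs, instance paths and serials, which are constructed in the Windows USBSTOR/USB naming style.

```python
"""Model of the precedence rules on this page (added example, not Ivanti/LANDESK code).
Devices page     : Exceptions -> Device -> Interface
Volumes / CD-DVD : Exceptions -> Devices policy (counts only if it blocks) -> page access level
Assumed, not from the page: exception strings are matched case-insensitively with glob-style
'*' against the hardware ID or instance path; all sample identifiers are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

BLOCK, ALLOW, ALWAYS_ALLOW = "Block", "Allow", "Always allow"                # Devices page
FULL, READ_ONLY, NO_ACCESS = "Full access", "Read-only access", "No access"  # volume / CD-DVD pages

@dataclass
class DcException:
    pattern: str   # hardware ID or instance path, optionally shortened with a trailing '*'
    access: str

@dataclass
class DevicesPolicy:
    interfaces: dict[str, str] = field(default_factory=dict)  # "USB" -> Block / Allow
    devices: dict[str, str] = field(default_factory=dict)     # "Keyboards (USB)" -> Allow / Block / Always allow
    exceptions: list[DcException] = field(default_factory=list)

@dataclass
class MediaPolicy:               # one Storage Volumes or CD/DVD/Blu-ray page
    access: str = FULL
    exceptions: list[DcException] = field(default_factory=list)

@dataclass
class Device:
    hardware_id: str
    instance_path: str
    interface: str                  # "USB", "1394", "Bluetooth", ...
    device_type: str | None = None  # row on the Devices page, if the device has one

def first_exception(exceptions: list[DcException], device: Device) -> DcException | None:
    """Assumed matching: case-insensitive glob against either identifier, first hit wins."""
    for exc in exceptions:
        if any(fnmatchcase(v.upper(), exc.pattern.upper()) for v in (device.hardware_id, device.instance_path)):
            return exc
    return None

def devices_decision(policy: DevicesPolicy, device: Device) -> str:
    """Devices page: Exceptions -> Device -> Interface."""
    exc = first_exception(policy.exceptions, device)
    if exc is not None:
        return exc.access
    per_type = policy.devices.get(device.device_type)
    if per_type == BLOCK:
        return BLOCK
    if per_type == ALWAYS_ALLOW:   # the only per-device setting that overrides a blocked interface
        return ALLOW
    return policy.interfaces.get(device.interface, ALLOW)   # plain Allow defers to the interface

def media_decision(media: MediaPolicy, devices: DevicesPolicy, device: Device) -> str:
    """Volumes / CD-DVD: Exceptions -> Devices policy (only a Block counts) -> page access level."""
    exc = first_exception(media.exceptions, device)
    if exc is not None:
        return exc.access
    if devices_decision(devices, device) == BLOCK:
        return NO_ACCESS
    return media.access

# Constructed sample devices (Windows USBSTOR/USB naming, fake vendor strings and serials)
BLURAY = Device(r"USBSTOR\CdRom&Ven_Example&Prod_BD_Writer&Rev_1.00",
                r"USBSTOR\CdRom&Ven_Example&Prod_BD_Writer&Rev_1.00\BD000001&0", "USB")
KINGSTON = Device(r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP",
                  r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0123456789AB&0", "USB")
KEYBOARD = Device(r"USB\VID_1234&PID_5678", r"USB\VID_1234&PID_5678\6&1A2B3C4D&0&1", "USB", "Keyboards (USB)")

def run_examples() -> dict[str, str]:
    """The page's Blu-ray scenarios, the Devices-tab keyboard caveat, and a wildcard exception."""
    usb_blocked = DevicesPolicy(interfaces={"USB": BLOCK})
    usb_allowed = DevicesPolicy(interfaces={"USB": ALLOW})
    allow_drive = DcException(BLURAY.hardware_id, ALLOW)   # exception on the Devices page
    full_drive = DcException(BLURAY.hardware_id, FULL)     # exception on the CD/DVD page
    # Hardware ID shortened at the model name: covers every revision and serial of that model
    kingston_model = DcException(r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0*", READ_ONLY)
    return {
        "cd full, usb blocked": media_decision(MediaPolicy(FULL), usb_blocked, BLURAY),
        "cd full, usb blocked, devices exception": media_decision(
            MediaPolicy(FULL), DevicesPolicy({"USB": BLOCK}, exceptions=[allow_drive]), BLURAY),
        "cd full, usb blocked, cd exception": media_decision(MediaPolicy(FULL, [full_drive]), usb_blocked, BLURAY),
        "cd no access, usb allowed": media_decision(MediaPolicy(NO_ACCESS), usb_allowed, BLURAY),
        "cd no access, cd exception": media_decision(MediaPolicy(NO_ACCESS, [full_drive]), usb_blocked, BLURAY),
        "keyboard allow, usb blocked": devices_decision(DevicesPolicy({"USB": BLOCK}, {"Keyboards (USB)": ALLOW}), KEYBOARD),
        "keyboard always allow, usb blocked": devices_decision(DevicesPolicy({"USB": BLOCK}, {"Keyboards (USB)": ALWAYS_ALLOW}), KEYBOARD),
        "volumes no access, model wildcard": media_decision(MediaPolicy(NO_ACCESS, [kingston_model]), usb_allowed, KINGSTON),
    }

if __name__ == "__main__":
    for scenario, result in run_examples().items():
        print(f"{scenario:40} -> {result}")
```

    Running the script prints one line per scenario; the two keyboard rows show why a blocked USB interface needs "Always allow" rather than "Allow" on the keyboard entry, and the last row shows a model-level wildcard granting read-only access under a No access volume policy. The model is only a reading of the rules stated on this page, so confirm any non-obvious combination on a pilot client before relying on it.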

     

     

    Troubleshooting

     

    For troubleshooting information see How to troubleshoot Ivanti Endpoint Security Device Control