Setting up LES permissions for the Wireless class

Version 1

    Details

    Lumension Endpoint Security with Device Control (LDC), all supported versions

    BACKGROUND

    When you block access to the Wireless NIC class you will not receive an "Access Denied" message if you try to use the wireless connection without permission, unlike with other device classes. The computer may even connect to the Access Point and obtain an IP address, but no traffic will pass over the wireless link. SK-NDIS is a filter driver, so it blocks the traffic rather than tearing down the connection.

    Because a wireless NIC is initialized before login, you cannot assign the policy to individual users; the option is therefore to use the ‘Everyone’ group.

    PROCESS

    To provide a separate level of access while users are connected to the wired LAN vs. when they are not, include two sets of permissions and modify the 'Online state definition' per the steps below. This example sets it up for all managed endpoints (note that you can also set it at the Machine-Specific level, i.e. for an individual machine or a machine group):

    1.   Under Tools > Default Options, set the 'Online state definition' option to Wired Connectivity.

    2.   Create a Wireless NIC class offline Permission; let’s call it “Wireless NIC – Offline”
    •   Device Class: Wireless NICs
    •   Right-click the Wireless NICs class, hit “Add/Modify Offline Permissions…”.
    •   Hit the Add button, select ‘Everyone’.
    •   Permissions: Select both the Read and Write check boxes.

    3.   Create a Wireless NIC class online Permission; let’s call it “Wireless NIC – Online”
    •   Device Class: Wireless NICs
    •   Right-click the Wireless NICs class, hit “Add/Modify Online Permissions…”.
    •   Hit the Add button, select ‘Everyone’.
    •   Permissions: Leave both the Read and Write check boxes unchecked, so that no permission is granted (i.e. access is denied).


    Remember to check whether any permanent permission is already in place on the Wireless NICs class that may need removing or editing after the two permissions above have been added; an existing permanent Read/Write permission would otherwise override the intended online block.

    The above permission combination will prevent users from accessing Wi-Fi while a network cable is plugged in, but will allow Wi-Fi operation otherwise.

    When you unplug the network cable, the wireless connection will come alive after a few seconds. The Status window of the LES tray icon will display ‘Read/Write’ for the Wireless NIC class.
    Plug the network cable back in, wait a couple of seconds, and traffic will no longer flow over the wireless NIC. The Status window of the LES tray icon will display ‘None’ for the Wireless NIC class.

    As the Wi-Fi connection is not disabled but its traffic is blocked, as described above, the connection may ‘appear’ open to the naked eye. Should you wish to review which interface the data is travelling over, you may use something like Microsoft’s Netmon with two separate network traces running at the same time (one for each NIC). You will then be able to see the traffic flowing, or not flowing, as the case may be.
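    As an alternative to running two Netmon traces, the following PowerShell script is an added example (it is not part of this article and not a Lumension tool) that samples the byte counters of every connected adapter over a short window and reports which interface actually carried traffic. It assumes a client running Windows 8 / Server 2012 or later, where the NetAdapter module (Get-NetAdapter, Get-NetAdapterStatistics) is available; the adapter names and the 10-second window are assumptions you can change. An adapter that is "Up" and holds an IP address yet shows zero bytes during active use is exactly the blocked-but-connected symptom described above.

```powershell
# Added example (not from the Lumension KB article): sample per-adapter byte counters
# over a short window to confirm whether traffic actually crosses the wireless NIC
# while the wired cable is plugged in. Assumes the Windows NetAdapter module.
param(
    [int]$Seconds = 10   # assumed sampling window; generate traffic during it
)

function Get-AdapterSnapshot {
    # Returns a hashtable: adapter name -> media type plus cumulative byte counters.
    $snap = @{}
    foreach ($a in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
        $s = Get-NetAdapterStatistics -Name $a.Name
        $snap[$a.Name] = [pscustomobject]@{
            Media    = $a.MediaType        # e.g. '802.3' (wired) or 'Native 802.11' (Wi-Fi)
            Received = $s.ReceivedBytes
            Sent     = $s.SentBytes
        }
    }
    return $snap
}

$before = Get-AdapterSnapshot
Write-Host ("Sampling {0} adapter(s) for {1} seconds; generate some network traffic now..." -f $before.Count, $Seconds)
Start-Sleep -Seconds $Seconds
$after = Get-AdapterSnapshot

foreach ($name in $after.Keys | Sort-Object) {
    # Skip adapters that came up during the window; there is no baseline to diff against.
    if (-not $before.ContainsKey($name)) { continue }
    $rx = $after[$name].Received - $before[$name].Received
    $tx = $after[$name].Sent     - $before[$name].Sent
    # Zero bytes on an 'Up' Wi-Fi adapter while the cable is in = SK-NDIS filtering the link.
    $verdict = if (($rx + $tx) -eq 0) { 'no traffic (blocked or idle)' } else { 'traffic flowing' }
    '{0,-30} {1,-15} rx={2,10} tx={3,10}  {4}' -f $name, $after[$name].Media, $rx, $tx, $verdict
}
```

    Run it once with the cable plugged in and once with it removed while something is generating traffic (a file copy or a browser session); with the permissions above in place, the 'Native 802.11' adapter should report zero bytes in the first run and non-zero bytes in the second, matching the ‘None’ and ‘Read/Write’ values shown by the LES tray icon.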

    ADDITIONAL INFO

    Online State Definition values and their result

    Wired Connectivity value set from the “Online state definition” option (together with the policies outlined above in place):

    Scenario 1 - Your client machine has a LAN cable plugged in and is active.

    •   Access to Wi-Fi will not be allowed and the Status of the LES tray icon will display the NONE value.

    Scenario 2 - Your client machine has a LAN cable plugged in, is active and the LES Application Server (SXS) service is stopped

    •   Access to Wi-Fi will not be allowed and the Status of the LES tray icon will display the NONE value.

    Scenario 3 - The LAN cable is removed from the client machine.

    •   Access to Wi-Fi will be allowed and the Status of the LES tray icon will display the Read/Write value.

    Server Connectivity value set from the “Online state definition” option:

    Scenario 1 - Your client machine has a LAN cable plugged in, is active and the LES Application Server (SXS) service is running

    •   Access to Wi-Fi will not be allowed and the Status of the LES tray icon will display the NONE value.

    Scenario 2 - Your client machine has a LAN cable plugged in, is active and the LES Application Server (SXS) service is stopped

    •   Access to Wi-Fi will be allowed and the Status of the LES tray icon will display the Read/Write value.

    Scenario 3 - The LAN cable is removed from the client machine.

    •   Access to Wi-Fi will be allowed and the Status of the LES tray icon will display the Read/Write value.

    Note: most customers would set the Online State Definition to 'Wired Connectivity', since with 'Server Connectivity' a stopped or unreachable Application Server (SXS) service opens Wi-Fi access even while the cable is plugged in (Scenario 2 above).