The following instructions assume that you are on the Configure Storage Device Control Settings page in the Create New Storage Device Control Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Storage Device Control policy (see Editing a Policy’s Details).
The Storage Device Control policy enables control of the Windows AutoPlay feature and access to removable storage devices. You can define the default access control for all removable storage devices and, if required, override that setting with different access controls for the device types indicated below:
CD/DVD: Controls access to any devices listed under DVD/CD-ROM drives in Windows Device Manager.
Floppy Drive: Controls access to any devices listed under Floppy drives in Windows Device Manager.
Removable Storage: Controls access to any devices reporting as removable storage under Disk drives in Windows Device Manager.
Portable Device: Controls access to any devices reporting as Windows Portable Devices under Disk drives in Windows Device Manager.
The AutoPlay/AutoRun setting can only be configured on a global Storage Device Control policy. It is not available on location-based policies. This means that it is always applied regardless of the device’s location.
This setting controls the Windows AutoPlay feature. AutoPlay performs two processes. First, it launches the AutoRun process, which looks for an autorun.inf in the root directory and executes the instructions in the file. Second, it looks for specific content (music, video, and pictures) and launches the appropriate application to display or play the content. Select one of the following options:
Enable: Enables both AutoPlay and AutoRun.
Disable AutoRun: Disables the AutoRun feature so that autorun.inf instructions are not executed. AutoPlay is not disabled so music, video, and picture applications are still launched.
Disable AutoPlay/AutoRun: Disables both the AutoPlay and AutoRun features.
Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting from other Storage Device Control policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Storage Device Control policies assigned to the user’s groups, folders, or zone.
You control access to storage devices by selecting a default access control for all device types and then enabling or disabling an override access control for individual device types. The access control options are defined below:
Read/Write: Enables the user to have full access to the device on the client computer.
Disable: Prevents read and write access. When users attempt to access files on the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.
Read Only: Enables read access and disable write access. When users attempt to write to the device, they receive an error message from the operating system, or the application attempting to access the local storage device, that the action has failed.
Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting from other Storage Device Control policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Storage Device Control policies assigned to the user’s groups, folders, or zone.
The Default Access setting enables you to have one control for all removable storage devices when you want them to have the same access control. This includes FireWire, Windows Portable devices, storage cards, USB devices, and any other devices reported as removable storage under Disk drives in Windows Device Manager. If you want to have a different control for device types that use access overrides, you can use the Default Access Overrides configuration to implement those controls.
Use the options in the Default Access Overrides configuration to select an individual access control for any of the three storage device types CD/DVD, Floppy Drive, or USB Device. Select the applicable check box to enable access control selection or deselect a check box to disable an override and reset that device type to the Default Access setting.
The access controls for USB and WPD devices can include an exception list when the Default Access override option is enabled for these device types. This feature provides the capability to define access controls by device makes, models, or even individual devices if required. For example. Your Default Access control could be set to Disable, your Portable Device Access control could be set to Read Only, and devices in the Exception List could be set to Read/Write.
Each device that you add to an Exception List must include an access assignment. The Default Access setting is used as the default access assignment for (1) any device you import that does not have an access assignment and (2) any device you create whose access you set to Default Access.
Select from the following options:
Default Access: Use the control that is defined in the Default Access setting.
Read/Write: Enables read and write access.
Read Only: Enables read access and disables write access. When users attempt to write to the device, they receive an error message that the action has failed.
Disable: Prevents read and write access. When users attempt to access files on the device, they receive an error message that the action has failed.
The following table provides instructions for managing an Exception List:
Task |
Steps |
Additional Details |
---|---|---|
Create a new device |
|
The fields on the Recommended tab are typically sufficient to use for the match criteria. As a best practice, we recommend that you use the fewest number of fields needed to accurately match the device. The more fields you use, the more restrictive the definition becomes. The Manufacturer and Product fields are substring match. For example, “San”, and “SanDisk” both match all SanDisk devices while “SanDisk Cruzer” and “Cruzer” match all SanDisk Cruzer devices but excludes all other SanDisk devices. The Serial Number, Vendor ID, and Product ID fields are exact match. Be aware that not all devices have unique serial numbers. To guarantee a unique match based on a serial number, use the Vendor ID and Product ID fields as well. The Recommended fields are not case sensitive. The fields on the Advanced tab can be used to refine the match criteria in order to isolate very specific devices. Use of these fields can literally restrict a device definition so that it only matches a single device on a specific port on a specific computer. All of the Advanced fields are exact match. They are not case sensitive. |
Copy an existing device from another policy |
|
All devices included in the other Storage Device Control policies are copied. If necessary, you can edit the copied devices after they are added to the list. |
Import a device from a policy export file |
|
All devices included in the export file are imported. If necessary, you can edit the imported devices after they are added to the list. For information about exporting devices, see Export a device. |
Import a device from a Device Scanner file |
|
* The Access field must be selected on import if you want the access setting that is defined in the Device Scanner file to map to the Preferred Device List Access setting. Read Only has no Device Scanner mapping and must be selected manually. For information on how Access settings map, see Control Access Import Mapping (Exception List). For information about using the Device Scanner to collect data about USB devices, see Device Scanner in the ZENworks Endpoint Security Utilities Reference. |
Enable or disable a device |
|
When you add a device, it is enabled by default. You can disable a device to save it in the policy but no longer have it applied. |
Edit a device |
|
|
Rename an device |
|
|
Export a device |
|
|
Delete a device |
|
|
Device Scanner Access Setting |
Exception List Setting |
---|---|
Allow |
Read/Write |
Block |
Disable |
Always Allow |
Read/Write |
Always Block |
Disable |
Default Access |
Default Access |
No mapping |
Read Only |