There is not much difference between setting up permissions and defining audit, shadowing and alert rules for devices, so first read the Permissions section of this manual.
DeviceLock Service can use the standard Windows event logging subsystem to log a device's information. This is extremely useful for system administrators because they can use any event log reading software, such as the standard Event Viewer, to view the DeviceLock audit log. DeviceLock Service can also use its own protected proprietary log. The data from this log is sent to DeviceLock Enterprise Server and stored centrally in the database. To define which log should be used, set the Audit log type parameter in Service Options.
To define rules for a device type, highlight it (use Ctrl and/or Shift to select several types simultaneously) and select Set Auditing, Shadowing & Alerts from the context menu, available with a right mouse click. Alternatively, you can press the appropriate button on the toolbar.
There are two types of user access that can be logged to the audit log:
- Allowed - all access attempts that were permitted by DeviceLock Service, i.e. the user was able to access a device.
- Denied - all access attempts that were blocked by DeviceLock Service, i.e. the user was not able to access a device.
To enable logging to the audit log for one or both of these access types, check Audit Allowed and/or Audit Denied. To enable notification of successful and/or failed attempts to access a device, check Alert Allowed and/or Alert Denied. These flags are not linked to users or groups; they apply to a whole device type.
DeviceLock sends alerts on the basis of alert settings. Before
enabling alerts for specific events, you must configure alert
settings in Service Options.
The names of the users and user groups assigned to a device
type are shown in the list of accounts on the top left-hand side of
the Auditing, Shadowing & Alerts dialog box.
To add a new user or user group to the list of accounts, click
on the Add button. You can add several accounts
simultaneously.
To delete a record from the list of accounts, use the
Delete button. Using Ctrl and/or Shift you
can highlight and remove several records simultaneously.
Use the Set Default button to set default rules for
devices: members of the Users group and the Everyone
account have Read and Write audit rights and
shadowing is disabled for them.
Using special time control, you can define a time when the rule
for the selected user or user group will or will not be active.
Time control appears at the top-right side of the Auditing,
Shadowing & Alerts dialog box. Use the left mouse button
and select the time when the rule is active (active time). To
select a time when the rule is not active (inactive time), use the
right mouse button. Also, you can use the keyboard to set times -
arrow keys for navigation and the spacebar to toggle
active/inactive time.
To define which user's actions on devices are to be logged to
either the audit or shadow log or which actions will trigger alert
notifications, set the appropriate rights. In the upper-left pane of the dialog box, under
Users, select the user or group that you added. In the
lower-left pane of the dialog box, under User's Rights,
select either Allow or Deny to directly allow or deny
a right.
All rights are divided into three groups: Audit,
Shadowing and Alert. Each group has its own set of
rights:
- Audit - rights that belong to this group are responsible for actions logged into the audit log.
  NOTE: Until either Audit Allowed or Audit Denied is checked for the device type, logging to the audit log is disabled for that device in spite of defined audit rules. Also, logging to the audit log is disabled for devices that are in the white list and for a whole class of devices if the access control for that class is turned off in Security Settings.
  - Read - to log the read access attempts. For BlackBerry, Bluetooth, FireWire port, Infrared port, Parallel port, Serial port, USB port and WiFi device types, you can enable this right only if Write is selected in the Audit group.
  - Write - to log the write access attempts. For BlackBerry, Bluetooth, FireWire port, Infrared port, Parallel port, Serial port, USB port and WiFi device types, you can enable this right only if Read is selected in the Audit group.
  - Format - to log the direct write access attempts (e.g. formatting). Applies only to Floppy, Hard disk and Removable device types.
  - Print - to log all attempts to send documents to printers. Applies only to the Printer device type.
  - Execute - to log access attempts to remotely execute code on the device's side. Applies only to the Windows Mobile device type.
  - Read Non-files - to log the read access attempts for non-file objects (Calendar, Contacts, Tasks, etc.). Applies only to iPhone, Windows Mobile and Palm device types.
  - Write Non-files - to log the write access attempts for non-file objects (Calendar, Contacts, Tasks, etc.). Applies only to iPhone, Windows Mobile and Palm device types.
  - Copy - to log all attempts to paste data from the clipboard and capture screen shots. Applies only to the clipboard.
  - Mapped Drives Read - to log all attempts to read data from mapped drives during a terminal session. Applies only to TS Devices.
  - Mapped Drives Write - to log all attempts to write data to mapped drives during a terminal session. Applies only to TS Devices.
  - Serial Port Access - to log all attempts to access serial ports during a terminal session. Applies only to TS Devices.
  - USB Devices Access - to log all attempts to access USB devices during a terminal session. Applies only to TS Devices.
  - Clipboard Incoming - to log all attempts to paste data (text data, graphical data, audio data, files and any other unidentified data) from the clipboard to a terminal session/virtual machine. Applies only to TS Devices.
  - Clipboard Outgoing - to log all attempts to paste data (text data, graphical data, audio data, files and any other unidentified data) from the clipboard from a terminal session/virtual machine. Applies only to TS Devices.
- Shadowing - rights that belong to this group are responsible for actions logged into the shadow log.
  - Write - to enable shadowing of all data written by the user. Applies only to Floppy, iPhone, Optical Drive, Parallel port, Removable, Serial port, Windows Mobile and Palm device types.
  - Format - to enable shadowing of raw data written by the user via the direct disk access (e.g. formatting). Applies only to Floppy and Removable device types.
  - Print - to enable shadowing of all documents sent to printers. Later, these documents can be viewed using any PDF reading software (e.g. Adobe Acrobat Reader) and DeviceLock Printer Viewer. Applies only to the Printer device type.
  - Write Non-files - to enable shadowing of all non-file objects (Calendar, Contacts, Tasks, etc.) written by the user. Applies only to iPhone, Windows Mobile and Palm device types.
  - Copy - to enable shadowing of pasted clipboard data and captured screen shots. Applies only to Clipboard.
  - Clipboard Incoming - to enable shadowing of clipboard data pasted to a terminal session/virtual machine. Applies only to TS Devices.
  - Clipboard Outgoing - to enable shadowing of clipboard data pasted from a terminal session/virtual machine. Applies only to TS Devices.
- Alert - rights that belong to this group are responsible for alert notifications.
  NOTE: Until either Alert Allowed or Alert Denied is checked for the device type, notifications are disabled for that device in spite of defined rules.
  - Read - to notify on the read access attempts. For BlackBerry, Bluetooth, FireWire port, Infrared port, Parallel port, Serial port, USB port and WiFi device types, you can enable this right only if Write is selected in the Alert group.
  - Write - to notify on the write access attempts. For BlackBerry, Bluetooth, FireWire port, Infrared port, Parallel port, Serial port, USB port and WiFi device types, you can enable this right only if Read is selected in the Alert group.
  - Format - to notify on the direct write access attempts (e.g. formatting). Applies only to Floppy, Hard disk and Removable device types.
  - Print - to notify on all attempts to send documents to printers. Applies only to the Printer device type.
  - Execute - to notify on access attempts to remotely execute code on the device's side. Applies only to the Windows Mobile device type.
  - Read Non-files - to notify on the read access attempts for non-file objects (Calendar, Contacts, Tasks, etc.). Applies only to iPhone, Windows Mobile and Palm device types.
  - Write Non-files - to notify on the write access attempts for non-file objects (Calendar, Contacts, Tasks, etc.). Applies only to iPhone, Windows Mobile and Palm device types.
  - Copy - to notify on all attempts to paste data from the clipboard and capture screen shots. Applies only to the clipboard.
  - Mapped Drives Read - to notify on all attempts to read data from mapped drives during a terminal session. Applies only to TS Devices.
  - Mapped Drives Write - to notify on all attempts to write data to mapped drives during a terminal session. Applies only to TS Devices.
  - Serial Port Access - to notify on all attempts to access serial ports during a terminal session. Applies only to TS Devices.
  - USB Devices Access - to notify on all attempts to access USB devices during a terminal session. Applies only to TS Devices.
  - Clipboard Incoming - to notify on all attempts to paste data (text data, graphical data, audio data, files and any other unidentified data) from the clipboard to a terminal session/virtual machine. Applies only to TS Devices.
  - Clipboard Outgoing - to notify on all attempts to paste data (text data, graphical data, audio data, files and any other unidentified data) from the clipboard from a terminal session/virtual machine. Applies only to TS Devices.
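The Audit group constraints above can leave a rule defined but silently producing no log entries. The following is an added example, not DeviceLock code: it checks a planned rule against the applicability limits and the "logging is disabled" conditions stated on this page. The function and parameter names are hypothetical, and the sample inputs are constructed.

```python
# Added illustration: a lint for Audit-group rules, using only the constraints
# stated on this page. The function and parameter names are hypothetical.
PORT_TYPES = {"BlackBerry", "Bluetooth", "FireWire port", "Infrared port",
              "Parallel port", "Serial port", "USB port", "WiFi"}
MOBILE = {"iPhone", "Windows Mobile", "Palm"}
TS = {"TS Devices"}

# Audit rights the page limits to specific device types. Read and Write carry
# no "applies only to" restriction on the page, so they are not listed here.
APPLIES_ONLY_TO = {
    "Format": {"Floppy", "Hard disk", "Removable"},
    "Print": {"Printer"},
    "Execute": {"Windows Mobile"},
    "Read Non-files": MOBILE, "Write Non-files": MOBILE,
    "Copy": {"Clipboard"},
    "Mapped Drives Read": TS, "Mapped Drives Write": TS,
    "Serial Port Access": TS, "USB Devices Access": TS,
    "Clipboard Incoming": TS, "Clipboard Outgoing": TS,
}

def lint_audit_rule(device_type, rights, audit_allowed, audit_denied,
                    whitelisted=False, access_control_on=True):
    """Return findings for one account's Audit rights on one device type."""
    rights = set(rights)
    findings = []
    for right in sorted(rights):
        allowed_types = APPLIES_ONLY_TO.get(right)
        if allowed_types is not None and device_type not in allowed_types:
            findings.append(f"{right}: does not apply to {device_type}")
    # Port-style device types: Read and Write can only be enabled together.
    if device_type in PORT_TYPES and len(rights & {"Read", "Write"}) == 1:
        findings.append(f"Read/Write: must both be selected for {device_type}")
    # Conditions under which the page says nothing reaches the audit log.
    if rights and not (audit_allowed or audit_denied):
        findings.append("inert: neither Audit Allowed nor Audit Denied is checked")
    if whitelisted:
        findings.append("inert: device is in the white list")
    if not access_control_on:
        findings.append("inert: access control for this class is turned off")
    return findings

if __name__ == "__main__":
    # Constructed sample configuration, not exported from a real installation.
    print(lint_audit_rule("USB port", {"Read"}, audit_allowed=False, audit_denied=False))
    print(lint_audit_rule("Removable", {"Read", "Write", "Format"}, True, True))
```

The same checks carry over to the Alert group by substituting Alert Allowed and Alert Denied for the two device-type flags.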