Security Settings (devices)


 

These security parameters enable you to keep some device types completely locked, while allowing the use of certain device classes without the need to authorize every device in the white list.

 

For example, you can disallow the use of all USB devices except mouse and keyboard devices that connect through the USB port.

 

DeviceLock supports these additional security parameters:

 

- Access control for USB HID - if enabled, allows DeviceLock Service to audit and control access to Human Interface Devices (mouse, keyboard, etc.) plugged into the USB port. Otherwise, even if the USB port is locked, Human Interface Devices continue to function as usual and audit is not performed for these devices.

 

- Access control for USB printers - if enabled, allows DeviceLock Service to audit and control access to printers plugged into the USB port. Otherwise, even if the USB port is locked, printers continue to function as usual and audit is not performed for these devices.

 

- Access control for USB Bluetooth adapters - if enabled, allows DeviceLock Service to audit and control access to Bluetooth adapters plugged into the USB port. Otherwise, even if the USB port is locked, Bluetooth adapters continue to function as usual and audit is not performed for these devices.

 

This parameter affects audit and access control on the interface (USB) level only. If the device belongs to both levels (interface and type), the permissions and audit rules (if any) for the type (Bluetooth) level will be applied anyway.

 

- Access control for USB and FireWire network cards - if enabled, allows DeviceLock Service to audit and control access to network cards plugged into the USB or FireWire (IEEE 1394) port. Otherwise, even if the USB or FireWire port is locked, network cards continue to function as usual and audit is not performed for these devices.

 

- Access control for USB scanners and still image devices - if enabled, allows DeviceLock Service to audit and control access to scanners and still image devices plugged into the USB port. Otherwise, even if the USB port is locked, these devices continue to function as usual and audit is not performed for these devices.

 

- Access control for serial modems (internal & external) - if enabled, allows DeviceLock Service to audit and control access to modems plugged into the COM port. Otherwise, even if the COM port is locked, modems continue to function as usual and audit is not performed for these devices.

 

- Access control for USB storage devices - if enabled, allows DeviceLock Service to audit and control access to storage devices (such as flash drives) plugged into the USB port. Otherwise, even if the USB port is locked, storage devices continue to function as usual and audit is not performed for these devices.

 

This parameter affects audit and access control on the interface (USB) level only. If the device belongs to both levels (interface and type), the permissions and audit rules (if any) for the type (Removable, Floppy, Optical Drive or Hard disk) level will be applied anyway.

 

- Access control for virtual Optical Drives - if enabled, allows DeviceLock Service to audit and control access to virtual (software emulated) CD/DVD/BD-ROMs. Otherwise, even if the CD/DVD/BD device is locked, virtual drives continue to function as usual and audit is not performed for these devices. This parameter is effective only for Windows 2000 and later systems.

 

- Access control for FireWire storage devices - if enabled, allows DeviceLock Service to audit and control access to storage devices plugged into the FireWire port. Otherwise, even if the FireWire port is locked, storage devices continue to function as usual and audit is not performed for these devices.

 

This parameter affects audit and access control on the interface (FireWire) level only. If the device belongs to both levels (interface and type), the permissions and audit rules (if any) for the type (Removable, Floppy, Optical Drive or Hard disk) level will be applied anyway.

 

- Access control for virtual printers - if enabled, allows DeviceLock Service to audit and control access to virtual printers which do not send documents to real devices, but instead print to files (e.g. PDF converters). Otherwise, even if the physical printer is locked, virtual printers continue to print as usual and audit is not performed for them. This parameter is effective only for Windows 2000 and later systems.

 

- Access control for intra-application copy/paste clipboard operations - if enabled, allows DeviceLock Service to audit and control access to copy/paste operations within an application. Otherwise, even if the clipboard is locked, access control for copy/paste operations within one application is disabled and audit is not performed for them.

 

- Block FireWire controller if access is denied - if enabled, allows DeviceLock Service to disable FireWire controllers when the Everyone account has No Access permissions for the FireWire port device type.

 

- Switch PostScript printer to non-PostScript mode - if enabled, DeviceLock Service makes PostScript printers act like non-PostScript printers. This resolves an issue in which DeviceLock Service is unable to create a correct shadow copy of printed data and perform content analysis of data sent to printers that use a PostScript driver.

 

- Treat TS forwarded USB devices as regular ones - if enabled, allows DeviceLock Service to control access to all USB devices redirected during a Citrix XenDesktop/RemoteFX session according to the rights set for the USB port device type. Otherwise, DeviceLock Service controls access to all USB devices redirected during a Citrix XenDesktop/RemoteFX session according to the USB Devices Access right set for TS Devices.

 

 

Security Settings are similar to the device white list but there are three major differences:

 

1. Using Security Settings you can only allow a whole class of device. You can't allow only a specific device model, while locking out all other devices of the same class.

 

For example, by disabling Access control for USB storage devices, you allow the use of all USB storage devices, regardless of model and vendor. By specifying the one USB Flash Drive model you want to allow on the devices white list, you ensure that all other USB storage devices remain locked out.

 

2. Using Security Settings you can only select from the predefined device classes. If the device doesn't belong to one of the predefined classes, then it can't be allowed. 

 

For example, there is no specific class for smart card readers in Security Settings, so if you want to allow a smart card reader when the port is locked, you should use the devices white list.

 

3. Security Settings can't be defined on a per-user basis; they affect all users of the local computer. However, devices in the white list can be defined individually for each user and group.

 

NOTE: Security Settings work only for devices that use standard Windows drivers. Some devices use proprietary drivers, and their classes can't be recognized by DeviceLock Service. Hence, access control for such devices can't be disabled via Security Settings. In this case you may use the devices white list to authorize such devices individually.
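
The two-level rule described above, as an added example that is not DeviceLock code: a small Python model of how an interface-level Security Settings parameter combines with type-level permissions, and which devices end up outside interface-level audit. The policy dictionaries, class keys and device list are constructed for illustration and are not a DeviceLock format.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy for illustration; not a DeviceLock export format.
# True means the "Access control for ..." parameter is enabled.
ACCESS_CONTROL = {"usb_hid": False, "usb_storage": False, "usb_printer": True}
INTERFACE_ALLOWED = {"usb": False}    # the USB port is locked
TYPE_ALLOWED = {"removable": False}   # the Removable type is denied


@dataclass
class Device:
    name: str
    interface: str
    sec_class: Optional[str]  # predefined Security Settings class, if any
    dev_type: Optional[str]   # type-level category, if any


def evaluate(dev: Device) -> tuple:
    """Return (allowed, interface_controlled) for one device."""
    # A device with no recognized class (no predefined class, or a
    # proprietary driver) always stays under interface-level control.
    controlled = dev.sec_class is None or ACCESS_CONTROL.get(dev.sec_class, True)
    allowed = True
    if controlled and not INTERFACE_ALLOWED.get(dev.interface, True):
        allowed = False
    # Type-level permissions apply whatever the interface-level parameter says.
    if dev.dev_type is not None and not TYPE_ALLOWED.get(dev.dev_type, True):
        allowed = False
    return allowed, controlled


def interface_audit_gaps(devices):
    """Names of devices that bypass interface-level control and audit."""
    return [d.name for d in devices if not evaluate(d)[1]]


DEVICES = [
    Device("mouse", "usb", "usb_hid", None),
    Device("flash drive", "usb", "usb_storage", "removable"),
    Device("printer", "usb", "usb_printer", None),
    Device("smart card reader", "usb", None, None),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.name, evaluate(d))
    print("no interface-level audit:", interface_audit_gaps(DEVICES))
```

In this model the flash drive is still blocked by the type-level rule even though its interface-level control is disabled, while the smart card reader stays locked because it has no predefined class to exempt.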