Access Control
Basics
With Access Control, you can manage access rights for users and computers in your directory. Activate Access Control for computers or for users accordingly.
- Configurable for users and computers.
- Applicable to device classes and port types (all external storage media, all scanners, etc.).
- Applicable to specific device and port models (based on model name, specific hardware ID, serial number, etc.).
- Offers different access rights for online and offline Agents.
- Makes it possible to differentiate between rights for online and offline Agents, and unknown or known users. Unknown users are either the users not registered on the Server or the own directory users for whom no products have been activated.
Controlling access to device and port types
For the access rights configuration to take effect, activate Access Control for the selected object (user/computer). For details, see: Activating products
Not blocked devices - If a device (e.g. USB HID device) got no known functionality in Windows, it will not be detected in device classes. These devices got no security relevant functionalities and will not be blocked by EgoSecure Agent.
Controlling access to drive and device types
- In the User management/Computer management | Control, select a user or a computer in the User management/Computer management work area.
- In the lower area, select the Devices and ports tab.
- In the Profile drop-down, select whether permissions apply to online or offline mode. Offline mode means that there is no connection to EgoSecure Server.
- Right-click a device.
- Select an access type in the context menu. Depending on the device type, the following options are available:
- Not controlled (EgoSecure doesn’t control a selected device)
- No access
- Read access (only storage media)
- Write access (only storage media)
- Print access (only locally connected printers)
- Full access
- Scheduled access, for details refer to: Configuring scheduled access
- Playback access (only sound, video and game controllers)
- Temporary access, for details refer to: Configuring one-time access
- Click Save.
- The new permissions apply on the Agents.
Permissions specified for an online mode are automatically applied to an offline mode until making changes to the offline profile. To change permissions for the offline mode, repeat the steps above and select Offline profile.
Controlling access to port types
You can control access to ports. The following ports are controllable:
- FireWire
- PCMCIA
- Parallel
- Serial
- USB (except mice and keyboards)
Priority over device type settings
The settings for ports have priority over the settings for device types. So a full access to external storage media may be defined, but access will be blocked if the storage medium is connected via USB and an access to the USB port is not allowed. Individual device permissions, on the other hand, work independently of the access rights for ports.
Online and offline mode
If you make the changes for an online profile, these changes are inherited to an offline profile. Once you make changes to the offline profile, different sets of rights are applied. If necessary, adjust access rights for the offline profile too.
Configuring access to ports
- Go to User management/Computer management | Control.
- Select a user or a computer in the User management/Computer management work area.
- In the lower section, click the Devices and ports tab.
- Click Ports on the toolbar.
- Right-click a port and select an access type.
- Click Save.
- The selected access type applies to all not individually permitted devices connected to the configured port.
Granting temporary or scheduled access
Configuring one-time access
- On the navigation pane, go to User management/Computer management | Control.
- Select a user or a computer in the User management or Computer management work area.
- In the lower section, click the Devices and ports tab.
- Right-click a device and a port and select Temporary right access.
- The Temporary right access dialog appears.
- Select an access type and define a time period.
- Click OK to confirm.
- In the Device and ports tab, click Save.
Configuring scheduled access
- Right-click a device or a port and select Scheduled access.
- The Access rights – time schema dialog appears.
- Click and drag to select a time period.
- Select an access type.
- Click OK to confirm.
- Click Save in the Devices and ports tab.
Blocking all devices (emergency)
You can block access to all devices and ports in case of emergency with one click. To block all user/computer accesses perform the following:
- Go to User management/Computer management | Control, select a user or a computer in the User management/Computer management work area.
- In the lower section, go to Devices and ports tab.
- Click Emergency on the toolbar.
- Click OK in the dialog.
- The user/computer permissions are now set to No access for all devices and ports. No access is not applied for network share, thin client storage and local printers device types if their control is disabled under Computer management | Settings | Client settings. For such device types enable the control and then apply no access manually.
Restricting or granting access to known devices
Via User management and Computer management, you can assign access rights for device classes and port types on the whole. This means that all device models of this device class (or all ports of this type) can be used. You can limit the usage of specific device models globally. You can also assign individual rights for specific device models to certain users or computers.
Restricting access globally to device models
To globally limit the usage of specific device models, add them to permitted device models. Not listed device models are globally forbidden (exception: User-specific known devices). Under Permitted device models you can add all devices ever connected to Clients.
Access rights for devices from permitted device models
Permitted device models have access rights assigned to a device class. E.g.: flash card SMI USB DISK Device has read access, because under Computer management | Control | Devices and ports, read access is assigned to the external storage device class.
Creating a list of permitted device models
- Go to Permitted devices | Removable devices | Permitted device models.
- To search on a computer for devices, which are currently connected or have been connected:
- Select a computer in the List of EgoSecure Agents work area. To multi-select computers, hold-down Ctrl and click.
- In the Permitted device models area, click Scan computer.
- The Add new device – Scan computer dialog appears. Devices already added to the list of permitted ones are highlighted with bold, devices which were disconnected have a red icon.
- To hide unconnected devices, enable Show only available devices.
- Select a device or a port from the list. To multi-select, hold-down Ctrl and click.
- Click Add.
- The dialog closes. The device is added to the list of permitted ones. -or-
- In the Add new device – Scan computer dialog, select the added device and click Update to close the dialog and update the device info.
- To search the database for devices, which are currently connected or have been connected to network computers
- In the Permitted device models area, select Devices database.
- The Add new device – Devices database dialog appears.
- In the Computer drop-down, select computers to see the list of devices on the selected computers. Select <All> to see the list of devices on all computers of the directory.
- Select a device. To multiselect, hold down Ctrl and click.
- Click Add.
- The dialog closes. The device is added to the list of permitted ones.
- Click Save.
- The white list of device models is applied to all Agents of a company where Access Control is activated. Not listed device models are blocked.
You can search for devices on certain clients or in the database. To write data to a device database, enable the Accept data for devices DB option in the AdminTool.
Allowing user-specific or computer-specific known devices
In individual device permissions, you can specify the devices that a user/computer is allowed to use regardless of the list of permitted device models and the access rights for device types. Individual access rights also apply if access to the device type is not permitted for the user/computer (defined under User management/Computer management | Control | Devices and ports) or the device model is globally locked (defined under Permitted devices | Permitted device models). What is more, you can allow certain devices to be used only on certain computers. When allowing a device individually, select the criteria according to which the device is identified.
Avoiding system conflicts - To avoid system conflicts, do not add one device with different criteria to the list.
You can use wildcards in the Hardware ID, Serial number and Name fields. These fields are case-sensitive.
Criteria
|
Criteria |
Description |
|---|---|
|
Hardware ID + serial number |
Combination of Hardware ID and serial number (default). Serial number is not always the same. If a serial number is unique, the checkmark is displayed in the Unique column.
|
|
Hardware ID |
Unique ID of a specific device model/port. Remains unchanged when connecting to different devices. |
|
Volume ID |
Windows unique ID created when formatting a drive. |
|
Device + Volume ID |
Combination of Hardware ID, serial number und volume ID. For Hardware ID and serial number, you can use wildcards:
|
|
Name |
Windows device name. To view the device name in Windows Explorer: right-click a device, click Properties button in the Hardware tab. Remains unchanged when connecting to different devices. You can use wildcards:
|
Allowing device for user
- Go to Permitted devices | Removable devices | Individual device permissions.
- To search on a computer for devices, which are currently connected or have been connected:
- Select a computer in the List of EgoSecure agents work area. To multi-select, hold-down Ctrl and click.
- In the Individual device permissions area, click Scan computer.
- The Add new device – Scan computer dialog appears. Devices already added to the list of permitted ones are highlighted with bold, devices which were disconnected have a red icon.
- To hide unconnected devices, enable Show only available devices.
- Select a device or a port from the list. To multi-select, hold-down Ctrl and click.
- Under Allow by criteria, select according to which criteria the device is identified.
- Click Add.
- The dialog closes. The device is added to the list of permitted ones.
- -or-
- In the Add new device – Scan computer dialog, select the added device and click Update to close the dialog and update the device info.
- To search the database for devices, which are currently connected or have been connected to network computers
- In the Individual device permissions area, select Devices database.
- The Add new device – Devices database dialog appears.
- In the Computer drop-down, select computers to see the list of devices on selected computer. Select <All> to see the list of devices on all computers of the directory.
- Select a device. To multiselect, hold down Ctrl and click.
- In the Last used column, the information about the last connection of a device to a computer is displayed.
- Under Allow by criteria, select according to which criteria the device is identified.
- Click Add.
- The dialog closes. The device is added to the list of permitted ones.
- Configure the individual rights for the device:
Allowing a device to all users on a certain computer
- Select the device in the list.
- In the lower area, click Add in the Computers tab.
- The Selection of computers dialog appears.
- Select a computer and click OK.
- The Selection of computers dialog closes. The computer appears in the Computers tab. In the Users tab, <All users> are listed (default).
- If necessary, define other settings for using a device in the lower area.
- Click Save.
- All users are allowed to use this device on a selected computer. Access Control product activation is not required.
Allowing a device for certain users on all computers
- Select the device in the list.
- In the lower area, click Add in the Users tab.
- The Selection of users dialog appears.
- Select a user and click OK.
- The Selection of users dialog closes. The user appears in the Users tab. In the Computers tab, <All computers> are listed (default).
- If necessary, define other settings for using a device in the lower area.
- Click Save.
- The user is allowed to use this device on all computers. For the rights to apply, Access Control must be activated for a user and not activated for a computer.
Allowing a device for certain users on certain computers
- Select the device in the list.
- In the lower area, click Add in the Users tab.
- The Selection of users dialog appears.
- Select a user and click OK.
- The Selection of users dialog closes. The users appear in the Users tab.
- Click Assign computers button.
- The Selection of computers dialog appears.
- Select a computer and click OK.
- The dialog closes and a computer appears under a user.
- If necessary, define other settings for using a device in the lower area.
- Click Save.
- The user is allowed to use this device only on the selected computer. For the rights to apply, Access Control must be activated for a user and not activated for a computer.
Defining other settings for using a device
- Access rights: To change the access type for the devices (irrespective of the access rights specified under User management and Computer management), click the entry in the Access rights column. If you define a scheduled access right, the time scheme appears in the Time schema column. The individual access rights apply to a user only if Access Control is deactivated for a computer.
- File type filter: Select which filters to apply when using this device. For details, see: Filters
- <User filters>: applies the filters assigned to user/computer in User management/Computer management.
- <No filter>: disables filters assigned to the user/computer (only for this device).
- [Filter name]: offers all available filters for selection.
- Filter type: defines a mode for the selected filter:
- Click for the Whitelist mode.
- Click for the Blacklist mode.
- Encryption: select an encryption type for a user (computer) exclusively on this device or allow to use this device without encryption:
- <User encryption>: applies the encryption types assigned to user/computer in User management/Computer management.
- <Without encryption>: allows a user/computer to use a device without encryption.
- [Encryption type]: offers all available encryption types for selection. Note: The selected encryption type must be assigned to the user/computer and an encryption product must be activated for the user/computer.
- Mobile encryption: enable the check box to permit the adding of a mobile key for encryption. Note: The mobile encryption can not be activated if <User encryption> is selected in the previous step. Make sure to enable the mobile encryption for the user/computer; the user/computer must create a mobile key.
- Click Save.
- Individual access permissions for one device are assigned. To assign the same access permissions to other devices, use the Copy rights button.
Process encryption type priority. Encryption type selected for a process has priority over encryption type selected for a device. E.g.: For the notepad.exe process the individual encryption is selected and for a device the group encryption type is selected. Once a text file is copied to the device, it is encrypted with the group encryption type. Once the text file is edited with the notepad, it is re-encrypted with the individual type.
Copying usage settings
- Select the device (where the rights are copied to) from the list.
- Click the Copy rights button.
- The Copy rights dialog appears.
- Select the device from where to copy the rights.
- Select one of the options for copying rights:
- Overwrite to delete old rights and assign new ones.
- Append to add new rights in addition to the existing ones.
- Click OK to confirm.
- The rights apply for the selected device.
Media permissions: allowing known optical storage media
Via media permissions, define CDs and DVDs, access to which is globally or user-specifically allowed. The access rights apply even if a user/computer is not permitted to access the CD/DVD device class (defined under User management/ Computer management | Control | Devices and ports).
Pay attention that Media permissions have priority over access rights for CD/DVD-ROMs (defined under User management/Computer management | Devices and ports and under Permitted devices | Individual device permissions).
Permission update required for changed data. EgoSecure calculates and stores a unique string (hash value) for each permitted media to identify it. The calculation is based on the media data. Once the data changes or new files are written to the media, the hash value changes and media permissions must be redefined.
Allowing CD or DVD
- Go to Permitted devices | Removable devices | Media permissions.
- In the List of EgoSecure agents work area, select a computer where a disk is currently connected. To multi-select computers, hold-down Ctrl and click.
- Click Scan computer. The Device database option is not available, because disks can be added to the list only when they are connected at the moment of adding.
- The Add new device – Scan computer dialog appears.
- Select the CD/DVD and click Add.
- The media appears in the list with the checked box.
- Select the disk and define computer and user permissions for using this disk:
- In the lower area, click Add.
- In the Selection of users/Selection of computers dialog, select a user/computer.
- Click OK to confirm.
- The user/computer appears in the lower area.
- Click the entry in the Access rights column to specify access rights:
- Full access: Reading and writing allowed. Warning: Changing the data requires to redefine the permissions.
- Write access: Only writing allowed. Warning: Changing the data requires to redefine the permissions.
- Read access: Only reading allowed.
- Scheduled access: Opens the Access rights – time schema dialog, where you specify a time period for permissions.
- Click Save.
To transfer the defined access rights to other optical storage media, use the Copy rights button. For details, see: Copying usage settings
Granting user requested access rights
Online Clients
- Via the Access request tab, a user can request specific access rights for one or more device types or instances.
- The following access rights are available depending on a device type:
- Not controlled (EgoSecure doesn’t control a selected device)
- Read access (only storage media)
- Print access (only locally connected printers)
- Full access
- Playback access (only sound, video and game controllers)
- Once the requested rights reach the Server, they appear under Administration | Administrator | Access rights requests.
Granting access to a device type or instance
To allow users to request access rights via EgoSecure Agent, enable the Allow requests for access rights option under Administration | Clients | Client settings. Note, in the case of a device instance, the specific instance ID is shown.
- In Console, go to Administration | Administrator | Access rights requests.
- All received requests are displayed. Unprocessed requests are highlighted in bold.
- Right-click an access rights request and select in the context menu:
- Accept request, to permit requested rights. The rights are changed automatically, the user receives a notification. Message text can be customized, for details, see: Customizing user messages.
- Accept request (temporary), to grant the access right only for a certain time period. The user receives the same notification as for Accept request.
- Decline request, to decline requested access rights. The user receives notification, message text can be customized, for details, see: Customizing user messages.
- Mark as read/unread, to mark notifications for the reasons of convenience. No changes are made in user rights as a result.
- Delete, to remove the notification from the list.
- User management, to go to the user entry in User management and see the list of permissions and assign access rights manually, if necessary.
- Computer management, to go to the computer entry in Computer management and see the list of permissions and assign access rights manually, if necessary.
- The access for the device remains except should you assign a temporary access right.
The access to certain device models on the Client can be changed via the Challenge-response procedure. For details, see: Allowing connected devices via unblocking code When an access request refers to a specific device instance, the identity details of the instance will be shown in the corresponding access request column entry.
Offline Clients
When the Agent is offline (no connection between Agent and Server), the settings defined for the offline profile apply. For details, see: Configuring offline profile. Changes to offline permissions take effect when Agent becomes online. To apply the changes of rights and settings on offline Agents, use an unblocking code or import a file with settings.
- Exporting the whole user permission profile to a file
- Granting access to known devices via the challenge-response procedure
- Granting access to a device type via an unblocking code
Exporting permission profile
You can export the following settings:
|
Setting |
Definition in Console |
Display on Agent |
|---|---|---|
|
Access rights |
User management/Computer management | Control | Devices and ports tab |
Access Control | User rights |
|
Permitted device models |
Permitted devices | Removable devices | Individual device permissions; Permitted device models; Media permissions |
Access Control | Connected devices |
|
Encryption settings |
Permitted encryption products and available encryption types are assigned under User management/Computer management | Encryption |
Encryption |
|
Export public keys only |
Permitting only common encryption type and export the associated key |
Encryption | Encryption keys |
- Select a user in the User management work area.
- Define access rights, permitted devices and encryption settings.
- Right-click the user and select Export settings from the context menu.
- A dialog for selecting the settings appears.
- Select the settings for the export and click OK to confirm.
- The Save as dialog appears.
- Save the .esd file with the settings and send it to the user (e.g. by e-mail).
- Via EgoSecure Agent the user can now import the file and receive the settings:
Allowing connected devices via unblocking code
If a user wants to use a connected device for which he doesn’t have access, he can request access rights only for the device. The user generates a request code and sends it to the administrator.
Generating a response code via challenge-response
- In Console, go to Permitted devices | Challenge-response unblocking code.
- Enter the code that a user generated and provided.
- If necessary, edit an access right in the Access drop-down.
- In the Code expiry date field, select till what date the code is valid.
- Click Generate.
- The generated code appears in the Code field. The code can be used several times till its expiration date.
- Send the code to the user.
- Via EgoSecure Agent the user can now enter the code and receive access rights:
- Once the connection between Agent and Server is established, an administrator is informed about the code activation under Reports | Control | Unblocking codes review.
- New code doesn’t replace the previous one.
Granting access to a device type via unblocking code
You can grant access rights to certain device types via an unblocking code. To generate an unblocking code, perform the following:
- Right-click a device class and select Generate unblocking code....
- The Unblocking code generation dialog appears.
- Select an access type and access period.
- Change the code expiry date, if necessary.
- Check the Ignore permitted device models list option, if a user needs a device not included in the list under Permitted devices | Permitted device models.
- Click Generate.
- The generated code appears in the Code field.
- Copy the code and send it to the Client (e.g. by e-mail).
- Via EgoSecure Agent the user can now enter the code and receive access rights:
- Once the connection between Agent and Server is established, an administrator is informed about the code activation under Reports | Control | Unblocking codes review.
- New code doesn’t replace the previous one.
Assigning different user rights for specific computers
The product must be activated only for the user and not for the assigned computer. If a product is activated for the computer, computer rights take effect.
- Right-click a user in the User management work area.
- Select Assign computers from the context menu.
- The Selection of computers dialog opens.
- Select a computer from the directory service structure and click .
- The computer appears under Selected computers.
- Click OK to confirm.
- The computer appears under the user.
- Click on the computer and edit the user-specific permissions on this computer in the lower area. For details, see: Controlling access
- Click Save.
- The user receives one set of access rights on the assigned computer and the other set of rights on other computers.
Filters: controlling access to the file formats
Supervisors can, via filters, define file formats that a user is allowed or not allowed to access on devices, network shares or in clouds. Specify either the access is allowed to all filtered file types (white list) or forbidden to all filtered file types (black list).
Specifying filter mode
- Go to Product settings | Filters | Settings.
- Click on
- White list, to allow only the file types that match the filter settings. All other file types are blocked.
- Black list, to forbid file types that match the filter settings. All other file types are allowed.
- To additionally scan archives and office files for allowed/blocked file types, enable the In archives or In files of Microsoft Office check boxes under Scan embedded files. The options can now be activated for the default user under User management | Default policies | Default rights (user). The inheritance of the options can be deactivated individually for a user.
- Click Save.
- The specified filter mode applies to all filters assigned to users.
Creating filters
- Go to Product settings | Filters | File type filters.
- In the File type filters area, you can see the predefined filters for audio/video files, compressed files, image files and office files.
- Click Add.
- A new entry appears in the list.
- Enter a filter name.
- To assign the filter to all users where Access Control is activated, enable the Global check box. Global filters unlike inherited filters cannot be disabled individually.
- In the Rule definition area, click Add.
- Specify the rules. You can use wildcards (placeholders) for file names and formats:
- * replaces any number of characters
- ? replaces a single character
- Define a specific file name in the Name column.
- In the File type column, select a file format from the drop-down list or double-click on the field and enter a file extension. E.g.: jpg filters all jpg files, jp* filters jpeg and jpg
- To specify a file size limit, double-click the entry in the Limit column. In the File size dialog, define the size of a file and click OK. If you use a black list mode, all files whose size does not exceed the defined limit will be allowed. If you use a white list mode, all files whose size exceeds the defined limit will be blocked.
- Supervisors can add other file formats, if necessary. For details about creating new file formats, see Defining file formats (advanced).
- To copy a filter rule to another filter:
- Select a rule you want to copy. To select multiple rules, hold down Ctrl and click.
- Right-click a rule and select Copy into… from the context menu.
- The Select object dialog appears.
- Select a filter where to copy the rule. To select multiple filters, hold down Ctrl and click.
- Click Save to confirm.
- The rule is duplicated to another filter.
- To move a filter rule to another filter:
- Select a rule you want to move. To select multiple rules, hold down Ctrl and click.
- Right-click a rule and select Move into… from the context menu.
- The Select object dialog appears.
- Select a filter where to move the rule. To select multiple filters, hold down Ctrl and click.
- Click Save to confirm.
- The rule is deleted from the current filter and assigned to the selected filter.
- Click Save.
- The new filter can now be assigned to users or groups.
Assigning filters
- Go to User management and select a user.
- Under Filters, select where a filter takes effect:
- External storage
- Network shares (including thin client storage if its control is enabled)
- Cloud storage
File type filter in clouds: avoiding problems with OneDrive. Disable the Save space and download files as you use them option.
- Enable a filter.
- Now all existing global filters, filters inherited from a group and/or default user and individually enabled filters are assigned to the user.
- To disable inheritance, enable the Activate individual settings check box.
- The previously inherited filters remain selected, uncheck them, if necessary. Global filters apply no matter whether they are enabled in the first column or not and whether inheritance is enabled or not.
- Click Save.
- If necessary, adjust the options for scanning archives and Microsoft Office files. For details, see: Specifying filter mode
- Go to User management | Settings | User settings.
- In the File type filter – embedded files area, enable the Activate individual settings check box and edit the settings.
- Click Save.
- All files corresponding to the filter are now either allowed (whitelisted) or blocked (blacklisted) for the user.
Temporary disabling filters
- Select a user under User management and then select any tab under Filters. The tab selection plays no role, because the filters will be disabled for all storage types.
- Click the Unblocking code… button.
- The Unblocking code generation – File type filter dialog opens.
- Specify a time period.
- Click Generate.
- The generated code appears in the Code field.
- Copy the code and send it to the Client (e.g. by e-mail).
- Via EgoSecure Agent the user can now enter the code and receive access rights:
Defining file formats (advanced)
Only the Supervisor account can access the File Formats dialog. Delete operations are no longer supported.
If the necessary file format is not in the list of predefined ones, supervisors can specify a format. This requires the format’s buffer (file signature in a hexadecimal format) and offset (digit, which identifies a fixed place of a signature in a file) values. The buffer and offset values of the most popular file formats can be found on the Internet while unknown formats should be requested from the program developers.
- Go to Product settings | Filters | Content filter definition.
- In the Rules definition area, click Define file formats.
- The File format editor dialog appears.
- Click Add.
- New entry appears.
- In the Format description area, add information about a format:
- In the Name field, define a format name.
- In the Extension(s) field, enter file ending. E.g.: jpg, jpeg.
- In the Comment field, add notes.
- In the Rule definition area, define rules for a format:
- In the Buffer field, enter a file signature in a hexadecimal format. E.g.: FF D8 FF
- In the Offset field, enter a number which identifies the place of a signature in the file. E.g.: 0 (informs that file signature is at the beginning of the file).
- Click Save.
- The dialog doesn’t close to all to add more formats.
- Carefully verify the information entered: formats, once added, cannot be deleted.
- Click Close.
- The dialog closes.
- New format appears in the list of predefined formats in the drop-down of the File type column.
Controlling cloud access
No Box Drive support. Although Box Sync and Box Drive are the products of one company, EgoSecure supports only Box Sync.
Configuring access
Enabling control for clouds
- Go to User management | Settings.
- In the User management work area, select a default user, a group or an individual user.
- In the Cloud storage tab, if you configure not the default user, enable the Activate individual settings check box.
- The previously inherited clouds remain selected, uncheck them, if necessary.
- Select clouds types to take them under control.
- Click Save.
- Selected clouds are now under control. The cloud-related EgoSecure products will apply their actions only to the controlled clouds.
Assigning access rights for controlled clouds
- Go to User management | Control.
- In the User management work area, select a default user, a group or an individual user.
- If you configure not the default user, enable the Activate individual settings check box in the Cloud storage tab.
- Previously inherited rights for clouds selected, change them, if necessary.
- Click in the Access rights column of a controlled cloud storage to change the rights.
- For the OneDrive cloud type, the full access (without file fetching) access type is available. For details, see: Use OneDrive to fetch files on a PC (external link).
- Dropbox is controlled only in the File Explorer mode; Dropbox is not supported in the Dropbox desktop app mode.
- Click Save.
- To additionally block access to web addresses of controlled cloud storage types, go to User management | Control | Firewall and enable the Block cloud web address check box.
- Click Save. Web addresses of all controlled clouds are blocked for all applications except the cloud native applications, which are used for the automatic synchronization of the local cloud copy with a cloud itself.
One Drive and One Drive for Business not controlled separately via Firewall. If either of the clouds – One Drive or One Drive for Business – is controlled, access to both their web addresses is blocked.
Using a proxy server. Cloud web address are not blocked if a computer connects to the Internet using a proxy server.
Restricting access to certain file formats
You can limit access to specific file formats in clouds: Creating file filters
- Select a user under User management.
- Enable a filter under Filters | Cloud storage tab.
- Click Save.
- The filter takes effect on all cloud storage types where access rights are defined for a user under User management | Control | Cloud storage.
Controlling LAN/WLAN/LTE access
Network driver required. To manage network access, install the network driver on the Clients. To install the network driver, enable the Install network driver for WLAN control option before generating the MSI package. If the option hasn’t been enabled during the first Agent installation, enable the option, generate the MSI package and update the Agents. For details, see: Installing EgoSecure Agents
Preventing simultaneous usage of different network connections (antibridging)
You can control network connections so that only one connection (LAN or WLAN) is always available on the clients at the same time.
To use this functionality, it is not necessary to activate the Access Control product for a computer, the Access Control license must be just available under Administration | Licenses | License management.
Local Agent reinstallation in case of wrong configuration. Selection of more than one antibridging options may lead to the situation when no network is available on the Client. As a result, connection between Agent and Server may be lost and no changes in the Antibridging settings can be transferred to the Agent. In this case, only Agent local reinstallation is a solution. Select the options to maintain the connection between Agent and Server.
- Under Computer management | Control, select a computer from the directory service structure.
- In the Antibridging tab, to disable the inheritance of settings from a group or from a default computer, enable the Activate individual settings check box.
- Previously inherited options remain selected, uncheck them if needed.
- Enable the options:
- No WLAN when LAN is active: Block all WLAN connections if LAN connection is available.
- No WLAN when WLAN is active: Block all WLAN connections except the one WLAN used for connection from Agent to Server at the moment of assigning this option. If no WLAN is used at the moment, any WLAN is randomly selected from the list of available WLANs.
- No WLAN when LTE is active: Block all WLAN connections if LTE connection is available.
- No LAN when WLAN is active: Block all LAN connections if WLAN connection is available.
- No LAN when LAN is active: Block all LAN connections except the one LAN used for connection from Agent to Server at the moment of assigning this option. If no LAN is used at the moment, any LAN is randomly selected from the list of available LANs.
- No LAN when LTE is active: Block all LAN connections if LTE connection is available.
- No LTE when LAN is active: Block all LTE connections if LAN connection is available.
- No LTE when WLAN is active: Block all LTE connections if WLAN connection is available.
- No LTE when LTE is active: Block all LTE connections except the one LTE used for connection from Agent to Server at the moment of assigning this option. If no LTE is used at the moment, any LTE is randomly selected from the list of available LTEs.
- Ignore virtual devices: Do not take network connections on virtual devices into account during antibridging.
- Click Save.
WLAN adapter is not disabled. EgoSecure does not disable WLAN adapters, but blocks the connection. A blocked adapter may continue to display as a connected one under Windows. However, data transfer does NOT occur. To check the antibridging functionality on the Client, open the WLAN connection status in the Control Panel (number of sent and received data is displayed as 0) or enter the command ipconfig/all in the Windows command prompt (connection must be displayed as disconnected).
Defining permitted WLANs
When defining permitted WLANs, only the assigned WLANs are permitted. Other WLANs not included in the list are blocked.
Blocked WLAN in case of enabled antibridging. Make sure that assigned WLAN is not blocked by Antibridging settings. For details, see: Antibridging
Defining permitted WLAN networks
- Go to Permitted devices | Removable devices | WLAN permissions.
- Click Add in the WLAN permissions area.
- Define a name for a WLAN filter.
- In the Rule definition - <filter name> area, click Add and then enter a SSID and/or MAC address of the WLAN access point.
- Enable the Password-protected check box if the connection must be secure.
- Define, for which computers the permission must take effect:
- To assign the WLAN filter for all computers of the directory service structure, enable the Global check box. This filter works independently of the Access Control product activation on Clients.
- To assign the WLAN filter only for an individual computer, leave the Global checkbox disabled and assign WLAN filters individually under Computer management | Filters | WLAN permissions.
- Click Save.
- You can now assign the filter to a default computer (with inheritance to all existing computers where Access Control is activated) or to individual computers of a directory service.
Assigning WLAN filter
- Select a computer under Computer management | Filters.
- In the WLAN permissions tab, enable a filter.
- To disable filters inherited from a group and/or from the default computer, enable the Activate individual settings check box.
- The previously inherited filters remain selected, uncheck them, if needed.
- Click Save.
- All WLAN connections that match the filter are now allowed on the computer. Other wireless connections are blocked.
Controlling access to input devices (BadUSB protection)
The firmware on USB devices is usually not protected and can be manipulated. A malicious USB stick registers in the operating system as a keyboard or a mouse to additionally distribute malware in the network.
Enabling keyboard control on computer
- Go to Administration | Clients | Client settings.
- In the Control input devices group, enable the Keyboard Control and Automatic keyboard registration options.
- You can now enable the Keyboard Control for the default computer or only for an individual computer. If you enable the Keyboard Control for the default computer, this setting is inherited to all computers. The inheritance can be disabled for computers individually.
- Click Save.
- Go to Computer management | Settings.
- Select the default computer under Default policies or a computer from the directory service structure.
- In the BadUSB protection tab, enable the Keyboard Control check box.
- If you haven’t enabled the option for the default computer and want to enable it individually for a computer, first disable the inheritance by enabling the Activate individual settings check box:
- The keyboard that is currently connected becomes the primary one. This is the only keyboard permitted on this computer, all other keyboards are blocked.Enable the Automatic keyboard registration option.
- Newly connected keyboards are registered. While the option is enabled, all keyboards connected to the computer are automatically added to the individual list of permitted devices (Permitted devices | Individual device permissions) and assigned to the computer. Once the option is disabled, only registered keyboards and the primary keyboard are permitted.
- Click Save.
- The computer-based keyboard control is now enabled.
Allowing users to control keyboards
- In User management | Settings, select a user from the directory service structure.
- In the BadUSB protection tab, enable the Grant keyboard control to user option.
- When connecting a keyboard that is not primary or not registered, a user now decides whether to include it to the individual list of permitted devices for this computer or not. When connecting the keyboard for the first time, a message appears.
- The message text can be edited under Administration | Clients | Custom messages, section Security warnings. For details, see: Customizing user messages.
Message does not appear. If the keyboard is already in the list of Individual device permissions, but the administrator has removed the checkmark from it, the message does NOT appear and such a keyboard is locked.
- Additionally, enable the Ask user each time on keyboard connection option to show the message each time on connecting a keyboard that is not primary or not registered. In this case, unlike the previous option, the permitted keyboard is not added to the list of individual device permissions for this computer.
- Click Save.
- The user-based keyboard control is now enabled.
Enabling mouse control on computer
- Go to Administration | Clients | Client settings.
- In the Control input devices group, enable the Mouse Control option.
- You can now enable the Mouse Control for a default computer or only for an individual computer. If you enable the Mouse Control for the default computer, this setting is inherited to all computers. The inheritance can be disabled for a computer individually.
- Go to Computer management.
- Select the default computer in Default policies or a computer in the directory service structure.
- Under Settings | BadUSB protection, enable the Mouse Control option.
- If you haven’t enabled the option for the default computer and want to enable it individually for a computer, first disable the inheritance by enabling the Activate individual settings check box.
- Click Save.
- The mouse that is currently connected becomes the primary one. This is the only mouse permitted on this computer, all other mice are blocked if they are not in the individual list of permitted devices.
Setting up application access to blocked devices
Very often some applications and processes try to access a blocked device on the background. In this case the EgoSecure popup appears. The solution is to enlist the processes for which no popup displays when it tries to access the forbidden device. To creat a list of applications blocked without popups, perform the following steps:
- Go to Product settings | Control | Application-dependent settings.
- Under Applications blocked without popup, click Add.
- Enter a process name.
- Click Save.
- Once a listed application accesses a blocked device, the access for the application will be blocked, but no popup message appears.
Controlling access to Bluetooth devices
When managing Bluetooth devices, distinguish between the following types:
- Bluetooth port: access point on the Agent computer used for connection by Bluetooth devices (built-in or pluggable). Under User management/Computer management | Control, assign access rights for Bluetooth connections. For details, see: Controlling access rights for Bluetooth access point
- Bluetooth device categories: headsets, smartphones, keyboard etc. connected to the Agent computer via a Bluetooth port. Under Permitted devices | Removable devices | Bluetooth devices, restrict the usage of Bluetooth devices to specific device categories. For details, see: Allowing Bluetooth connections for specific device categories
- Bluetooth devices: known devices like keyboard, mouse, telephone etc., connected to the Agent computer via a Bluetooth port. Under Permitted devices | Removable devices | Bluetooth devices, permit to use specific Bluetooth devices. For details, see: Allowing Bluetooth connections for specific devices
Controlling access rights for Bluetooth access point
The rights for a Bluetooth access point have a priority over Bluetooth whitelist. E.g: Block virtual adapter is set for Bluetooth access point and mobile devices are in whitelist. => File transfer on mobile devices is blocked.
- Select a directory object under User management/Computer management | Control.
- In the Devices and ports tab, right-click Bluetooth.
- Select one of the following access rights:
- Full access to allow Bluetooth connections on Agent computer.
- No access to forbid Bluetooth connections on Agent computer.
- Block virtual adapters to forbid only file sending, but to allow the connection from an Agent computer to devices via Bluetooth.
- Scheduled access to apply access rights for a Bluetooth access point according to a scheduler.
- Click Save.
Allowing Bluetooth connections for specific device categories
If the full access or the block virtual adapters access type is assigned to a Bluetooth access point, you can define Bluetooth devices permitted to connect to this access point. Specify Bluetooth device categories (Bluetooth whitelist) or specific Bluetooth devices that the user is allowed to use. Bluetooth device permissions have a priority over Bluetooth whitelist.
Individual Bluetooth device permissions work only if at least one Bluetooth whitelist has been specified for the respective directory service object.
Assigning several whitelists or an empty whitelist. When assigning several whitelists to the same directory object, a union of all the device categories allowed in each whitelist will be permitted to be used. E.g.: one whitelist allows only keyboards while another whitelist allows only headphones - in this case both the usage of Bluetooth keyboards and headphones will be allowed. When assigning only a whitelist with no selected categories (empty whitelist) to a directory object, all Bluetooth devices are forbidden to be connected to the end device. Exclusion: permitted known Bluetooth devices
Allowing Bluetooth device categories (Bluetooth whitelist)
- Go to Permitted devices | Removable devices | Bluetooth devices.
- Click Add whitelist.
- Select a category or a device class of Bluetooth devices allowed to connect to Agent computers.
- In the Whitelist name field, define a name of a whitelist.
- Click Add.
- The dialog closes and the whitelist is added under Bluetooth whitelist.
- Assign the whitelist to a directory object:
- In the lower area, select the User or Computer tab.
- Click Add.
- The Selection of users or Selection of computers dialog appears.
- In the directory service structure, select a user or a computer where Access Control product is activated.
- Click OK to confirm.
- The Selection of users or Selection of computers dialog closes.
- In the Bluetooth devices area, click Save.
- Selected directory objects are allowed to use all Bluetooth devices of the whitelist categories. Devices of other categories are not allowed. The exclusion is known Bluetooth devices.
Allowing Bluetooth connections for known devices
If full access or block virtual adapters access type is assigned to a Bluetooth access point, you can define known Bluetooth devices permitted to connect to this access point. Define specific Bluetooth devices that the user is allowed to connect. Bluetooth device-specific permissions have a priority over Bluetooth whitelist.
- Go to Permitted devices | Bluetooth devices.
- To add a Bluetooth device, click Scan computer or Devices database. For details, see: Allowing device for user
- The device appears in the list.
- If there is no whitelist defined, add an empty whitelist to block all other Bluetooth devices except the ones listed:
- Click Add whitelist.
- Define a name and click Add.
- Now only added Bluetooth devices are allowed.
- Assign the device to a directory object:
- In the lower area, select the User or Computer tab.
- Click Add.
- The Selection of users or Selection of computers dialog appears.
- In the directory service structure, select a user or a computer where Access Control product is activated.
- Click OK to confirm.
- The Selection of users or Selection of computers dialog closes.
- In the Bluetooth devices area, click Save.
- The added directory objects are allowed to use only listed Bluetooth devices.
Disable data transfer via clipboard
- Under User management | Settings, select a user or edit the default rights of known users under Default policies.
- In the lower area, navigate to the User settings tab.
- To disable inheritance for a user and assign individual settings, enable the Activate individual settings check box in the Clipboard area.
- The inheritance is now deactivated.
- Enable the Disable the use of the clipboard option.
- Click Save.
- The user is no longer allowed to use the clipboard.
Viewing directory object permissions and settings
In User management and Computer management, you can see a summary of permissions and settings for a certain user or a computer and export it, if needed. To show a summary of settings, perform the following steps:
- Under User management/Computer management, select a user/computer.
- Under Control | Devices and ports tab, click Summary on the toolbar.
- The Summary – [user/computer name] dialog opens. The overview of the rights and settings is displayed for the selected directory object.
- To print the summary of rights and settings or export to CSV or PDF, click the respective button.
- To close the dialog, click Close.
Using Access Control on IoT devices
EgoSecure Agent on IoT devices has no graphic user interface. Only the Access Control (AC) product can be activated. Via AC only the External storage device class is controlled.
Access rights are delivered to the IoT device once in one minute (because EgoSecure Agent works in the polling mode and checks the EgoSecure Server for new settings with an interval of one minute). Available actions for IoT devices:
- Assigning an access right to the external storage device class
- Inheriting default rights
- Assigning temporary access right
- Assigning different rights for online and offline Agents
- For details about installing EgoSecure Agent on IoT devices, please refer to EgoSecure Agent
Configuring PRESENSE connector
PRESENSE Connector is used in companies where PRESENSE PROVAIA or PRESENSE JANUS are used. These devices analyze data on external storage, floppy disks and check the data for malware, suspicious files, etc. The result of such analysis is the creation of a report file (*.xml). EgoSecure Agent denies access to external storage devices if Connector is enabled and one of the conditions is met:
- There is no report file on external storage.
- Report signature is not valid (not signed by the PRESENSE certificate).
- Report entries have status other than “clean” (if the PRESENSE approved/unapproved files filter is enabled, access to the whole device is permitted, only access to unapproved files is restricted). For details, see: Enabling and assigning PRESENSE filter
If new files have been created on the disk or existing files have been changed, access to these files will also be blocked after reconnecting the device. In this case, a re-analysis of the volume by PRESENSE is required.
Files encrypted with Device Encryption. Files encrypted with Removable Device Encryption are recognized as changed during an encryption process. Decrypt the files so that no volume re-analysis is required.
Access to individually permitted devices. If the access to a device is denied by PRESENSE, the access is nevertheless permitted if the user has an individual device permission for the device.
Enabling PRESENSE control
To use PRESENSE connector, the PRESENSE certificate is required.
- Import the PRESENSE certificate for the Current user. For details, see in help center: Importing certificate
- Go to Administration | Clients | Client settings.
- Check the Enable PRESENSE Connector box.
- The Windows Security dialog appears.
- Select the displayed certificate or click More choices to select a different certificate.
- Click OK in the Windows Security dialog to confirm.
- The Windows Security dialog closes.
- Click Save.
- PRESENSE connector is now enabled and configured. Storage devices where not clean files are detected, are blocked completely if no PRESENSE filter is enabled.
Enabling and assigning PRESENSE filter
If the PRESENSE report of a storage device contains files marked as 'not clean', EgoSecure denies access to the entire storage device. If the PRESENSE filter is enabled for users, only access to unclean files is blocked. Access to other files is granted if they are not blocked by another file filter. For details, see: File type filters. To enable the filter, perform the following steps:
- Select a user under User management | Filters.
- In the External storage tab, enable the PRESENSE approved files (in case of the white list mode) or PRESENSE unapproved files (in case of the black list mode).
- Click Save.
- The PRESENSE filter is now assigned to the user.
Importing settings via XML file
You can apply permissions for a user or a computer via an XML file. Create an XML file with certain settings and specify file directory in the Console. EgoSecure Server processes the file and creates two subfolders in the directory: Success (for successful import) and Fail (for failed import). The import can be performed tenant-specifically or globally for all tenants.
- Create the XML file with the settings. For details, see: XML import format
- In the Console, go to Administration | Administrator | Import of settings from XML to import settings for a current tenant.
- To import settings for all tenants, go to Administration | Superadmin | Import of settings from XML (global).
Avoiding issues with global import. If an xml file contains a tenant-specific command (e.g.: a command for applying individual device permissions to a group that exists only in one tenant), the import of non tenant-specific commands from this file fails. Import XML files with tenant-specific commands under Administration | Administrator | Import of settings from XML
- In the Import folders area, click Browse near Folder for data import and select the directory with the XML file.
- The directory is also used to automatically create Success and Fail subfolders.
- To import the settings, click Save.
- The import occurs. In the specified directory, the Success (for successful import) and Fail (for failed import) subfolders are created and the processed file is moved in one of the subfolders accordingly.
- Once a new file is uploaded to the specified directory, it is reprocessed.
Excluding user network login sessions from processing
Define a security identifier (SID) or name of a user to exclude network login sessions of this user from processing by EgoSecure Agent.
Usage example: if EgoSecure Agents are running on Citrix XenDesktop, it makes sense to add the server SID of XenDesktop controller to exclusions so that it is not processed by EgoSecure Agents and the processing therefore doesn’t cause high CPU. A network login session can be excluded based on a user name or a user SID.
Adding a network login session to exclusions – by user SID
- Go to Product settings | Control | Network login exclusions.
- Click Add SID on the toolbar.
- A new entry appears.
- In the Value column, enter the SID of the user, whose network sessions you want to exclude from processing.
- (optional) In the Comments column, add your description.
- Click Save.
Adding a network login session to exclusions – by user name
- Go to Product settings | Control | Network login exclusions.
- Click Add name on the toolbar.
- A new entry appears.
- In the Value column, enter the name of a user, whose network sessions you want to exclude from processing.
- (optional) In the Comments column, add your description.
- Click Save.