NetWrix USB Blocker Version 3.6 Administrator Guide
Table of Contents

1. Introduction ... 3
  1.1. What is NetWrix USB Blocker? ... 3
  1.2. Product Architecture ... 3
2. Licensing ... 4
3. Operation Guide ... 5
  3.1. System Requirements ... 5
    3.1.1. Management Server ... 5
    3.1.2. Managed Computers ... 7
  3.2. Installing the Product ... 7
    3.2.1. Default Installation Paths ... 8
  3.3. Configuring the Product ... 8
    3.3.1. Starting NetWrix USB Blocker ... 8
    3.3.2. Configuration Window Layout Detailed Description ... 9
      3.3.2.1. Managed Computers ... 10
      3.3.2.2. Granular Access Control ... 12
4. Passcode on a Managed Computer ... 15
5. Monitoring Console ... 16
  5.1. USB Blocker Monitoring Console Administrative Portal ... 16
  5.2. USB Blocker Monitoring Console ... 17
  5.3. USB Blocker Monitoring Console Access Rights ... 18
6. Uninstalling the Product ... 18
7. Contacting NetWrix Support ... 19
8. Additional Software Links ... 20
9. About NetWrix Products ... 21
10. Disclaimer ... 21
1. Introduction

1.1. What is NetWrix USB Blocker?

NetWrix USB Blocker is a budget-friendly, easy-to-deploy solution that automatically blocks USB devices on computers in a specified domain or in specified domain organizational units. NetWrix USB Blocker enforces centralized access control to prevent unauthorized use of removable media connected to computer USB ports, such as memory sticks, removable hard disks, PDAs [1] and other devices [1].

USB port access control is an important part of your endpoint security, regardless of how effective your antivirus and firewall are. USB device lockdown protects your network against malware and prevents the theft of sensitive corporate data.

The product relies on the built-in group policy mechanism and integrates seamlessly into your existing environment. Another advantage is its simplicity: it takes only a couple of mouse clicks to configure the product and get the necessary USB ports blocked. In addition, the software is free of charge for small networks (i.e., up to 50 computers). The commercial version, which is available for a charge, has much more advanced functionality and no limit on network size.

Benefits:
- Prevents unauthorized use of removable devices.
- Strengthens endpoint security.
- Enables regulatory compliance, such as SOX, HIPAA and GLBA.
- Saves you money in IT.

Features:
- Seamless integration with Active Directory.
- Simple point-and-click deployment and interface.
- Fully centralized management.
- USB port status monitoring.

1.2. Product Architecture

The management server is the computer where NetWrix USB Blocker is installed; this computer is then used to configure NetWrix USB Blocker. Managed computers are the computers where the NetWrix USB Blocker Agent is installed and on which USB port access is monitored and controlled by NetWrix USB Blocker. The management server and the managed computers must belong to a single domain.
NetWrix USB Blocker is first installed on the management server and then deployed to the managed computers via the standard group policy mechanism. NetWrix USB Blocker does this automatically for all the specified managed computers. The management server is then used for centralized USB access control.

[1] Only available in the commercial version.
2. Licensing

NetWrix USB Blocker is available in two versions: freeware and commercial. The commercial version has much more advanced functionality and includes full technical support. The following table compares the features of the two product versions.

Feature | Freeware Version | Commercial Version
Supported devices | Storage devices only | Storage devices; other devices (printers, PDAs, imaging devices, etc.)
Granular access control | Computer list to exclude | Computer list to exclude; limit the scope of blocking by OU; whitelist and blacklist of devices; list of users explicitly allowed to access devices
User activity logging | No | Yes, with reporting capabilities [2]
Temporary device access | No | Yes, using an unlock code
Technical support | Support forum | Full range of options
Licensing | Free of charge for up to 50 managed computers | Per managed computer; please see our pricing information or request a quote

[2] Feature coming soon.
3. Operation Guide

Follow the instructions below to install and configure NetWrix USB Blocker.

3.1. System Requirements

System requirements differ for the management server and the managed computers.

3.1.1. Management Server

CPU: x86 or x64 processor (1 GHz or faster).
RAM: 512 MB or more.
OS: the supported operating systems and the additional software each of them requires are listed in the table below.

Operating System | Additional Software
Windows XP | Windows Components: Internet Information Services (IIS); .Net Framework 3.5; .Net Framework 1.1; Group Policy Management Console (GPMC)
Windows 2003 Server SP2, Windows Vista | Windows Components: Internet Information Services (IIS), ASP.Net [3]; .Net Framework 3.5; .Net Framework 1.1; Group Policy Management Console (GPMC)
Windows 2008 Server | Windows Components: Internet Information Services (IIS), ASP.Net; Microsoft Remote Server Administration Tools (RSAT); .Net Framework 3.5
Windows Vista SP1 or higher | Windows Components: Internet Information Services (IIS), ASP.Net; .Net Framework 3.5; Microsoft Remote Server Administration Tools (RSAT)
Windows 7, Windows 2008 Server R2 | Windows Components: Internet Information Services (IIS), ASP.Net; .Net Framework 3.5; Microsoft Remote Server Administration Tools (RSAT)

[3] On 64-bit systems ASP.NET is part of the .Net Framework and does not have to be installed separately.

Note: Links for the additional system components are provided in section 8. Additional Software Links.

Note: A computer used to access the Monitoring Console (see 5. Monitoring Console) via the web must have Silverlight installed.

To install the Windows components, please follow the instructions below:
On Windows XP:
1. Go to Control Panel > Add or Remove Programs > Add/Remove Windows Components.
2. Select Internet Information Services (IIS) and click Details...
3. Make sure that Common Files and Internet Information Services Snap-In are checked.
4. Click OK and let Windows install the components.

On Windows 2003 Server:
1. Go to Control Panel > Add or Remove Programs > Add/Remove Windows Components.
2. Select Application Server and click Details...
3. For the 32-bit version only: make sure that ASP.NET is checked.
4. Select Internet Information Services (IIS) and click Details...
5. Make sure that Common Files and Internet Information Services Manager are checked.
6. Click OK and let Windows install the components.

On Windows Vista / Windows 7:
1. Go to Control Panel > Programs > Turn Windows Features on or off.
2. First check Internet Information Services so that the check box becomes solid green, then expand the Internet Information Services > Web Management Tools tree node and verify that IIS6 Management Compatibility (with all of its sub-items), IIS Management Console and IIS Management Service are checked.
3. Expand the Internet Information Services > World Wide Web Services > Security tree node and verify that Windows Authentication is checked.
4. Click OK and let Windows install the components.

On Windows 2008 Server / 2008 Server R2:
1. Click Start > All Programs > Administrative Tools > Server Manager.
2. In the Server Manager window, select Roles.
3. Click Add Roles. The Add Roles wizard opens.
4. Click Next to select roles to install and select Web Server (IIS).
5. Click Add Required Role Services. The Web Server is now selected for install. The Select Server Roles dialog box opens.
6. Click Next two times.
7. Verify that ASP.NET, Windows Authentication and IIS6 Compatibility are checked.
8. Click Next and then click Install.

IIS Note: USB Blocker requires at least one active IIS website to run. The default IIS configuration includes a pre-created website, so normally you do not have to change anything.
If, however, you have deleted or disabled the IIS websites, you must get at least one of them up and running.

ASP Note: If your system is 64-bit and ASP.NET is not configured yet, please follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to disable the 32-bit mode:
   cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
3. Type the following command to install the 64-bit version of ASP.NET 2.0 and to install the script maps at the IIS root and below:
   %SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i
4. Make sure that the status of ASP.NET version 2.0.50727 is set to Allowed in the Web service extension list in Internet Information Services Manager.
3.1.2. Managed Computers

CPU: x86 or x64 processor (1 GHz or faster).
RAM: 64 MB or more.
OS: Windows 2000 SP4 or later, joined to an Active Directory domain; .Net Framework 2.0.

3.1.3. SQL Server

An SQL Server 2005 or 2008 instance is required for the Monitoring Console (see 5. Monitoring Console). You can use an existing SQL server or download MS SQL Express. The download link for MS SQL 2005 Express can be found in 8. Additional Software Links.

Note: MS SQL 2005 Express is free, but it only supports databases up to 4 GB in size. This is sufficient for NetWrix USB Blocker.
3.2. Installing the Product

NetWrix USB Blocker can be installed on any computer in the managed domain. Choose one of the computers to be the management server.

Note: Before installing the commercial version, please uninstall the freeware version.

Before starting the installation process, carefully review all of the system requirements. The computer on which you install NetWrix USB Blocker must meet the management server requirements (see 3.1.1. Management Server). Further, any computers on the network that you want to audit must meet the managed computer requirements (see 3.1.2. Managed Computers).

To install NetWrix USB Blocker, run ubfree_setup.msi for the freeware version or ubfull_setup.msi for the commercial version. The installation wizard guides you step-by-step through the installation process.

Note: The account and password specified on the Computer Management page during NetWrix USB Blocker setup must have local administrator rights on the managed computers.

When the installation process is completed, click Finish to close the wizard. You may leave the Start NetWrix USB Blocker check box selected if you want to run the application automatically when you exit the setup program.

3.2.1. Default Installation Paths

The default installation paths for NetWrix USB Blocker are:
- %ProgramFiles%\NetWrix\USB Blocker on the management server.
- %ProgramFiles%\NetWrix\NetWrix Device Management Agent on managed computers.

Note: On most computers the system variable %ProgramFiles% is set to C:\Program Files on 32-bit systems and C:\Program Files (x86) on 64-bit systems.

3.3. Configuring the Product

3.3.1. Starting NetWrix USB Blocker

For the free version: Start > All Programs > NetWrix Freeware > USB Blocker > USB Blocker.
For the commercial version: Start > All Programs > NetWrix > USB Blocker > USB Blocker.

After doing so you will be presented with the program's main window (see Figure 1).
Figure 1: NetWrix USB Blocker configuration window

The NetWrix USB Blocker configuration window layout is described in detail in the next section.
3.3.2. Configuration Window Layout and its Detailed Description

3.3.2.1. Managed Computers

1. The Block USB devices check box enables the blocking of USB devices on managed computers.
2. The Active Directory domain field lets you specify the name of the managed domain. Please type in the full name of the domain.
3. The All domain computers option enables blocking for all the domain computers without exception. If you only want to block certain Organizational Units, use the Computers from specified OUs option instead.
4. The Computers from specified OUs option lets you specify a list of managed Organizational Units. USB ports on the computers that belong to the specified OUs will be blocked; USB ports on all other computers will remain available for uncontrolled use. The Add... and Remove buttons let you edit the list by adding and removing OUs.
5. Explicitly exclude specified computers is a feature that lets you specify the computers to be excluded from the managed list. Press the Configure... button to open the Exclude Computers dialog (see Figure 2).

Figure 2: Exclude Computers dialog window

Use the Add... and Remove buttons to modify the list. Upon pressing the Add... button, the Select Computer dialog window appears (see Figure 3).
Figure 3: Select Excluded Computer dialog window

The Enter the object name to select text field lets you specify the name of the object to be excluded. It is also possible to specify multiple objects by separating their names with a semicolon. Use the Advanced... button to switch to the advanced search mode. After entering all the search parameters, click Check Names to execute the search.

6. The Enable protection against tampering feature forces the NetWrix USB Device Management Agent process to restart automatically on a managed computer if it is terminated by a user or a program. The feature protects against users who may try to shut the Agent down to gain uncontrolled access to the computer's USB ports, and it also ensures that no third-party application can do the same.
7. Monitor status of managed computers: press the Run button to open your default Internet browser and access the Monitoring Console (see 5. Monitoring Console).
8. The Management Agent setup package location field must specify a valid shared folder on the management server where the NetWrix USB Device Management Agent installation package is located. The folder must be accessible from all the managed computers so that the agent can be copied to and installed on all of them. You can type in the location manually or press the ... button to browse for it.
3.3.2.2. Granular Access Control

9. The Block by device type text box shows the device types being blocked. The Configure... button opens a dialog window where you can select the device types to be blocked (see Figure 4).

Figure 4: Block by Device Type dialog window

10. Always grant access to the specified users is a feature that lets you turn USB port access on or off for certain users or user groups. Press the Configure... button next to it to open the Grant Access dialog (see Figure 5).

Figure 5: Grant Access dialog window

The Grant Access dialog is very similar to the Exclude Computers dialog in its structure and functionality (see the Explicitly exclude specified computers paragraph), except that it works with individual users or user groups instead of whole computers.
11. Specify device whitelist and blacklist adds even finer control over USB access on the managed computers by enforcing a whitelist and blacklist policy. Press the Configure... button next to it to open the Specify Device Whitelist and Blacklist dialog (see Figure 6). Use the Add..., Edit... and Remove buttons to modify the lists; the whitelist and the blacklist have the same list modification controls. The Add... button opens the Device Parameters dialog window, where the required device properties are specified (see Figure 7). The Device Parameters dialog lets you choose how a device is recognized and set a generic device filter. The following device parameters are available: Device ID, Product ID and Vendor ID. Alternatively, it is possible to autoscan for existing devices: first unplug any of the devices that you'd like the scan to find, then press the Scan... button and plug the devices into the USB ports. Click OK. It is also possible to add a custom comment about each device in the corresponding text box.
12. Allow device access by passcode is another granular access filtering feature. The specified passcode may be used by an administrator or a trusted person on any of the managed computers to gain unlimited access to the computer's USB ports (for more information please refer to 4. Passcode on a Managed Computer).
13. Click OK. NetWrix USB Blocker creates a Group Policy Object that will install the NetWrix USB Device Management Agent on the managed computers. At this point the configuration is saved, and the USB ports of the managed computers will be blocked as soon as you restart the managed computers. Note that the software installation policy is sometimes not applied until the next logon because of the logon optimization for group policy; in that case two reboots are needed.
14. Upon pressing the OK button you will also be prompted to launch the Monitoring Console immediately. Click OK again if you want to launch the Monitoring Console right away (for more information please refer to 5. Monitoring Console).
15. Use the NetWrix USB Blocker Monitoring Console to monitor the status of the agents installed on the managed computers and the USB port blocking status.
Figure 6: Specify Device Whitelist and Blacklist dialog window

Figure 7: Device Parameters dialog window
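The Granular Access Control settings above (block by device type, always-allowed users, and the device whitelist and blacklist keyed by Device ID, Product ID and Vendor ID) combine into one access decision per plugged-in device. The following Python model is an added example written for this guide, not NetWrix's code or policy format: it parses the Windows USB device instance path to recover the three identifiers and evaluates the lists with an assumed precedence (explicitly allowed user first, then the most specific matching list entry with the blacklist winning ties, then the block-by-device-type setting); the product's actual evaluation order is not documented here, and all device paths and user names are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# A Windows USB device instance path has the form USB\VID_xxxx&PID_yyyy\<device id>:
# hex vendor and product IDs, then the device's own ID (serial number or a
# bus-assigned value). Every path used in comments and tests here is constructed.
_INSTANCE_RE = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\\]+)$")


def parse_instance_path(path: str) -> Tuple[str, str, str]:
    """Split an instance path into (vendor_id, product_id, device_id), IDs upper-cased."""
    m = _INSTANCE_RE.match(path)
    if not m:
        raise ValueError(f"not a USB device instance path: {path!r}")
    vid, pid, device_id = m.groups()
    return vid.upper(), pid.upper(), device_id


@dataclass
class DeviceRule:
    """One whitelist or blacklist entry (Device ID, Product ID, Vendor ID); None means 'any'."""
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    device_id: Optional[str] = None
    comment: str = ""

    def matches(self, vid: str, pid: str, device_id: str) -> bool:
        return ((self.vendor_id is None or self.vendor_id.upper() == vid)
                and (self.product_id is None or self.product_id.upper() == pid)
                and (self.device_id is None or self.device_id == device_id))

    def specificity(self) -> int:
        """Number of fields set; a more specific entry overrides a broader one (assumption)."""
        return sum(v is not None for v in (self.vendor_id, self.product_id, self.device_id))


@dataclass
class Policy:
    """Hypothetical model of the Granular Access Control settings, not the product's own format."""
    block_usb: bool = True                                    # 'Block USB devices' check box
    blocked_types: Set[str] = field(default_factory=lambda: {"storage"})  # 'Block by device type'
    allowed_users: Set[str] = field(default_factory=set)      # 'Always grant access to the specified users'
    whitelist: List[DeviceRule] = field(default_factory=list)
    blacklist: List[DeviceRule] = field(default_factory=list)


def decide(policy: Policy, instance_path: str, device_type: str, user: str) -> Tuple[bool, str]:
    """Return (access_allowed, reason) for one device plugged in by `user`.

    Assumed precedence: blocking disabled > explicitly allowed user > most specific
    matching list entry (blacklist wins a tie) > block-by-device-type setting.
    """
    vid, pid, device_id = parse_instance_path(instance_path)
    if not policy.block_usb:
        return True, "USB blocking is disabled"
    if user.casefold() in {u.casefold() for u in policy.allowed_users}:
        return True, f"user {user} is explicitly allowed"
    # Collect every matching entry from both lists, tagging blacklist entries with 1.
    matches = [(r.specificity(), 1, r) for r in policy.blacklist if r.matches(vid, pid, device_id)]
    matches += [(r.specificity(), 0, r) for r in policy.whitelist if r.matches(vid, pid, device_id)]
    if matches:
        _, is_black, rule = max(matches, key=lambda m: (m[0], m[1]))
        verdict = "blacklisted" if is_black else "whitelisted"
        return (not is_black), f"{verdict} by rule {rule.comment!r}"
    if device_type.casefold() in {t.casefold() for t in policy.blocked_types}:
        return False, f"device type {device_type} is blocked"
    return True, f"device type {device_type} is not blocked"
```

The reason string mirrors the "reason for granting or blocking" column that the Monitoring Console shows per device, which is where an operator would check that an entry matched the way they intended.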
4. Passcode on a Managed Computer

If the Allow device access by passcode option is enabled, it is possible to access USB devices on any of the managed computers. To do this, go to Start > All Programs > NetWrix Device Management Agent > Access Devices by Passcode on the managed computer. The Access Devices by Passcode dialog window opens (see Figure 8).

Figure 8: Access Devices by Passcode dialog window

Type in the passcode and press OK. If the passcode is correct, you will see the acknowledgement notice (see Figure 9).

Figure 9: Temporary access granted notification

You may click OK to close the notice and access the USB ports. The Access Devices by Passcode window minimizes. Restore it and click Cancel in the Access Devices by Passcode dialog window to block the USB ports again.
5. Monitoring Console

The NetWrix USB Blocker Monitoring Console is the central place for your NetWrix USB Blocker activity monitoring. It is installed automatically on your management server together with NetWrix USB Blocker (it requires a running SQL 2005 or 2008 server; for a download link please see 8. Additional Software Links).

Note: An Internet browser with Silverlight support (download link in 8. Additional Software Links) is required to access the Monitoring Console via the web.

5.1. Monitoring Console Administrative Portal

When you run the Monitoring Console for the first time, the Monitoring Console Administrative Portal window opens in your default Internet browser (see Figure 10).

Figure 10: Monitoring Console Administrative Portal window

Type the names of the SQL server and database in the corresponding fields. You may use Integrated authentication, or you may clear this check box and enter your MS SQL administrator credentials.
5.2. Monitoring Console

After you successfully pass the Monitoring Console Administrative Portal dialog, the Monitoring Console window opens (see Figure 11).

The left panel shows a list of the managed computers with, for each:
- The name of the computer.
- The status of the USB Device Management Agent.
- Whether there are blocked USB devices on the computer or not.

The right panel shows details about the selected computer:
- The top section lists the USB devices attached to the selected computer, including the device name, type, the user who plugged the device in, the state of access to the device, and the reason for granting or blocking access.
- The bottom section lists the users logged on to the selected computer, with the user name and the logon type.

If the computers are marked with red icons on the first run, most likely the USB Device Management Agent is not yet installed on the managed computers (usually because the managed computers have not yet been restarted) or no users are logged in. To fix this, restart the managed computers: the new Group Policy Object will be applied and the NetWrix USB Device Management Agent will be installed.

Figure 11: NetWrix USB Blocker Monitoring Console window
5.3. Monitoring Console Access Rights

Two groups of users are given privileged rights, in accordance with the IIS authorization setup:
1. NetWrix USB Blocker Admins are allowed to access all parts of the site. This means that they can access the USB Blocker Monitoring Console Administrative Portal and create/configure the USB Blocker SQL database.
2. NetWrix USB Blocker Operators are only allowed to access the USB Blocker Monitoring Console to watch the managed computers' statuses.

These groups are local groups if the management server is not a domain controller, and domain groups otherwise. By default, the account that installed the product belongs to the NetWrix USB Blocker Admins group.
6. Uninstalling the Product

You can uninstall NetWrix USB Blocker using the MS Windows Add/Remove Programs wizard.

Note: Uninstalling the product also deletes the corresponding Group Policy Object. Thus rebooting the managed computers will restore uncontrolled access to their USB ports. Note that the software installation policy is sometimes not applied until the next logon because of the logon optimization for group policy; in that case two reboots are needed.

7. Contacting NetWrix Support

If you have any questions, please feel free to contact the NetWrix support team. NetWrix provides unlimited phone and email support for customers who purchase the commercial version (including evaluation). In addition, limited support is provided at no charge to customers who use the freeware version, through the NetWrix Support Forum.
8. Additional Software Links

- .Net Framework 3.5 is available at http://www.microsoft.com/downloads/details.aspx?familyid=333325fd-ae52-4e35-B531-508D977D32A6&displaylang=en
- .Net Framework 2.0 is available at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=0856eacb-4362-4b0d-8edd-aab15c5e04f5 or, for 64-bit systems, at http://www.microsoft.com/downloads/details.aspx?familyid=b44a0000-acf8-4fa1-AFFB-40E78D788B00&displaylang=en
- .Net Framework 1.1 is available at http://www.microsoft.com/downloads/details.aspx?familyid=262d25e3-f589-4842-8157-034D1E7CF3A3&displaylang=en
- Microsoft Silverlight is available at http://www.microsoft.com/silverlight/getstarted/install/default.aspx
- Group Policy Management Console (GPMC) is available at http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
- Microsoft Remote Server Administration Tools (RSAT) is available for 32-bit systems at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9ff6e897-23ce-4a36-b7fc-d52065de9960&displaylang=en or, for 64-bit systems, at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=d647a60B-63FD-4AC5-9243-BD3C497D2BC5
- Microsoft SQL Server 2005 Express is available at http://www.microsoft.com/sqlserver/2005/en/us/express.aspx
9. About NetWrix Products

Solutions developed by NetWrix Corporation help organizations meet compliance standards, simplify identity management, and reduce IT infrastructure costs. The product line includes solutions for change management, identity management, virtualization, and Active Directory troubleshooting.

NetWrix Active Directory Change Reporter reports the changes made to Active Directory and Group Policy and delivers detailed information on a daily basis. The report includes the 4 Ws (Who, What, When, and Where) of all changes and includes before and after values for each and every setting. This report lists changes made to AD and Exchange configurations, Group Policy objects and setting modifications, and many more.

NetWrix Password Manager gives end users the ability to securely manage their passwords and resolve account lockout incidents in a self-service fashion without involvement of help desk personnel.

NetWrix Account Lockout Examiner detects, diagnoses, and resolves account lockouts in real time to reduce the administrative costs associated with manual resolution of account lockouts.

Privileged Account Manager provides a secure facility for provisioning, accessing, automatically updating, and de-provisioning shared administrative accounts, to enable centralized control and auditing of all shared accounts in organizations, from Active Directory and servers to routers and database systems.

For more information, please visit www.netwrix.com or call our toll-free number: +1-888-638-9749.

10. Disclaimer

The information in this publication is furnished for information use only, does not constitute a commitment from NetWrix Corporation of any features or functions discussed and is subject to change without notice. NetWrix Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication. NetWrix is a registered trademark of NetWrix Corporation.
The NetWrix logo and all other NetWrix product or service names and slogans are registered trademarks or trademarks of NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

© 2010 NetWrix Corporation. All rights reserved. www.netwrix.com