Suppressing external media operations

By suppressing external media operations at a client, you can prevent the leakage of confidential information and the entry of undesirable information from external systems. This facility is available when the client version is between 08-51 and 09-00.

During external media operation suppression, writing and reading data via the following external media is suppressed:

USB media
Internal CD/DVD drive
Internal floppy disk drive
IEEE 1394-connected media
Internal SD card slot

Select the media whose operations are to be suppressed based on factors such as the frequency of use by jobs and the risk for information leakage.

If the client version is 09-50 or later, you can suppress these external media operations by suppressing device operations. For details about how to suppress device operations, see 2.5.6 Suppressing device operations.

The following figure provides an overview of external media operation suppression.

Figure 2-24 Overview of external media operation suppression

[Figure]

Organization of this subsection: (1) Prerequisites for the client OS; (2) Notes on suppressing external media operations

(1) Prerequisites for the client OS

To suppress external media operations, match the client OS to the prerequisites. If the client's OS is Windows NT 4.0, Windows 98, or Windows Me, suppression of external media operations is not supported.

Facility	Windows
Facility	2000	Server 2003	XP	Vista	Server 2008	7
Suppression of USB-connected media operations (write- and read-disabled)^{#1, #2}	Y	Y	Y	Y	Y^#3	Y
Exclusion of specific USB-connected media from suppression^{#4, #5}	Y	Y	Y	Y	Y	Y
Suppression of USB-connected media operations (only write-disabled)^{#1, #2}	N	N	Y	N	N	N
Suppression of writing data to internal CD/DVD drive	N	Y	Y	Y	N	Y
Suppression of internal floppy disk operations	Y	Y	Y	Y	N	Y
Suppression of IEEE 1394-connected media operations^#1	Y	Y	Y	Y	N	Y
Suppression of internal SD card clot operations^#1	N	N	Y	Y	N	Y

Legend:: Y: Supported; N: Not supported

#1

The USB-connected media, IEEE 1394-connected media, and SD cards to be suppressed are those media that are displayed as follows when device components are displayed from the Safely Remove Hardware dialog box.

USB Mass Storage Device
IEEE 1394 SBP2 Drive
Secure Digital Storage Device

#2: In some cases, a USB-connected media device that is not displayed as a USB Mass Storage Device in the Safely Remove Hardware dialog box may be suppressed. In such a case, exclude the client PC or the suppressed USB-connected media from suppression. When you suppress USB-connected media operations (only write-disabled), you cannot exclude specific USB-connected media devices from suppression.

#3: If the OS of the client PC is Windows Server 2008, the suppressed items are USB storage devices.

#4: If the Exclude the specified media from suppression check box is selected, the items suppressed by suppressing USB-connected media operations (write- and read-disabled) are USB storage devices.

#5: With JP1/Software Distribution Client version 08-51 and earlier, you cannot exclude specific media from suppression.

The operations that can be suppressed differ depending on the OS of the client PC, as indicated below.

When both of the following conditions are met and a file is being copied to a USB-connected hard disk or floppy disk drive, operation of the USB-connected media device cannot be suppressed until file copying is completed:
- The client's OS is Windows 7 or Windows Server 2008 R2.
- An operation monitoring policy for suppressing operation of USB-connected media device is applied while file copying is being performed.
When an operation monitoring policy is applied that excludes a specific USB-connected media device from suppression based on its friendly name, that USB-connected media device is suppressed when it is connected to the client PC for the first time. In this case, reconnect the USB-connected media device. It will not be suppressed the second and subsequent times.
If the OS of the client PC is Windows 7 or Windows Vista, the following types of suppression cannot be specified separately:
- Suppression of USB-connected media operations (when the Exclude the specified media from suppression check box is cleared)
- Suppression of IEEE 1394-connected media operations
- Suppression of internal SD card slot operations
If either of these is specified, both writing data to and reading data from USB-connected media, IEEE 1394-connected media, an internal SC card, and removable disks on the client are suppressed.
If the OS of the client PC is Windows 7, Windows Server 2008, or Windows Vista, and the version of JP1/Software Distribution Client is 09-00 or later: when you exclude specified media from suppression during suppression of USB-connected media operations, do not specify suppression of operations of IEEE 1394-connected media or the internal SD card slot. Specifying suppression of these individual operations will invalidate the setting of the Exclude the specified media from suppression check box, and both writing data to and reading data from all USB-connected media will be suppressed.
If you suppress writing data to an internal CD/DVD drive when the OS of the client PC is Windows 7 or Windows Vista, writing data to not only the internal CD/DVD drive but also to USB-connected CD/DVD drives will be suppressed. Similarly, if you allow writing data to USB-connected CD/DVD drives, USB-connected media operations are not suppressed.
If you suppress writing data to and reading data from an internal floppy disk drive when the OS of the client PC is Windows 7 or Windows Vista, writing data to and reading data from not only the internal floppy disk drive but also to USB-connected floppy disk drives are suppressed. Similarly, if you allow writing data to USB-connected floppy disk drives, USB-connected media operations are not suppressed.
The setting that suppresses only writing data to USB-connected media does not go into effect if the OS of the client PC is one of those listed below. Therefore, if a setting that suppresses only writing data to USB-connected media is applied, a setting that suppresses both writing and reading is applied to the client PC instead.
Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP (without any service pack, or with Service Pack 1), and Windows 2000
If the OS of the client PC is Windows XP, the setting that suppresses only writing data to USB-connected media is supported by Service Pack 2 or later only.
If the Exclude the specified media from suppression check box is selected when the OS of the client PC is Windows 2000, you cannot suppress the operations of a USB-connected floppy disk or hard disk drive that was connected before you logged onto the system. To suppress operations of such USB-connected media, clear the check box.

(2) Notes on suppressing external media operations

If you suppress only writing data to USB-connected media when the auto-playback function of CD/DVD is disabled in the Windows settings, writing data to USB-connected CD/DVD drive might not be suppressed.
Even when you specify suppression of external media operations, the operations of any external media that were already connected will not be suppressed. The suppression setting goes into effect after the media are disconnected (removed).
Suppression of writing data to and reading data from an internal SD card slot goes into effect after the client PC is rebooted.
Suppression of external media operations is not released even if the operation-monitoring service is stopped. To release the suppression of external media operations, do one of the following:
- Create an operation monitoring policy that does not suppress external media operations, and apply it.
- Uninstall JP1/Software Distribution Client.
If the operation of an internal floppy disk drive is suppressed when the client OS is Windows Server 2003, Windows XP, or Windows 2000, the internal floppy disk drive itself is treated as nonexistent. Consequently, if you collect inventory information from a client whose internal floppy disk operations are suppressed, no information is collected from the internal floppy disk drive.
JP1/Software Distribution cannot be used concurrently with other products that limit the use of external media (such as Windows Group Policy or Active Directory Policy). If such a product and JP1/Software Distribution are used concurrently on the same client, JP1/Software Distribution's setting for suppressing external media operations might be modified by the other product. JP1/Software Distribution might also modify the setting of the other product.
There is a risk that the setting for suppressing external media operations might be modified by Active Directory or operator actions. Therefore, the setting for suppressing external media operations is reset according to the operation monitoring policy when the operation monitoring service is restarted. However, if the setting for suppressing external media operations has not been used at all, it will not be reset when the operation monitoring service is restarted. Additionally, no settings related to external media operations are made when an operation monitoring policy that does not suppress external media operations is applied.
If the OS of the client PC is Windows 7, Windows Server 2008, or Windows Vista, the setting for suppressing external media operations goes into effect after the OS is restarted. Regardless of the OS of the client PC type, when a specific USB-connected media device is excluded from suppression, the setting for suppressing USB-connected media operations and the setting for excluding the specific USB-connected media device from suppression go into effect after the OS is restarted.
To release external media operation from suppression, perform reinstallation or take a similar action to make sure that the device driver is running normally.
To suppress the use of a USB-connected link cable, specify operation suppression according to the USB device recognized by the OS. Note that depending on the device, it might not be possible to suppress the use of a USB-connected link cable.
If you select the Safely Remove Hardware icon on the client PC, or if you right-click each USB-connected media device in Device Manager (accessed by choosing Control Panel, Administrative Tools, and then Computer Management), and choose Delete, suppression of USB-connected media operations might not function normally.
If you connect USB-connected media targeted for suppression to a client PC, auto-playback might fail and an error message might be displayed even if the auto playback function for USB-connected media is enabled.
If the Exclude the specified media from suppression check box is selected when the OS of the client PC is Windows 2000, you cannot suppress USB-connected floppy disk drive operations. To suppress the operations of this USB-connected media device, clear the check box.
If the Exclude the specified media from suppression check box is selected and the auto-playback function is enabled in the Windows settings when the OS of the client PC is Windows 7, Windows Server 2008, or Windows Vista, you cannot suppress the operations of USB-connected floppy disk or hard disk drives. To suppress the operations of these USB-connected media, clear the check box or disable the auto-playback function.
The OS might display an error message in the following cases:
- You connect USB-connected media targeted for suppression when the OS of the client PC is Windows 2000 and no device driver has been installed.
- An operation monitoring policy for suppressing the operation of USB-connected media is applied while the USB-connected media are operating.
It might not be possible to suppress the operation of USB-connected media that are connected before the function for monitoring the operating status of software starts.
If the Enable CD recording on this drive check box under the Recording tab in Properties is cleared when the OS of the client PC is Windows Server 2003 or Windows XP, you cannot suppress recording to the internal CD/DVD. When recording on DVD-RAM, you need to clear the Enable CD recording on this drive check box. Therefore, you cannot suppress recording.

Notes on suppressing external media operations at an offline machine

Do not suppress the operation of external media that will be used to apply an operation monitoring policy or collect operating information. If you suppress the operation of such external media, you will not be able to apply an operation monitoring policy or collect operating information.

Notes on virtual environments

Note the following when an operation monitoring policy for suppressing external media operations is applied to a virtual environment:

The warning dialog box, which indicates that the connection of USB-connected media has been suppressed, is displayed only to users connected to a console session.
If all of the following conditions are satisfied, operation of the redirected drive cannot be suppressed even if a security policy for suppressing external media has been applied to the terminal server:
1. A security policy for suppressing external media connection has not been applied to a PC remotely connected to the terminal server.
2. The drive connected to the PC in condition 1 is set to be used by the terminal server.
To suppress such a drive, disable redirection on the terminal server side. However, doing so will disable redirection for all drives. The procedure for disabling redirection for a terminal server in Windows Server 2008 is as follows.
- For Windows Server 2008:
1. From Windows Terminal Service Configuration, open the RDP-Tcp property.
2. Under the Client Settings tab, choose Drive in Redirection.
- For Windows Server 2008 R2:
1. From Windows RD Session Host configuration, open the RDP-Tcp property.
2. Under the Client Settings tab, choose Drive in Redirection.

All Rights Reserved. Copyright (C) 2009, 2013, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated.

2.5.5 Suppressing external media operations

(1) Prerequisites for the client OS

(2) Notes on suppressing external media operations