2.9.5 Restricting prohibited operations
You can set a security policy so that some computer operations will be restricted. By doing so, you can prevent information leakage.
- Restricting printing
You can restrict print operations. This helps prevent information intended for internal use only from being taken out in printed form.
You can set a password that allows printing. This restricts print operations to the users to whom you disclose the password.
- Important note
You cannot restrict output to a printer connected via the Internet. You cannot restrict output to a local printer when using a File port or a LAN Manager port. Also, you might not be able to restrict output to a Windows network shared printer.
When the printing function is used to output a PDF file, the PDF file might be output even if a message indicating that printing is restricted appears on the user's computer.
- Restricting device operations
You can restrict the use of USB devices and CD/DVD drives. This prevents information from being taken out on external media. Operations on the following devices can be restricted:
- Reading/writing on USB devices
- Writing on internal CD/DVD drives
- Writing on CD/DVD drives
- Reading/writing on internal FD drives
- Writing and reading/writing on FD drives
- Reading/writing on IEEE1394 connected media
- Reading/writing using internal SD card slots
- Writing and reading/writing on removable disks
On the Hardware tab of the Properties window of a device, a deterrence-target USB device is displayed as USB Mass Storage Device under Device Functions.
Media connected via IEEE1394 and internal SD card slots are displayed as follows when device components are displayed in the OS's Safely Remove Hardware dialog box:
- IEEE 1394 SBP2 Drive
- Secure Digital Storage Device
- Tip
The items that can be restricted depend on the OS on the deterrence-target computer.
- Tip
Restrictions on device operations are enabled after the computer to which a security policy is assigned restarts. After a security policy is applied to a computer, balloon tips regularly appear, prompting the user to restart the computer. Whether balloon tips are displayed depends on the specification in the Agent Basic Settings view for the agent configuration.
- Important note
Do not use JP1/IT Desktop Management with other products that restrict the use of external media (for example, products which apply a Windows group policy or Active Directory policy). If you use them at the same time, the settings of JP1/IT Desktop Management might be changed by the other products, or the settings of the other products might be changed by JP1/IT Desktop Management.
- Restricting startup of software programs
You can block the startup of software programs that might cause information leakage (for example, file sharing software or messenger software).
You can block the startup of software programs with the following extensions:
- exe
- com
- scr
Note that if the character string made up of the execution file name and the folder name has 260 or more characters, startup of the software program cannot be blocked.
- Important note
If a software program finishes its processing immediately after it starts up, startup of the program might not be blocked because it might finish before it is blocked.
- Important note
Do not block startup of the execution files related to the OS and JP1/IT Desktop Management. If you block startup of such execution files, the OS or JP1/IT Desktop Management might not operate properly.
- Important note
If both of the conditions below exist on an agent-installed computer, the printer server or network might be overloaded depending on the status of the printer, and performance might be lowered. Therefore, apply a security policy to an agent-installed computer that does not cause condition 1, or remove unused printers from the shared network printers registered on the agent-installed computer.
1. The security policy assigned to the agent results in either of the following conditions:
   - For File Operation/Print Operation (a collection item for operation logs), Print is enabled.
   - In the Other Access Restrictions view, Printing Restriction is enabled.
2. A shared network printer has been installed on the agent-installed computer.
(1) External media that can be restricted
By setting prohibited operations in a security policy, you can restrict the use of USB devices and CD/DVD drives on an agent-installed computer. The following table shows the items to be restricted, whether the items can be restricted for individual OSs, and the deterrence targets.
For Windows 8, Windows Server 2012, Windows 7, Windows Server 2008, and Windows Vista:

| Item to be restricted | Operation | Windows 8 (no edition) | Windows 8 (Pro/Enterprise) | Windows Server 2012 | Windows 7 | Windows Server 2008 | Windows Vista | Deterrence targets#1 |
|---|---|---|---|---|---|---|---|---|
| USB devices#2, #3, #4 | Reading/writing | Y | Y | Y | Y | Y | Y | For the deterrence-target devices, USB Mass Storage Device is displayed for Device Functions on the Hardware tab of the device's Properties dialog box. |
| CD/DVD drives#5, #6 | Writing | N | R | R | R | R#7 | R | The target drives are displayed under DVD/CD-ROM drives of Devices by type in the Device Manager window. Both internal drives and USB connected drives are included. |
| FD drives#6, #8 | Writing#9 | N | R | R | R | R#7 | R | The target drives are displayed under Floppy disk drives of Devices by type in the Device Manager window. Both internal drives and USB connected drives are included. |
| FD drives#6, #8 | Reading/writing | N | R | R | R | R#7 | R | Same as above. |
| Removable disks#4, #6, #10 | Writing#9 | N | R | R | R | R#7 | R | For the target drives, Removable Disk is displayed as the drive type in Windows Explorer (Local Disk is displayed for some USB connected drives). Both internal drives and USB connected drives are included. |
| Removable disks#4, #6, #10 | Reading/writing | N | R | R | R | R#7 | R | Same as above. |

Legend:
- Y: Can be restricted. Events for restriction can be sent, and messages for restriction can be displayed.
- R: Can be restricted. Events for restriction cannot be sent, and messages for restriction cannot be displayed.
- N: Cannot be restricted.
#1: The displayed items might differ depending on the OS settings.
#2: Even when you restrict the use of USB devices, you can configure the settings so that only registered USB devices are allowed for use.
#3: The USB devices mentioned here include USB connected hard disks, USB connected CD/DVD drives, USB connected FD drives, and USB connected flash memory (such as USB memory, USB connected CF cards, SD cards, and memory sticks).
#4: The use of the device is not restricted when the computer OS is Windows 8 or Windows Server 2012 and the USB device is assigned to the storage pool.
#5: The CD/DVD drives mentioned here include USB connected CD/DVD drives, internal CD/DVD drives, and CD/DVD drives connected via IEEE1394.
#6: When reading and writing operations on USB devices are restricted, and restriction settings are enabled for individual CD/DVD drives, FD drives, and removable disks, the operations to be restricted and the behavior of JP1/IT Desktop Management depend on the registration status of the connected device. The following tables describe the details.
Behavior when a CD/DVD drive is connected by USB:

| Registration status of the connected device (USB device) | Restricted operations on the CD/DVD drive | Behavior of JP1/IT Desktop Management |
|---|---|---|
| Not Registered | Writing | Restricts reading and writing. (Events for restriction are sent. Messages for restriction are displayed.) |
| Registered | Writing | Restricts writing. |

Behavior when a removable disk or FD drive is connected by USB:

| Registration status of the connected device (USB device) | Restricted operations on the FD drive or removable disk | Behavior of JP1/IT Desktop Management |
|---|---|---|
| Not Registered | Writing | Restricts reading and writing. (Events for restriction are sent. Messages for restriction are displayed.) |
| Not Registered | Reading/writing | Restricts reading and writing. (Events for restriction are sent. Messages for restriction are displayed.) |
| Registered | Writing | Restricts writing. |
| Registered | Reading/writing | Restricts reading and writing. (Events for restriction are not sent. Messages for restriction are not displayed.) |
#7: Restriction might not be possible depending on the device.
#8: The FD drives mentioned here include USB connected FD drives, internal FD drives, and FD drives connected via IEEE1394.
#9: If a policy in which this item is enabled is applied to an agent earlier than version 09-51, writing to FD drives and removable disks is not restricted.
#10: The removable disks mentioned here include the following devices:
- USB connected hard disks
- USB connected flash memory (such as USB memory, USB connected compact flash memory, SD cards, and memory sticks)
- Internal SD cards
- Hard disks connected via IEEE1394
- Flash memory connected via IEEE1394 (such as USB memory, USB connected compact flash memory, SD cards, and memory sticks)
- Tip
When the use of removable disks is restricted, the use of a USB connected removable disk cannot be allowed even if the removable disk is registered as a hardware asset.
- Tip
To restrict the use of external media regardless of the connection interface, specify the restriction of CD/DVD drives, FD drives, or removable disks.
For Windows Server 2003, Windows XP, and Windows 2000:

| Item to be restricted | Operation | Windows Server 2003 | Windows XP | Windows 2000 | Deterrence targets#1 |
|---|---|---|---|---|---|
| USB devices#2 | Reading/writing#3 | Y | Y | Y | For the deterrence-target drives, USB Mass Storage Device is displayed when Display device components is selected in the Safely Remove Hardware dialog box. |
| USB devices#2 | Writing | N#4 | R | N#4 | Same as above. |
| Internal CD/DVD drives#5 | Writing | R | R | N | For the deterrence-target devices, the Recording tab is displayed in the properties dialog box for CD/DVD drives. |
| Internal FD drives#5 | Reading/writing | R | R | R | The deterrence-target devices are displayed under Devices with Removable Storage in the My Computer window. |
| IEEE1394 connection media#6 | Reading/writing | R | R | R | For the deterrence-target drives, IEEE 1394 SBP2 Device is displayed when Display device components is selected in the Safely Remove Hardware dialog box. |
| Internal SD card slots#5 | Reading/writing | N | R | N | For the deterrence-target drives, Secure Digital Storage Device is displayed when Display device components is selected in the Safely Remove Hardware dialog box. |

Legend:
- Y: Can be restricted. Events for restriction can be sent, and messages for restriction can be displayed.
- R: Can be restricted. Events for restriction cannot be sent, and messages for restriction cannot be displayed.
- N: Cannot be restricted.
#1: The displayed items might differ depending on the OS settings.
#2: The USB devices mentioned here include USB connected hard disks, USB connected CD/DVD drives, USB connected FD drives, and USB connected flash memory (such as USB memory, USB connected CF cards, SD cards, and memory sticks).
Note that the deterrence-target USB devices are the devices to which data can be recorded via USB connection. They are the devices that have one of the following device setup classes:

| Device setup class | ClassGuid |
|---|---|
| CD-ROM | {4d36e965-e325-11ce-bfc1-08002be10318} |
| Disk Drive | {4d36e967-e325-11ce-bfc1-08002be10318} |
| Floppy Disk | {4d36e980-e325-11ce-bfc1-08002be10318} |
#3: Even when you restrict the use of USB devices, you can configure the settings so that only registered USB devices are allowed for use.
#4: When writing to USB devices is restricted, both reading and writing to the USB devices are restricted.
#5: An internal device means a device that occupies a media slot built into the computer. Some devices are connected by USB but housed in the computer chassis; these are not referred to as internal devices.
#6: The IEEE1394 connection media mentioned here include hard disks connected via IEEE1394 and flash memory connected via IEEE1394 (such as USB memory, USB connected CF cards, SD cards, and memory sticks).
- Tip
For details about ClassGuids for a device setup class, ask the developer of the device.
(2) Types of USB devices that can be allowed for use
When the use of USB devices has been restricted by the setting of prohibited operations in a security policy, you can configure the settings so that only USB devices registered as hardware assets are allowed for use.
- Tip
USB storage devices are the only type of USB devices which can be allowed for use. Check the target USB devices as follows:
- From the Start menu, select Devices and Printers.
- In the displayed dialog box, right click the icon for a device, and then select Properties.
For the target USB devices, USB Mass Storage Device is displayed for Device Functions on the Hardware tab of the displayed dialog box.#
#: When the computer OS is Windows 8 or Windows Server 2012 and a USB device is allocated to the storage pool, this function is not supported for the USB device even if USB Mass Storage Device is displayed.
- Tip
The device instance ID (which is acquired when a USB device is registered) is used for identifying a USB device. The device instance ID is an ID set to a USB device. Some USB devices have unique IDs that can be identified individually, and other USB devices have IDs that change depending on the connecting ports or environments.
You can allow the use of the following two types of USB devices:
- USB devices that can be allowed for individual devices
The USB devices that have unique device instance IDs can be allowed for use for individual devices.
Note that, when you display the Details tab of the device properties (from the Windows Device Manager) and select Capabilities from the pull-down menu, the USB devices that have unique IDs are displayed as CM_DEVCAP_UNIQUEID.
- USB devices that can be allowed for individual products
The USB devices whose device instance IDs change depending on the connecting ports or environments can be registered and allowed for use for individual products. For example, if you have multiple USB memory devices of the same model from the same manufacturer, and the device instance IDs for those USB memory devices are not unique, registering one of those devices allows the use of all of them.
A USB device whose device instance ID may change is identified based on a part of the ID. If the beginning part of the device instance ID for a USB device matches the registered device instance ID (which was specified when another USB device was registered), the two devices are regarded as the same product. Note that for a USB device that can be allowed for use for individual products, a message is displayed when the USB device is registered.
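The Device Manager checks described above (device setup class, USB Mass Storage Device as the parent function, and the CM_DEVCAP_UNIQUEID capability) can be run in one pass before registering devices. The script below is an added example, not part of the JP1/IT Desktop Management manual or product; it assumes Windows 8 / Windows Server 2012 or later (PnpDevice module) and an elevated session, and all function and variable names are its own.

```powershell
# Added example (not the product's code): inventory present storage devices whose device
# setup class is one of the three classes the manual lists as deterrence targets, and
# report whether each has a unique device instance ID (CM_DEVCAP_UNIQUEID), which decides
# whether it could be allowed per device or only per product.
# Assumes Windows 8 / Windows Server 2012 or later and an elevated PowerShell session.

# ClassGuid values from the manual's device setup class table, stored without braces so
# they compare equally whether the OS reports the GUID as a string or a [guid].
$script:TargetClassGuids = @{
    '4d36e965-e325-11ce-bfc1-08002be10318' = 'CD-ROM'
    '4d36e967-e325-11ce-bfc1-08002be10318' = 'Disk Drive'
    '4d36e980-e325-11ce-bfc1-08002be10318' = 'Floppy Disk'
}

# Bit of DEVPKEY_Device_Capabilities that Device Manager labels CM_DEVCAP_UNIQUEID (cfgmgr32.h).
$script:CM_DEVCAP_UNIQUEID = [uint32]0x10

function Get-DevPropertyData {
    param([string]$InstanceId, [string]$KeyName)
    # Returns $null instead of throwing when a device does not expose the requested key.
    $p = Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $KeyName -ErrorAction SilentlyContinue
    if ($p) { return $p.Data } else { return $null }
}

function Get-DeterrenceTargetReport {
    Get-PnpDevice -PresentOnly -ErrorAction Stop |
        Where-Object {
            $TargetClassGuids.ContainsKey((([string]$_.ClassGuid) -replace '[{}]', '').ToLowerInvariant())
        } |
        ForEach-Object {
            $guidKey = (([string]$_.ClassGuid) -replace '[{}]', '').ToLowerInvariant()
            $caps    = Get-DevPropertyData -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Capabilities'
            $parent  = Get-DevPropertyData -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Parent'
            $parentName = $null
            if ($parent) {
                # For a USB connected drive the parent is the node shown as 'USB Mass Storage Device'.
                $parentName = (Get-PnpDevice -InstanceId $parent -ErrorAction SilentlyContinue).FriendlyName
            }
            # The enumerator prefix of the instance ID shows which bus exposes the drive
            # (USBSTOR = USB connected, SBP2 = IEEE1394); the manual restricts these separately.
            $bus    = ($_.InstanceId -split '\\')[0]
            $unique = ($null -ne $caps) -and ((([uint32]$caps) -band $CM_DEVCAP_UNIQUEID) -ne 0)
            [pscustomobject]@{
                SetupClass     = $TargetClassGuids[$guidKey]
                FriendlyName   = $_.FriendlyName
                Bus            = $bus
                ParentFunction = $parentName
                UniqueId       = $unique
                AllowMode      = $(if ($unique) { 'per device' } else { 'per product (ID prefix match)' })
                InstanceId     = $_.InstanceId
            }
        }
}

Get-DeterrenceTargetReport | Sort-Object Bus, SetupClass | Format-Table -AutoSize
```

Devices that show UniqueId = False are the ones the manual says will be registered per product, so expect one registration to cover every unit of that model.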
- Important note
Use a computer managed online to register USB devices to be allowed for use. Note that even if the asset information about USB devices is directly registered in the Hardware Assets view of the Assets module, the use of those registered devices will not be allowed.
- Important note
If you have registered a USB device to be allowed for each product, another device of the same product is treated as the same hardware asset when it is registered. Therefore, if the use of USB devices is restricted in a security policy, the use of USB devices is allowed for individual products.
- Important note
When a device has multiple ways of connecting to a computer (for example, connecting interfaces and modes), the device might be identified differently depending on the connection method.
- Important note
To allow the use of a USB device that connects to a computer via multiple devices, you must allow the use of all the devices on the connection path.
- Important note
When you connect a device with no device instance ID to a computer, the OS generates an arbitrary device instance ID. The device instance ID for such a device changes depending on the connecting computer or port, so the use of the device might not be allowed.
- Tip
If you connect a USB device that has already been registered and is individually identified to a computer managed offline, information about the files stored in the USB device is collected. The collected information is displayed on the Title File List tab of the Hardware Assets view (of the Assets module). Note that the Title File List tab is displayed only when the Device Type is USB Device. However, the file information is not collected if the USB device is identified for each product and allocated to the storage pool when the computer OS is Windows 8 or Windows Server 2012.
(3) Notes on when prohibited operations are restricted
The following are notes on individual restriction targets when you set a policy for prohibited operations in a security policy.
(4) Notes on restricting startup of software
- The total number of characters in the file name and folder name of the software program to be restricted must be less than 260.
- If a software program finishes its processing immediately after it starts up, startup of the program might not be blocked because it might finish before it is blocked.
- If the same software program is restricted by JP1/IT Desktop Management and another program, that software program might not be restricted by JP1/IT Desktop Management.
- If a target program starts during the approved time and then the system time of the device is changed, the program might not be blocked even outside the approved time.
- If version information for the executable file of the target program is corrupted or inconsistent, the program might not be blocked even if the Original File Name setting in Windows Explorer matches the File Name setting for the program.
- If startup of a program is repeatedly restricted during a short period of time, the OS might display the message below. In this case, the user must terminate the program as instructed by the message, and then restart the OS.
The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.
(5) Notes on restricting printing
- In the properties for each printer, Print and Manage Documents must be allowed for all logged on users.
- For a network shared printer, name resolution for the device on which a print operation is performed must be possible on the device running as the printer server.
- For a network shared printer, on the device running as the printer server, Manage Documents must be allowed on the Security tab in the printer's Properties dialog box.
- For a network shared printer or a printer connected to another computer, on the Exceptions tab (under Allow a program through Windows Firewall of Windows Firewall) in the Control Panel, File and Printer Sharing must be allowed.
- For a network shared printer or a printer connected to another computer, WMI that supports the Win32_PrintJob class must be running on the deterrence-target computer.
- When printing is restricted by Hibun, printing cannot be restricted by JP1/IT Desktop Management.
- When printing is restricted on both a computer and the printer server in an environment where a network printer is used, printing is not allowed even if the restriction is cancelled only on the computer. In this case, operation logs are collected for print operations on the computer.
- If test printing is performed when a printer driver is installed, the printing might not be restricted.
- If printing is performed immediately after you log on to the OS, the printing might not be restricted.
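Three of the prerequisites above (Win32_PrintJob reachable through WMI, File and Printer Sharing allowed through Windows Firewall, and name resolution of the print server for each shared printer connection) can be verified on a deterrence-target computer before the policy is assigned. The script below is an added example, not part of the manual or product; it assumes Windows 8 / Windows Server 2012 or later (PrintManagement, NetSecurity and DnsClient modules), and its function name is its own.

```powershell
# Added example (not the product's code): pre-flight check of print-restriction
# prerequisites on the computer the policy will be assigned to.
# Assumes Windows 8 / Windows Server 2012 or later. Returns one row per check.

function Test-PrintRestrictionPrereqs {
    $results = @()

    # 1. WMI/CIM must expose the Win32_PrintJob class (required for network printers).
    $wmiOk = $true
    try { $null = Get-CimInstance -ClassName Win32_PrintJob -ErrorAction Stop }
    catch { $wmiOk = $false }
    $results += [pscustomobject]@{
        Check = 'WMI Win32_PrintJob queryable'; Target = $env:COMPUTERNAME; Pass = $wmiOk
    }

    # 2. File and Printer Sharing must be allowed through Windows Firewall
    #    (at least one rule of the group enabled).
    $fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
    $fpsOk = @($fpsRules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
    $results += [pscustomobject]@{
        Check = 'File and Printer Sharing firewall group enabled'; Target = $env:COMPUTERNAME; Pass = $fpsOk
    }

    # 3. For every printer connection (\\server\share) the print server's name must resolve.
    $connections = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'Connection' }
    foreach ($printer in $connections) {
        $server = ($printer.Name -split '\\')[2]   # '\\server\share' -> 'server'
        $dnsOk = $false
        if ($server) {
            try { $null = Resolve-DnsName -Name $server -ErrorAction Stop; $dnsOk = $true }
            catch { $dnsOk = $false }
        }
        $results += [pscustomobject]@{
            Check = 'Print server name resolves'; Target = $printer.Name; Pass = $dnsOk
        }
    }
    return $results
}

Test-PrintRestrictionPrereqs | Format-Table -AutoSize
```

The remaining prerequisites (Print and Manage Documents permissions on each printer and on the print server) still have to be confirmed in the printer's Security tab as the notes describe.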
(6) Notes on restricting the use of external media
- JP1/IT Desktop Management controls devices according to Windows rules, so it cannot control devices that do not comply with Windows rules. We recommend that you check in advance whether the target device can be controlled. For the specifications of a device, contact the manufacturer.
- A device might not be identified depending on the OS running on the computer the device is connected to. Therefore, we recommend that you check in advance whether the device can be properly controlled by the OS.
- How Windows identifies devices cannot be judged only by the device configuration and the product name. Check the properties in the Windows Device Manager.
- The use of a USB device might be restricted even when USB Mass Storage Device is not displayed for Device Functions on the Hardware tab of the device properties. In that case, configure the settings so that the use of the USB device is allowed, by excluding the computer from the deterrence targets or by registering the restricted USB device.
- If AutoPlay has been disabled for CDs and DVDs in the Windows settings, writing to a USB connected CD/DVD drive might not be restricted when you try to restrict only writing to USB devices.
- When the computer OS is Windows 2000, operations on USB connected FD drives might not be restricted when Allow registered USB device usage is selected in a security policy.
- When the computer OS is Windows 2000, operations on USB connected FD drives and USB connected hard disks that were connected before you log in to the system might not be restricted when Allow registered USB device usage is selected in a security policy.
- When the computer OS is Windows Server 2003, Windows XP, or Windows 2000, if you restrict operations on an internal FD drive, the drive is treated as if it does not exist. Therefore, device information about internal FD drives cannot be collected from computers on which operations on internal FD drives are restricted.
- When you restrict the use of USB connection link cables, configure the restriction settings according to the type of USB device recognized by the OS. However, for some devices the use of USB connection link cables might not be restrictable.
- When you connect a deterrence-target USB device to a computer, AutoPlay might fail even if it has been enabled for USB devices, and an error message might be displayed.
- When you have restricted the use of USB connection media, even if collection of operation logs is enabled, it might not be possible to collect operation logs for operations on files in the USB connection media.
- An OS error message might be displayed in the following cases:
  - When the computer OS is Windows 2000 and a deterrence-target USB device for which no device driver has been installed is connected.
  - While a USB device is being operated on, a security policy that restricts operations on that USB device is applied.
- When you restrict the use of internal SD card slots, the restriction is enabled when the computer restarts after the security policy is applied.
- For a device such as an MO drive or card reader, if no media is inserted when the use of the device is restricted, the drive type and drive name are not collected into deterrence logs. Also, for a device such as a CD/DVD drive or FD drive, the drive type and drive name are not collected into deterrence logs.
- When the computer OS is Windows Server 2003 or Windows XP, if you deselect the Enable CD recording on this drive check box on the Recording tab of the CD/DVD drive's Properties window, writing to an internal CD/DVD cannot be restricted. Note that when you write to a DVD-RAM, writing cannot be restricted because, in that case, the Enable CD recording on this drive check box must be deselected.
- The use of devices that were connected before the security policy that sets restrictions was applied cannot be restricted. In such a case, temporarily remove the device, and then re-connect it. The restriction will then be enabled.
- When the computer OS is Windows Server 2012, Windows Server 2008, Windows 8, Windows 7, or Windows Vista, if restrictions on the use of external media are set in a security policy, the restrictions are enabled after the computer restarts.
- This product's restriction function cannot be used concurrently with the restriction functions of other products (for example, when a Windows group policy or Active Directory policy is applied). If operations on devices are restricted by this product together with other products, the settings of each product might not be properly applied.
- Restrictions on the use of external media will not be cancelled even if the service that executes the restriction function is stopped. To cancel the restriction on the use of external media, cancel the restriction in the security policy, or uninstall the agent.
- If you restrict the use of external media and then cancel the restriction, you must re-install device drivers on individual computers or take other actions so that the device drivers operate properly.
- If Restrict reading/writing is enabled for USB devices in a security policy, restriction on USB devices is temporarily disabled on a computer while the USB Device Registration dialog box is displayed on that computer.
- The list of files storing USB device information cannot be acquired for the devices restricted by Restrict reading/writing for USB devices in the security policy.
- When Restrict reading/writing is enabled for USB devices in a security policy, AutoPlay of removable drives and fixed drives is disabled. Even if Restrict reading/writing is later disabled for USB devices or the agent is uninstalled while AutoPlay is disabled, AutoPlay remains disabled.