2.9.5 Restricting prohibited operations
You can set a security policy so that some computer operations will be restricted. By doing so, you can prevent information leakage.
Important:
The restriction of prohibited operations is not available for API-controlled devices.
Restricting printing
You can restrict print operations. This helps prevent information intended for internal use only from being taken out in printed form.
You can set a password that permits printing. This lets you limit print operations to the users to whom you disclose the password.
Important:
You cannot restrict output to a printer connected via the Internet. You cannot restrict output to a local printer when using a File port or a LAN Manager port. Also, you might not be able to restrict output to a Windows network shared printer.
When the printing function is used to output a file such as a PDF file, the file might be output even if a message indicating that printing is restricted appears on the user's computer.
Suppression of Device Usage
You can restrict usage of a device. This prevents information from being taken out via the device. Use of the following devices can be restricted:
- USB devices (normal USB devices)
- USB devices (USB devices that are recognized as UASP-enabled devices in Windows 8 and later)
- Built-in CD/DVD drives
- Built-in FD drives
- IEEE1394 devices
- Built-in SD cards
- Bluetooth devices
- Imaging devices
- Windows portable devices
You can display a message on the user's computer indicating that use of a device is restricted.
If you restrict the use of USB devices, you can permit the use of some registered USB devices, or limit the assets that can use a USB device based on department, location, or associated asset. You can also create a list of the files stored on the USB devices.
In addition, you can restrict only the write operation to the following devices:
- Removable disks
- CD/DVD drives
- FD drives
Write-only restrictions can only be applied to permitted devices.
Tip:
The write restrictions take effect after the computer to which the security policy is assigned restarts. After a security policy is applied to a computer, balloon tips appear regularly, prompting the user to restart the computer. Whether balloon tips are displayed depends on the setting in the User notification settings view of the agent configuration.
Restricting startup of software programs
You can block the startup of software programs that might cause information leakage (for example, file sharing software or messenger software).
You can block the startup of software programs with the following extensions:
- exe
- com
- scr
Note that if the combined string of the folder name and the execution file name is 260 or more characters, startup of the software program cannot be blocked.
Important:
If a software program finishes its processing immediately after it starts up, startup of the program might not be blocked because it might finish before it is blocked.
Important:
Do not block startup of the execution files related to the OS and JP1/IT Desktop Management 2. If you block startup of such execution files, the OS or JP1/IT Desktop Management 2 might not operate properly.
Important:
If 16-bit software is used, you cannot block the startup of the software program.
Important:
If an agent's OS is Windows 7, suppression of device usage, printing restriction, and collection of operation logs cannot be performed in Windows XP Mode.
(1) Devices whose use can be restricted
By setting prohibited operations in a security policy, you can restrict the use of devices on an agent-installed computer.
The following table shows the devices whose use can be restricted, and the conditions for the deterrence targets.
Tip:
Devices that a user accessed before the security policy settings took effect are not subject to the restriction.
Devices that can be restricted | Condition for the deterrence targets#1#6
---|---
USB devices (normal USB devices) | Devices to which data can be stored via USB connection#2. When connected, the device must satisfy two conditions: it is displayed under Disk drives, DVD/CD-ROM drives, or Floppy disk drives in the Device Manager window, and its enumerator is USBSTOR.
USB devices (USB devices that are recognized as UASP-enabled devices in Windows 8 and later) | Devices to which data can be stored via USB connection#2. The target devices must satisfy the following two conditions when connected:
Built-in CD/DVD drives | CD/DVD drives built into the computer. These drives are displayed under DVD/CD-ROM drives in Device by type in the Device Manager window. The enumerator of the DVD/CD-ROM drive must be IDE or SCSI.
Built-in FD drives | FD drives built into the computer. These drives are displayed under Floppy disk drives in Device by type in the Device Manager window. The enumerator of the floppy disk drive must be FDC.
IEEE1394 devices | Devices connected to the computer via IEEE1394#3. These drives are displayed under Disk drives in Device by type in the Device Manager window. The enumerator of the disk drive must be SBP2.
Built-in SD cards | SD cards connected to the computer via a built-in SD card slot#3. A device other than an SD card connected via the SD card slot might be regarded as a built-in SD card and subject to restriction. These drives are displayed under Disk drives in Device by type in the Device Manager window. The enumerator of the disk drive must be SD, RIMMPTSK, or PCISTOR. Note that an SD card slot that is built into the computer but uses a USB controller might not be regarded as a built-in SD card.
Bluetooth devices | Bluetooth devices connected to the computer via USB. These devices are displayed under Bluetooth in Device by type in the Device Manager window. The enumerator of the Bluetooth device must be USB, and the class of the device must be BTW or BTM.
Imaging devices | Imaging devices connected to the computer via USB#4. These devices are displayed under Imaging Devices in Device by type in the Device Manager window. The enumerator must be USB.
Windows portable devices | Windows portable devices connected to the computer#5. These devices are displayed under Portable Devices in Device by type in the Device Manager window.
#1: The displayed items might differ depending on the OS settings and other configurations.
#2: The target devices are devices that have one of the following device setup classes:
Class | ClassGuid
---|---
CDROM | {4d36e965-e325-11ce-bfc1-08002be10318}
DiskDrive | {4d36e967-e325-11ce-bfc1-08002be10318}
FloppyDisk | {4d36e980-e325-11ce-bfc1-08002be10318}
In Windows 7, the Class and ClassGuid device setup classes are the text strings displayed when you open the properties of the device from the Device Manager window, click the Details tab, and select Device class or Device class guid from the pull-down menu.
If you cannot find the Class and ClassGuid device setup classes, ask the developer of the device.
#3: The target devices are devices that have one of the following device setup classes:
Class | ClassGuid
---|---
DiskDrive | {4d36e967-e325-11ce-bfc1-08002be10318}
In Windows 7, the Class and ClassGuid device setup classes are the text strings displayed when you open the properties of the device from the Device Manager window, click the Details tab, and select Device class or Device class guid from the pull-down menu.
If you cannot find the Class and ClassGuid device setup classes, ask the developer of the device.
#4: The target devices are devices that have one of the following device setup classes:
Class | ClassGuid
---|---
Image | {6bdd1fc6-810f-11d0-bec7-08002be2092f}
In Windows 7, the Class and ClassGuid device setup classes are the text strings displayed when you open the properties of the device from the Device Manager window, click the Details tab, and select Device class or Device class guid from the pull-down menu.
If you cannot find the Class and ClassGuid device setup classes, ask the developer of the device.
#5: The target devices are devices that have one of the following device setup classes:
Class | ClassGuid
---|---
WPD | {eec5ad98-8080-425f-922a-dabf3de3f69a}
In Windows 7, the Class and ClassGuid device setup classes are the text strings displayed when you open the properties of the device from the Device Manager window, click the Details tab, and select Device class or Device class guid from the pull-down menu.
If you cannot find the Class and ClassGuid device setup classes, ask the developer of the device.
#6: Regardless of the device's outer shape, whether a device is restricted is judged by whether the device, as recognized by Windows, matches the condition.
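The table and its footnotes describe how a device is matched: by its device setup class GUID and by the enumerator name Windows assigns to it. The following PowerShell script is an added example, not part of the JP1/IT Desktop Management 2 manual or product, that enumerates the devices present on a computer and reports which category from the table each would fall into, so an administrator can check a device before relying on a policy (the manual itself recommends checking Device Manager properties in advance). It uses the standard PnpDevice cmdlets (Windows 8 / Windows Server 2012 or later); the category names and the Bluetooth class list (which also takes the Class value Bluetooth from the Bluetooth note later in this subsection) are this example's own.

```powershell
# Added example, not part of the JP1/IT Desktop Management 2 manual.
# Enumerates present Plug and Play devices and reports the category from the
# table above that each one would fall into, using the device setup class GUID
# and enumerator name conditions quoted there. Requires the PnpDevice module
# (Windows 8 / Windows Server 2012 or later).

# Device setup class GUIDs as listed in footnotes #2 to #5 (lower case, no braces).
$ClassGuid = @{
    CDROM      = '4d36e965-e325-11ce-bfc1-08002be10318'
    DiskDrive  = '4d36e967-e325-11ce-bfc1-08002be10318'
    FloppyDisk = '4d36e980-e325-11ce-bfc1-08002be10318'
    Image      = '6bdd1fc6-810f-11d0-bec7-08002be2092f'
    WPD        = 'eec5ad98-8080-425f-922a-dabf3de3f69a'
}

function Get-RestrictionCategory {
    # Maps one device's class GUID, enumerator name and class name to a category
    # from the table; returns $null when the device matches no condition.
    param([string]$Guid, [string]$Enumerator, [string]$Class)
    $g = $Guid.Trim('{}').ToLowerInvariant()
    $isStorage = $g -in @($ClassGuid.CDROM, $ClassGuid.DiskDrive, $ClassGuid.FloppyDisk)

    if ($isStorage -and $Enumerator -eq 'USBSTOR')                        { return 'USB device (normal)' }
    if ($g -eq $ClassGuid.CDROM -and $Enumerator -in 'IDE','SCSI')          { return 'Built-in CD/DVD drive' }
    if ($g -eq $ClassGuid.FloppyDisk -and $Enumerator -eq 'FDC')            { return 'Built-in FD drive' }
    if ($g -eq $ClassGuid.DiskDrive -and $Enumerator -eq 'SBP2')            { return 'IEEE1394 device' }
    if ($g -eq $ClassGuid.DiskDrive -and $Enumerator -in 'SD','RIMMPTSK','PCISTOR') { return 'Built-in SD card' }
    if ($Class -in 'Bluetooth','BTW','BTM' -and $Enumerator -eq 'USB')      { return 'Bluetooth device' }
    if ($g -eq $ClassGuid.Image -and $Enumerator -eq 'USB')                 { return 'Imaging device' }
    if ($g -eq $ClassGuid.WPD)                                              { return 'Windows portable device' }
    return $null
}

function Get-RestrictableDevices {
    # Queries each present device for its class GUID and enumerator name and
    # emits one record per device that matches a table condition.
    Get-PnpDevice -PresentOnly | ForEach-Object {
        $dev  = $_
        $guid = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_ClassGuid' -ErrorAction SilentlyContinue).Data
        $enum = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_EnumeratorName' -ErrorAction SilentlyContinue).Data
        $cat  = Get-RestrictionCategory -Guid "$guid" -Enumerator "$enum" -Class "$($dev.Class)"
        if ($cat) {
            [pscustomobject]@{
                Category   = $cat
                Name       = $dev.FriendlyName
                Class      = $dev.Class
                Enumerator = $enum
                InstanceId = $dev.InstanceId
            }
        }
    }
}

Get-RestrictableDevices | Sort-Object Category, Name | Format-Table -AutoSize
```

A device that appears in this output under a category other than the one its packaging suggests (for example, a card reader reported as a normal USB storage device rather than a built-in SD card) is exactly the case footnote #6 warns about: the policy acts on what Windows reports, not on the physical form of the device.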
(2) Devices on which only the write operations can be restricted
In the prohibited operation settings of the security policy, you can restrict only write operations on an agent-installed computer. You must restart the computer after you change the write restriction security policy.
The following table shows the devices on which only write operations can be restricted, the relevant device type, and the conditions for the deterrence targets.
Device | Example applicable device#1 | Condition for the deterrence targets#2
---|---|---
Removable disk | | The target drives include a drive whose drive type is displayed as Removable Disk in Windows Explorer, and a drive whose drive type is displayed as Local Disk when connected via USB or IEEE1394. The target includes both built-in drives and USB- or IEEE1394-connected drives.
CD/DVD drive | | The target drives are drives that are displayed under DVD/CD-ROM drives in Device by type in the Device Manager window. The target includes both built-in drives and USB-connected drives.
FD drive | | The target drives are drives that are displayed under Floppy disk drives in Device by type in the Device Manager window. The target includes both built-in drives and USB-connected drives.
#1: If an applicable device is recognized by the OS as a different device, the device is treated according to the OS recognition and is not subject to the write-operation restriction.
#2: The displayed items may vary depending on the OS settings or other configurations.
Tip:
- Write operations to DVD-RAM might not be restricted.
- If a tool tries to access a device under write-operation restriction, the tool might encounter an error, or an event or error dialog box might appear.
- If write-operation restriction is enforced, some devices, including encryption-supported USB devices, might not start or be usable.
- The CD/DVD write restriction might not suppress writes to CD/DVD performed by third-party software. To prevent file transfers by such software, use the Blocking startup of software feature of the prohibited-operation suppression function to block startup of the third-party software.
- Devices on which write operations can be restricted differ depending on the OS. The following table shows the relationship between the restricted devices and the OSs.
Device | Windows 8.1, Windows 8 (no edition) | Windows 10, Windows 8.1, Windows 8 (Pro, Enterprise) | Windows Server 2019, Windows Server 2016, Windows Server 2012 | Windows 7, Windows Server 2008, Windows Vista | Windows Server 2003 | Windows XP (Service Pack 2 or later)
---|---|---|---|---|---|---
Removable disk | N | Y#1, #2 | Y#1, #2 | Y#1 | N | S#4
CD/DVD drive | N | Y#1, #2 | Y#1, #2 | Y#1 | S#3 | S#3
FD drive | N | Y#1, #2 | Y#1, #2 | Y#1 | N | N
Legend: Y: Can be restricted. S: Some devices might not be restricted. N: Cannot be restricted.
#1: The Windows service Portable Device Enumerator Service must be set to Manual or Automatic.
#2: Write operations are not restricted if a USB device is assigned to a memory pool.
#3: Whether the write operation can be restricted depends on the writing software. Only software programs that support Windows IMAPI are subject to restriction.
#4: USB devices, including USB-connected hard disks, CD/DVD drives, and FD drives, can be restricted.
When the use of USB devices is restricted
If write restriction for CD/DVD drives, FD drives, or removable disks is set on a computer that restricts the use of USB devices, the enabled restriction item and the behavior of JP1/IT Desktop Management 2 vary depending on the registration status of the connected device. The following table describes the details.
Behavior when USB-connected hard disks, CD/DVD drives, or FD drives are connected to a computer that is set to restrict the use of USB devices:
Restriction item | Registration status of a connected device (USB device) | Behavior of JP1/IT Desktop Management 2
---|---|---
Write restriction of CD/DVD drive, removable disk, or FD drive | Not registered | Read and write operations are restricted (a restriction event is sent, and a restriction message is displayed).
Write restriction of CD/DVD drive, removable disk, or FD drive | Registered | Write operation is restricted.
(3) Types of USB devices that can be allowed for use
When the use of USB devices has been restricted by the setting of prohibited operations in a security policy, you can configure the settings so that only USB devices registered as hardware assets are allowed for use.
Tip:
The device instance ID (which is acquired when a USB device is registered) is used to identify a USB device. The device instance ID is an ID set for a USB device. Some USB devices have unique IDs that can be identified individually, and other USB devices have IDs that change depending on the connecting port or environment.
You can allow the use of the following two types of USB devices:
USB devices that can be allowed for individual devices
USB devices that have unique device instance IDs can be allowed for use as individual devices.
Note that when you display the Details tab of the device properties (from the Windows Device Manager) and select Capabilities from the pull-down menu, a USB device that has a unique ID shows CM_DEVCAP_UNIQUEID among its capabilities.
USB devices that can be allowed for individual products
USB devices whose device instance IDs change depending on the connecting port or environment can be registered and allowed for use per product. For example, if you have multiple USB memory devices of the same model from the same manufacturer, and the device instance IDs for those devices are not unique, registering one of them allows the use of all of them.
A USB device whose device instance ID may change is identified based on part of the ID. If the beginning of the device instance ID of a USB device matches the registered device instance ID (which was specified when another USB device was registered), the two devices are regarded as the same product. Note that for a USB device that can be allowed for use per product, a message is displayed when the USB device is registered.
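The distinction above rests on whether Windows reports the CM_DEVCAP_UNIQUEID capability for a device, and on matching either the whole instance ID or only its leading part. The following PowerShell script is an added example, not part of the manual or of the product: it lists the connected USB devices with their device instance ID and the unique-ID flag, and applies an exact match for individually registered devices and a prefix match for product-level entries. The two registered IDs and the prefix chosen for the product entry are constructed placeholders; how the product itself stores and compares registered IDs is not described here beyond what the manual states.

```powershell
# Added example, not part of the JP1/IT Desktop Management 2 manual.
# Lists connected USB devices with their device instance ID and whether Windows
# reports the CM_DEVCAP_UNIQUEID capability for them, then shows how an
# individual (exact) match and a product-level (prefix) match differ.
# Requires the PnpDevice module (Windows 8 / Windows Server 2012 or later).

# CM_DEVCAP_UNIQUEID bit of DEVPKEY_Device_Capabilities (cfgmgr32.h).
$CM_DEVCAP_UNIQUEID = 0x10

function Get-UsbDeviceIdentity {
    # One record per present device whose instance ID sits under the USB enumerator.
    Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB\*' } | ForEach-Object {
        $caps = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Capabilities' -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            Name       = $_.FriendlyName
            InstanceId = $_.InstanceId
            # True: Windows treats the ID as unique, so the device can be allowed individually.
            UniqueId   = [bool]([int]$caps -band $CM_DEVCAP_UNIQUEID)
        }
    }
}

# Constructed registration list (placeholders, not real assets):
#  - an individually identified device, stored as its full instance ID
#  - a product-level entry, stored as the leading part of the ID shared by all units
$RegisteredIndividual = @('USB\VID_0000&PID_0001\SERIAL0123456789')
$RegisteredProduct    = @('USB\VID_0000&PID_0002\')

function Test-AllowedUsbDevice {
    # Decides whether one instance ID would be allowed under the constructed list.
    param([string]$InstanceId)
    if ($RegisteredIndividual -contains $InstanceId) { return 'allowed (individual device)' }
    foreach ($prefix in $RegisteredProduct) {
        if ($InstanceId.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return 'allowed (product)'
        }
    }
    return 'restricted'
}

Get-UsbDeviceIdentity |
    Select-Object Name, InstanceId, UniqueId, @{ n = 'Decision'; e = { Test-AllowedUsbDevice $_.InstanceId } } |
    Format-Table -AutoSize
```

A device without the unique-ID flag typically shows an OS-generated instance part after the VID/PID prefix that differs from port to port, which is why only the leading part of the ID can be used for such devices and why every unit of the same product then matches the one registration.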
You can use the following conditions to limit the assets that can use a USB device, based on the hardware asset information items of the USB device:
- The department of the asset is the same as the department of the USB device.
- The location of the asset is the same as the location of the USB device.
- The asset is associated with the USB device.
With these conditions configured, you can specify the USB devices allowed for use for each department, location, or asset (device).
Important:
Use a computer managed online to register USB devices to be allowed for use.
Important:
If you have registered a USB device to be allowed per product, another device of the same product is treated as the same hardware asset when it is registered. Therefore, if the use of USB devices is restricted in a security policy, the use of USB devices is allowed per product.
Important:
When a device has multiple ways of connecting to a computer (for example, connecting interfaces and modes), the device might be identified differently depending on the connection method.
Important:
To allow the use of a USB device that connects to a computer via multiple devices, you must allow the use of all the devices on the connection path.
Important:
When you connect a device with no device instance ID to a computer, the OS generates an arbitrary device instance ID. The device instance ID for such a device changes depending on the connecting computer or port, so the use of the device might not be allowed.
Tip:
If you connect a USB device that has already been registered and is individually identified to a computer managed offline, information about the files stored on the USB device is collected. The collected information is displayed on the Title File List tab of the Hardware Assets view (of the Assets module). Note that the Title File List tab is displayed only when the Device Type is USB Device. However, if acquisition of a list of files is prohibited by the security policy, Title File List displays a message that a file list cannot be acquired.
(4) Notes on when prohibited operations are restricted
The following are notes on individual restriction targets when you set a policy for prohibited operations in a security policy.
(5) Notes on restricting startup of software
- The total number of characters in the file name and folder name of the software program to be restricted must be less than 260.
- If a software program finishes its processing immediately after it starts up, startup of the program might not be blocked because it might finish before it is blocked.
- If the same software program is restricted by both JP1/IT Desktop Management 2 and another program, that software program might not be restricted by JP1/IT Desktop Management 2.
- If a target program starts during the approved time and then the system time of the device is changed, the program might not be blocked even outside the approved time.
- If a program is started during an approved time set for it, and the computer goes into a sleep or hibernation state, the program is not restricted after the approved time has passed. The program is restricted a while after the computer wakes from the sleep or hibernation state.
- If the version information of the executable file of the target program is corrupted or inconsistent, the program might not be blocked even if the Original File Name setting in Windows Explorer matches the File Name setting for the program.
- If startup of a program is repeatedly restricted within a short period of time, the OS might display the message below. In this case, the user must terminate the program as instructed by the message, and then restart the OS.
  The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.
- The startup of other programs that share the specified process might be restricted.
(6) Notes on restricting printing
- The table below shows the printers for which printing can be restricted.
Printer type | Printing restriction
---|---
Local printer | Y
Network shared printer | Y
Internet printer | N
Virtual printer | Y
Legend:
Y: Printing can be restricted for this type of printer.
N: Printing cannot be restricted for this type of printer.
- In the properties for each printer, Print and Manage Documents must be allowed for all logged-on users.
- When printing is restricted by Hibun, printing cannot be restricted by JP1/IT Desktop Management 2.
- If printing is performed immediately after a printer is added, the printing might not be restricted.
- If printing is performed immediately after you log on to the OS, the printing might not be restricted.
- If a print job finishes before the print operation is notified to the agent, the printing cannot be restricted.
- Depending on the printer, multiple printing restriction logs might be collected for a single print operation.
The following additional notes apply to network shared printers.
- The table below shows the supported combinations of agent and print server.
Agent | Print server | Printing restriction
---|---|---
Windows 7 or later | Windows XP/2003 | N
Windows 7 or later | Windows Vista or later | Y
Any | Others | N
Legend:
Y: Printing can be restricted for this combination.
N: Printing cannot be restricted for this combination.
- RPC communication must be possible between the print server and the agent PC. If RPC communication is not possible, the problem might be caused by one of the following:
  - The print server is based on the Internet Printing Protocol (IPP).
  - A firewall, proxy, or NAT is present between the print server and the agent PC.
  - The agent PC's Windows firewall is enabled and File and Printer Sharing is not added to the Exceptions.
- File and Printer Sharing for Microsoft Networks must be enabled on the agent PC.
- The print server must be able to resolve the name of the agent PC.
- If the agent PC is Windows 7 or later, the agent PC and the print server must be joined to the same domain, or the credential of the print server must be registered in the Credential Manager of the agent PC. The agent PC must be rebooted after the credential is registered.
- If IPv6 is enabled and rendering of print jobs does not work on the client computer, the printing might not be restricted. For print jobs to be rendered on the client computer, the following settings are required:
  - Render print jobs on client computers is enabled.
  - Enable advanced printing features is enabled.
- With Citrix XenApp and Microsoft RDS servers, the printing restriction can only be canceled from a console session. This means that you cannot cancel the printing restriction by entering your password even when the Password Protected option is enabled.
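Several of the network shared printer prerequisites above can be verified from the agent PC before a printing restriction is rolled out. The following PowerShell script is an added example, not part of the manual or of the product, that checks RPC and SMB reachability of the print server, the File and Printer Sharing firewall exception, the File and Printer Sharing for Microsoft Networks binding, domain membership, and whether the server's printers render on the client (the RenderingMode value CSR reported by Get-Printer in the PrintManagement module). $PrintServer is a placeholder name. The remaining condition, that the print server can resolve the agent's name, must be checked from the server side and is not covered here.

```powershell
# Added example, not part of the JP1/IT Desktop Management 2 manual.
# Pre-flight checks, run on the agent PC, for the network shared printer
# prerequisites listed above. Requires the NetTCPIP, NetSecurity, NetAdapter
# and PrintManagement modules (Windows 8 / Windows Server 2012 or later).

$PrintServer = 'PRINTSRV01'   # placeholder; replace with your print server name

function Test-PrintRestrictionPrereqs {
    param([Parameter(Mandatory)][string]$Server)
    $r = [ordered]@{ PrintServer = $Server }

    # RPC endpoint mapper (TCP 135) and SMB (TCP 445) must be reachable from the agent.
    $r.RpcReachable = Test-NetConnection -ComputerName $Server -Port 135 -InformationLevel Quiet
    $r.SmbReachable = Test-NetConnection -ComputerName $Server -Port 445 -InformationLevel Quiet

    # If the Windows firewall is on, "File and Printer Sharing" must be an enabled inbound exception.
    $profiles = Get-NetFirewallProfile
    $r.FirewallOn = [bool]($profiles | Where-Object { $_.Enabled -eq 'True' })
    $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue
    $r.FpsExceptionEnabled = [bool]($fps | Where-Object { $_.Enabled -eq 'True' })

    # "File and Printer Sharing for Microsoft Networks" (component ms_server) must be bound on an adapter.
    $bind = Get-NetAdapterBinding -ComponentID 'ms_server' -ErrorAction SilentlyContinue
    $r.MsServerBindingEnabled = [bool]($bind | Where-Object { $_.Enabled })

    # Windows 7 or later: same domain as the print server, or a stored credential, is required.
    $r.DomainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Printer connections from this server, and how many of them render on the client (CSR).
    $printers = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.ComputerName -eq $Server }
    $r.ServerPrinters         = @($printers).Count
    $r.ClientRenderedPrinters = @($printers | Where-Object { $_.RenderingMode -eq 'CSR' }).Count

    [pscustomobject]$r
}

Test-PrintRestrictionPrereqs -Server $PrintServer | Format-List
```

A result with FirewallOn set and FpsExceptionEnabled cleared, or with MsServerBindingEnabled cleared, points at the RPC failure causes the manual lists; ServerPrinters greater than ClientRenderedPrinters indicates printers whose rendering setting should be reviewed if the restriction is not applied on an IPv6-enabled client.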
(7) Notes on restricting the use of devices
- JP1/IT Desktop Management 2 controls devices according to Windows rules (it cannot control devices that do not comply with Windows rules). We recommend that you check in advance whether the target device can be controlled. For the specifications of a device, contact the manufacturer.
- A device might not be identified, depending on the OS running on the computer to which the device is connected. Therefore, we recommend that you check in advance whether the OS being used can properly control the device.
- How Windows identifies a device cannot be judged from the device configuration and product name alone. Check the properties in the Windows Device Manager.
- Use of a device might not be restricted in the following case, despite the specified security policy:
  - When the device is connected to the computer before the JP1/IT Desktop Management 2 process starts (for example, immediately after the computer has started).
- The device restriction feature cannot be used together with other products that restrict the use of devices, for example, Windows group policy or Active Directory policy. If you use the device restriction feature with other device-restricting products, the settings in each product might not work properly.
- The computer must be restarted in the following cases:
  - When you want to restrict the use of a device that was connected to the computer before the security policy was applied, and the device is not a USB device.
  - When you want to restrict the use of a working device, and the device is not a USB device.
  - When you want to allow the use of a device whose use was restricted by the previous security policy but the restriction was removed by the updated security policy.
  - When you want to restrict the use of a device whose use was not restricted by the previous security policy but the restriction was added by the updated security policy.
- If you change the security policy (to start restricting the use of a device) while file operation logs are being collected, file operation logs collected just before the policy change might not be acquired.
- An error might appear in the following situations:
  - When a device with AutoPlay enabled is restricted.
  - When a restricted device is accessed by a tool.
  - When you connect a deterrence-target device to a computer for the first time.
  - When a device is restricted during a file operation.
- If a setting on a device made by another product violates the security policy, change the setting to conform to the security policy.
- You cannot acquire system information or hardware information from deterrence-target devices.
- If you connect a deterrence-target device to a computer for the first time, the device driver might not be installable. You cannot use the device if the device driver cannot be installed.
- If the device has been connected to the computer before, the device driver might be installed when the device is connected to a different port or by a different user. If the device was connected to the computer before the device was restricted, the restriction of the device takes effect after the computer is restarted.
- If a deterrence-target device (whose restriction will take effect after the computer is restarted) is connected to the computer, and you connect another device, a restriction dialog box for the deterrence-target device might reappear, or a warning message might appear.
- If a deterrence-target device is identified by the OS as a different device, the device cannot be restricted. However, if the OS identifies the device as another deterrence-target device, the device is restricted as the device identified by the OS.
- If you apply a security policy restricting one or more devices to a computer running Windows Server 2019, Windows Server 2016, Windows 10, Windows 8.1, Windows 8, Windows Server 2012, Windows 7, Windows Server 2008, or Windows Vista, an error-level event might be recorded in the event logs.
- If you access a deterrence-target device with a tool, an event might be output to the event logs, or an error dialog box might appear.
- If you reconnect a non-USB device that has already been connected to the computer and then put into restricted status, a restriction message is not displayed, and you cannot collect connection, disconnection, or restriction logs, or suppression events.
- With Citrix XenApp and Microsoft RDS servers, the type of a drive that exists on the source device is displayed as Other by the session at the connection destination. You cannot restrict the use of devices for such drives.
- To use the Suppression of Device Usage feature of Other Access Restrictions, the service Portable Device Enumerator Service must be running on the agent computer. If this service is not running, operation might become unstable; for example, the use of a device is not suppressed, or it continues to be suppressed.
  This symptom might occur when all of the following conditions are met:
  - Portable Device Enumerator Service is not running.
  - In a security policy, on the Other Access Restrictions - Suppression of Device Usage - List of devices for which the write operation is suppressed tab, any of the following settings are enabled and the security policy is (or was) applied to an agent computer:
    - Removable Disk - Restrict reading/writing
    - CD/DVD Drive - Restrict writing
    - FD Drive - Restrict reading/writing
  To work around this symptom, check the Startup Type of the Portable Device Enumerator Service. If the setting is Disabled, set it to Manual or Automatic, and restart the agent computer.
- When a security policy in which device connection suppression is disabled is applied, an existing disabled device# might become enabled.
#: The devices referred to in this note include all devices that can be restricted, such as USB devices and Bluetooth devices.
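The Portable Device Enumerator Service requirement above, and footnote #1 of the OS table in (2), both come down to one check on the agent computer: the service's startup type must not be Disabled. The following PowerShell function is an added example, not part of the manual or of the product, that reports the startup mode and state of the service (service name WPDBusEnum) and, with -Fix, sets a Disabled service to Manual as the workaround describes. The computer restart the manual asks for is reported but left to the administrator; -Fix must be run elevated.

```powershell
# Added example, not part of the JP1/IT Desktop Management 2 manual.
# Checks the Portable Device Enumerator Service (WPDBusEnum) on an agent
# computer: the startup type must be Manual or Automatic, not Disabled, for the
# write-restriction and device-suppression features to behave as documented.

function Test-WpdEnumeratorService {
    param([switch]$Fix)   # -Fix: change a Disabled startup type to Manual (requires elevation)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WPDBusEnum'"
    if (-not $svc) { throw 'WPDBusEnum service not found on this computer.' }

    $result = [ordered]@{
        StartMode       = $svc.StartMode      # Auto, Manual or Disabled
        State           = $svc.State          # Running, Stopped, ...
        Compliant       = ($svc.StartMode -ne 'Disabled')
        Changed         = $false
        RestartRequired = $false
    }

    if (-not $result.Compliant -and $Fix) {
        # The manual's workaround: set Disabled to Manual or Automatic, then restart the computer.
        Set-Service -Name 'WPDBusEnum' -StartupType Manual
        $result.StartMode       = 'Manual'
        $result.Compliant       = $true
        $result.Changed         = $true
        $result.RestartRequired = $true
    }
    [pscustomobject]$result
}

Test-WpdEnumeratorService | Format-List
```

Running the check without -Fix is safe on any agent and is a reasonable addition to a compliance script: a Stopped state with StartMode Manual is acceptable (the service is started on demand), whereas StartMode Disabled is the condition the manual associates with unstable suppression.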
Notes on restricting the use of USB devices
- When a USB-connected CD/DVD drive is restricted, the tray of the restricted CD/DVD drive might open.
- A USB device that was connected before the restriction-setting security policy was applied is not restricted. In this case, removing the device and then connecting it again activates the restriction.
- A scanner might be identified as an imaging device if it is a USB-connected device.
- A USB-connected device cannot be restricted if it is not identified as a USB device, Bluetooth device, or imaging device.
- If you connect a deterrence-target USB device to a computer on which AutoPlay is enabled, AutoPlay might fail, and an error message is output.
- If AutoPlay is enabled, you cannot restrict the use of a USB-connected hard disk drive or FD drive. To restrict the use of these devices, disable the AutoPlay feature.
- If AutoPlay is enabled in Windows Server 2019, Windows Server 2016, Windows 10, Windows 8.1, Windows 8, Windows Server 2012, Windows 7, Windows Server 2008, or Windows Vista, use of a USB-connected hard disk drive or FD drive might not be restricted.
- When Restrict the use or Allow registered USB device usage is enabled for USB devices in a security policy, AutoPlay for removable drives and fixed drives is disabled. AutoPlay remains disabled even if Restrict the use or Allow registered USB device usage is later disabled for USB devices, or the agent is uninstalled, while AutoPlay is disabled.
- When both of the following conditions are met, use of USB devices cannot be restricted while files are being copied to or from a USB-connected hard disk drive or FD drive until the file copy operation finishes:
  - The OS of the computer is Windows Server 2019, Windows Server 2016, Windows 10, Windows 8.1, Windows 8, Windows Server 2012, Windows 7, Windows Server 2008, or Windows Vista.
  - You applied a security policy that restricts use of USB devices while a file was being copied.
- When a security policy that excludes a USB device from the deterrence targets based on its Connection Name is applied, a USB device connected to the computer for the first time might be restricted, because the Connection Name cannot be acquired. In this case, connect the USB device again.
- If the computer is running Windows Server 2019, Windows Server 2016, Windows 10, Windows 8.1, Windows 8, or Windows Server 2012, USB devices that are allocated to a memory pool are not restricted.
- If you reconnect a device that was once connected to a computer and restricted by the computer, the restriction message, the connection, disconnection, or restriction logs, or the restriction event might not be acquired.
- The OS assigns different enumerators and device instance IDs to the same physical device depending on whether it is recognized normally or as a UASP device. Therefore, to allow connection under both recognitions, asset registration must be performed for both.
Notes on restricting the use of Bluetooth devices
- If you configure restriction of Bluetooth devices, use of a Bluetooth-connected mouse or keyboard is also restricted.
- If you connect a Bluetooth device to a computer, a registry key for the hardware ID of the Bluetooth device is created under the following path:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\
  JP1/IT Desktop Management 2 regards a device as a Bluetooth device if the Class value of this registry key is Bluetooth, BTW, or BTM. You can check the hardware ID in the Device Manager window of the OS.
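The registry check above can be scripted so an administrator can see, before a Bluetooth restriction is applied, which USB-enumerated devices on a computer carry one of the three Class values. The following PowerShell function is an added example, not part of the manual or of the product; it walks the Enum\USB branch named above and lists the matching device instances. Some instance subkeys are readable only by administrators and are skipped when access is denied.

```powershell
# Added example, not part of the JP1/IT Desktop Management 2 manual.
# Lists device instances under HKLM\SYSTEM\CurrentControlSet\Enum\USB whose
# Class value is Bluetooth, BTW or BTM, i.e. the devices the product would treat
# as Bluetooth devices according to the note above.

function Get-UsbBluetoothRegistryEntries {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
    # First level: hardware ID keys (VID_xxxx&PID_xxxx...); second level: instance keys.
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $hardwareId = $_.PSChildName
        Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props -and $props.Class -in 'Bluetooth','BTW','BTM') {
                [pscustomobject]@{
                    HardwareId = $hardwareId
                    InstanceId = "USB\$hardwareId\$($_.PSChildName)"
                    Class      = $props.Class
                    DeviceDesc = $props.DeviceDesc
                }
            }
        }
    }
}

Get-UsbBluetoothRegistryEntries | Format-Table -AutoSize
```

The InstanceId column has the same form as the device instance ID shown in Device Manager, so a listed entry can be cross-checked there; an internal Bluetooth adapter on the USB bus appears here too, which is why the preceding note warns that Bluetooth mice and keyboards are restricted along with it.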
Notes on restricting the use of Windows portable devices
A USB device identified as a Windows portable device on a computer on which Windows portable devices are configured as a deterrence target is restricted as a Windows portable device. (In this case, registered USB devices whose use is allowed, and USB devices connected with USB Device Registration, are also restricted as Windows portable devices.)