Kaspersky Security for Virtualization 5.2 Light Agent

Device Control

The Kaspersky Security functionality described in this section is available only if the application is installed on a virtual machine with a Windows desktop operating system.

Device Control ensures the security of confidential data by restricting user access to devices that are installed on the protected virtual machine or connected to it:

  • Storage devices (hard drives, removable drives, CD/DVDs)
  • Network devices (modems, external network cards)
  • Printing devices (printers)
  • Connection buses (also referred to as "buses"), i.e. interfaces for connecting devices to the protected virtual machine (such as USB or FireWire)

Device Control manages user access to devices by applying device access rules (also referred to as "access rules") and connection bus access rules (also referred to as "bus access rules").

Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times.

If you have added a device to the list of trusted devices and created an access rule for this type of device which blocks or restricts access, Kaspersky Security decides whether or not to grant access to the device based on its presence in the list of trusted devices. Presence in the list of trusted devices has a higher priority than an access rule.

When the virtual machine user attempts to access a blocked device, Kaspersky Security displays a message stating that access to the device is blocked or that the operation with the device contents is forbidden. If the user believes that access to the device was mistakenly blocked or that an operation with device contents was forbidden by mistake, the user can send a complaint to the corporate LAN administrator by clicking the link in the displayed message about the blocked action. Special templates are available for messages about blocked access to devices or forbidden operations with device contents, and for complaints sent to the administrator. You can modify the message templates. On the protected virtual machine, the user can request and obtain temporary access to a blocked device.

This section describes how to configure Device Control settings using the Administration Console and the Light Agent for Windows local interface. You can also configure Device Control settings in the Web Console when creating or modifying the Light Agent for Windows policy settings (Application Settings → Endpoint control → Device Control).

In this Help section

About rules of access to devices and connection buses

Standard decisions on access to devices

Enabling and disabling Device Control

Editing a device access rule

Editing a connection bus access rule

Actions with trusted devices

Editing templates of Device Control messages

Providing access to a blocked device


About rules of access to devices and connection buses

A device access rule is a combination of parameters that define the following functions of the Device Control component:

  • Allowing selected users and/or user groups to access specific types of devices during specific periods of time.

    You can select a user and/or user group and create a device access schedule for them.

  • Setting the right to read the content of memory devices.
  • Setting the right to edit the content of memory devices.

By default, access rules are created for all types of devices in the classification of the Device Control component. Such rules grant all users full access to the devices at all times, if access to the connection buses of the respective types of devices is allowed.

A user who belongs to the local Administrators group can access local disks even when the Hard drives device access rule is configured with the Restrict access status. Device Control therefore does not keep local administrators away from data on local disks; it restricts other users only.

The connection bus access rule allows or blocks access to the connection bus.

Rules that allow access to buses are created by default for all connection buses that are present in the classification of the Device Control component.

You cannot create or delete device access rules or connection bus access rules; you can edit them.


Standard decisions on access to devices

Kaspersky Security makes a decision on whether to allow access to a device after you connect the device to the protected virtual machine.

Standard decisions on access to devices

The three middle columns are the interim steps taken, in that order, until a decision on access to the device is made: the trusted-list check, the device access rule check, and the connection bus access rule check.

Initial conditions | Trusted list | Device access rule | Bus access rule | Decision on access to the device
The device is not present in the device classification of the Device Control component. | Not on the list | No access rule | Not subject to scanning | Access allowed
The device is trusted. | On the list | Not subject to scanning | Not subject to scanning | Access allowed
Access to the device is allowed. | Not on the list | Access allowed | Not subject to scanning | Access allowed
Access to the device depends on the bus. | Not on the list | Access depends on the bus | Access allowed | Access allowed
Access to the device depends on the bus. | Not on the list | Access depends on the bus | Access blocked | Access blocked
Access to the device is allowed. No bus access rule is found. | Not on the list | Access allowed | No bus access rule | Access allowed
Access to the device is blocked. | Not on the list | Access blocked | Not subject to scanning | Access blocked
No device access rule or bus access rule is found. | Not on the list | No access rule | No bus access rule | Access allowed
There is no device access rule. | Not on the list | No access rule | Access allowed | Access allowed
There is no device access rule. | Not on the list | No access rule | Access blocked | Access blocked

You can edit the device access rule after you connect the device.

If the device is connected and the access rule allows access to it, but you later edited the access rule and blocked access to the device, Kaspersky Security blocks access the next time that any file operation is requested from the device (viewing the folder tree, reading, writing). A device without a file system is blocked only the next time that the device is connected.
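The precedence described in the access-rule section above and in the decision table (trusted list first, then the device access rule with its user, schedule and read/write rights, then the connection bus rule) as a small Python model. This is an added example, not Kaspersky code and not an interface the product exposes; the Access mode names, the data layout, the local Administrators group name, the treatment of Restrict access as a block, and the sample policy and timestamps are constructed assumptions. It makes two points from the text concrete: a trusted-device entry for Everyone wins over every restriction, and a device type outside the classification never reaches the bus rule at all.

```python
"""Model of the Device Control decision order described on this page.

Added illustration, not Kaspersky code: the Access mode names, data layout and
sample policy are constructed from the page's description (trusted list ->
device access rule with user/schedule/rights -> connection bus rule).
"""
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

LOCAL_ADMINS = "Administrators"   # assumed name of the local administrators group


class Access(Enum):
    """Rule modes. The page names Restrict by rules and Restrict access (modelled
    as BLOCK); ALLOW and DEPENDS_ON_BUS are assumed from the table's rows."""
    ALLOW = "allow"
    BLOCK = "block"
    DEPENDS_ON_BUS = "depends on bus"
    RESTRICT_BY_RULES = "restrict by rules"


@dataclass(frozen=True)
class Schedule:
    """One row of 'Rights of the selected group of users by access schedules':
    a weekly window (days 0=Mon..6=Sun, hours [start, end)) plus read/write rights."""
    days: FrozenSet[int]
    start_hour: int
    end_hour: int
    read: bool
    write: bool

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass
class DeviceRule:
    mode: Access
    schedules: Dict[str, List[Schedule]] = field(default_factory=dict)  # principal -> schedules


@dataclass
class Policy:
    device_rules: Dict[str, DeviceRule] = field(default_factory=dict)  # device type -> rule
    bus_rules: Dict[str, Access] = field(default_factory=dict)         # bus -> ALLOW / BLOCK
    trusted: Dict[str, Set[str]] = field(default_factory=dict)         # device ID -> principals


@dataclass(frozen=True)
class Device:
    device_id: str
    device_type: Optional[str]   # None: not in the Device Control classification
    bus: Optional[str]


def rule_verdict(rule: DeviceRule, principals: Set[str], operation: str, when: datetime) -> Access:
    """Restrict by rules: allowed if any schedule of any of the caller's principals
    covers 'when' and grants the requested operation (read or write)."""
    for principal in principals:
        for sched in rule.schedules.get(principal, ()):
            if sched.covers(when) and (sched.write if operation == "write" else sched.read):
                return Access.ALLOW
    return Access.BLOCK


def decide(policy: Policy, device: Device, user: str, groups: Set[str],
           operation: str = "read", when: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) in the order of the 'Standard decisions' table."""
    when = when or datetime.now()
    principals = {user, "Everyone", *groups}
    # 1. Trusted list beats every access rule, for the principals named on it.
    if principals & policy.trusted.get(device.device_id, set()):
        return True, "trusted device"
    # 2. Device outside the classification: no rule, and the bus is not examined.
    if device.device_type is None:
        return True, "device type not classified"
    rule = policy.device_rules.get(device.device_type)
    if rule is None:
        verdict = Access.DEPENDS_ON_BUS            # no device rule: the bus rule decides
    elif rule.mode is Access.RESTRICT_BY_RULES:
        verdict = rule_verdict(rule, principals, operation, when)
    else:
        verdict = rule.mode
    if verdict is Access.ALLOW:
        return True, "device access rule allows"   # bus rule not examined
    if verdict is Access.BLOCK:
        # Local administrators keep access to local disks even under a restricting rule.
        if device.device_type == "Hard drives" and LOCAL_ADMINS in groups:
            return True, "local administrator: hard drive restriction not applied"
        return False, "device access rule blocks"
    # 3. Verdict depends on the bus; a missing bus rule means access is allowed.
    bus_rule = policy.bus_rules.get(device.bus)
    if bus_rule is Access.BLOCK:
        return False, f"bus {device.bus} blocked"
    return True, "no bus access rule" if bus_rule is None else f"bus {device.bus} allowed"


# Constructed sample policy and timestamps (2024-01-09 is a Tuesday).
OFFICE_HOURS = Schedule(frozenset(range(5)), 9, 18, read=True, write=False)
SAMPLE_POLICY = Policy(
    device_rules={"Removable drives": DeviceRule(Access.RESTRICT_BY_RULES, {"Finance": [OFFICE_HOURS]}),
                  "Hard drives": DeviceRule(Access.BLOCK),
                  "Printers": DeviceRule(Access.DEPENDS_ON_BUS)},
    bus_rules={"USB": Access.BLOCK, "FireWire": Access.ALLOW},
    trusted={"sample-trusted-stick": {"Everyone"}})
TUE_10AM, TUE_10PM = datetime(2024, 1, 9, 10, 0), datetime(2024, 1, 9, 22, 0)


def run_demo() -> List[Tuple[bool, str]]:
    stick = Device("sample-stick", "Removable drives", "USB")
    return [decide(SAMPLE_POLICY, stick, "alice", {"Finance"}, "read", TUE_10AM),    # rule allows, bus ignored
            decide(SAMPLE_POLICY, stick, "alice", {"Finance"}, "write", TUE_10AM),   # schedule is read-only
            decide(SAMPLE_POLICY, stick, "alice", {"Finance"}, "read", TUE_10PM),    # outside the schedule
            decide(SAMPLE_POLICY, Device("sample-trusted-stick", "Removable drives", "USB"),
                   "bob", set(), "write", TUE_10PM),                                  # trusted list wins
            decide(SAMPLE_POLICY, Device("sample-printer", "Printers", "USB"), "bob", set()),       # USB blocked
            decide(SAMPLE_POLICY, Device("sample-disk0", "Hard drives", None), "bob", {LOCAL_ADMINS}),
            decide(SAMPLE_POLICY, Device("sample-gadget", None, "USB"), "bob", set())]            # unclassified


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "BLOCK", reason)
```

Running it prints the seven decisions; the last two rows are the ones worth checking in a real policy, since a local administrator on a local disk and a device type the classification does not know about are both allowed regardless of the bus rule.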


Enabling and disabling Device Control

By default, Device Control is enabled. You can disable Device Control, if necessary.

To enable or disable Device Control in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Device Control section in the list on the left.
  6. In the right part of the window, do one of the following:
    • If you want to enable Device Control component, select the Device Control check box.
    • If you want to disable Device Control component, clear the Device Control check box.
  7. Click the Apply button.

In the local interface of Light Agent for Windows, you can enable or disable a component in two ways:

To enable or disable Device Control on the Protection and Control tab of the main application window:

  1. On the protected virtual machine, open the main application window.
  2. Select the Protection and Control tab.
  3. Open the Endpoint control section.
  4. Open the context menu of the Device Control item and perform one of the following actions:
    • To enable Device Control, select Enable in the menu.
    • To disable Device Control, select Disable in the menu.

    If this menu item is unavailable, this means that you cannot enable or disable this component because the policy-defined setting is applied to protected virtual machines within the administration group.

To enable or disable Device Control from the application settings window:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select Device Control.

    In the right part of the window, the Device Control component's settings are displayed.

    If component settings are unavailable, this means that you cannot enable or disable this component because the policy-defined setting is applied to protected virtual machines within the administration group.

  3. Do one of the following:
    • If you want to enable Device Control component, select the Enable Device Control check box.
    • If you want to disable Device Control component, clear the Enable Device Control check box.
  4. To save changes, click the Save button.

Editing a device access rule

To edit a device access rule in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Device Control section in the list on the left.
  6. In the right part of the window, select the Device types tab.

    The Device types tab contains access rules for all devices that are included in the classification of the Device Control component.

  7. Select the access rule that you want to edit.
  8. Click the Edit button. This button is only available for device types which have a file system.

    The Configuring device access rules window opens.

    By default, a device access rule grants all users full access to the specified type of devices at any time. In the Users and/or groups of users list, this access rule contains the All group. In the Rights of the selected group of users by access schedules table, this access rule contains the overall time interval of access to devices, with the rights to perform all kinds of operations with devices.

  9. Edit the settings of the device access rule:
    1. Select a user and/or group of users from the Users and/or groups of users list. To edit the Users and/or groups of users list, use the Add, Edit, and Delete buttons.
    2. In the Rights of the selected group of users by access schedules table, configure the schedule for access to devices for the selected user and / or group of users. To do this, set the check boxes next to the names of the access schedules for devices that you want to use in the device access rule that is to be edited. To edit the list of access schedules to devices, use the Create, Edit, Copy, and Delete buttons in the Rights of the selected group of users by access schedules table.
    3. For each device access schedule used in the rule being edited, specify the operations that are allowed when working with devices. To do so, in the Rights of the selected group of users by access schedules table, set the check boxes in the columns with the names of the relevant operations.
    4. In the Configuring device access rules window, click OK.

    After you have edited the default settings of a device access rule, the setting for access to the type of device in the Access column in the table on the Device types tab is changed to the Restrict by rules value.

  10. Click the Apply button.

To edit a device access rule in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select Device Control.

    In the right part of the window, the Device Control component's settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Complete steps 6–9 of the previous instructions.
  4. To save changes, click the Save button.

Editing a connection bus access rule

To edit a connection bus access rule in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Device Control section in the list on the left.
  6. In the right part of the window, select the Connection buses tab.

    The Connection buses tab displays the access rules for all connection buses that are classified in the Device Control component.

  7. Select the bus connection rule that you want to edit.
  8. Change the value of the access parameter:
    • To allow access to a connection bus, open the context menu in the Access column and select Allow.
    • To block access to a connection bus, open the context menu in the Access column and select Block.
  9. Click the Apply button.

To edit a connection bus access rule in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select Device Control.

    In the right part of the window, the Device Control component's settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Complete steps 6–8 of the previous instructions.
  4. To save changes, click the Save button.

Actions with trusted devices

This section describes the actions you can perform with trusted devices.

If you have added a device to the list of trusted devices and also created an access rule for this type of device which blocks or restricts access, Kaspersky Security grants access based on the device's presence in the list of trusted devices: the trusted list has a higher priority than an access rule. Check the Users column of the Trusted devices tab before relying on a restricting rule, because a trusted entry for Everyone overrides that rule for every user.

In this section:

Adding devices to the Trusted list based on the device model or ID

Adding devices to the Trusted list based on the mask of the device ID

Adding devices to the list of trusted devices in a local interface

Configuring user access to a trusted device

Removing a device from the list of trusted devices


Adding devices to the Trusted list based on the device model or ID

In Kaspersky Security Center, you can add devices to the trusted list based on their model or ID.

By default, when a device is added to the list of trusted devices, access to the device is granted to all users (the Everyone group of users).

To add devices to the Trusted list based on their model or ID:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Device Control section in the list on the left.
  6. In the right part of the window, select the Trusted devices tab.
  7. Open the context menu of the Add button and do one of the following:
    • Select the Adding a rule by ID item to add to the list those trusted devices whose unique IDs are known.
    • Select the Adding a rule by model item to add to the list those trusted devices whose VID (vendor ID) and PID (product ID) are known.
  8. In the window that opens, in the Device type drop-down list select the type of devices to be displayed in the table below.
  9. Click the Refresh button.

    The table displays a list of devices for which device IDs and/or models are known and which belong to the type selected in the Device type drop-down list.

  10. Select check boxes next to the names of devices that you want to add to the list of trusted devices.
  11. If necessary, enter a brief comment in the Comment field.
  12. Click the Select button.

    The standard Select Users or Groups window in Microsoft Windows opens.

  13. Specify users and/or groups for whom Kaspersky Security should recognize the selected devices as trusted.

    The names of users and/or groups of users that are specified in the Select users and/or groups of users window are displayed in the Allow to users and/or groups of users field.

  14. Click OK.

    Lines with the parameters of the added trusted devices appear in the table of devices on the Trusted devices tab.

  15. Click the Apply button.

Adding devices to the Trusted list based on the mask of the device ID

In Kaspersky Security Center, you can add devices to the trusted list based on a mask of their IDs.

By default, when a device is added to the list of trusted devices, access to the device is granted to all users (the Everyone group of users).

To add devices to the Trusted list based on an ID mask:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Device Control section in the list on the left.
  6. In the right part of the window, select the Trusted devices tab.
  7. Open the context menu of the Add button, and select the Devices by ID mask item.
  8. In the Adding trusted devices by ID mask window that opens, in the Mask field, enter a device ID mask.
  9. If necessary, enter a brief comment in the Comment field.
  10. Click the Select button.

    The standard Select Users or Groups window in Microsoft Windows opens.

  11. Specify the users and/or groups of users for whom Kaspersky Security should recognize devices whose models or IDs meet the specified mask as trusted devices.

    The names of users and/or groups of users that are specified in the Select users and/or groups of users window are displayed in the Allow to users and/or groups of users field.

  12. In the Adding trusted devices by ID mask window, click OK.

    In the table of devices on the Trusted devices tab a line appears with the settings of the rule for adding devices to the list of trusted devices by the mask of their IDs.

  13. Click the Apply button.
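Before applying a rule by ID mask it is worth checking how many devices the mask would actually trust, since the rule is evaluated ahead of every access rule. The Python script below is an added example, not Kaspersky code: the mask syntax (file-mask style, `*` for any run of characters, `?` for one character, case-insensitive) is an assumption, as the page does not define it, and the device IDs are constructed samples laid out like Windows device instance IDs. The "too broad" heuristic is also the example's own. A related caveat for the rule-by-model option in the previous section: VID and PID are reported by the device itself, so a model rule trusts every unit claiming that vendor and product; a rule by ID, or a mask that pins the vendor and product part, is narrower.

```python
"""Audit which device IDs a trusted-device ID mask would match.

Added example, not Kaspersky code. Mask syntax is assumed to be file-mask
style (* any run, ? one character, case-insensitive); device IDs below are
constructed samples in the enumerator\hardware-ID\instance layout.
"""
import fnmatch
import re
from typing import List, Tuple

INVENTORY = [  # constructed inventory of device IDs seen on the protected virtual machines
    r"USBSTOR\DISK&VEN_SAMPLEVENDOR&PROD_SECUREKEY&REV_1.00\SN0001&0",
    r"USBSTOR\DISK&VEN_SAMPLEVENDOR&PROD_SECUREKEY&REV_1.00\SN0002&0",
    r"USBSTOR\DISK&VEN_OTHERVENDOR&PROD_FLASH&REV_2.10\SN9999&0",
    r"USB\VID_1234&PID_5678\SN0001",
    r"SCSI\DISK&VEN_SAMPLEHV&PROD_VIRTUAL_DISK\5&0&0",
]

QUALIFIERS = ("VEN_", "PROD_", "VID_", "PID_")  # vendor/product tags found in hardware IDs


def matches(mask: str, device_id: str) -> bool:
    """True if the mask matches the whole device ID (anchored, case-insensitive)."""
    return re.match(fnmatch.translate(mask), device_id, re.IGNORECASE) is not None


def literal_prefix(mask: str) -> str:
    """The part of the mask before the first wildcard: what the mask actually pins down."""
    return re.split(r"[*?\[]", mask, maxsplit=1)[0]


def audit_mask(mask: str, inventory: List[str] = INVENTORY) -> Tuple[List[str], bool]:
    """Return (matching IDs, too_broad). Heuristic: a mask whose literal part names
    neither a vendor nor a product trusts a whole bus rather than a device line."""
    hits = [d for d in inventory if matches(mask, d)]
    pins_device = any(tag in literal_prefix(mask).upper() for tag in QUALIFIERS)
    return hits, not pins_device


if __name__ == "__main__":
    for mask in (r"USBSTOR\DISK&VEN_SAMPLEVENDOR&PROD_SECUREKEY*", r"USBSTOR\*", "*"):
        hits, broad = audit_mask(mask)
        print(f"{mask!r}: {len(hits)} of {len(INVENTORY)} devices{'  <- too broad' if broad else ''}")
```

The first mask trusts the two units of one product line, the second trusts every USB storage device in the inventory, and `*` trusts everything; only the first should survive review when the intent is to allow a specific model.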

Adding devices to the list of trusted devices in a local interface

In the local interface, you can add devices that are connected to the protected virtual machine to the list of trusted devices.

By default, when a device is added to the list of trusted devices, access to the device is granted to all users (the Everyone group of users).

To add a device to the list of trusted devices in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select Device Control.

    In the right part of the window, the Device Control component's settings are displayed.

  3. Select the Trusted devices tab.
  4. Click the Select button.

    The Select trusted devices window opens.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  5. Select the check box next to the name of a device that you want to add to the list of trusted devices.

    The list in the Devices column depends on the value that is selected in the Display connected devices drop-down list.

  6. If necessary, enter a brief comment in the Comment field.
  7. Click the Select button.

    The standard Select Users or Groups window in Microsoft Windows opens.

  8. Specify users and/or groups for whom Kaspersky Security should recognize the selected devices as trusted.

    The names of users and/or groups of users that are specified in the Select users and/or groups of users window are displayed in the Allow to users and/or groups of users field.

  9. In the Select trusted devices window, click OK.

    A line containing the settings of the added trusted device will appear in the table of devices on the Trusted devices tab.

  10. To save changes, click the Save button.

Configuring user access to a trusted device

By default, when a device is added to the list of trusted devices, access to the device is granted to all users (the Everyone group of users). You can configure the access of users (or user groups) to a trusted device.

To configure user access to a trusted device in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Device Control section in the list on the left.
  6. In the right part of the window, select the Trusted devices tab.
  7. In the list of trusted devices, select a device whose settings you want to edit.
  8. Click the Edit button.
  9. In the Configuring device access rules window that opens, click the Select button.

    The standard Select Users or Groups window in Microsoft Windows opens.

  10. Edit the list of users and/or groups of users for whom the device must be a trusted device.
  11. Click OK in the Select Users or Groups window.

    The names of users and/or groups of users that are specified in the Select Users or Groups window are displayed in the Configuring device access rules window.

  12. In the Configuring device access rules window, click OK.

    In the table of devices on the Trusted devices tab, the names of selected users and/or groups of users are displayed in the line containing the trusted device settings in the Users column.

  13. Click the Apply button.

To configure user access to a trusted device in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select Device Control.

    In the right part of the window, the Device Control component's settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Complete steps 6–12 of the previous instructions.
  4. To save changes, click the Save button.

Removing a device from the list of trusted devices

To remove a device from the list of trusted devices using Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Device Control section in the list on the left.
  6. In the right part of the window, select the Trusted devices tab.
  7. In the list of devices, select the device that you want to remove from the list of trusted devices.
  8. Click the Delete button.
  9. Click the Apply button.

To remove a device from the list of trusted devices in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select Device Control.

    In the right part of the window, the Device Control component's settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Complete steps 6–8 of the previous instructions.
  4. To save changes, click the Save button.


Kaspersky Security makes a decision regarding access to a device that was removed from the list of trusted devices based on device access rules and connection bus access rules.


Editing templates of Device Control messages

Special templates are available for messages about blocked access to devices or forbidden operations with device contents, and for complaints sent to the administrator regarding unnecessary blocking. You can edit these templates.

To modify a Device Control message template in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the Device Control section in the list on the left.
  6. In the right part of the window, click the Templates button.
  7. In the Message templates window that opens, do one of the following:
    • To modify the template of the message about blocked access to a device or a forbidden operation with device content, select the Blocking tab.
    • To modify the complaint template that is sent to the LAN administrator, select the Complaint tab.
  8. Modify the template of the blocking message or the complaint template. To do this, use the Default and Variables buttons.
  9. Click OK in the Message templates window.
  10. Click the Apply button.

To modify a Device Control message template in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select Device Control.

    In the right part of the window, the Device Control component's settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Complete steps 6–9 of the previous instructions.
  4. To save changes, click the Save button.

Providing access to a blocked device

Providing access to a blocked device consists of the following steps:

  1. The user of the protected virtual machine requests access to the device. For this purpose the user creates a file with an access key to the device and transfers this file to the administrator.
  2. The administrator creates a file with an access code to the device and transfers this file to the user.
  3. The user of the protected virtual machine activates the access code.

The user of a protected virtual machine can request and obtain temporary access to a blocked device from the local interface of Light Agent for Windows. The Request access to device window can be opened in either of two ways, both described in the procedure below.

Temporary access to a device from the local interface can be obtained only if the virtual machine is managed by a policy and the Allow request for temporary access check box is selected in the policy properties within Device Control settings.

To request access to a blocked device:

  1. On the protected virtual machine, open the Request access to device window in one of the following ways:
    • On the Protection and Control tab of the main application window:
      1. On the protected virtual machine, open the main application window and select the Protection and Control tab.
      2. Open the Endpoint control section.
      3. Open the context menu of the Device Control line and select Access to device.
    • From the application settings window:
      1. On the protected virtual machine, open the application settings window.
      2. In the left part of the window, in the Endpoint control section, select Device Control.
      3. In the right part of the window, click the Request access button.
  2. From the list of connected devices, select a device to which you want to gain access.
  3. Click the Get access key button.
  4. In the Receive device access key window that opens, in the Access duration field, specify the time interval for which you want to have access to the device.
  5. Click the Save button.

    The standard Save access key window of Microsoft Windows opens.

  6. Select the folder in which you want to save a file with a device access key, and click the Save button.
  7. Pass the device access key file to the LAN administrator.

After receiving the request, the organization LAN administrator creates a file with the access code to the device.

To create an access code for a blocked device:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, select the folder with the name of the administration group that contains the virtual machine whose user needs to be granted access to the device.
  3. In the workspace, select the Devices tab.
  4. In the list, select the virtual machine, open the context menu, and select Access to devices and data in offline mode.
  5. In the Granting access to devices and data in offline mode window that opens, use the Browse button to select the file with the device access key received from the user of the protected virtual machine.

    Information about the blocked device to which the user has requested access will be displayed.

  6. If necessary, modify the device access settings and save the access code for the device.
  7. Pass the file with the access code to the blocked device to the user of the protected virtual machine.

After receiving the file with the access code from the organization LAN administrator, the user of the protected virtual machine activates the access code.

To activate access to a blocked device:

  1. On the protected virtual machine, open the Request access to device window on the Protection and Control tab of the main application window or in the application settings window.
  2. In the Request access to device window, select the device to which you want to gain access in the list of connected devices and click the Activate access code button.

    The standard Open access key window in Microsoft Windows opens.

  3. Select the file with the device access code that was received from the administrator, and click the Open button.

    The Activating the access code for the device window opens and displays information about the provided access.

  4. In the Activating the access code for the device window, click OK.

The time period for which access to the device is granted may differ from the amount of time that you requested. Access to the device is granted for the time period that the LAN administrator specifies when generating the device access code.
