Storage Control Guide

What is ThreatLocker® Storage Control?

ThreatLocker® takes storage control beyond just blocking USB hard drives and gives you granular control over what happens on external storage devices, including network attached storage, USB drives and even secondary hard drives directly connected to your computer.

 

How can ThreatLocker® Storage Control help my business?

ThreatLocker® Storage Control is an advanced storage control solution that protects information. We give you the tools to control the flow and access of data. You can choose what data can be accessed, or copied, and the applications, users, and computers that can access said data. By using ThreatLocker®, you are in control of your file servers, USB drives, and your data.

 

Using ThreatLocker® Storage Control will help you keep track of all your Storage Devices. ThreatLocker® Storage Control allows your business to create its own Policies, which enable control of any storage, such as files on your servers, USB drives and any data located on any storage drive.

 

Viewing your Audit log trails was never easier. With ThreatLocker® Storage Control, you will find all the entries from all computers and users, regardless of the policy and action.

ThreatLocker® Storage Control Policies

What is a Policy?

With ThreatLocker® firewall-like policies, you can configure powerful policies that give granular control of everything from file servers to USB hard drives.

You can control what happens on your file servers, and what devices are being used in your business. This allows you to audit and control access to storage devices. Storage devices can be local hard drives, external hard drives, file servers, card readers, USB drives, DVD-ROM / BD-ROM drives, etc.

Policies can be set to meet your exact requirements and can be configured based on user, computer, file types, device interfaces (e.g. USB, SATA) or serial numbers, and even what application needs access to the device.

Policies run in order until one is hit. When a policy is matched, processing stops. The order in which policies run is:

  1. Organization policies;

  2. Computer policies; and

  3. Group policies.

 

How to add a Storage Policy?


1. Select Storage Control > Policies from the navigation menu;

2. Select the New Storage Policy button;

3. The New Policy window will be displayed;

4. Enter a name for the policy - Use a name that is easy to recognize, for example, “Permit Read and Write to the File Server”;

5. What should this policy do? - Select an Action for the Storage Policy. The action can be permit or deny and can apply to reads and/or writes:

a. If the policy is set to Permit Read & Write, then all reads, deletes, moves and writes that match the policy will be permitted.

b. If the policy is set to Permit Read, then only read will be permitted.

c. If the policy is set to Deny Write, any matching writes, moves or deletes will be denied.

d. If the policy is set to Deny Read, then both read and writes will be denied.

e. If no policy is matched, then the action will be permitted by default.

6. Allow the user to request permission when blocked. - If the policy has been set to deny, you will be presented with an option to allow a user to request permission. If you want the user to get a dialog box with a request option, select this option. If you do not check this box, the user will be presented with the standard operating system “Access is Denied” message;


7. Do you want this to apply to the entire organization or a selected computer group? You can either select to apply this policy to the entire organization or select an individual computer or group from the dropdown list;

8. What paths should this apply to? – Policies can be applied to storage devices that match a device serial number or a path. When creating policies for a file server or NAS, you must use the device path. Select either “Apply to all file paths” or “Let me select file paths”. When selecting file paths, you can add multiple paths, e.g. \\server1\share\sales\*;

9. Which storage devices should this apply to? – If you are creating a storage policy for a specific USB Drive based on its serial number, you can add these devices here. Storage Devices are configured from the Storage Device page, but can also be automatically created from the ThreatLocker Tray or Approval Center. You can add multiple storage devices to a policy;

10. What type of interface should this apply to? – If you want to create a policy to block or permit a specific type of drive, you can select the interface type here. For example, you may want to create a default policy to block all USB drives, and then have explicit policies to permit them. To select a specific interface, pick the interface type from the dropdown box;

11. Which users and groups should this policy apply to? – Policies can apply to all users and groups, or just specific users. You can permit users based on their login username. If you have Active Directory integration enabled, you can synchronize group memberships with ThreatLocker and permit based on Group Memberships;

12. What types of file should this apply to? – You can permit or deny certain types of files being read or changed. For example, you may want to prevent users from saving anything other than docx, xlsx, or jpg to the file server. In this case, you could create a policy to permit those types of file, and then another policy to deny anything else. To limit the policy to specific files, select the “Let me select the file types” option, and add the permitted file types into the listbox;

13. What applications should this policy apply to? – It is important to restrict which applications can access your storage devices. It is a good idea to prevent any unknown applications from accessing your file servers, as it reduces the risk of a successful cryptolocker attack. It is a good idea to only permit trusted applications such as winword.exe. To restrict access to certain applications, select “Only the following programs” and add the applications' full paths into the listbox;

14. Should the policy expire at a certain date and time? – If you want to give temporary access to a storage device, you can configure a temporary policy. To set a policy to expire automatically, select the date and time you wish the policy to expire;

15. Do you want to record this policy in the audit when it is matched? – ThreatLocker keeps a database of all file access. Depending on your plan, you can keep up to 7 years of file changes. If you want to record this information in the audit, select “Yes”; and

16. Once you have answered all of the questions, select the Save button to save your policy. Policies can then be reordered (see Policy Ordering). The policy will not take effect until you deploy policies.

Policy ordering

Policies are processed in the order in which they are listed. There are three objects a policy can be applied to:

a. Entire Organization

b. Individual Computer

c. Computer Group

The policies at the Organization level are processed first, followed by individual computer policies, followed by the computer group. If the conditions of a policy are matched, the policy action will be taken, and further policy processing will stop.

Tip:

For example, if under the organization, the order is:

  1. Deny access to path D:\

  2. Allow access to path D:\

when hitting policy number (1), processing will stop.

No other policies will be processed when a policy is hit, regardless of policies being setup for a different path, computer or group. For example, if under the organization, the order is:

  1. Deny access to path D:\

  2. Deny access to path C:\test\

The policy number (2) will not be processed.

SAMPLE

Sample 1

If you create an organization policy that permits access to everything, and a group policy that denies access to a group, computers in the group will still be permitted access to all storage because organization policies always run first.

If:

Whatever policies are under the TECHNIC group will not be hit. Group policies will not be processed because a policy was hit under the Organization, so policy processing stops.

If:

  • Under PC1, you have a policy “Deny access to \\server1\share\hr*”;

  • And a user from HR group is logged on to PC1

Whatever policies are under the logged-in user will not be hit. When a policy under a group is hit, policy processing stops.

If:

The logged-on user will have access to \\server1\share\hr* because the processing order is: Organization (no policy), Computer (allow access) and Group (deny access). Group policies will not be processed because a policy was hit under Computer.

Make sure to order the policies in the exact order you want them to be processed: Permit policies first, Deny policies last. For example:

  1. Allow access to path D:\;

  2. Allow access to path C:\test\; and

  3. Deny access to server \\server1\share\sales*.

 

TIP: The policy processing order is: Organization -> Computer -> Group. Once a policy is hit, processing of other policies stops. Always create policies for a specific Group first, then for Computers, and only afterward for the Organization.
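The processing order described above can be checked before deployment with a small model. This is an added example, not ThreatLocker code: the Policy class, the evaluate and shadowed functions, and the policy and computer names are hypothetical, it models only plain permit/deny actions, and it assumes a case-insensitive wildcard match for paths.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

TIERS = ("organization", "computer", "group")  # processing order stated in this guide

@dataclass
class Policy:
    name: str
    tier: str        # one of TIERS
    applies_to: str  # computer or group name; "*" for the organization tier
    path: str        # path pattern, e.g. r"\\server1\share\hr*"
    action: str      # "permit" or "deny"

def _scope(computer, group):
    return {"organization": "*", "computer": computer, "group": group}

def evaluate(policies, computer, group, path):
    """Return (action, policy name) for one access; the first match wins."""
    scope = _scope(computer, group)
    for tier in TIERS:                       # Organization -> Computer -> Group
        for p in policies:                   # list order within a tier
            if p.tier != tier or p.applies_to != scope[tier]:
                continue
            # Assumption: a case-insensitive glob stands in for the agent's path matching.
            if fnmatchcase(path.lower(), p.path.lower()):
                return p.action, p.name      # processing stops at the first hit
    return "permit", None                    # no policy matched: permitted by default

def shadowed(policies, computer, group, probes):
    """Names of in-scope policies that never decide any of the probe paths."""
    scope = _scope(computer, group)
    hits = {evaluate(policies, computer, group, path)[1] for path in probes}
    return [p.name for p in policies
            if p.applies_to == scope[p.tier] and p.name not in hits]

# Constructed sample data mirroring the guide's samples (all names are hypothetical).
HR_FILE = r"\\server1\share\hr\payroll.xlsx"
sample1 = [  # organization permits everything, group TECHNIC denies everything
    Policy("group-deny-all", "group", "TECHNIC", "*", "deny"),
    Policy("org-permit-all", "organization", "*", "*", "permit"),
]
sample3 = [  # no organization policy, PC1 allows the HR share, group HR denies it
    Policy("hr-group-deny", "group", "HR", r"\\server1\share\hr*", "deny"),
    Policy("pc1-allow-hr", "computer", "PC1", r"\\server1\share\hr*", "permit"),
]

if __name__ == "__main__":
    print(evaluate(sample1, "PC7", "TECHNIC", HR_FILE))
    print(evaluate(sample3, "PC1", "HR", HR_FILE))
    print(shadowed(sample1, "PC7", "TECHNIC", [HR_FILE, r"D:\export.csv"]))
```

Running shadowed over a list of representative paths flags deny policies that can never fire because a broader policy in an earlier tier is hit first.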

 

How to edit a Storage Policy?

To edit a Storage Policy:

1. Select Storage Control > Policies from the navigation menu;

2. Select the Edit button for any policy;

3. Make all the changes you need – e.g. update policy name; and

4. Once you have finished with the changes, select the Save button to update the policy.

Note: Policy edits will not take effect until you deploy policies.

 

How to delete a Storage Policy?

To delete Storage Policies:

1. Select Storage Control > Policies from the navigation menu;

2. Select the checkboxes for the policy or policies you want to delete;

3. Select the Delete button; and

4. Confirm the deletion by selecting OK.

Warning: Once a policy has been deleted, it cannot be recovered. For deletion to take effect, you must deploy policies.

 

How to deploy policies?

To deploy Storage Policies:

1. Select Storage Control > Policies from the navigation menu;

2. Select Deploy Policies; and

3. A confirmation message is displayed informing you that the client PCs will download the latest policies.

After any policy change (add, edit, delete), you must deploy the policies for them to take effect.

 

How to search for policies?

To search for Storage Policies:

1. Select Storage Control > Policies from the navigation menu;

2. Enter policy name or any part of the policy name;

3. Select Search or hit the Enter key; and

4. A list of found policies matching the search terms is displayed.

 

How to sort/filter policies?

To sort Storage Policies:

1. Select Storage Control > Policies from the navigation menu;

2. Select the ‘Applies To:’ dropdown from the upper right screen; and

3. Choose the desired filter – Can view Entire Organization policies or computer group policies.