Configuring a Write Action

You define the default settings for write access to storage devices in the Removable Media Write Access window. This action can let users:

• Create new files
• Copy or move files to devices
• Delete files from devices
• Change file contents on devices
• Change file names on devices

The default predefined write actions are:

Action	Description
Allow writing any data to storage devices	Users can write all file types to storage devices.
Encrypt business related data written to storage devices	All Files that are defined as Business related data must be written to the encrypted storage. Non-business related data can be saved to the device without encryption. See Configuring Business Related File Types.
Encrypt all data written to storage devices	All files written to a storage device must be encrypted. This includes both Business and Non-Business Related data.
Do not allow writing any data to storage devices	Users cannot write any file types to storage devices.
Do not allow writing any data to storage devices, allow user override	By default, users cannot write any file types to storage devices. But. UserCheck lets users override the policy and write to a storage device, after entering justification for the action.

You can define custom write actions as necessary. Your new custom actions are always available in addition to the default actions.

To configure a storage device Write Action:

1. Right-click a Write Access action and select Edit Properties.

   The Removable Media Access window opens.

2. Optional: Select a different action from the list.

   Click New to create a custom action.

3. Select one of these Storage device write access options:
   • Allow any data - Users can write all data types to storage devices.
   • Encrypt business related data - Users can write all data types to the storage devices. Only Business Related data must be encrypted.
   • Encrypt all data - Users can write all data types to storage devices. All data must be encrypted, including Non-Business Related data.
   • Block any data - Users cannot write to the storage devices.
4. Select one or more of these options:
   • Log device events - Select this option to create a log entry when a storage device is attached (Event IDs 11 and 20 only).

     Note: If you do not select the Log device events option in the Media Encryption & Port Protection rule, log entries are not created even if the Audit device events option is selected in this window.

   • Allow encryption - Select this option to let users encrypt storage devices. If this option is cleared, no storage devices can be encrypted.

     Click Additional Encryption Options to configure additional encryption settings as necessary.

   • Enable deletion - Select this option to let users delete files on devices with read only permissions.
5. Configure these settings for User Overrides (UserCheck)
   • Allow user to override company policy - Lets users override the assigned policy by sending written justification to an administrator. Click Configure Message to create your own user message.

     Note - The Allow user to override company policy option is not supported for CD/DVD ROM devices.

6. If necessary, click Configure file types to define custom business related file types.

Configuring Business Related File Types

If you enable the Encrypt business-related data written to storage devices option, users must encrypt all file types that are defined as business-related. Users can save non business-related file types without encryption.

If you enable the Force encryption of all outgoing data option, all data, including Non-Business related data, must be encrypted.

• Business Related data - Confidential data file types that must be encrypted on removable media. Examples include: word processor files, spreadsheet files, presentations and drawings.
• Business Related drive - The encrypted portion of a drive (up to 100% of the device). All data that is stored on the Business Related portion is encrypted.
• Non-Business Related data or Plain - File types that are not confidential and do not require encryption on storage devices.
• Non-Business Related drive - The unencrypted portion of a drive (if less than 100% is encrypted). Data stored on the Non-Business Related portion is not encrypted.

There are predefined categories of similar file types. You cannot change the file types included in these groups, but you can create your own custom groups. This list includes some of the predefined file type groups:

These groups are defined as Business Related by default:

• Word - Word processor files, such as Microsoft Word.
• Spreadsheet - Spreadsheet files, such as Microsoft Excel
• Presentation - Presentation files, such as Microsoft Power Point
• Database - Database files, such as Microsoft Access or SQL files.
• Drawing - Drawing or illustration software files, such as AutoCAD or Visio
• Graphic - Graphic software files such as Photoshop or Adobe Illustrator
• Viewer - Platform independent readable files, such as PDF or Postscript
• Archive - Compressed archive files, such as ZIP or SIT.
• Markup - Markup language source files, such as HTML or XML
• Email - Email files and databases, such as Microsoft Outlook and MSG files.
• Text - Plain text files

Groups defined as Non-Business Related by default

• Multimedia - Music and video files, such as MP3 or MOV
• Image - Vector image files such as JPG or PNG
• Executable - Executable program files, such as EXE or COM.

To classify groups as Business or Non-Business Related:

1. Click a write action and select Edit Properties.
2. In the Removable Media Write Access window, select Encrypt business related data written to storage devices.
3. Click the Configure Business Related file types link.
4. On the Business Related File Types page, select Business-related or Non business-related.
5. Click Add to add a group to the list.
6. Click Remove to remove a group from the list.

Creating a Custom User Message

You can customize the text that shows in all sections of the user message window, including the banner and the option buttons. You cannot change the Check Point logos. This feature is useful for translating user messages into different languages.

To create a custom user message:

1. In the Select User Message list, select New.
2. Enter a name and description in the applicable fields in the Policy Action Single Page Form window.
3. Optional: Select a language from the Language list.

   You can click Add to add another language to the list.

4. Select one or more text elements and enter your custom text.
5. Click Preview to see how the custom message shows on the screen.