Configuring a Write Action

You define the default settings for write access to storage devices in the Removable Media Write Access window. This action can let users:

The default predefined write actions are:

  • Allow writing any data to storage devices - Users can write all file types to storage devices.
  • Encrypt business related data written to storage devices - All files that are defined as Business related data must be written to the encrypted storage. Non-business related data can be saved to the device without encryption. See Configuring Business Related File Types.
  • Encrypt all data written to storage devices - All files written to a storage device must be encrypted. This includes both Business and Non-Business Related data.
  • Do not allow writing any data to storage devices - Users cannot write any file types to storage devices.
  • Do not allow writing any data to storage devices, allow user override - By default, users cannot write any file types to storage devices. But UserCheck lets users override the policy and write to a storage device after entering justification for the action.

You can define custom write actions as necessary. Your new custom actions are always available in addition to the default actions.

To configure a storage device Write Action:

  1. Right-click a Write Access action and select Edit Properties.

    The Removable Media Access window opens.

  2. Optional: Select a different action from the list.

    Click New to create a custom action.

  3. Select one of these Storage device write access options:
    • Allow any data - Users can write all data types to storage devices.
    • Encrypt business related data - Users can write all data types to the storage devices. Only Business Related data must be encrypted.
    • Encrypt all data - Users can write all data types to storage devices. All data must be encrypted, including Non-Business Related data.
    • Block any data - Users cannot write to the storage devices.
  4. Select one or more of these options:
    • Log device events - Select this option to create a log entry when a storage device is attached (Event IDs 11 and 20 only).

      Note: If you do not select the Log device events option in the Media Encryption & Port Protection rule, log entries are not created even if the Audit device events option is selected in this window.

    • Allow encryption - Select this option to let users encrypt storage devices. If this option is cleared, no storage devices can be encrypted.

      Click Additional Encryption Options to configure additional encryption settings as necessary.

    • Enable deletion - Select this option to let users delete files on devices with read only permissions.
  5. Configure these settings for User Overrides (UserCheck):
    • Allow user to override company policy - Lets users override the assigned policy by sending written justification to an administrator. Click Configure Message to create your own user message.

      Note - The Allow user to override company policy option is not supported for CD/DVD ROM devices.

  6. If necessary, click Configure file types to define custom business related file types.

Configuring Business Related File Types

If you enable the Encrypt business-related data written to storage devices option, users must encrypt all file types that are defined as business-related. Users can save non business-related file types without encryption.

If you enable the Force encryption of all outgoing data option, all data, including Non-Business related data, must be encrypted.

There are predefined categories of similar file types. You cannot change the file types included in these groups, but you can create your own custom groups. This list includes some of the predefined file type groups:

These groups are defined as Business Related by default:

Groups defined as Non-Business Related by default

To classify groups as Business or Non-Business Related:

  1. Click a write action and select Edit Properties.
  2. In the Removable Media Write Access window, select Encrypt business related data written to storage devices.
  3. Click the Configure Business Related file types link.
  4. On the Business Related File Types page, select Business-related or Non business-related.
  5. Click Add to add a group to the list.
  6. Click Remove to remove a group from the list.

Creating a Custom User Message

You can customize the text that shows in all sections of the user message window, including the banner and the option buttons. You cannot change the Check Point logos. This feature is useful for translating user messages into different languages.

To create a custom user message:

  1. In the Select User Message list, select New.
  2. Enter a name and description in the applicable fields in the Policy Action Single Page Form window.
  3. Optional: Select a language from the Language list.

    You can click Add to add another language to the list.

  4. Select one or more text elements and enter your custom text.
  5. Click Preview to see how the custom message shows on the screen.