Topic: «Problem with content-aware rules», Grant access to file content if access is denied at device type level
This time we have some strange problems with content-aware rules.
- certain white listed USB removable devices (USB sticks): full access for corresponding users
- certain other white listed USB removable devices (card readers, mobile phones, digicams): read access to picture files (e.g. jpg) for corresponding users, no access to all other file types
- all other not authorized USB removable devices: no access
We used the following settings referring to the manual, which normally should work:
Deploying with Group Policy
Security Settings: Access control for USB storage devices enabled
Permissions: USB Port: no access for users
Removable: no access for users
White list: full access devices are white listed for corresponding users with control as type unchecked; restricted access devices are white listed for corresponding users with control as type checked
Content-aware rules: rule for corresponding users: Images, CAD and Drawing; Permissions; Allow Read, Deny Write
Strange Result (tested on XP and Windows 7 clients, same effect):
The user has access to the device itself, but cannot open ANY file types, including picture files which should have read access.
Even stranger: For testing we changed the content-aware rules for images to allow read and allow write. Then the user doesn't even have access to the device itself any more !? Exactly the same happens when we only check "allow read" and leave "write" completely unchecked.
By the way, in all these cases also the configured content-aware blocked read/write messages never appear, only the Windows error messages.
When we did the whole thing the other way round for testing (Permissions removable full access for users; content-aware rules Allow read, Deny Write for certain file type and full deny for some other file types) everything worked as expected (including blocked messages). But this is no option for us as we only have few file types on few devices which should be allowed. Plus if we grant full access to users in removable permissions, we can of course deny access to unauthorized USB removable devices by configuring no access on USB port, but non-USB removable devices such as built-in card readers in notebooks would stay accessible.
So we would be thankful, if you could give us some help or hint in this case. I think we configured everything correctly. Normally it should have worked, can't explain the strange result...
Thanks a lot!
Posted: 05/24/2011 18:25:48
Technical Support Engineer
Forwarding to Technical Support.
Posted: 05/24/2011 18:40:16