- Log on to the WFBS console.
- Navigate to Security Settings (for WFBS 9.5 and below), or Devices (for WFBS 10).
- Select a desktop or server group.
- Click Configure (for WFBS 9.5 and below), or Configure Policy (for WFBS 10).
- Click Device Control.
- Update the following as required:
- Enable Device Control
- Enable USB Autorun Prevention
- Permissions: Set for both USB devices and network resources.
Device Control Permissions

| Permissions | Files on the Device | Incoming Files |
| --- | --- | --- |
| Full access | Permitted operations: Copy, Move, Open, Save, Delete, Execute | Permitted operations: Save, Move, Copy. This means that a file can be saved, moved, and copied to the device. |
| Modify | Permitted operations: Copy, Move, Open, Save, Delete. Prohibited operations: Execute | Permitted operations: Save, Move, Copy |
| Read and execute | Permitted operations: Copy, Open, Execute. Prohibited operations: Save, Move, Delete | Prohibited operations: Save, Move, Copy |
| Read | Permitted operations: Copy, Open. Prohibited operations: Save, Move, Delete, Execute | Prohibited operations: Save, Move, Copy |
| No access | Prohibited operations: All operations. The device and the files it contains are visible to the user (for example, from Windows Explorer). | Prohibited operations: Save, Move, Copy |

- Exceptions: If a user is not given read permission for a particular device, the user will still be allowed to run or open any file or program in the Approved List. However, if AutoRun prevention is enabled, even if a file is included in the Approved List, it will still not be allowed to run.

To add an exception to the Approved List, enter the file name including the path or the digital signature and click Add to the Approved List.

Specifying a Digital Signature Provider

Specify a Digital Signature Provider if you trust programs issued by the provider. For example, type Microsoft Corporation or Trend Micro, Inc. You can obtain the Digital Signature Provider by checking the properties of a program (e.g., right-click the program and select Properties).

Figure: Digital Signature Provider for the Trend Micro security agent program (PccNTMon.exe)

Specifying a Program Path and Name

A program path and name should have a maximum of 259 characters and must only contain alphanumeric characters (A-Z, a-z, 0-9). It is not possible to specify only the program name.

You can use wildcards in place of drive letters and program names. Use a question mark (?) to represent single-character data, such as a drive letter. Use an asterisk (*) to represent multi-character data, such as a program name.

Important: Wildcards cannot be used to represent folder names. The exact name of a folder must be specified.

Correct Usage of Wildcards:

| Example | Matched Data |
| --- | --- |
| `?:\Password.exe` | The "Password.exe" file located directly under any drive. |
| `C:\Program Files\Microsoft\*.exe` | Any .exe file in C:\Program Files\Microsoft. |
| `C:\Program Files\*.*` | Any file in C:\Program Files that has a file extension. |
| `C:\Program Files\a?c.exe` | Any .exe file in C:\Program Files that has 3 characters starting with the letter "a" and ending with the letter "c". |
| `C:\*` | Any file located directly under the C:\ drive, with or without file extensions. |

Incorrect Usage of Wildcards:

| Example | Reason |
| --- | --- |
| `??:\Buffalo\Password.exe` | ?? represents two characters and drive letters only have a single alphabetic character. |
| `*:\Buffalo\Password.exe` | * represents multi-character data and drive letters only have a single alphabetic character. |
| `C:\*\Password.exe` | Wildcards cannot be used to represent folder names. The exact name of a folder must be specified. |
| `C:\?\Password.exe` | Wildcards cannot be used to represent folder names. The exact name of a folder must be specified. |

- Click Save.
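
The path and wildcard rules above can be checked before entries are typed into the console. The following is an added example, not Trend Micro code: a Python model of the documented rules that validates an Approved List path entry and tests which file paths it would cover. The function names, the case-insensitive comparison and `*` matching zero or more characters are assumptions, and the alphanumeric-character rule is not modelled.

```python
import re

MAX_LEN = 259  # maximum length of a program path and name, per the page

def validate_entry(pattern):
    """Return the documented rules that an Approved List path entry breaks."""
    errors = []
    if len(pattern) > MAX_LEN:
        errors.append("longer than 259 characters")
    parts = pattern.split("\\")
    drive, folders, name = parts[0], parts[1:-1], parts[-1]
    if len(parts) < 2 or not name:
        return errors + ["must include both a path and a program name"]
    if not re.fullmatch(r"[A-Za-z?]:", drive):
        errors.append("drive must be one letter or a single '?'")
    if any("*" in f or "?" in f for f in folders):
        errors.append("wildcards cannot represent folder names")
    return errors

def matches(pattern, path):
    """True if a valid entry covers path (case-insensitive: an assumption)."""
    if validate_entry(pattern):
        return False
    p, t = pattern.split("\\"), path.split("\\")
    if len(p) != len(t) or not t[-1]:
        return False
    # Drive: '?' stands for exactly one letter.
    if not re.fullmatch(p[0].replace("?", "[A-Za-z]"), t[0], re.I):
        return False
    # Folder names are compared exactly; wildcards never expand here.
    if [f.lower() for f in p[1:-1]] != [f.lower() for f in t[1:-1]]:
        return False
    # File name: '?' is one character, '*' is any run (assumed to allow zero).
    name_re = re.escape(p[-1]).replace(r"\?", ".").replace(r"\*", ".*")
    return re.fullmatch(name_re, t[-1], re.I | re.S) is not None

if __name__ == "__main__":
    # Constructed sample entries, taken from the page's usage tables.
    for entry in [r"?:\Password.exe", r"C:\*", r"C:\*\Password.exe",
                  r"??:\Buffalo\Password.exe", "Password.exe"]:
        print(entry, "->", validate_entry(entry) or "ok")
    print(matches(r"C:\Program Files\*.*", r"C:\Program Files\readme"))
```

An entry such as `C:\*` passes validation yet covers every file directly under the drive, so broad entries deserve a second look before they are added to the Approved List.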