You can configure user access rights by device type or for trusted devices.
Differentiation of user access rights by device type
Device Control allows configuring user access rights to data on storage devices. For such devices, you can configure read and write permissions. Device Control supports the following types of storage devices:
Hard drives
Removable drives
Floppy disks
CD/DVD drives
Portable devices (MTP). These include, for example, mobile devices, photo cameras, media players, and so on.
This means that you can, for example, allow only the administrators group to use removable drives. For other device types, you can deny or allow access for all users. You can also configure user access rights to printers.
In the Kaspersky Security Center Administration Console tree, select the Policies folder.
Select the necessary policy and double-click to open the policy properties.
In the policy properties window, select Local activity control.
In the Device Control section, click Settings.
Select the Device Control check box.
In the Operating mode for blocking rules block, select Block or Inform.
Under Device Control settings, select the Types of devices tab.
The Types of devices tab shows access rules for all devices that are included in the Device Control component classification.
To configure storage device access rules, double-click to open the list of rules.
Configure the storage device access rule:
In the Access rules block, click the Add button.
This opens a window for adding a new storage device access rule.
In the Priority field, set the priority of the rule entry. A rule includes the following attributes: user account, schedule, permissions (read/write), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Embedded Systems Security regulates device access based on the rule with the highest priority. Kaspersky Embedded Systems Security lets you assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priorities of all rules are the same, Kaspersky Embedded Systems Security regulates device access based on any existing block rule.
Under Rule for users and groups, select users or groups of users. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
Click OK.
Under Schedules for the selected access rule, configure a storage device access schedule for users.
For example, you can allow user access to storage devices only during working hours.
Configure users' access permissions to storage devices in the file manager (Read / Write).
Save your changes. To apply the policy on computers, close the locks.
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Embedded Systems Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Local activity control → Device Control and click the Configure button.
The Device Control window opens.
Select the Enable Device Control check box.
In the Operating mode for blocking rules block, select Block or Inform.
In the Device Control Settings block, click Access rules for devices and Wi-Fi networks.
A window opens with access rules for all devices that are included in the Device Control component classification.
In the Access To Storage Devices block, open the properties of the storage device access rule.
Configure the storage device access rule:
In the Users block, click the Add button.
This opens a window for adding a new storage device access rule.
In the Priority field, set the priority of the rule entry. A rule includes the following attributes: user account, schedule, permissions (read/write), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Embedded Systems Security regulates device access based on the rule with the highest priority. Kaspersky Embedded Systems Security lets you assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priorities of all rules are the same, Kaspersky Embedded Systems Security regulates device access based on any existing block rule.
Under Users, select users or groups of users. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
Under Schedule for access to devices, configure a storage device access schedule for users.
For example, you can allow user access to storage devices only during working hours.
Configure users' access permissions to storage devices in the file manager (Read / Write).
Click OK.
Save your changes. To apply the policy on computers, close the locks.
In the Kaspersky Embedded Systems Security Console tree, select Computer Control → Device Control.
In the results pane of the Device Control node, click Properties.
The Properties:Device Control window opens.
Select the Device Control check box.
In the Operating mode for blocking rules block, select Block or Inform.
Under Device Control settings, select the Types of devices tab.
A window opens with access rules for all devices that are included in the Device Control component classification.
To configure storage device access rules, double-click to open the list of rules.
Configure the storage device access rule:
In the Access rules block, click the Add button.
This opens a window for adding a new storage device access rule.
In the Rule priority field, set the priority of the rule entry. A rule includes the following attributes: user account, schedule, permissions (read/write), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Embedded Systems Security regulates device access based on the rule with the highest priority. Kaspersky Embedded Systems Security lets you assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and the priorities of all rules are the same, Kaspersky Embedded Systems Security regulates device access based on any existing block rule.
Under Rule for users and groups, select users or groups of users. You can select users in Active Directory or enter a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
Click OK.
Under Schedules for the selected access rule, configure a storage device access schedule for users.
For example, you can allow user access to storage devices only during working hours.
Configure users' access permissions to storage devices in the file manager (Read / Write).
Save your changes.
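The priority behavior described in each of the three procedures above (highest priority wins, and a block rule wins when priorities are equal) can be checked on paper before a policy is rolled out. The following is an added example, not Kaspersky code: `RuleEntry` and `effective_access` are hypothetical names, a block rule is modeled as an entry that withholds a permission, and schedules are left out.

```python
from dataclasses import dataclass

MIN_PRIORITY, MAX_PRIORITY = 0, 10_000  # range stated on the page


@dataclass(frozen=True)
class RuleEntry:
    principal: str   # user or group name (constructed sample values below)
    priority: int
    read: bool
    write: bool

    def __post_init__(self):
        if not MIN_PRIORITY <= self.priority <= MAX_PRIORITY:
            raise ValueError(f"priority {self.priority} outside 0..10000")


def effective_access(entries, principals):
    """Return (read, write) for a user who belongs to `principals`.

    Returns None when no entry names any of the user's principals; the page
    does not say what the product does in that case.
    """
    matching = [e for e in entries if e.principal in principals]
    if not matching:
        return None
    top = max(e.priority for e in matching)
    winners = [e for e in matching if e.priority == top]
    # Equal priority: a blocking entry beats an allowing one, so a permission
    # is granted only if every winning entry grants it (modeling assumption).
    return (all(e.read for e in winners), all(e.write for e in winners))


# Constructed sample: the page's own example (administrators=1, Everyone=0).
PAGE_EXAMPLE = [
    RuleEntry("Everyone", 0, read=True, write=False),
    RuleEntry("Administrators", 1, read=True, write=True),
]
# Constructed misconfiguration: both entries left at the same priority.
SAME_PRIORITY = [
    RuleEntry("Everyone", 0, read=True, write=False),
    RuleEntry("Administrators", 0, read=True, write=True),
]

if __name__ == "__main__":
    admin = {"Everyone", "Administrators"}
    print(effective_access(PAGE_EXAMPLE, admin))         # (True, True)
    print(effective_access(PAGE_EXAMPLE, {"Everyone"}))  # (True, False)
    print(effective_access(SAME_PRIORITY, admin))        # (True, False)
```

The last case shows why the priority values matter: with both entries at the same priority, an administrator who is also in Everyone loses write access because the more restrictive entry wins the tie.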
Differentiation of user access rights to trusted devices
Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times. To work with trusted devices, you can grant access to an individual user, to a group of users, or to all users of the organization. You can configure user access rights in the properties of the trusted device.