Security Settings Description
DeviceLock provides the following security settings for protocols:
Block unrecognized outgoing SSL traffic - If enabled, causes DeviceLock Service to audit and block all unrecognized outgoing SSL traffic. Otherwise, even if the protocols are locked, unrecognized outgoing SSL traffic is neither blocked nor audited.
Block IP addresses in URL - If enabled, causes DeviceLock Service to block connections by any URL containing an IP address even if the user is allowed to use a protocol. This setting affects all protocols except the following: FTP, IBM Notes, IRC, Jabber, MAPI, SMB, SMTP, Telnet, and Torrent. By default, it is disabled.
For protocols affected by this setting, access control, auditing, and shadowing for URLs that contain an IP address are performed at the HTTP protocol level. When DeviceLock Service is configured to deny access via HTTP, it blocks connections by URLs containing an IP address for all those protocols, regardless of the Block IP addresses in URL setting.
 
Important: If the Protocols White List allows Any protocol access to certain IP addresses, the Block IP addresses in URL setting will not block connections to those IP addresses.
Block proxy traffic - If enabled, causes DeviceLock Service to audit and block all traffic that flows through a proxy server. The following proxy servers are supported: HTTP, SOCKS4, and SOCKS5.
Block network if BFE service is stopped (Windows 8 and later) - If enabled, causes DeviceLock Service to block all network traffic when the Base Filtering Engine (BFE) system service is stopped. If this setting is disabled and the Base Filtering Engine service is stopped, NetworkLock is unable to control the network traffic on Windows 8 and later systems. To enable this setting, the NetworkLock policy (any protocol-related DeviceLock Service permissions or rules) must be defined. Otherwise, this setting has no effect.
Intercept MS Lync connections - If enabled, causes DeviceLock Service to intercept network traffic from Microsoft Lync 2010 or Microsoft Office Communicator. To enable this setting, the NetworkLock policy (any protocol-related DeviceLock Service permissions or rules) must be defined. Otherwise, this setting has no effect.
Block Tor Browser traffic - If enabled, causes DeviceLock Service to block connections to the Tor network, preventing the use of the Tor Browser. To enable this setting, the NetworkLock policy (any protocol-related DeviceLock Service permissions or rules) must be defined. Otherwise, this setting has no effect.
When this setting is in effect, attempts to use the Tor Browser are registered in the Audit Log as connection failure events with Tor Browser specified as the source, and accounted for as denied access requests via the Other protocol in Audit Log reports.
Intercept draft MAPI messages - If enabled, causes DeviceLock Service to control draft folder messages that Outlook saves to the Exchange Server. With this setting enabled, all DeviceLock rules and permissions specified for the MAPI protocol are applied to such drafts. Disable this setting if you do not want DeviceLock to control draft messages.
Intercept moved MAPI messages - If enabled, causes DeviceLock Service to control messages being imported to the Exchange Server from e-mail message export files (.msg files) or other (external) mailboxes. With this setting enabled, all DeviceLock rules and permissions specified for the MAPI protocol are applied to e-mail messages from .msg files or external mailboxes that Outlook sends to the Exchange Server. Disable this setting if you do not want DeviceLock to control such messages.
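
The following is an added example, not DeviceLock code: a small Python model of the rules stated above for the Block IP addresses in URL setting, useful for working out the expected outcome of a test connection before checking the Audit Log. The function names, the white_list_any format, the use of Python's ipaddress module to decide what counts as an IP address in a URL, and the choice to consult the White List before an HTTP deny are assumptions; the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Protocols the page lists as not affected by "Block IP addresses in URL".
UNAFFECTED = {"FTP", "IBM Notes", "IRC", "Jabber", "MAPI", "SMB", "SMTP",
              "Telnet", "Torrent"}

def host_ip(url):
    """Return the IP literal used as the URL host, or None for a host name."""
    host = urlsplit(url).hostname  # drops port, userinfo and IPv6 brackets
    try:
        return ipaddress.ip_address(host) if host else None
    except ValueError:
        return None

def ip_url_outcome(protocol, url, block_ip_urls=False, http_denied=False,
                   white_list_any=()):
    """Model how an IP-address URL is handled; returns (blocked, reason).

    white_list_any: constructed stand-in for White List rules that allow
    Any protocol, given as IP or CIDR strings (hypothetical format).
    """
    ip = host_ip(url)
    if ip is None:
        return False, "host is a name, rule not applicable"
    if protocol in UNAFFECTED:
        return False, "protocol is not affected by the setting"
    # Assumption: the White List is consulted first. The page states this
    # only for the setting, not for an HTTP deny.
    for entry in white_list_any:
        if ip in ipaddress.ip_network(entry, strict=False):
            return False, "White List allows Any protocol to this address"
    if http_denied:
        return True, "HTTP access denied, setting is irrelevant"
    if block_ip_urls:
        return True, "Block IP addresses in URL is enabled"
    return False, "setting disabled (default)"

# Constructed sample connections, evaluated against a constructed policy.
SAMPLES = [("HTTP", "http://203.0.113.7:8080/upload"),
           ("HTTP", "https://[2001:db8::1]/"),
           ("HTTP", "https://intranet.example/"),
           ("FTP", "ftp://203.0.113.7/pub"),
           ("HTTP", "http://10.1.2.3/status")]

if __name__ == "__main__":
    for proto, url in SAMPLES:
        print(proto, url, ip_url_outcome(proto, url, block_ip_urls=True,
                                         white_list_any=["10.1.0.0/16"]))
```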