Enforce read-only access to external drives on Windows hosts - Githubissues

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)

https://fleetdm.com

Other

3.09k stars 426 forks source link

Enforce read-only access to external drives on Windows hosts #16401

Open noahtalerman opened 9 months ago

noahtalerman commented 9 months ago

Goal

User story
As an IT admin,
I want to enforce read-only access to external drives on my Windows hosts
so that I can meet NIST SC-34.

Context

Product designer: @marko-lisica

Changes

Product

[ ] UI changes: TODO
[ ] CLI usage changes: TODO
[ ] REST API changes: TODO
[ ] Permissions changes: TODO
[ ] Outdated documentation changes: TODO
[ ] Changes to paid features or tiers: TODO

Engineering

[ ] Database schema migrations: TODO
[ ] Load testing: TODO

ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Requires load testing: TODO
Risk level: Low / High TODO
Risk description: TODO

Manual testing steps

Step 1
Step 2
Step 3

Testing notes

Confirmation

[ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
[ ] QA (@____): Added comment to user story confirming successful completion of QA.

noahtalerman commented 8 months ago

Heads up @pintomi1989, this feature request was brought to feature fest on 2024-02-15 and wasn't prioritized for the current design sprint.

noahtalerman commented 7 months ago

Hey @pintomi1989 heads up, this story was prioritized during feature fest. Aiming to ship an improvement in the next 6 weeks.

noahtalerman commented 7 months ago

Marko: Fleet doesn't use the BitLocker CSP (we use WMI). Likely there's another WMI API we could use.

noahtalerman commented 7 months ago

Hey @pintomi1989 heads up, we didn't get to this in the last design sprint.

Bringing it back to feature fest.

noahtalerman commented 7 months ago

Noah: The customer is going to address this w/ their EDR (ex. Crowdstrike)

Noah: Maybe this is an override option to specify a custom BitLocker configuration profile. Currently, Fleet blocks any BitLocker profiles because we don't want them to step on our built in disk encryption feature.

noahtalerman commented 7 months ago

Hey @pintomi1989, heads up, we reviewed this during feature fest.

We don't have the space to take this one in the upcoming design sprint (4.49).

Removing this from the feature fest board.

pintomi1989 commented 6 months ago

Removing customer-flacourtia, as they stated this is no longer something they need.

noahtalerman commented 6 months ago

Thanks @pintomi1989.

Pulling this one off feature fest.