Endpoint Restriction Catalog

By CtrlOne Team ·

Ask two administrators what restrictions they enforce and you will get two different lists, both incomplete. A catalog fixes that by laying out the restrictions available to a Windows estate in clear categories, so you can decide deliberately what to apply rather than discovering gaps during an incident. This article organises endpoint restrictions into the categories CtrlOne governs - removable media, applications, browsers, and device lockdown - and explains what each one buys you, when it fits, and how it stays enforced once switched on.

Endpoint Restriction Catalog - CtrlOne blog illustration

Why catalog restrictions at all

Restrictions applied ad hoc tend to be inconsistent and invisible. One machine blocks USB storage, another does not, and nobody can say why, which is exactly the confusion an auditor exposes.

A catalog makes the full range of choices visible so decisions are deliberate. It also gives restrictions a shared vocabulary, so a control means the same thing on every device and every administrator is talking about the same lever.

Removable media and USB restrictions

Removable storage is often the widest opening on an endpoint, both for data leaving and for unmanaged files arriving. The catalog treats it as its own category because the choices are richer than simply on or off.

CtrlOne can block removable storage, allow only approved device classes, or restrict access to read-only, applied per role and enforced continuously. That granularity lets a finance machine permit a specific approved device while a kiosk blocks storage entirely.

  • Block removable storage outright for locked-down roles.
  • Allow only approved device classes where a role needs them.
  • Restrict to read-only to permit reading but prevent exfiltration.

Application launch restrictions

The next category controls what software can run. Application launch control holds a device to its approved set, closing off a broad class of risk before any detection tool becomes involved.

The catalog frames this as a spectrum from permissive to strict. A general workstation might block a known-bad set, while a single-purpose device permits only the applications its role requires and nothing else.

Browser and website restrictions

Browsers are where most work and most risk now live, so they deserve their own category. Restrictions here range from limiting which browsers run to constraining the sites and functions available within them.

For shared and public-facing devices, browser restrictions keep a machine to its intended purpose and reduce the ways a user can wander into trouble. Applied through CtrlOne, they are enforced as policy rather than relying on a browser setting a user can undo.

Device lockdown and kiosk restrictions

The final category is the whole-device level: lockdown and kiosk modes that reduce a machine to a defined function. This is the tightest restriction available and suits reception PCs, information terminals, and single-app stations.

Lockdown is powerful because it collapses the entire attack surface to one purpose. The less a device can do, the less there is to govern and the more clearly any deviation stands out, which is why kiosk restrictions pair so well with drift correction.

  • Kiosk mode presents a single application or function.
  • Lockdown removes access to settings and extraneous features.
  • Drift correction restores the locked state after tampering.

Choosing from the catalog by role

The catalog is a menu, not a mandate. Not every restriction fits every role, and over-restricting a general workstation creates friction that pushes users to work around policy.

Match restrictions to what each role genuinely needs, apply them as named policy, and let CtrlOne version and enforce the result. The catalog then becomes a repeatable way to reason about restrictions rather than a set of switches someone flips from memory.

Frequently asked questions

Do these restrictions replace antivirus?

No. Restrictions reduce the surface an attacker or mistake can use, but they do not detect or remove malware. They complement your antivirus and EDR by giving them less to catch.

Can restrictions be applied per device role?

Yes. The catalog is designed to be applied by role, so a kiosk, a finance machine, and a general workstation each receive only the restrictions that fit their job.

What stops a user from undoing a restriction?

Restrictions are pushed as policy and re-asserted on drift, so a setting a user or update reverts is restored automatically rather than staying open.

Choose restrictions deliberately

See how CtrlOne turns a catalog of restrictions into named policy that stays enforced across every role.