use of USB drives

Printable View

July 21st, 2005, 03:45 PM
ghostmachine

use of USB drives

hi
in my organisation, we have alot PC's installed with Windows and comes with USB slots
I have to come up with a way or some tools that can help me to secure
USB drives such that the staff cannot use the drive for unauthorized copying of
files and bring back home.
any recommendations on software or hardware solutions ?
thanks
July 21st, 2005, 03:50 PM
Kthln01

Someone please correct me if I am wrong,

But I believe via the Device Manager, you can disable USB ports?
I think.....
July 21st, 2005, 04:00 PM
SirDice

Have a look here.
July 21st, 2005, 04:46 PM
nihil

ghostmachine

Please remember that this needs to be part of a comprehensive solution. There are read/write CDs and the 3.5" floppy as well. And you need to watch your e-mail for large attachments.

:)
July 21st, 2005, 04:59 PM
TechGrunt

Quote:

Originally posted here by nihil
ghostmachine

Please remember that this needs to be part of a comprehensive solution. There are read/write CDs and the 3.5" floppy as well. And you need to watch your e-mail for large attacments.

:)

I agree with nihil. If you have an environment where this is an issue, you need to look at a holistic solution to plug all holes. Also you need to essentially look for a balance of functionality of your system and the level of security. Some of this you can obtain via technology and some you obtain via policy. I work in an environment with similar requirements. Some of the things we have in place are:
1. CD/DVD R/W drives are controlled and only installed on machines that are in open office and in full view. They are not permitted in private offices
2. In very sensitive areas, data transfer points are used. I am not familiar with the tech behind it, but essentially it is a common device, once again in open office area, where people can transfer data to and from disks
3. In the areas mentioned in point 2, a electronic controlled documents register is used. Basically any disk used for storing data is put on a register and tracked during its use until it is destroyed

As I mentioned, you need to weigh up exactly how much protection you need to provide your data and adjust your policy/technology accordingly. The previous suggestion of disabling the USB ports in Device Manager is probably your simpliest option, however you need to make sure the users don't have the ability to re-enable the ports and also don't have a use for any other USB devices.

Hope this helps
July 21st, 2005, 05:43 PM
DjM

Check out the following thread, this was discussed at length there. There maybe some ideas for you, but I would read TH13's comment re: jumpdrives, I think he pretty well sum's it up. ;)

http://www.antionline.com/showthread...hreadid=267446

Cheers:
July 21st, 2005, 06:03 PM
Katja

Let me see what options I have to take a file from my PC...

One, I could use a floppy, ZIP disk or a CD/DVD writer and put the file on it.
Two, I could just email it to my home address, using an encrypted ZIP file format.
Three, I can but an USB device and store it there. This is real interesting since these USB devices can be hidden as anything.
Four, I could connect my PDA through USB or other port and use the storage on my PDA.
Five, if the PC has an CF/SD/Memory stick reader, I could use that for storage.
Six, I could print it out on paper and use OCR software to scan all pages at home again, converting it to text again.
Seven, I could hook up a laptop or PDA to the network (!) and use the network to send the file to my system.

And finally, if an employee does want to take something home with them, you will not be able to stop them anyway. Even if they have to open the PC, take out the harddisk or whatever and then close it... If they want it, they will take it. Do you realise that they could even open the PC, install a second harddisk on any available IDE connector and then start copying files that way?

Personally, I would just tell your employees to NOT copy any files back home and warn them. When caught, it will be considered the same as theft. (And people have been fired for stealing some tape or tipp-ex or a pen or whatever!)
July 22nd, 2005, 03:11 AM
oofki

I personally have heard good things about device lock.
http://www.protect-me.com/dl/
take a look
August 2nd, 2005, 10:18 PM
Katja

Actually, in my opinion, if you want to block USB access then there's only one option: buy PC's that don't have any USB ports. That should take care of any USB devices that users are installing.
Also keep in mind that if users are administrators on their own system, they will be able to simply bypass any protection on that system. Something like that devicelock would only work with regular user accounts.

And again, it still doesn't stop someone who attempts to steal data from your system. You just stop the regular people from making copies of data. But by making sure the employees understand that they could lose their job if they are making unauthorized copies, you will probably get a positive effect. People will try to bypass security but in general they will be careful not to lose their jobs...

There is another alternative, though... Use Terminal servers. Your employees would just have a dummy terminal while the real hardware is locked away in a safe location.
August 2nd, 2005, 11:51 PM
Highlander

Disconnect USB ports or disable them in the Bios....
Warning... You may have a USB Mouse on there so
be ready to use the older style mouse.
Same with CD Roms and Floppy Drives.....
I would pull the ribbon cable then lock the case.

There is other things to consider like Net Access.....
August 3rd, 2005, 02:58 AM
avdven

I recently helped migrate a small business to Sanctury Device Control by Kanguru Solutions. It was simple to set up, very cost effective and, at least so far, very efficient at locking out unwanted access to devices attached to the networked systems. Everyone else has made valid points as well, but if you need an all-in-one solution that's simple to manage, this may be a good way to go.

AJ
August 3rd, 2005, 12:22 PM
nihil

I forgot to mention this, but squirting epoxy resin into the ports is probably the quick and nasty solution.

But don't forget the other vectors that have been mentioned.

Perhaps you should review your security policy as well, and make sure that only people who actually need to have access to your data can access it, and with the minimum authority appropriate to their function.

You might also get HR to review their recruitment and vetting policy and your terms and conditions of employment.

At defence sites over here you bring an unauthorised recording device, computer device, camera, thumb drive etc onto the site, then it is instant dismissal at the very least.

:)
August 3rd, 2005, 03:39 PM
Katja

You want a simple solution? Lock up the hardware! Literally!
What you need to have is some safe or a closet with a lock on it. Put the PC in this safe and drill a few holes in the safe so the keyboard, mouse, power, network and monitor cables can still be connected to this system. And maybe an opening for the user to press the Power switch of the computer. Then lock this safe...

The advantage of this system is that whomever is responsible for the hardware maintenance, they can still access the computer since they have the key. The user, however, cannot. Even if the user has administrator rights, he still can't connect any hardware to the system thus he has no "physical" access to it. Yet the system is in no way crippled by some software or hardware solution.

And what if the user breaks open the lock of the safe? Well, it doesn't have to be strong enough to keep out any thieves. A simple wooden box would be more than enough. But when you discover that a user has been tampering with the lock, you should have a serious discussion with that employee, about breaking office materials...

And keep in mind, a system can always be hacked, especially if the hacker has physical access to the system. By building it into a safe, this physical access will be denied.
Of course, make sure your users aren't administrators on their own machines or they could bypass many other security measures you've set up. And make sure that any hubs and switches are also locked away safely, so no user can plug out a cable and replace it with it's own...