
Thread: USB Jumpdrives

  1. #11
    Junior Member
    Join Date
    Mar 2005
    Posts
    18
    I think I would have to agree with Nihil on this...I would never put "techies" (administration) before security. I'm sure they can find a work around.

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I think I would have to agree with Nihil on this...I would never put "techies" (administration) before security. I'm sure they can find a work around.
    The issue isn't that they will bitch - it's that they will enable USB support and leave it enabled for the next time they come back - thus leaving it enabled for the unwashed masses - thus defeating the whole point of the exercise.

    But let's think laterally:-

    You need to make it easy for the Techs to do their job and look cool too but block the (L)users from the USB. It has to be quicker than rebooting and changing the BIOS etc.

    The clue is in Phish's Link;-

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
    "Start"=dword:00000003
    I'm wondering if you can't play with the concept so that a tech can run services.msc as an admin, (runas), and having altered the key with admin only executable .reg files, (one to open and one to close the USB), restart a USB service which would block/unblock the USB at will....

    Just a thought... I don't want to mess with this laptop at the moment.....

    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Give the first post in this thread a look, Djm. http://www.antionline.com/showthread...=disabling+usb
    Hope that's useful.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  4. #14
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    <off_topic>
    Answers that you find in places you completely didn't expect...

    Originally posted here by Tiger Shark
    ... a tech can run services.msc as an admin, (runas)...
    Being a Linux junky, I've always wanted a command that would work like sudo on Windows..., but being a Linux junky, I never cared enough to look for the solution..., now I find "runas."

    I probably could have solved a lot of problems significantly quicker knowing that.

    Guess it's a sign that I should try to visit the forums more..., I can't think how many months it has been since I came here.

    Thanks Tiger Shark!!!
    </off_topic>

    I don't know how it is at your companies, but if we didn't have access to USB Sticks, a significant portion of work would be hampered...

    I was actually embarrassed at one of our Primes' sites because they needed to give me a file and I didn't have a thumbdrive... Nothing like looking out of date in the eyes of a customer...

    Heck, when I go to a big meeting the main form of files transport is thumbdrive, my little sandisk saved my buttocks once, because the meeting coordinator had forgotten to burn my company's slides onto the meeting cd. If I hadn't had them on my stick, we would have had to present to a room full of a couple hundred people, and who knows how many teleconned in, and present without any pretty pictures to distract them...

    Granted, the people I primarily deal with aren't your average company schmucks, so I can see taking access away from those that have no right in the world to have it.

    I guess if you can take anything out of what I've just babbled it's to be careful what luser's computer you take USB stick access off of.

    You can pry my thumbdrive out of my cold dead hands!! And even then I might fight back... :-P

    Take it easy,
    Dhej
    The owl of Minerva spreads its wings only with the falling of dusk. -Hegel

  5. #15
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Give the first post in this thread a look, Djm. http://www.antionline.com/showthrea...t=disabling+usb
    Hope that's useful.
    Yep, this will work for the machine but not the user. The same goes for the link that Phisshy posted too.

    We did a study on the risks to the organization relating to USB flash drives. The bottom line is that short of filling the USB ports with super glue, you cannot effectively defend against these devices. They are far more simple to use than CD-Rs and the like, much faster, much easier to conceal, etc..

    That said, we had to rethink where classified and sensitive data can be accessed. If data of these types could be displayed on machines that could save, forward or otherwise capture the data without an accounting trail, then it was repositioned.

    See here for more infoz:
    http://www.enterpriseitplanet.com/se...le.php/3486161
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #16
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Being a Linux junky, I've always wanted a command that would work like sudo on Windows..., but being a Linux junky, I never cared enough to look for the solution..., now I find "runas."

    I probably could have solved a lot of problems significantly quicker knowing that.
    Just a FYI. If when you right click on an application/shortcut and it doesn't have the "runas" listed as an option, hold down left shift (right may work too) and right click. The "runas" should appear.

    I believe that the "secondary logon" service must be running in order to use the "runas" feature.

    One program/shortcut that would be an example is the 2003 admin pack that you would install on an XP workstation. If you just right click on "active directory users and computers" then runas option isn't there. But if you shift, right click, it will be there.

    Another quick tip.

    Ever wanted to run the "explorer" program as another user just to find out that it doesn't work? Use Internet Explorer. runas the user that has more privileges and then you can use UNC paths to navigate the filesystems of the machines you want to manage. Just be sure to set your homepage to "about:blank" so it doesn't open any page on the internet. Otherwise you'll be visiting a website as the user with the elevated privileges... (eg. local admin/domain admin)
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #17
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Not sure about XP, but in 2000 it's the "Runas service" that has to be started to do this.

  8. #18
    Senior Member
    Join Date
    Jan 2005
    Posts
    217

    ON TOPIC

    Guys,

    Getting back to the topic, I think DjM's real inquiries on specific scenario has not been addressed,
    No AD, Novell shop.
    -Novel shop? What OS is it? (Pardon me)

    In W2K, one observation in a public facility that I am using (the cafe), I always bring my USB HD, sometimes, when I plug it into the BoX, it is not detected right away, most of the time it is easy, do USB's really act like this (HARDWARE ISSUES), or it falls on the AD configuration of specific BoX? Some BoX really don't detect it at all.

    Yo!
    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)
    http://www.geocities.com/sebeneleben/SOTBMulti.gif

  9. #19
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    -Novel shop? What OS is it? (Pardon me)
    Is this a joke?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #20
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    [PERTAINS TO MICROSOFT OPERATING SYSTEMS]

    The solution is easy enough, at least to me:

    Simply add my registry fix (as noted in previous linked thread) for "DISALLOW COPYING" to the USB device (machine level) to the logoff script of administrator accounts and the "ALLOW COPY TO" to the logon script of administrators from either local policy (for workgroups) or push it to each machine in a group policy.

    Here's the amazingly simple way it works:

    1) User is logged on and cannot copy ANYTHING to the USB port because of the standard "DISALLOW COPYING" registry entry. Now along comes the administrator.

    2) Administrator logs on locally using "Switch user" or logs in from the welcome screen, as normal. (I have not tested "RunAs")

    3) Upon logging in, the logon script in the Administrator "USER" local policy section automatically enables the "ALLOW USB COPYING".

    4) The administrator performs file transfers to and from the USB device, then logs off.

    5) Upon logging off, the logoff script in the Administrator "USER" section automatically returns the registry entry to its previous "DISALLOW COPYING" value.

    PROS:
    Any registry changes are immediately effective and don't require a reboot or refresh.
    No difficult registry hacking or programming needed. A simple .cmd or .bat file.
    Cannot be changed by anyone except an administrator level account.
    It's machine level effective, so no worrying about how it affects new users.
    Set up and forget it, it works every time.
    Extremely easy and time effective to add the logon and logoff file.
    No out of pocket expense.

    CONS:
    "Something this easy can't work" mentality. (Duhhh...)
    "But I have 500 machines" excuse (uhh...try a group policy push..)
    "This doesn't disable the entire USB functioning which I need" (uhh...substitute Microsoft's suggestion into the .cmd or .bat file)
    "I just don't like you or your silly working solutions" (Can't please everyone!)

    Have I missed something here?
    ZT3000
    Beta tester of "0"s and "1"s"
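
Added example, not part of ZT3000's post or any other post in this thread: a sketch of the logon/logoff toggle from post #20, applied to the USBSTOR `Start` value quoted in post #12 (ZT3000's own registry fix lives in a linked thread and is not shown here). The script name `Toggle-UsbStor.ps1` is hypothetical, and the value 4 (driver disabled) is the standard Windows service start type, assumed here because the thread only shows 3.

```powershell
# Toggle-UsbStor.ps1 (hypothetical name; added example, not code from the thread)
# Call with -State Enabled from the administrator logon script and with
# -State Disabled from the administrator logoff script, as post #20 outlines.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Enabled', 'Disabled')]
    [string]$State
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# 3 = start on demand (the value shown in post #12); 4 = disabled (assumed, see lead-in)
$StartValues = @{ Enabled = 3; Disabled = 4 }

# Writing under HKLM\SYSTEM needs an elevated administrator token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Not elevated: USBSTOR start type left unchanged.'
    exit 1
}

# The key may be absent on a machine where the USB storage driver was never installed.
if (-not (Test-Path $KeyPath)) {
    Write-Error "USBSTOR service key not found at $KeyPath; nothing to toggle."
    exit 2
}

$wanted = $StartValues[$State]
$before = (Get-ItemProperty -Path $KeyPath -Name Start).Start
Set-ItemProperty -Path $KeyPath -Name Start -Value $wanted -Type DWord
$after  = (Get-ItemProperty -Path $KeyPath -Name Start).Start

# Read the value back so a failed write is reported instead of assumed.
if ($after -ne $wanted) {
    Write-Error "USBSTOR Start is $after, expected $wanted."
    exit 3
}

# One line on stdout per change, so each enable/disable can be redirected
# to a log and traced to a time, machine and account.
'{0:s} {1} USBSTOR Start {2} -> {3} by {4}' -f (Get-Date), $env:COMPUTERNAME, $before, $after, $identity.Name
```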
