Blocking USB storage devices
#1
Scooby Regular
Thread Starter
Join Date: Oct 2001
Location: Lovely Lancing in West Sussex
Posts: 3,449
Likes: 0
Received 0 Likes
on
0 Posts
Blocking USB storage devices
How does everyone block USB storage keys?
Whilst trying to find a cost effective (i.e. free ) solution to block USB keys being plugged into our PC's to protect company data. I found a product called Utimaco which looks very good, has a nice managment console etc.
However for free you can add the following string dword value and it will make all USB storage devices read only
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\StorageDevicePolicies]
"WriteProtect"=dword:00000001
Note, this dword only works with XP SP2
Darren
Whilst trying to find a cost effective (i.e. free ) solution to block USB keys being plugged into our PC's to protect company data. I found a product called Utimaco which looks very good, has a nice managment console etc.
However for free you can add the following string dword value and it will make all USB storage devices read only
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\StorageDevicePolicies]
"WriteProtect"=dword:00000001
Note, this dword only works with XP SP2
Darren
#2
Scooby Regular
Join Date: Sep 2001
Location: A powerslide near you
Posts: 10,261
Likes: 0
Received 0 Likes
on
0 Posts
Is the data particularly sensitive? Seems overkill and will pi$$ off your staff. The devices are useful in copying files and having backups of important docs. That excel sheet with the yearly figures, put on USB pen and give pen to boss so he can look at home etc. People who wanna work on 'that doc' at home and so on.
I assume you'll also want to remove floppy drives and writable CD's and iPods and e-mail and web access etc. as these can all be used to transfer/copy files etc.
Would have thought it far better to disable access to the sensitive files, make them hidden etc.
I assume you'll also want to remove floppy drives and writable CD's and iPods and e-mail and web access etc. as these can all be used to transfer/copy files etc.
Would have thought it far better to disable access to the sensitive files, make them hidden etc.
Last edited by Dracoro; 31 January 2006 at 10:43 AM.
#3
Scooby Regular
Thread Starter
Join Date: Oct 2001
Location: Lovely Lancing in West Sussex
Posts: 3,449
Likes: 0
Received 0 Likes
on
0 Posts
Dracoro,
The data is as sensitive as any company's data, in the wrong hands it would be a big issue.
Senior Managers would always have the access to save to USB keys as I know how important this is for backup etc.
We already block webmail as I'm aware of the security risk, only remote users and senior managers have CD-RW drives, we monitor ALL internet traffic so we can easily check if someone is uploading files to a secure site somewhere. There is no FTP access from the building (apart from a secure range of IP addresses). I’m quite happy with the questions from staff about a file that they want to take home to work on at the weekend, simple, bring me the key and I’ll put it on there.
We already restrict departments data to that department i.e. marketing can only see the marketing folder, however we have had a few staff leave very recently and I’m concern they may have taken company files with them via USB keys.
Do you not worry about what is leaving the building?
Until we put our mail and web monitor in a year ago, we had no idea at all what was being looked at and sent around. Its quite worrying that we had no idea at all.
Darren
The data is as sensitive as any company's data, in the wrong hands it would be a big issue.
Senior Managers would always have the access to save to USB keys as I know how important this is for backup etc.
We already block webmail as I'm aware of the security risk, only remote users and senior managers have CD-RW drives, we monitor ALL internet traffic so we can easily check if someone is uploading files to a secure site somewhere. There is no FTP access from the building (apart from a secure range of IP addresses). I’m quite happy with the questions from staff about a file that they want to take home to work on at the weekend, simple, bring me the key and I’ll put it on there.
We already restrict departments data to that department i.e. marketing can only see the marketing folder, however we have had a few staff leave very recently and I’m concern they may have taken company files with them via USB keys.
Do you not worry about what is leaving the building?
Until we put our mail and web monitor in a year ago, we had no idea at all what was being looked at and sent around. Its quite worrying that we had no idea at all.
Darren
Last edited by darlodge; 31 January 2006 at 11:10 AM.
#4
Scooby Regular
Join Date: Sep 2001
Location: A powerslide near you
Posts: 10,261
Likes: 0
Received 0 Likes
on
0 Posts
Fair enough. You have to evaluate the risk I suppose.
http://www.petri.co.il/forums/showthread.php?t=3299
Assuming you can stop users accessing regedit etc.
http://www.petri.co.il/forums/showthread.php?t=3299
Assuming you can stop users accessing regedit etc.
Trending Topics
#9
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like
on
1 Post
I assume you'll also want to remove floppy drives and writable CD's and iPods and e-mail and web access etc. as these can all be used to transfer/copy files etc.
I used to lock the boot order to be hdd.
Disable booting from removable devices.
Screw the users in windows with a visible drive mask (dynamically showed the cd if they were in the correct group)
Darren, remember to secure against booting from the pen itself!!
#10
Have you tried disabling USB in the BIOS. Most PC's will still allow the keyboard and mouse to work even if USB is disabled and as far as i am aware no other USB device will work
If the BIOS is password protected then all the better
If the BIOS is password protected then all the better
#11
Scooby Regular
Thread Starter
Join Date: Oct 2001
Location: Lovely Lancing in West Sussex
Posts: 3,449
Likes: 0
Received 0 Likes
on
0 Posts
All valid points David, thanks for the info.
molko, we can't disable all USB devices as all the keyboards and mice are usb
Darren
molko, we can't disable all USB devices as all the keyboards and mice are usb
Darren
#12
molko, we can't disable all USB devices as all the keyboards and mice are usb
Our users dont get access to any drives other than the network f: drive
Thread
Thread Starter
Forum
Replies
Last Post
Sam Witwicky
Engine Management and ECU Remapping
17
13 November 2015 10:49 AM