darlodge

How does everyone block USB storage keys?

Whilst trying to find a cost effective (i.e. free ) solution to block USB keys being plugged into our PC's to protect company data. I found a product called Utimaco which looks very good, has a nice managment console etc.

However for free you can add the following string dword value and it will make all USB storage devices read only

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\StorageDevicePolicies]
"WriteProtect"=dword:00000001

Note, this dword only works with XP SP2

Darren

Dracoro

Is the data particularly sensitive? Seems overkill and will pi$$ off your staff. The devices are useful in copying files and having backups of important docs. That excel sheet with the yearly figures, put on USB pen and give pen to boss so he can look at home etc. People who wanna work on 'that doc' at home and so on.

I assume you'll also want to remove floppy drives and writable CD's and iPods and e-mail and web access etc. as these can all be used to transfer/copy files etc.

Would have thought it far better to disable access to the sensitive files, make them hidden etc.

darlodge

Dracoro,

The data is as sensitive as any company's data, in the wrong hands it would be a big issue.

Senior Managers would always have the access to save to USB keys as I know how important this is for backup etc.

We already block webmail as I'm aware of the security risk, only remote users and senior managers have CD-RW drives, we monitor ALL internet traffic so we can easily check if someone is uploading files to a secure site somewhere. There is no FTP access from the building (apart from a secure range of IP addresses). I’m quite happy with the questions from staff about a file that they want to take home to work on at the weekend, simple, bring me the key and I’ll put it on there.

We already restrict departments data to that department i.e. marketing can only see the marketing folder, however we have had a few staff leave very recently and I’m concern they may have taken company files with them via USB keys.

Do you not worry about what is leaving the building?
Until we put our mail and web monitor in a year ago, we had no idea at all what was being looked at and sent around. Its quite worrying that we had no idea at all.

Darren

Dracoro

Fair enough. You have to evaluate the risk I suppose.

http://www.petri.co.il/forums/showthread.php?t=3299

Assuming you can stop users accessing regedit etc.

darlodge

Thanks,

Our users can't fart without asking us first, let alone use regedit

Darren

Stueyb

Well depending how **** you wanna be, do like the MOD, at the recent conf we had at Sophos. Easy solution they use, called superglue in the usb ports

darlodge

That is the worst solution I've ever heard of.

Darren

David_Wallis

At my last place we wrote a script that did it via group membership.

David_Wallis

Removing physical access is the best way to secure..

I used to lock the boot order to be hdd.
Disable booting from removable devices.
Screw the users in windows with a visible drive mask (dynamically showed the cd if they were in the correct group)

Darren, remember to secure against booting from the pen itself!!

molko

Have you tried disabling USB in the BIOS. Most PC's will still allow the keyboard and mouse to work even if USB is disabled and as far as i am aware no other USB device will work

If the BIOS is password protected then all the better

darlodge

All valid points David, thanks for the info.

molko, we can't disable all USB devices as all the keyboards and mice are usb

Darren

bob269

You can however remove access to removable storage, forget it being a usb socket and think of it as a drive, its in gpedit.msc somewhere i think.

Our users dont get access to any drives other than the network f: drive