Networking Forums

Blocking access to USB flash drives/external firewire devices

 
 
Marc Hoffman
      07-27-2005, 06:21 PM
I've been looking and looking for a way to block access to USB/firewire
external devices via group policy, as these devices can be a big security
risk. I know that there are several third party programs out there that can
do this, but to be honest, I really do not like the idea of having to add
more software onto our users' workstations (as well as the servers).

Thanks in advance.

Marc

 
Miha Pihler [MVP]
      07-27-2005, 06:26 PM
What are you trying to protect here?

If you are afraid that I will steal your data I can find so many more ways
to do it (e.g. LPT port, PS2 port, ...). Will you disable those too?
Do users have access to the internet? If yes, they can open up a Gmail account
and upload up to 2GB of data (this is only one service)...

--
Mike
Microsoft MVP - Windows Security

"Marc Hoffman" <(E-Mail Removed)> wrote in message
news:BF0D3AD6.B88E%(E-Mail Removed) m...
> I've been looking and looking for a way to block access to USB/firewire
> external devices via group policy, as these devices can be a big sucurity
> risk. I know that there are several third party programs out there that
> can
> do this, but to be honest, I really do not like the idea of having to add
> more software onto our users' workstations (as well as the servers).
>
> Thanks in advance.
>
> Marc
>



 
Reply With Quote
 
Miha Pihler [MVP]
      07-27-2005, 06:30 PM
Here are some resources, but note these can be bypassed if I want to.

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120
drivers
http://support.microsoft.com/default...b;en-us;555324

How to disable the use of USB storage devices
http://support.microsoft.com/default...b;en-us;823732

To bypass these policies all one would have to do is e.g. boot into an
alternative operating system (even from CD). Even 3rd party tools won't
prevent that.

--
Mike
Microsoft MVP - Windows Security

"Miha Pihler [MVP]" <mihap-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> What are you trying to protect here?
>
> If you are afraid that I will steal your data I can find so many more ways
> to do it (e.g. LPT port, PS2 port, ...). Will you disable those too?
> Do users have access to the internet? If yes, they can open up Gmail
> account and upload up to 2GB of data (this is only one service)...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Marc Hoffman" <(E-Mail Removed)> wrote in message
> news:BF0D3AD6.B88E%(E-Mail Removed) m...
>> I've been looking and looking for a way to block access to USB/firewire
>> external devices via group policy, as these devices can be a big sucurity
>> risk. I know that there are several third party programs out there that
>> can
>> do this, but to be honest, I really do not like the idea of having to add
>> more software onto our users' workstations (as well as the servers).
>>
>> Thanks in advance.
>>
>> Marc
>>

>
>



 
Reply With Quote
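An added example (not part of the thread or of the linked KB articles) showing what the KB 823732 method amounts to in practice: the USBSTOR port driver's Start value is set to 4 (SERVICE_DISABLED) so the driver never loads for a newly plugged-in device. The script audits that value for several removable-storage port drivers and only changes it when run with -Enforce. The service names other than USBSTOR, and sbp2port as the FireWire (SBP-2) storage driver in particular, are assumptions; run it elevated, or push it as a GPO startup script.

```powershell
# Added example, not from the thread or the KB articles. Audits and optionally
# enforces Start = 4 (SERVICE_DISABLED) on removable-storage port drivers.
# Assumption: XP/2003-era service names; sbp2port for FireWire storage is an
# assumption not named in the thread.
param(
    [switch]$Enforce,   # without this switch the script only reports
    [string[]]$Services = @('USBSTOR', 'sbp2port', 'Cdrom', 'Flpydisk', 'Sfloppy')
)

$ServiceDisabled = 4
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-StorageDriverState {
    param([string]$Name)
    $key = Join-Path $base $Name
    if (-not (Test-Path $key)) {
        # Driver never installed on this box (e.g. no USB storage ever plugged in).
        # KB 823732 covers that case separately with Deny ACLs on usbstor.inf/.pnf.
        return [pscustomobject]@{ Service = $Name; Present = $false; Start = $null; Disabled = $false }
    }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Service  = $Name
        Present  = $true
        Start    = $start
        Disabled = ($start -eq $ServiceDisabled)
    }
}

function Set-StorageDriverDisabled {
    param([string]$Name)
    $key = Join-Path $base $Name
    # These are kernel-mode drivers, so the registry value is changed rather
    # than calling Stop-Service. Devices already mounted stay mounted until
    # removed; the setting applies to devices attached afterwards.
    Set-ItemProperty -Path $key -Name Start -Value $ServiceDisabled -Type DWord
}

$report = foreach ($svc in $Services) {
    $state = Get-StorageDriverState -Name $svc
    if ($Enforce -and $state.Present -and -not $state.Disabled) {
        Set-StorageDriverDisabled -Name $svc
        $state = Get-StorageDriverState -Name $svc   # re-read to confirm
    }
    $state
}

$report | Format-Table -AutoSize

# The bypass Mike describes, made concrete: this is one DWORD in the registry.
# Anyone who can boot the machine from CD/USB into another OS reads the disk
# regardless, and a local administrator can set Start back to 3. It only
# raises the bar when paired with a BIOS boot-order lock plus BIOS password
# and disk encryption.
```

Run it once without -Enforce to see which drivers are present and what their Start values are; a value of 3 (SERVICE_DEMAND_START) is the default for USBSTOR and means the driver loads as soon as a storage device is attached.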
 
Marc Hoffman
      07-27-2005, 07:19 PM
> What are you trying to protect here?

Information, period.

> If you are afraid that I will steal your data I can find so many more ways
> to do it (e.g. LPT port, PS2 port, ...). Will you disable those too?
> Do users have access to the internet? If yes, they can open up Gmail account
> and upload up to 2GB of data (this is only one service)...


So I should do nothing? Just because there are many ways to circumvent
security measures is not any reason to completely leave the doors wide open.
If users are going to try and get information, I'm not going to make it easy
for them. And, not all of the users on a corporate network are as "sneaky"
as you?

I understand your point, but we as administrators cannot sit by and twiddle
the ol' thumbs thinking, oh, well, they'll get the information anyway. Why
should I do anything to prevent them? This is the same logic that fuels the
spiraling teen pregnancy rate (ok...that's for another forum).

Marc

 
Jason Gurtz
      07-27-2005, 07:36 PM
On 7/27/2005 15:19, Marc Hoffman wrote:
> So I should do nothing? Just because there are many ways to circumvent
> security measures is not any reason to completely leave the doors wide open.


+1

To do otherwise is just like asking the respondent to come and visit your
network LOL, and all the ways he mentioned can be protected against
too.

> [...] This is the same logic the fuels the
> spiraling teen pregnancy rate (ok...that's for another forum).


Actually, in the US, teen pregnancy is down for a few years.[1]

~Jason

[1] See this week's issue of _The_Economist_ on censoring T.V.

Marc Hoffman
      07-27-2005, 07:57 PM

> Actually, in the US, teen pregnancy is down for a few years.[1]


That's GREAT news!!! Makes me more optimistic ;-) Thanks for the feedback.

 
Miha Pihler [MVP]
      07-27-2005, 07:59 PM
> So I should do nothing? Just because there are many ways to circumvent
> security measures is not any reason to completely leave the doors wide
> open.
> If users are going to try and get information, I'm not going to make it
> easy
> for them. And, not all of the users on a corporate network are as "sneaky"
> as you?


I never said you shouldn't do anything. Sit down, think what you want to do
and if you want to really protect your information, do it right -- all
the way, not just half of the way. Since you are talking about open and
closed doors -- how much information can users take out with half open doors
(or e.g. upload it to web e-mail accounts or burn it on CD, etc...)?

--
Miha Pihler, MCSA, MCSE, MCT, CISSP
Microsoft MVP - Windows Security


 
Miha Pihler [MVP]
      07-27-2005, 08:08 PM
http://www.microsoft.com/technet/com...mt/sm0405.mspx

Myth 8: Security Tweaks Can Fix Physical Security Problems

There is a fundamental concept in information security that states that if
bad guys have physical access to your computer, it is not your computer any
longer! Physical access will always trump software security -- eventually.
We have to qualify the statement, though, because there are valid software
security steps that will prolong the time until physical access breaches all
security. Encryption of data, for instance, falls into that category.
However, many other software security tweaks are meaningless. Our current
favorite is the debate over USB thumb drives. After the movie "The Recruit,"
everyone woke up to the fact that someone can easily steal data on a USB
thumb drive. Curiously, this only seems to apply to thumb drives. We have
walked into military facilities that confiscated our USB thumb drives but
let us in with 80-GB i1394 hard drives. Apparently, those are not as bad.

One memorable late evening one author's boss called him frantically asking
what to do about this problem. The response: Head on down to your local
hardware store, pick up a tube of epoxy, and fill the USB ports with it.
While you are at it, fill the i1394 (FireWire), serial, parallel, SD card,
MMC, Memory Stick, CD/DVD-burner, floppy drive, and Ethernet jack with it
too. You'll also need to make sure nobody could carry the monitor off and
make a photocopy of it. You can steal data using all of those interfaces.

The crux of the issue is that as long as there are these types of interfaces
on the system and bad guys have access to them, all bets are off. There is
nothing about USB that makes it any different. Sure, the OS manufacturer
could put a switch in that prevents someone from writing to a USB thumb
drive. That does not, however, prevent the bad guy from booting to a
bootable USB thumb drive, loading an NTFS driver, and then stealing the
data.

In short, any software security solution that purports to be a meaningful
defense against physical breach must persist even if the bad guy has full
access to the system and can boot into an arbitrary operating system.
Registry tweaks and file system ACLs do not provide that protection, but
encryption does. Combined with proper physical security, all these measures
are useful. As a substitute for physical security, they are usually not.


"Miha Pihler [MVP]" <mihap-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>> So I should do nothing? Just because there are many ways to circumvent
>> security measures is not any reason to completely leave the doors wide
>> open.
>> If users are going to try and get information, I'm not going to make it
>> easy
>> for them. And, not all of the users on a corporate network are as
>> "sneaky"
>> as you?

>
> I never said you shouldn't do anything. Sit down, think what you want to
> do and if you want to really protect your information, do it the right --
> all the way not just half of the way. Since you are talking about open and
> closed doors -- how much information can users take out with half open
> doors (or e.g. upload it to web e-mail accounts or burn it on CD, etc...)?
>
> --
> Miha Pihler, MCSA, MCSE, MCT, CISSP
> Microsoft MVP - Windows Security
>
>



 
Reply With Quote
 
Phillip Windell
      07-27-2005, 08:11 PM
.....and now back to the original question......

You can't without disabling USB and Firewire completely.

This is more of a "human" problem. The company simply should not hire
people it cannot trust with information that they have access to. I know
that is easier said than done, but it is the way it is. Technology is not
going to be the answer to everything concerning security, that is why Social
Engineering is the most effective and the most common "hacking technique".

If a user has access to certain files,...then those files are simply
"insecure" concerning that one user,...period, end of story. It doesn't
matter if they can carry it out on a Memory Stick, a "burned" CD/DVD, a
Floppy Disk, or just simply "memorized" from reading it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



"Marc Hoffman" <(E-Mail Removed)> wrote in message
news:BF0D516B.BD44%(E-Mail Removed) m...
>
> > Actually, in the US, teen pregnancy is down for a few years.[1]

>
> That's GREAT news!!! Makes me more optimistic ;-) Thanks for the feedback.
>



 
Reply With Quote
 
Jason Gurtz
      07-27-2005, 10:05 PM
On 7/27/2005 16:08, Miha Pihler [MVP] wrote:
> http://www.microsoft.com/technet/com...mt/sm0405.mspx
>
> Myth 8: Security Tweaks Can Fix Physical Security Problems


That may be true, but they sure can raise the bar as far as what type of
person with physical access will be able to do something malicious. The
author even says this.

My take is that they're trying to cover up a missing feature that other
operating systems have had for decades, control over who can mount a drive.

The more difficult a task is to do, the less likely it is to get done.
That's just plain old common sense. I totally agree that one can never
plug all security holes but the admin can make it as difficult as possible
in their environment for an incident to occur. Sweeping generalizations
about what is reasonable for security are worthless. Your users may need
to use removable storage to bring work home and have been thoroughly
screened at hiring time by a team of experts. The OP may have public
kiosks, etc...

Same concept: >90% of my users have no Internet access and can only send
and receive email from Internal parties. There is also very strict checking on file
attachments at the server. Does this mean that there will never be a
virus attack on the computers? Of course not, but I'll wager it's highly
unlikely. Hey I can have this kind of policy and it's blessed by the
PHB's too; other admins don't have that luxury.

~Jason
