
To USB or not to USB, that's the security question

USB Flash drives are everywhere. Not only can you use them to store data, you can also use them to boot secured workstations. Which is more of a hassle, blocking USB drives or supporting them? This entry discusses the problem and the implications of your decisions about flash drives.

In ITDojo, Bill Detwiler just outlined the steps necessary to boot Windows XP from a USB flash drive. Likewise, you can create bootable flash drives for Linux and other operating systems. Booting from USB is a relatively recent development in the PC world, and as such it adds one more headache for security-conscious IT professionals.

Flash drives have presented security problems for IT for some time now, based on their ability to store and carry off gobs of your sensitive corporate data. It's not just flash drives either. Any device that can store data and connect over USB, such as a digital camera or an iPod, presents a way for people to remove data from your organization.

The question for IT leaders, however, is what to do about flash drives and other USB storage options. Do you allow them in your organization or do you block them? And what are the implications of blocking USB?

More than a technical hurdle

It's not all that hard to disable USB storage devices; there are all kinds of options for keeping flash drives off your systems. You can disable USB ports, or just USB booting, in the BIOS, but that setting only holds if the BIOS itself is password-protected. Windows and OS X both let you disable USB mass-storage support at the operating-system level while keyboards, mice and printers keep working. In a Windows Server environment, you can set a Group Policy in Active Directory that disables flash drives across the domain. If you don't have those options, there are third-party utilities that can lock out USB devices. You could even go the low-tech route and do something silly like gluing the ports closed.

The problem isn't so much blocking flash drives from a technical standpoint as it is convincing users of the need to do so. Many users have a sense of entitlement, and even in organizations where security is important, they may balk at the idea of not being allowed to use flash drives. Or, if they do understand the need, they'll try to convince you why they are the exception to the rule.

Although it's possible to just write a policy on paper, slap some controls on your network, and be done with it, that's not always the best route to take. The best course of action is to first check whether a policy is needed at all. If so, do your best to educate users about the reason why and enlist as much support as possible. People naturally bristle at restrictions, but presented properly, they won't rebel as much.

Remember, if you do decide to block flash drives in your organization, you may need to come up with other options. Naturally, any method that makes data portable enough to go around the office makes it portable enough to go out the door, but users won't complain as much if you give them alternatives. It might be more storage space on the server, more portable computers, CD or DVD-RW drives, or something else. Just be aware that blocking flash drives won't necessarily protect data or lessen your administration headaches: anything a user can read on screen can still be e-mailed, uploaded or printed, so removable-media controls close only one channel.

The bottom line for IT leaders

USB flash drives are as dangerous as they are ubiquitous. Not only can they be used to drain your organization of data, when used as boot devices they can also be used to get around passwords and other security you have in place: a machine booted from a flash drive never consults the installed operating system's logon or file permissions, so anything on an unencrypted hard disk can be read or altered. If security is critical in your organization, you should already have policies and procedures in place to deal with them. Even in organizations where security isn't as critical, there are lots of good reasons to restrict them. Decide what's best for your organization, but be as clear to users as possible about what the decision is, why, and that there are no exceptions.

33 comments
Oz_Media

First of all, treat adults like adults, not possessions of a company. Without the players there is no game to win. The company needs to trust employees as much as they expect employees to trust the company. So write a policy that allows random checks of USB drives and other removable media UPON request and at the employee's discretion. In essence you can randomly ask to check a bag leaving; if the employee refuses that's their right, but they also risk even greater suspicion for doing so. THEN EXERCISE IT! Instead of waiting until you have a need for concern, just randomly ask a few employees once a week on odd days if you can have a quick look through their notebook bag or whatever as they leave. If you have greater need for concern, find a new HR manager.

scarville

Sometimes a USB key increases security. I use a thumb drive to carry my ssh private keys on. I plug it into my workstation in the morning and run a short script that loads them after I enter my passphrase and times them out after 10 hours.

trackpads

You could block USB but unless you remove the CD boot options it will do you no good.

hktown

I am trying MyUSBOnly from www.myusbonly.com. It tracks data written to authorized portable devices while blocking unauthorized ones.

a.w.g

You can stop the use of USB drives or storage through Group Policy without disabling other USB devices.

BALTHOR

You might have to have Administrator permission assigned to a USB drive. You would also need permission to web browse at work too, wouldn't you?

david.valdez

I have many users that are completely non-technical. We're rationalizing our AD infrastructure and developing standardized group policies and I'm going to have USB access as well as CD-ROM access and the like disabled by default on all but the office machines. While this may upset some of the more tech savvy users out there, I think they'll understand when I point to their peers generally. Moreover, in our environment, there is an easy division between those in need and those without need.

Forum Surfer

Sooner or later a senior manager is going to have one in his pocket and want to know why he can't use it. The only thing you can do is keep your security tight and change with the times. I do not, however, allow the use of thumb drives in areas that could prove disastrous such as HR, legal and payroll. Is it a huge risk to allow them? Absolutely. But it is sadly unavoidable these days, I believe. Even I have one in my pocket when technically it is in no way 100% needed. There are always more secure alternatives, but I still have a 4 gig SanDisk on my keychain. I do believe that one of the best practices to follow in this area is to disable bootable USB devices in the BIOS and lock the BIOS. It can be defeated by a determined user, but it's still a safe bet. On public terminals all network access should be disabled, no thumb drives, no USB devices at all, and you should lock down Windows to the point that the only thing on the start menu is the app needed for public access. In my case it's a website through a proxy. No matter where you try to go it takes you to the same website, lol. Of course I replace a lot of keyboards because people get mad at them for not being able to Google. The user can't shut down, right click or pretty much do anything. Basically it's all about security, security, security and changing with the times reasonably when it is prudent. Sooner or later you have to adapt and adjust your security measures unless you work in a very secure and sensitive environment that isn't subject to change unless mandated by a higher authority.

robo_dev

The most complete, IMHO, is CheckPoint DiskNet Pro. There is also GuardianEdge, DeviceLock, Lumension Sanctuary, Zecurion, etc.

gotmilkcrazy

I am using a piece of software called MyUSBOnly. It's easy to work with and to learn how to manage the USB hub on the PC. Get the trial to try first!! www.myusbonly.com

vadivel.murughan

Can you please tell me where to code the Group Policy so that USB can be disabled/enabled? Help please.

poundjd

Disabling USB completely is one option, but how do you deal with all of the other USB devices that you need, such as keyboards and mice?

robo_dev

DeviceLock, Sanctuary. There are about a dozen players in the field of USB device security (I've evaluated several of these). DiskNet Pro not only blocks devices you don't want, but also forces encryption on those you allow, so the executive can carry his powerpoint presentation without fear of data theft after he passes out drunk and his "date" steals his pants with his wallet, car keys, and the USB memory stick.

ITsteve13

Improper management of USB usage and data importation/exportation does present all organizations with a major security issue. USB port access control is important to endpoint security, regardless of how protective an antivirus and firewall may or may not be, as theft of sensitive corporate data and protection against harmful malware have proven paramount to all organizations. Products like the NetWrix USB Blocker (http://netwrix.com/usb_blocker_freeware.html ) ease the burden placed on administrators who have to decide whether or not to permit USB flash drives by making responsible management of the said devices possible. The USB Blocker, which relies on built-in Group Policy mechanisms, prevents unauthorized use of removable devices, hardens endpoint security and enables regulatory compliance. The NetWrix USB Blocker is free of charge and carries no time or license restraints. Tools like the NetWrix USB Blocker continue to make deciding whether or not to permit flash devices easy because they promote security and enable central management, while providing an inexpensive solution to a potentially costly issue. Stephen Schimmel, Product Manager, NetWrix Corporation www.netwrix.com

darrenbrinksneader

You can secure devices (flash drives, SD cards, CD/DVD...) all day long, but a person can still zip up the data and send it through e-mail or upload it to another internet site, or they could always print out the data they want. If you are in a Microsoft environment, then you need to take a look at Information Rights Management (IRM). Information Rights Management (IRM) allows individuals and administrators to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself. IRM helps individuals enforce their personal preferences concerning the transmission of personal or private information. IRM also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information. What IRM, or device management, won't prevent:
* Restricted content from being hand-copied or retyped from a display on a recipient's screen
* A recipient from taking a digital photograph of the restricted content displayed on a screen
* Restricted content from being copied by using third-party screen-capture programs

wesley.stover

We run a script that changes a value in the registry. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR there is a value named "Start". This defaults to 3. If you change that value to 4 it will shut down portable media for the machine. This does not affect USB keyboards, mice, or printers. However, it will shut down thumb drives. iPods can still be charged, but not played through the PC. The only thing to watch for is a monitor or keyboard with a built-in USB port. This lockdown can sometimes be bypassed because the keyboard signal is being piggybacked, and the monitor is not using a USB port on the PC to gain access.

andronin

We have been using Device Control from Lumension (http://www.lumension.com) for almost 4 years. The great thing with this is that it plugs into AD and allows only users, not machines, access to their removable device(s). The biggest problem for us is getting users to understand why.

Lovs2look

Install NT4 on any and all machines! Easy fix...never have to worry about USB ever again.

robo_dev

It does a couple of very cool things. It can block/disable: USB drives of all types, wifi, CD-RW, DVD-RW, floppy, Bluetooth, modems (including cellular tethering), and any other device you define (flash cards, memory sticks, etc.). But here's the cool part: transparent removable media encryption. For media devices that you allow, or for users who are allowed, it can automatically encrypt the media. Therefore, for those people whose job requires them to move data via USB memory stick or CD-ROM, their data is automatically encrypted, using certificates and/or passwords. I've been working on a pilot implementation that has half the company now running in full-lockdown mode and half in audit-only mode. So far so good. PS, I don't work for Checkpoint. http://www.checkpoint.com/reflexmagnetics/products/disknetpro/index.html

abdullah.adam

All CD drives, USB disks, and even access to email and the internet are blocked from certain machines. It's pretty harsh, but hey, we don't have much of a choice.

angel

You can disable USB storage without causing an issue with other devices such as mice and keyboards, for example. You can do this through GPOs in an Active Directory environment. If USB storage devices have been used before, then you have to make a registry change. I pushed the registry change to computers on my network and then set up a GPO. The only thing I wish would happen is that a customizable message would pop up when someone tried to plug in a USB storage device. If anyone knows how to set up a message when a USB storage device is plugged in, I would be very appreciative if it was shared. Thanks! Here are the links to the changes that I made. http://support.microsoft.com/kb/555324 http://www.windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html http://support.microsoft.com/kb/823732
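The following is an added example, not code from the article or from any of the commenters. It shows, in one script, the two Windows controls that keep coming up on this page: the USBSTOR service "Start" value described in the wesley.stover comment above, and the registry keys that the "Removable Storage Access" Group Policy writes (the GPO approach in the article's "More than a technical hurdle" section and in the angel comment above), plus an audit function so you can see which layer is active and whether a USB disk is currently attached. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer (for Get-PnpDevice); the function names and the ReadOnly switch are my own choices.

```powershell
# Added example: audit and lock down USB mass storage on a single Windows host.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer.
# Function names (Get-/Disable-/Enable-UsbStorage) are this example's own.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID the Removable Storage Access policy uses for
# "Removable Disks" (USB flash drives and similar).
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbStorageState {
    # Report the settings that decide whether a flash drive will mount,
    # and how many USB disks are attached right now.
    $classKey  = Join-Path $PolicyRoot $RemovableDiskClass
    $start     = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $denyAll   = (Get-ItemProperty -Path $PolicyRoot -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $denyWrite = (Get-ItemProperty -Path $classKey -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    $attached  = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.InstanceId -like 'USBSTOR\*' }
    [pscustomobject]@{
        UsbStorDriverDisabled = ($start -eq 4)      # 3 = start on demand, 4 = disabled
        PolicyDenyAll         = ($denyAll -eq 1)
        PolicyDenyWrite       = ($denyWrite -eq 1)
        AttachedUsbDisks      = @($attached).Count
    }
}

function Disable-UsbStorage {
    param(
        # Leave flash drives readable but refuse writes and program execution,
        # for users who must read vendor media but should not carry data out.
        [switch]$ReadOnly
    )
    if ($ReadOnly) {
        $classKey = Join-Path $PolicyRoot $RemovableDiskClass
        New-Item -Path $classKey -Force | Out-Null
        Set-ItemProperty -Path $classKey -Name Deny_Write   -Value 1 -Type DWord
        Set-ItemProperty -Path $classKey -Name Deny_Execute -Value 1 -Type DWord
    } else {
        # Layer 1: stop usbstor.sys from loading at all. Keyboards, mice and
        # printers use other class drivers and are unaffected.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
        # Layer 2: the same value a "Deny all access" GPO writes, so flipping
        # Start back to 3 on the box still does not let a drive mount.
        New-Item -Path $PolicyRoot -Force | Out-Null
        Set-ItemProperty -Path $PolicyRoot -Name Deny_All -Value 1 -Type DWord
    }
    # Drives already mounted stay mounted until unplugged; both settings are
    # applied when a device is (re)attached.
}

function Enable-UsbStorage {
    # Undo both layers.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
    if (Test-Path $PolicyRoot) {
        Remove-Item -Path $PolicyRoot -Recurse -Force
    }
}

# Usage: audit, lock down, audit again.
Get-UsbStorageState
Disable-UsbStorage
Get-UsbStorageState
```

Two caveats worth keeping in mind. In a domain, set the RemovableStorageDevices values through a GPO rather than with this script; a local edit is fine for a pilot on a handful of machines, but whatever the GPO says wins at the next policy refresh. And neither layer helps against the threat in the article's bottom line: a user who boots the machine from a flash drive or CD never loads usbstor.sys or reads the policy key at all, which is why the BIOS boot order, a BIOS password and full-disk encryption belong in the same policy.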

Forum Surfer

You can stop the use of USB drives or storage through Group Policy without disabling other USB devices. A grey area would be a printer with a media card reader, as once it is plugged in the PC recognizes it as a USB drive AND a USB printer separately. That may be something to test in the lab before implementing such a policy or purchasing a printer like that.

brent2710

I am currently working on an ISO 27000 project in China. Has anyone evaluated which is the best solution to protect removable media?

IC-IT

You should not use TR posts to advertise your products. Especially by reviving Zombie posts, let them rest in peace.

Neon Samurai

partitioning, formatting, defragging, all with normal storage area tools. If the system sees it like any other storage, that's how I'll work with it. SanDisk flash drives stung me once though, so backup, backup, backup; rsync is your friend.

hhall1001

Who needs USB? Who cares about NT4? If you provide a connection to the Internet, users can upload to any number of sites. Get an S3 account and you can upload via a Firefox extension. Use a secure socket and where's the trail? Boot Linux from a CD and turn USB back on. Disconnect from the network and attach to a laptop via a hub. Disconnect from the network and attach to a wireless router and download from your car. Attach to a laptop via a parallel or serial cable. Take the hard drive home and copy it. Etc., etc. --cheers

robo_dev

with separate enums in the registry; therefore you can block the card reader with policy.