Discussion on:
View:
Show:
Is there not a market for USB Port Locks then - with a key needed to remove such a device!!. Much like the old floppy drive locks seen before.
I would love to see a way whereby the USB port can be disabled by the operating system, and dynamically enabled if you have sufficient local priveliges or perhaps group membership. Microsoft gave us the "FloppyLock" service, surely it should not beto strenuous to code a "USBLock" service?
Whatever happened to trusting and respecting your employees? Locking down machines, whether applied to hardware or software, may look like it saves money but that is only because IT does not measure all of the costs and gains they should. Is lost worker productivity measured because I have to call IT to have data put on a floppy? Is affect on employee morale (and hence retention) factored in when they realize how little they are trusted by IT and company policy? These are the real issues that are neglected and wipe out any gains from such petty policies like locking ports, preventing software installs, etc. IT should not be a joke at the office. They should not stand in the way of an employee getting the tools they need to do their job. ITused to have something called the "Help Desk". Hiring good people and keeping them is a challenge all parts and policies of a company must be working towards. This will also help take care of the average disgruntled employee damaging a system or stealing data. Besides, IT can do nothing against a truly dedicated opponent.
Aldrich Aimes! Remember him? Fine up standing citizen that stole government secrets on his PDA? Remember 80% of all malicious attacks occur at the hands of "trusted" employees, not outside hackers. Its sad, but it is very true. Are you willing to bet your business on that?
The real problem with IT PR in these situations is that corporate management doesn't understand and/or properly communicate the ramifications of not locking systems down. Much of that due to poor IT Management. Manycompanies have policies to lock-up office supplies because they are often stolen and cost money, much more than people realize. The same holds true for data only it has a much greater cost when stolen. Couple that with software audits that find non-company owned applications to incur a serious fine.
These reasons are why such measures are necessary. Its not that we like being Fascists, it just a fact of business life.
The real problem with IT PR in these situations is that corporate management doesn't understand and/or properly communicate the ramifications of not locking systems down. Much of that due to poor IT Management. Manycompanies have policies to lock-up office supplies because they are often stolen and cost money, much more than people realize. The same holds true for data only it has a much greater cost when stolen. Couple that with software audits that find non-company owned applications to incur a serious fine.
These reasons are why such measures are necessary. Its not that we like being Fascists, it just a fact of business life.
And what about all the other peripherals which are using USB? Serial ports and parallel ports are referred to as "legacy" connections for a reason. Disabling USB makes it more difficult or impossible to hook up most modern peripherals. For most clients I have supported, this would cause more headaches than it's worth.
And if you want to prevent users from removing data from the premises, then you will need to lock floppy drives, eliminate internet access (there's too many ways to sneak data out, even through a firewall), disallow printing, etc. "Smart" thieves will find a way to get the data they want (even out of Top Secret facilities!) unless your systems are locked down so tight they're unusable. Sooner or later it comes down totrust and knowing your employees.
And if you want to prevent users from removing data from the premises, then you will need to lock floppy drives, eliminate internet access (there's too many ways to sneak data out, even through a firewall), disallow printing, etc. "Smart" thieves will find a way to get the data they want (even out of Top Secret facilities!) unless your systems are locked down so tight they're unusable. Sooner or later it comes down totrust and knowing your employees.
A clever user can unplug a USB mouse and use that port for his Pen Drive.
If you know your way around the keyboard, you don't need to use the mouse at all.
Plus, what about the devices that plug into a single USB port and expand it to four others? Will the BIOS settings affect those also?
If you know your way around the keyboard, you don't need to use the mouse at all.
Plus, what about the devices that plug into a single USB port and expand it to four others? Will the BIOS settings affect those also?
Yes, disabling the motherboard-mounted USB ports will disable these devices.
The device you're talking about is a powered USB hub, and it's got all sorts of nasty potentials.
If the user's system has a USB mouse, all a user needs to do is to simply hook the hub up to the computer and then hook the mouse up to the hub, andthat user now has 3 or more extra USB ports to work with. In most cases the device is also transparent to Windows, meaning the user doesn't need to install additional software. So much for security.
The fact is that if there's even one working USB port on a system, a smart user can increase that number by adding a simple $20 device. Because of this, the best solution seems to be to disable USB in the BIOS as described earlier and use PS/2 or serial mice instead. My preference would be to usePS/2 mice, since I've got an older Sharp PDA that uses a serial port for PC data transfer, and that's just as big a security risk.
If the user's system has a USB mouse, all a user needs to do is to simply hook the hub up to the computer and then hook the mouse up to the hub, andthat user now has 3 or more extra USB ports to work with. In most cases the device is also transparent to Windows, meaning the user doesn't need to install additional software. So much for security.
The fact is that if there's even one working USB port on a system, a smart user can increase that number by adding a simple $20 device. Because of this, the best solution seems to be to disable USB in the BIOS as described earlier and use PS/2 or serial mice instead. My preference would be to usePS/2 mice, since I've got an older Sharp PDA that uses a serial port for PC data transfer, and that's just as big a security risk.
Here is an adm file i have written. Import this into Active Direcotry the make two groups of allowed and disallowed PC's. Saves fiddling with 2000 PC's as we do this automatically through AD.
Enable the GPO's for users you dont want to use usb and disable for those you do. Save the text below as a .adm file:
;USB Controller Security Template (JM 17/11/04)
#if version = 4
EXPLAIN !!Usbdeviceshelp2
#endif
KEYNAME "SYSTEM\CurrentControlSet\Services\usbhub"
VALUENAME "Start"
VALUEON NUMERIC 4
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
USBDevices="HBS USB Security Settings"
usbehci="USB Controller Security"
usbhub="USB Root Hub Security"
Usbdeviceshelp ="Contains settings to control the behavior of USB controller. Enabling this setting will disable USB for all users."
Usbdeviceshelp2 ="Contains settings to control the behavior of USB Root Hub. Enabling this setting will disable USB for all users."
Enable the GPO's for users you dont want to use usb and disable for those you do. Save the text below as a .adm file:
;USB Controller Security Template (JM 17/11/04)
#if version = 4
EXPLAIN !!Usbdeviceshelp2
#endif
KEYNAME "SYSTEM\CurrentControlSet\Services\usbhub"
VALUENAME "Start"
VALUEON NUMERIC 4
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
USBDevices="HBS USB Security Settings"
usbehci="USB Controller Security"
usbhub="USB Root Hub Security"
Usbdeviceshelp ="Contains settings to control the behavior of USB controller. Enabling this setting will disable USB for all users."
Usbdeviceshelp2 ="Contains settings to control the behavior of USB Root Hub. Enabling this setting will disable USB for all users."
i used just a part of this adm file and a noticed a small err. after you disable (in fact you enable the policy) the usbstor you cannot enable it just saying "not configured", because the value stored in "start" key remains 4. the value for this must be 3. so the last part of the adm must be:
POLICY !!usbstor
#if version >= 4
EXPLAIN !!Usbdeviceshelp2
#endif
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
VALUENAME "Start"
VALUEON NUMERIC 4
VALUEOFF NUMERIC 3
END POLICY
and u hv 2 disable not 2 select "not configured"
POLICY !!usbstor
#if version >= 4
EXPLAIN !!Usbdeviceshelp2
#endif
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
VALUENAME "Start"
VALUEON NUMERIC 4
VALUEOFF NUMERIC 3
END POLICY
and u hv 2 disable not 2 select "not configured"
Or you can just disable it in the registry. The key you want is at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. in that key there is a value called "start" you want to change the value data of this from 3 to 4. this will disable all USB Storage devices from this machine. I believe you can create a Group Policy to use this. Also if you are really paranoid you can disable USB Hubs also, They are the the keys above USBSTOR (usbhub and usbhub20) this is done the same way. This makes it so you can not use a USB Hub on the machine also.
What about the newer motherboards that do not have PS2 connectors on them? All of the new Dell machines have only USB connectors for mouse/keyboard, etc. I believe that this is called a "non-legacy" system....If you disabled the USB ports, then you would disable the user's ability to perform any work.
Also, whenever users were given more power, they have done nothing but abused it. That's why they lost it. I know there are power users who deserve more freedom and in out IT dept. we try our best to give them power. I've got a manager who installedhis kids games on his laptop. Not one but 3 games. His excuse, "I don't have a PC." He's got a Mac. Think about IM, P2P software etc., too. No one likes to run around to install little software/hardware on a locked down machine but in the bigger picture this little hassle saves bigger hassle caused by employees who treat their work machine like they own it.
Locking down USB ports and/or floppy drives cannot deter determined thieves from stealing data. The primary motive must be to deter users who would casually install new software or "take work home" to their insecure home machines, simply because it is easy.
If you make something difficult, the vast majority of users will not bother with it. However, don't be deluded that you have somehow stopped the tiny malicious minority; you haven't.
I would lock down USB ports in my enterprise. When keychain storage shows up in Costco, dozens of employees will start "bring things from home," or "taking work home" just for the fun of it, and there goes our desktop integrity and our data security. I don't think that our employees are malicious, just that they will do whatever we allow them to do.
If you make something difficult, the vast majority of users will not bother with it. However, don't be deluded that you have somehow stopped the tiny malicious minority; you haven't.
I would lock down USB ports in my enterprise. When keychain storage shows up in Costco, dozens of employees will start "bring things from home," or "taking work home" just for the fun of it, and there goes our desktop integrity and our data security. I don't think that our employees are malicious, just that they will do whatever we allow them to do.
The only way to stop Aldrich Ames would have been to deny him all access to the sensitive data. A pencil and paper or a sharp mind are good substitutes for the electronic media you're preventing them from using.
You won't stop data theft. If they can see it and they want it, they'll find a way to get it out of the building.
You can only increase the penalties so it's not worth doing.
You won't stop data theft. If they can see it and they want it, they'll find a way to get it out of the building.
You can only increase the penalties so it's not worth doing.
I understand what you are saying. But that's a poor stance to take if you call yourself an IT professional, much less so if you are in a management position - as it is a poor show of leadership.
There's another saying similar to yours about data theft that goes "If someone really wants you dead, you will be dead."
So that means you don't try and prevent it from happening? You show zero resistance?
Never.
Never just "give up" - that's one of the reasons that make us the IT "professionals" and technology managers of our respective companies, anyone else can just say "Oh if someone wants the data that bad we can't stop them so don't worry about security...."
I think the best solution with security issues in the workplace is three fold: Policies in place (that are supported), Education (explain the reasons for the security/policy) and Technology (to lock down, secure or report).
There's another saying similar to yours about data theft that goes "If someone really wants you dead, you will be dead."
So that means you don't try and prevent it from happening? You show zero resistance?
Never.
Never just "give up" - that's one of the reasons that make us the IT "professionals" and technology managers of our respective companies, anyone else can just say "Oh if someone wants the data that bad we can't stop them so don't worry about security...."
I think the best solution with security issues in the workplace is three fold: Policies in place (that are supported), Education (explain the reasons for the security/policy) and Technology (to lock down, secure or report).
You have obviously never worked in an environment that placed any value on security or its own intellectual property.
MP
MP
I run a help desk. We have employees doing anything and everything they can to work around our PC policies. Trust is great if you have only yourself to support. Why do you think operating systems are built with policies that allow lockdown in the first place? You can't trust users.
The cost of implementing lock down policies or software on a system or network may run into hundreds ot thousands of pounds, but what is the cost of a ruined company?
It may sound dramatic but, just for fun, hackers are out there to do just that. Competitors and generally nasty people will take advantage of your trust and abuse it. Trust is the human action, distrust is the natural reaction.
It may sound dramatic but, just for fun, hackers are out there to do just that. Competitors and generally nasty people will take advantage of your trust and abuse it. Trust is the human action, distrust is the natural reaction.
I am a system admin and my goal is to serve and make my customers more productive. I always try to accomodate them and explain the pros and cons of anything they might want to do on their systems.
I get a great deal of cooperation that way. IT isn't the dog it is the tail and the tail shouldn't be trying to wag the dog!!!
I get a great deal of cooperation that way. IT isn't the dog it is the tail and the tail shouldn't be trying to wag the dog!!!
It sounds like you have the budget to staff enough IT support for everything your users want to do. A lot of places don't have a corresponding increase in staff to deal with an increase in software deployed. What if I am already maxed out? Users wanting to download and install programs is an everyday situation that can quickly get out of control. You mentioned your "customers". If they are outsourcing with you then maybe your goal IS to increase their support needs. I tell people their PCs are just tools to perform specific jobs the company needs them to do. They aren't toys for them to use as instant messaging platforms, media centers, or gaming systems.
Alternative solutions:
DeviceLock - http://www.devicelock.com/
LANDesk System Manager 8 - http://www.landesk.com/
OptimAccess WorkSpy -
SecureNT - http://www.securewave.com/
http://www.sodatsw.cz/english/index.htm (description only in czech language)
DeviceLock - http://www.devicelock.com/
LANDesk System Manager 8 - http://www.landesk.com/
OptimAccess WorkSpy -
SecureNT - http://www.securewave.com/
http://www.sodatsw.cz/english/index.htm (description only in czech language)
This upgrade really does the trick.
reports an all.
from:
Trial at:
http://www.advansysperu.com/usb_lock_remote_protect.htm
reports an all.
from:
Trial at:
http://www.advansysperu.com/usb_lock_remote_protect.htm
Linux security is built-in for this issue. You can permit/deny access to resources by user login. Does 2000 or XP have this?
Please, stop this paranoid thinking. If you can't trust your employees with simple things, don't give them a computer.
When PC's just arrived at the company in the late 80's, our CIO decided that he couldn't trust the employees with a PC that has a HDD. So all machines had to boot over the network. I think they had floppy drives (Don't ask me why.) All these pseudo PC's could do was to run terminal emulations, WP, and Spreadsheet, also from the network.
Guess what, the CIO became the mosthated man in the company. He didn't last very long after that.
I understand your data is very valuable, but there are better ways to protect you most valuable jewels.
Good luck
Rog
When PC's just arrived at the company in the late 80's, our CIO decided that he couldn't trust the employees with a PC that has a HDD. So all machines had to boot over the network. I think they had floppy drives (Don't ask me why.) All these pseudo PC's could do was to run terminal emulations, WP, and Spreadsheet, also from the network.
Guess what, the CIO became the mosthated man in the company. He didn't last very long after that.
I understand your data is very valuable, but there are better ways to protect you most valuable jewels.
Good luck
Rog
This has got to be one of the stragest articles/discussions I've seen! I've worked in a number of large corporations, including a major bank and a major insurance company. I've never been anywhere where they took floppy drives and CD-ROM drives out of employees' computers, or disabled USB ports, etc. This is the craziest thing I've heard of.
Even if you take away my floppy drives, etc., what's to stop me from e-mailing sensitive data to my home e-mail address? Or FTPing the data to an outside FTP site? If you block my e-mail and FTP access, what's to stop me from staying late one day, taking the hard drive out of my computer, and then taking it home and using my home computer to transfer the data off the hard drive? And if that sounds like too much work, maybe I'll just print the data you're worried about me stealing and take a stack of papers home with me... Or I'll bring in my Parallel Port Zip Drive and use that to offload the data...
What kind of companies do peoplework at where they really think disabling USB ports and taking away floppy drives is a good idea?
Rick
http://www.Hogans-Systems.com
Even if you take away my floppy drives, etc., what's to stop me from e-mailing sensitive data to my home e-mail address? Or FTPing the data to an outside FTP site? If you block my e-mail and FTP access, what's to stop me from staying late one day, taking the hard drive out of my computer, and then taking it home and using my home computer to transfer the data off the hard drive? And if that sounds like too much work, maybe I'll just print the data you're worried about me stealing and take a stack of papers home with me... Or I'll bring in my Parallel Port Zip Drive and use that to offload the data...
What kind of companies do peoplework at where they really think disabling USB ports and taking away floppy drives is a good idea?
Rick
http://www.Hogans-Systems.com
I agree with that, at my company if they don't trust you enough to have a floppy they sure wouldn't hire you in the first place. Our company has a very good system of security background checks, constant reminders and training of security rules andregulations, required encryption, etc. Not trusting your employees at all is a rather ridiculous way of running a business
You could also hook up your laptop to the network printer and download all you want from wherever you want into your laptop. So I agree with you, disabling the USB port does not make sense.
With all the goings on at many companies and government offices, a little paranoia on data security is a good thing.
Many government and private facilities have very strong user security designed to prevent users from taking data from the facility.
The relatively large CD, ZIP, and other portable drives are fairly easy to notice at a secured entrance.
The new generation of USB 'pen' drives are not easy to find short of a pat down, or strip search.
Yes, my suggestion to epoxy the USBports was a bit 'off the cuff', and maybe a little facetious.
However, the peer asked how to DISABLE the USB ports, and PREVENT users from reactivating them.
For most installations, disabling the ports in BIOS settings, and securing the PC so that users could not access BIOS setup would do the job.
For a high security area, physically disabling the ports may be a necessary step.
Chas
Many government and private facilities have very strong user security designed to prevent users from taking data from the facility.
The relatively large CD, ZIP, and other portable drives are fairly easy to notice at a secured entrance.
The new generation of USB 'pen' drives are not easy to find short of a pat down, or strip search.
Yes, my suggestion to epoxy the USBports was a bit 'off the cuff', and maybe a little facetious.
However, the peer asked how to DISABLE the USB ports, and PREVENT users from reactivating them.
For most installations, disabling the ports in BIOS settings, and securing the PC so that users could not access BIOS setup would do the job.
For a high security area, physically disabling the ports may be a necessary step.
Chas
...would be some type of USB filter/control list, which would alllow only a pre-defined list of devices to be recognised. eg. mice, keyboards, scanners etc.
I suspect that for this to work, microsoft would have to implement it through their USB drivers though.(?) Any comments/ideas?
Would be sweet to be able to administer this through GPOs : )
I suspect that for this to work, microsoft would have to implement it through their USB drivers though.(?) Any comments/ideas?
Would be sweet to be able to administer this through GPOs : )
Attention software security developer! What a conundrum! Everybody has a point in this discussion. What needs to be seen are for corporations to set up a ?key? that will only enable files to be read within their enterprise and/or with their partners. Files will be unreadable - ?encrypted? if it?s taken out without the ?key?.
USB is a very flexible interface, and that's what makes it so vulnerable.
If the network uses Windows 2K or XP, then Active Directory policies will lessen some problems by blocking new software or hardware installations. Setting up the correct permissions on sensitive files and directories is also a must, and critical data can be locked down even further using firewalls and IP filters. Outgoing email risks can also be controlled at the server level by using filters.
Of course, a good network admin will have already taken these precautions, and these should be enough, right?
There's still a catch. A simple powered USB hub makes it easy to add extra USB devices to any USB port (such as one used for a USB mouse). These hubs are transparent to Active Directory security policies and cannot be blocked by them, and the same goes for many USB storage devices, since neither require additional software.
This leaves a hole in the network's security that you could drive a freight train through. These devices can be installed without the IT department's knowledge, and they cannot be effectively monitored, even with good systems management software. Assuming a malevolent user can get access to sensitive data, that user could have the data downloaded and be out the door before IT even knows about the breach.
Shutting down USB at the BIOS level is more secure, and this means all USB devices including mice. USB can then be re-enabled for certain users as required.
If the network uses Windows 2K or XP, then Active Directory policies will lessen some problems by blocking new software or hardware installations. Setting up the correct permissions on sensitive files and directories is also a must, and critical data can be locked down even further using firewalls and IP filters. Outgoing email risks can also be controlled at the server level by using filters.
Of course, a good network admin will have already taken these precautions, and these should be enough, right?
There's still a catch. A simple powered USB hub makes it easy to add extra USB devices to any USB port (such as one used for a USB mouse). These hubs are transparent to Active Directory security policies and cannot be blocked by them, and the same goes for many USB storage devices, since neither require additional software.
This leaves a hole in the network's security that you could drive a freight train through. These devices can be installed without the IT department's knowledge, and they cannot be effectively monitored, even with good systems management software. Assuming a malevolent user can get access to sensitive data, that user could have the data downloaded and be out the door before IT even knows about the breach.
Shutting down USB at the BIOS level is more secure, and this means all USB devices including mice. USB can then be re-enabled for certain users as required.
As to whether or not to disable USB, it's really a judgment call on behalf of the IT department and the company itself. It's been argued that a good security policy will take care of the problem just as well, but I disagree.
Employee security policies are great for dealing with a breach after it has occurred, but they don't do a lot to prevent the actual breach and won't always stop a determined, malicious user. Good systems management software can help further, but it's expensive, and in the case of USB storage devices it may only help trace the breach to a specific user and/or computer.
That's where physical security comes in. If used in tandem with other good security policies and practices, disabling access to USB closes a major security hole.
Security breaches cost a lot- both in lost time and in actual dollars- and a good security policy needs to focus on preventing security breaches rather than simply dealing with the penalties for the same. Disabling USB can be considered a preventive measure under such a policy.
Trust sometimes just isn't enough, and companies simply cannot afford to rely on employee loyalty alone to keep their information secure. Paranoia may not be a picnic, but it's better than the alternative.
Employee security policies are great for dealing with a breach after it has occurred, but they don't do a lot to prevent the actual breach and won't always stop a determined, malicious user. Good systems management software can help further, but it's expensive, and in the case of USB storage devices it may only help trace the breach to a specific user and/or computer.
That's where physical security comes in. If used in tandem with other good security policies and practices, disabling access to USB closes a major security hole.
Security breaches cost a lot- both in lost time and in actual dollars- and a good security policy needs to focus on preventing security breaches rather than simply dealing with the penalties for the same. Disabling USB can be considered a preventive measure under such a policy.
Trust sometimes just isn't enough, and companies simply cannot afford to rely on employee loyalty alone to keep their information secure. Paranoia may not be a picnic, but it's better than the alternative.
It seems to me that those who won't or can't trust or educate thier users are going to have a problem.
The firm I work for recently purchased over a hundred notebook computers, they have two USB. one Firewire and one Parallel ports. That's right folks - no Serial or PS-2 ports. I'm guessing that these last two ports are on thier way out.
I also have to deal with users installing unauthorized software, some of it necessary for them to function, but through education I've been able to pursuademost of them contact me so that I can deal with the necessary installations.
People, educate your users, in the long term you can't control them.
To paraphrase a quote: You can control some of the people all of the time and all of the people some of the time, but you can't control all of the people all of the time.
The firm I work for recently purchased over a hundred notebook computers, they have two USB. one Firewire and one Parallel ports. That's right folks - no Serial or PS-2 ports. I'm guessing that these last two ports are on thier way out.
I also have to deal with users installing unauthorized software, some of it necessary for them to function, but through education I've been able to pursuademost of them contact me so that I can deal with the necessary installations.
People, educate your users, in the long term you can't control them.
To paraphrase a quote: You can control some of the people all of the time and all of the people some of the time, but you can't control all of the people all of the time.
The one I gave the link to is USB LOCK AP (Auto Protect)To be used for employees authorized to manage their own security.(yes in a corporate environment being that does the job effectivly and dose not require user privileges to run.
I also gave the link for the USB LOCK RP Remote protect that gives the protection remoetely for user not authorized to manage their own security.
If you mean its not complicated, well you are correct is very easy to use.
If you mean is not expensive, well you are correct.
If you mean it doesent do the job, You are wrong.
I also gave the link for the USB LOCK RP Remote protect that gives the protection remoetely for user not authorized to manage their own security.
If you mean its not complicated, well you are correct is very easy to use.
If you mean is not expensive, well you are correct.
If you mean it doesent do the job, You are wrong.
You must be crazy to plug up a usb connector to stop access to computer data.
All you have to do is set the user codes to stop any copying or transfer of files . simple DUhhh
All you have to do is set the user codes to stop any copying or transfer of files . simple DUhhh
Good point. If the user can *see* the data, he can carry it home in his wetware (his brain).
Use basic file access security to protect data from those who shouldn't see it. If your OS can't supply that, get one that will. Ideally it should separate read and execute permissions, so that users can run programs without the ability to read the files containing them.
Use basic file access security to protect data from those who shouldn't see it. If your OS can't supply that, get one that will. Ideally it should separate read and execute permissions, so that users can run programs without the ability to read the files containing them.
I'd like to know more details about your solution... How could I get this done?
Probably the easiest way is to simply unplug the ports from the motherboard and lock the cases. Most USB ports are true 'plug and play' from the hardware!
On a standard ATX motherboard, 2 USB ports are part of the I/O block.
They cannot be unplugged.
Chas
They cannot be unplugged.
Chas
They CAN usually be disabled in the BIOS.
For any of our workstations where this is an issue, we disable the ports in BIOS. In fact, as we don't use USB peripherals, apart from one scanner on a dedicated machine, we disable USB as a matter of course. It frees up IRQ's for one thing. We still have to support older systems and applications too, so one or two of our computers are still running 95 or even WFWG3.11....with no USB support!
For any of our workstations where this is an issue, we disable the ports in BIOS. In fact, as we don't use USB peripherals, apart from one scanner on a dedicated machine, we disable USB as a matter of course. It frees up IRQ's for one thing. We still have to support older systems and applications too, so one or two of our computers are still running 95 or even WFWG3.11....with no USB support!
The solution to this is actually so simple, yet not as drustic as epoxying the USB connectors (Whoa!) or as inflexible as disabling the USBPort in the BIOS and using a pwd (did I hear Paranoia?...).
Here's what we do in our organisation (10K+ users):
Create a GPO, put in it (machine section/startup)a script to remove permissions to the file USBSTOR.DLL to everyone but the SYSTEM account (and possibly Admins), and you're done. The file is located in the winnt\system32 dir.
Elegant, no? Plus,you can still use your USB mouse or anything that's not storage-related (i.e. HD,Flashcards, CD/R/RW, etc).
Enjoy.
Here's what we do in our organisation (10K+ users):
Create a GPO, put in it (machine section/startup)a script to remove permissions to the file USBSTOR.DLL to everyone but the SYSTEM account (and possibly Admins), and you're done. The file is located in the winnt\system32 dir.
Elegant, no? Plus,you can still use your USB mouse or anything that's not storage-related (i.e. HD,Flashcards, CD/R/RW, etc).
Enjoy.
I think there are way to deny hardware changes or report them to administrator.
For USB there are wireless and other clever things
For USB there are wireless and other clever things
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
