USB memory sticks - how to protect

[Petr Kazil]

I have a question about the risks of USB memory sticks. The risks are quite
obvious - a lot of data can be taken away from a computer - viruses can be
introduced - and there are even memory sticks you can boot from. So everyone
with such a stick and physical access to a computer can do nasty things.
(http://www.theregister.co.uk/content/55/32200.html)

Now - is there a way to protect against this other than disabling the USB
service - and losing the use of a USB-mouse, printer and keyboard? I've
asked several administrators but they don't know any soulutions that keep
the service running and still protect against these risks.

One solution would be to run Windows NT since it doesn't seem to support USB
(I never noticed that !)
http://www.directconnectcd.com/memorystickgeneralfaq.html

See also:
http://catless.ncl.ac.uk/Risks/22.87.html#subj17

Greetings, Petr

 

[Steven L Umbach]

This issue comes up a lot. I have yet to see a way to secure them using the operating
system that seems to work well. If it is a concern I would disable them in cmos and
use a mouse/keyboard that does not require usb - not real expensive. Of course you
would need to password protect cmos settings and lock the computer case and possibly
fill usb connectors with epoxy in a high security situation. I would much rather do
that than go back to NT4.0. See the KB article below that refers to XP, however I
have not been able to get it to work for me. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
http://www.labmice.net/articles/usbflashdrives.htm

 

[Taz]

Help

 

[Robert Moir]

I have a question about the risks of USB memory sticks. The risks are
quite obvious - a lot of data can be taken away from a computer -
viruses can be introduced - and there are even memory sticks you can
boot from. So everyone with such a stick and physical access to a
computer can do nasty things.
(http://www.theregister.co.uk/content/55/32200.html)

Now - is there a way to protect against this other than disabling the
USB service - and losing the use of a USB-mouse, printer and
keyboard? I've asked several administrators but they don't know any
soulutions that keep the service running and still protect against
these risks.

One solution would be to run Windows NT since it doesn't seem to
support USB (I never noticed that !)

What about floppy disks? I understand you can even boot from some of those
as well.

Sorry I know thats a cheap shot, but how do you deal with floppy disks?
Because this is the same issue isn't it? If you are not scared about floppy
disks then why are you scared of USB drives? If you are scared of floppy
disks, then what is the solution you adopted for those and what can you do
to adapt it for USB drives.


--

 

[Craig Richardson]

Hello, everyone,

FWIW, besides using a GPO in a W2K Active Directory environment to block
floppy drive access, there are also physical "floppy locks" that can be
inserted into a floppy drive that would need a key to take the lock out.
One challenge with a GPO may be whether the GPO is User based or Computer
based. The challenge with the physical floppy lock is that it is tedious,
especially if you have many users, and key maintenance for the locks.
Everytime a user does get permission to temporarily use a locked floppy, the
numbered key has to be found and someone has to go to the user to unlock it
and then lock it again when the user is finished.

There is, however a software product that I recently found (haven't
thoroughly tested it, though) that gives the option of locking access to
floppies, USB ports, CDROM drives, hard disks, serial ports, and parallel
ports. I'm testing it in eval mode. It provides a "management" console
that allows you to look at all your PCs on the network and remotely install
the software to the necessary PCs. The remote install takes less than 2
minutes, and once you specify a USB to be locked, the result is immediate
without requiring any logon or logoff at the remote computer. Again, my
testing so far is very limited, and I have no connection with the company
that makes this product. However, I am also looking for a solution.

The name of the company is called SmartLine and the product name is
DeviceLock. I am not affiliated with them in any way and cannot vouch for
the company or the product.

Hope this helps.

Craig.

 

[LanceE]

Another solution that I have come across for securing the use of USB
storage devices is a product called Disknet Pro
www.reflex-magnetics.com. We are still in the early stages of testing
so I'll let you know how I get on.