Prevent unauthorised data transfers

USB storage technology could become the next floppy drive. But do the small size and blazing speed pose a security risk? One member thinks so.

Emerging USB storage technology allows massive amounts of data to be transferred at lightning speeds. Devices continue to decrease in size (now the size of a key chain), and the storage capacity keeps multiplying (currently up to 1 GB).

All this makes for fast, efficient, and convenient information exchange, but there is a downside: security. Employees can use these tiny, portable USB storage devices to download sensitive data and upload potentially harmful apps or viruses.

How should an IT pro address these security concerns? TechRepublic member mrs_doctor_jones would most certainly like to know.

"I was wondering whether or not it is possible to disable USB ports on workstations. If so, is there a way to do it so that 'smart' workstation users could not easily enable them again?"

Mrs_doctor_jones says, "In the interest of network security, I think it would be prudent for us to disable the ports on all workstations in the office so that no one could use USB drives to put stuff onto or pull stuff off of the network".

Block those USB ports with BIOS settings

Members TheChas and DR The Corporate Groups both think the BIOS is the place to start. BIOS settings can be modified so that USB functionality is disabled on a workstation.

In DR's words, "Most newer motherboards have a disable feature in the BIOS to disable the two [or four] built-in USB ports located next to the mouse and keyboard connectors". Furthermore, "add-on USB ports via a PC card or bracket can simply be unplugged".

TheChas elaborates. "Your best option is to disable the USB ports in BIOS settings. Then, set a BIOS password. Finish up with case locks or other security hardware so that users cannot open the case, and then reset the CMOS memory."

An extreme remedy

TheChas also offers a "truly foolproof option". To completely disable the USB ports (for good), he suggests "carefully filling the USB connectors with a thick epoxy adhesive".

This is a radical (and creative) solution and will render the ports unusable. If USB will never be used on the workstation again, this might be the way to go. But TheChas warns: "Use extreme caution not to allow the epoxy to seep into other connectors or motherboard components". Good advice; you must be careful not to "gum up" an entire system just to disable one component.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2001 TechRepublic, Inc.


Talkback 3 comments

    Mark Thorndyke -- 12/03/03

    Ref: http://www.zdnet.com.au/itmanager/technology/story/0,2000029587,20271340,00.htm

    I had been looking for a way of disabling the majority of PCs from using USB mass storage devices - for obvious reasons. Not wanting to disable settings in the BIOS, due to USB mice, keyboards, digital cameras, scanners and so on, I had to delve deeper to stop these additional drives appearing. For a non-power user (i.e. a normal desktop user), plugging in a USB storage device while the PC is switched on will stop the user installing the device due to security, but not so when the device is plugged in and then the PC powered up... the system will take it upon itself to install the unit.

    One method was extending the range of 'disallowed' drives (from the likes of A, C, D to A, C, D, E & F, for example), but that would be the easy way out.
    I realised that the usbstor.inf file is used when a USB storage device is inserted, creating the necessary "USB mass storage devices" device service. This file could be changed so the service is disabled (Start = 4, from Manual = 3), but this file would change with service packs.

    A policy *can* be created and applied to the machine through Active Directory... the following policy does the trick:

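    ; Administrative template (.adm) exposing the USBSTOR service start mode.
    CLASS MACHINE
    CATEGORY "USB Mass Storage Devices"
      POLICY "Service Start Up"
        ; Placeholder key (see Note1); the key that is actually written is on the PART.
        KEYNAME "Software\Policies\Microsoft\Windows\System"
        PART "Service Start Mode" DROPDOWNLIST NOSORT
          ; The Start value of the USBSTOR service under this key is what gets set.
          KEYNAME "System\CurrentControlSet\Services\USBSTOR"
          VALUENAME "Start"
          ITEMLIST
            NAME "Boot" VALUE NUMERIC 0
            NAME "System" VALUE NUMERIC 1
            NAME "Automatic" VALUE NUMERIC 2
            NAME "Manual" VALUE NUMERIC 3
            ; 4 = Disabled, offered as the default choice.
            NAME "Disabled" VALUE NUMERIC 4 DEFAULT
          END ITEMLIST
        END PART
      END POLICY
    END CATEGORY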

    Note1: The first Keyname is planted as a red herring. If the 2nd Keyname (the one that is needed) is put in its place, then the policy will not be loaded correctly by gpedit!
    Note2: The policy is successfully applied upon the 2nd reboot of the PC with such a device applied. The 1st time it detects the new device and applies the settings from the usbstor.inf file *after* the policy from AD has been applied.
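
The registry value that the policy in the comment above controls can also be checked directly on a workstation. The following PowerShell is an added example, not part of the original comment; the function name `Test-UsbStorDisabled` and its `-Enforce` switch are hypothetical, while the key path and value map are the ones given in the policy.

```powershell
# Added example: audit (and optionally enforce) the USBSTOR service start mode.
# Function name and -Enforce switch are hypothetical; key and values come from
# the policy template in the comment above.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Same value map as the ITEMLIST in the policy.
$StartModes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-UsbStorDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Enforce)

    # The comment describes the service being created when a USB storage
    # device is installed, so the key may not exist yet on some machines.
    if (-not (Test-Path -Path $UsbStorKey)) {
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Mode      = 'NotInstalled'
            Compliant = $null      # nothing to evaluate yet; re-check later
            Changed   = $false
        }
    }

    $start   = [int](Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    $changed = $false

    # Only write when asked to, and honour -WhatIf / -Confirm.
    if ($start -ne 4 -and $Enforce -and
        $PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4 (Disabled)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
        $start   = 4
        $changed = $true
    }

    $mode = if ($StartModes.ContainsKey($start)) { $StartModes[$start] } else { "Unknown($start)" }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Mode      = $mode
        Compliant = ($start -eq 4)
        Changed   = $changed
    }
}

# Read-only audit of the local machine.
Test-UsbStorDisabled
```

Writing the value with `-Enforce` needs an elevated session. Because of the behaviour described in Note2, a machine can report `Manual` again after a new device has been installed, so the check is worth repeating rather than running once.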

    Bruno van Branden -- 15/07/03

    In your article "Prevent unauthorised data transfers" you didn't come up with the simplest solution of all:

    USE SECURENT (http://www.securewave.com)

    This software product enables you to attribute ACLs to all external devices (and so also USB devices) and so specify which user/group can use which device... It works on the principle of a white list, so you start with no access to any devices at all, after which you have to specify ACLs for each device you want to authorize...

    For more info, please go to: http://www.securewave.com

    Anonymous -- 21/07/03

    Maybe none of these guys know about Reflex disknet Pro http://www.reflex-magnetics.co.uk/products/disknetpro/. This product can manage access to USB ports and much more. Just a thought!
