Blocking access to USB flash drives/external firewire devices

Discussion in 'Server Networking' started by Marc Hoffman, Jul 27, 2005.

  1. Marc Hoffman

    Marc Hoffman Guest

    I've been looking and looking for a way to block access to USB/firewire
    external devices via group policy, as these devices can be a big security
    risk. I know that there are several third party programs out there that can
    do this, but to be honest, I really do not like the idea of having to add
    more software onto our users' workstations (as well as the servers).

    Thanks in advance.

    Marc Hoffman, Jul 27, 2005

  2. What are you trying to protect here?

    If you are afraid that I will steal your data I can find so many more ways
    to do it (e.g. LPT port, PS2 port, ...). Will you disable those too?
    Do users have access to the internet? If yes, they can open up Gmail account
    and upload up to 2GB of data (this is only one service)...
    Miha Pihler [MVP], Jul 27, 2005

  4. Marc Hoffman

    Marc Hoffman Guest

    > What are you trying to protect here?

    Information, period.
    So I should do nothing? Just because there are many ways to circumvent
    security measures is not any reason to completely leave the doors wide open.
    If users are going to try and get information, I'm not going to make it easy
    for them. And, not all of the users on a corporate network are as "sneaky"
    as you?

    I understand your point, but we as administrators cannot sit by and twiddle
    the ol' thumbs thinking, oh, well, they'll get the information anyway. Why
    should I do anything to prevent them? This is the same logic that fuels the
    spiraling teen pregnancy rate (ok...that's for another forum).

    Marc Hoffman, Jul 27, 2005
  5. Jason Gurtz

    Jason Gurtz Guest


    To do otherwise is just like asking the respondent to come and visit your
    network ;) LOL, and all the ways he mentioned can be protected against
    too. :)
    Actually, in the US, teen pregnancy is down for a few years.[1] :)


    [1] See this week's issue of _The_Economist_ on censoring T.V.

    Jason Gurtz, Jul 27, 2005
  6. Marc Hoffman

    Marc Hoffman Guest

    That's GREAT news!!! Makes me more optimistic ;-) Thanks for the feedback.
    Marc Hoffman, Jul 27, 2005
  7. > So I should do nothing? Just because there are many ways to circumvent

    I never said you shouldn't do anything. Sit down, think what you want to do
    and if you want to really protect your information, do it right -- all
    the way, not just half of the way. Since you are talking about open and
    closed doors -- how much information can users take out with half open doors
    (or e.g. upload it to web e-mail accounts or burn it on CD, etc...)?
    Miha Pihler [MVP], Jul 27, 2005

    Myth 8: Security Tweaks Can Fix Physical Security Problems

    There is a fundamental concept in information security that states that if
    bad guys have physical access to your computer, it is not your computer any
    longer! Physical access will always trump software security -- eventually.
    We have to qualify the statement, though, because there are valid software
    security steps that will prolong the time until physical access breaches all
    security. Encryption of data, for instance, falls into that category.
    However, many other software security tweaks are meaningless. Our current
    favorite is the debate over USB thumb drives. After the movie "The Recruit,"
    everyone woke up to the fact that someone can easily steal data on a USB
    thumb drive. Curiously, this only seems to apply to thumb drives. We have
    walked into military facilities that confiscated our USB thumb drives but
    let us in with 80-GB i1394 hard drives. Apparently, those are not as bad.

    One memorable late evening one author's boss called him frantically asking
    what to do about this problem. The response: Head on down to your local
    hardware store, pick up a tube of epoxy, and fill the USB ports with it.
    While you are at it, fill the i1394 (FireWire), serial, parallel, SD card,
    MMC, Memory Stick, CD/DVD-burner, floppy drive, and Ethernet jack with it
    too. You'll also need to make sure nobody could carry the monitor off and
    make a photocopy of it. You can steal data using all of those interfaces.

    The crux of the issue is that as long as there are these types of interfaces
    on the system and bad guys have access to them, all bets are off. There is
    nothing about USB that makes it any different. Sure, the OS manufacturer
    could put a switch in that prevents someone from writing to a USB thumb
    drive. That does not, however, prevent the bad guy from booting to a
    bootable USB thumb drive, loading an NTFS driver, and then stealing the

    In short, any software security solution that purports to be a meaningful
    defense against physical breach must persist even if the bad guy has full
    access to the system and can boot into an arbitrary operating system.
    Registry tweaks and file system ACLs do not provide that protection, but
    encryption does. Combined with proper physical security, all these measures
    are useful. As a substitute for physical security, they are usually not.
    Miha Pihler [MVP], Jul 27, 2005
  9. .....and now back to the original question......

    You can't without disabling USB and Firewire completely.

    This is more of a "human" problem. The company simply should not hire
    people it cannot trust with information that they have access to. I know
    that is easier said than done, but it is the way it is. Technology is not
    going to be the answer to everything concerning security, that is why Social
    Engineering is the most effective and the most common "hacking technique".

    If a user has access to certain files,...then those files are simply
    "insecure" concerning that one user,...period, end of story. It doesn't
    matter if they can carry it out on a Memory Stick, a "burned" CD/DVD, a
    Floppy Disk, or just simply "memorized" from reading it.

    Phillip Windell [MCP, MVP, CCNA]
    Understanding the ISA 2004 Access Rule Processing

    Microsoft Internet Security & Acceleration Server: Guidance

    Microsoft Internet Security & Acceleration Server: Partners

    Phillip Windell, Jul 27, 2005
  10. Jason Gurtz

    Jason Gurtz Guest

    That may be true, but they sure can raise the bar as far as what type of
    person with physical access will be able to do something malicious. The
    author even says this.

    My take is that they're trying to cover up a missing feature that other
    operating systems have had for decades, control over who can mount a drive.

    The more difficult a task is to do, the less likely it is to get done.
    That's just plain old common sense. I totally agree that one can never
    plug all security holes but the admin can make it as difficult as possible
    in their environment for an incident to occur. Sweeping generalizations
    about what is reasonable for security are worthless. Your users may need
    to use removable storage to bring work home and have been thoroughly
    screened at hiring time by a team of experts. The OP may have public
    kiosks, etc...

    Same concept:
    email from Internal parties. There is also very strict checking on file
    attachments at the server. Does this mean that there will never be a
    virus attack on the computers? Of course not, but I'll wager it's highly
    unlikely. Hey I can have this kind of policy and it's blessed by the
    PHB's too; other admins don't have that luxury.


    Jason Gurtz, Jul 27, 2005
  11. Controls are there that can help you disable USB and other devices (look at
    my previous posts), but they will not help you prevent stealing of data if
    the user is determined enough.

    Just like mounting permissions will not prevent me from:
    * booting into Single-User Mode and taking off anything I want
    * using another operating system (e.g. on CD) and boot from it (and then
    copying data to USB or .

    The only way you can prevent this kind of theft is with:
    * physical security of the computer (or other devices - routers are no
    exceptions here. If I can get physical access to the router I can do
    whatever I want with routes and access lists etc.)
    * encryption of information and proper delegation of what (which documents)
    users can see and change
    Miha Pihler [MVP], Jul 27, 2005
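    One of the Windows-native controls referred to above, written out here as an added example (it is not code from any poster in this thread): the USB mass-storage driver (USBSTOR) and, assumed here, the IEEE 1394 SBP-2 storage driver (sbp2port) can be prevented from loading by setting their service Start value to 4 (disabled), the method Microsoft documents in KB 823732. The script audits both keys and, with -Enforce, applies the setting; the same values can be pushed from a Group Policy startup script.

```powershell
# Added example, not from the thread. Audit or disable the storage-class
# drivers that removable USB and FireWire disks depend on.
#   Start = 3  -> load on demand (default, devices work)
#   Start = 4  -> SERVICE_DISABLED (newly attached devices get no driver)
# Run as a local administrator. Per KB 823732, also deny Users write/execute
# on %SystemRoot%\inf\usbstor.inf and usbstor.pnf so Plug and Play cannot
# re-install the driver when a new device is plugged in.
param([switch]$Enforce)

$drivers = @{
    'USBSTOR'  = 'USB mass storage'
    'sbp2port' = 'IEEE 1394 (FireWire) SBP-2 storage'   # assumed service name
}

foreach ($name in $drivers.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        Write-Output "$name ($($drivers[$name])): driver not present on this host"
        continue
    }
    $start = (Get-ItemProperty -Path $key -Name Start).Start
    $state = if ($start -eq 4) { 'disabled' } else { "enabled (Start=$start)" }
    Write-Output "$name ($($drivers[$name])): $state"

    if ($Enforce -and $start -ne 4) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        Write-Output "  -> Start set to 4 (disabled); takes effect for devices attached from now on"
    }
}

# Limit the thread keeps pointing out: this is a registry setting, so it only
# holds while Windows is the operating system that booted. Pair it with a
# password-protected BIOS boot order and disk encryption, or it is bypassed by
# booting another OS from removable media.
```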
  12. Jason Gurtz

    Jason Gurtz Guest

    Did you even read my post? I think you're missing my point; I said
    exactly that in different words. :)
    Can't always do that depending on what OS you're talking about. Linux?
    Lol, it sucks just as bad as windows in different ways, but there's a lot
    of unixes that don't and a lot of OSes that aren't unix at all. ;)
    ....and I suppose disabling other boot devices in a passworded bios
    wouldn't have any effect (yea man, the case is locked)?
    Problem is, even physically secure computers aren't secure. Your
    hypothetical physically "secure" computer is no more secure than one in
    the wide open for your hypothetical "determined user." All they need is
    basic burglary tools and all that security is out the window. Unlikely?
    Hey, you're the one talking about determination here.

    Security is all about making it harder. Stop ignoring what I and others
    are saying.


    Jason Gurtz, Jul 27, 2005
  13. Chris Leiter

    Chris Leiter Guest

    Dynamic Disks might, though.
    Chris Leiter, Jul 28, 2005