blocking USB drives in company
Hello, I've been trying to find either a product or a way through GPO that will allow me to achieve the following:
1. block flash drives that are not encrypted and only allow the ones that are.
Any idea would be greatly appreciated.
when one is the, the one will be the being of willing to be the one.
Comments
-
colemic Member Posts: 1,569
Technical restrictions can be applied through Domain Security Policy, HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.
Also check out gfi.com/endpointsecurity, and Symantec Endpoint Protection.
Working on: staying alive and staying employed
-
Everyone Member Posts: 1,661
colemic wrote: »Technical restrictions can be applied through Domain Security Policy, HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.
Also check out gfi.com/endpointsecurity, and Symantec Endpoint Protection.
McAfee has a product for this too. Pick your poison.
-
shaqazoolu Member Posts: 259
LanDesk and Desktop Authority from ScriptLogic are other options, I believe.
-
colemic Member Posts: 1,569
Everyone wrote: »McAfee has a product for this too. Pick your poison.
Hey, I'm just throwing out suggestions... he didn't say they had to be good ones.
Working on: staying alive and staying employed
-
waltdee Member Posts: 122
Thanks guys! This will really help me get started.
when one is the, the one will be the being of willing to be the one.
-
jtoast Member Posts: 226
I looked at doing this a few months ago and found the below thread helpful. Yes, it's old, but most of the info is still valid.
How to disable USB Drives (jump/flash/external/etc.) - Petri.co.il forums by Daniel Petri
We decided against putting a block in place though because it's all or nothing. If you block flash drives, you also block smartphones, external HDs, and all other USB storage devices. This can be an issue as external HDs especially often have a valid business purpose.
3rd-party applications such as McAfee mentioned above will give you a little more flexibility, but you then have to create a whitelist with manufacturer IDs, which could become a nightmare to manage if you are in a large company (we have over 50,000 machines worldwide in our environment).
-
MickQ Member Posts: 628
You can also place restrictions via GPOs based on hardware identity. Maybe you'd clear one particular batch of USB sticks which are encrypted. The only problem would be that the same model would be allowed to operate, even if unencrypted.
-
Asif Dasl Member Posts: 2,116
Use BitLocker To Go and GPOs if you have Windows 7. You might need to install the BitLocker To Go Reader on Vista & XP.
-
ChooseLife Member Posts: 941
To those who did/tried to implement USB device blocking at work - care to share your non-technological part of the experience? Did it actually last as a solution, does everyone hate you with passion now, do you still get little cards on a Sysadmin day?...
“You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896
GetCertified4Less - discounted vouchers for certs
-
jtoast Member Posts: 226
We discussed it and decided that it just wouldn't be feasible, but our problem wasn't really our local users. They could transfer files via VPN when needed. The problem was our local support guys. We discovered that it was standard procedure for our techs to carry around troubleshooting/malware/virus remediation tools on flash drives. Denying access would have required a change in process worldwide.
We are also in the process of converting our ZTI build from CD to flash drive for Windows 7, with the goal being faster build times.
After about 2 months of discussion and basic testing, we came to the conclusion that disabling autorun combined with user education and an effective AV solution (we use McAfee ePO and its associated client security suite) was our best option.
-
colemic Member Posts: 1,569
Finally found the email; this will turn off just the mass storage part of USBs. It works (at least for us) and is very effective. We had this built into our images, as opposed to pushing via GPO.
Here are the Regkeys that are modified to turn off USB Mass Storage devices.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start", "00000004"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Type", "00000001"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\ErrorControl", "00000001"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\ImagePath", "system32\DRIVERS\USBSTOR.SYS"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\DisplayName", "USB Mass Storage Driver"
Set Start to 1.
Working on: staying alive and staying employed
-
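As an added example (my own script, not from any poster or product in this thread), here is a PowerShell audit-and-apply routine for the two Windows-native controls mentioned so far: the USBSTOR Start value from the registry keys above, and the BitLocker To Go deny-write GPO that Asif Dasl suggested earlier. It assumes Windows 7 or later, an elevated prompt, and that the FVE policy key only exists where the GPO or this script created it; the function names are mine.

```powershell
# Added example, not from the thread. Audits and sets the two Windows-native
# controls discussed above: the USBSTOR Start value (colemic's registry keys)
# and the BitLocker To Go policy "Deny write access to removable drives not
# protected by BitLocker" (Asif Dasl's suggestion), whose registry form is
# RDVDenyWriteAccess=1 under the FVE policy key. Function names are mine.
# Run elevated; a domain GPO setting the same values overwrites this at the next refresh.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$FveKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableStoragePolicy {
    # Start=3: driver loads on demand (USB storage allowed). Start=4: disabled.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    $deny  = (Get-ItemProperty -Path $FveKey -Name RDVDenyWriteAccess `
                  -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    if     ($start -eq 4) { $posture = 'AllMassStorageBlocked' }
    elseif ($deny -eq 1)  { $posture = 'UnencryptedReadOnly' }
    else                  { $posture = 'Unrestricted' }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        UsbStorStart         = $start
        DenyUnencryptedWrite = ($deny -eq 1)
        Posture              = $posture
    }
}

function Set-RemovableStoragePolicy {
    param([Parameter(Mandatory)][ValidateSet('Block','EncryptedOnly','Allow')][string]$Mode)
    if (-not (Test-Path $FveKey)) { New-Item -Path $FveKey -Force | Out-Null }
    switch ($Mode) {
        'Block' {
            # Same effect as the registry keys above: the mass-storage driver never
            # loads. A stick already mounted keeps working until it is unplugged.
            Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
        }
        'EncryptedOnly' {
            # Driver stays enabled; unencrypted sticks mount read-only, BitLocker
            # To Go drives stay writable. This matches the OP's requirement.
            Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
            Set-ItemProperty -Path $FveKey -Name RDVDenyWriteAccess -Value 1 -Type DWord
        }
        'Allow' {
            Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
            Remove-ItemProperty -Path $FveKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
        }
    }
    Get-RemovableStoragePolicy   # return the resulting state so it can be logged
}

Get-RemovableStoragePolicy | Format-List   # audit; then e.g. Set-RemovableStoragePolicy -Mode EncryptedOnly
```

Running the audit function from a logon script that writes to a central share gives the per-machine reporting that several posters found missing from vendor products.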
waltdee Member Posts: 122
So I came across this application which will do exactly what I'm looking for; it's called eUSB by Cryptzone. What it does is force any unencrypted flash drive to be encrypted, or else it only allows read and not write access to it.
I just wish there was a free way to achieve this, or at least much cheaper. It's $31/license and we have 300 machines.
when one is the, the one will be the being of willing to be the one.
-
colemic Member Posts: 1,569
Test out the registry hacks above. It worked absolutely perfectly for us. You may have to go to each machine, but at least it's free.
Working on: staying alive and staying employed
-
Forsaken_GA Member Posts: 4,024
ChooseLife wrote: »To those who did/tried to implement USB device blocking at work - care to share your non-technological part of the experience? Did it actually last as a solution, does everyone hate you with passion now, do you still get little cards on a Sysadmin day?...
Well, I can't speak as an implementor, but I can speak as someone who's forced to live with it.
It's annoying, but I've adapted. I've just been forced to implement network storage repositories to replace the portability of USB devices.
If your company ever starts using the term "Data Loss Prevention", you can be sure this is coming to an enterprise near you!
There was a lot more pushback generated from migrating our Squid proxies to IronPorts (which I am responsible for) than there was about the USB lockout.
-
mikedisd2 Member Posts: 1,096
My experience with the technology is about 3x years old, but here are the issues we found with it.
There's a heap of apps out there that can be applied, and all claim to block a raft of removable storage, and it can be configured as complex as you want. They all did the job in blocking USB, CD burning, FireWire etc. and could be applied through GPO.
There was also the feature of whitelisting serial numbers of USB keys to allow a controlled set to be used.
The problem was that all the tested solutions failed in reporting. None gave a comprehensive report on what data was being blocked, when/where it was blocked, what was trying to copy data and what was being accessed.
If you are trying to curb data leakage you need to know who is trying to download files from the company and what those files are. Simply blocking isn't enough.
We let the vendors know this, and maybe the technology has improved since then.
-
mikedisd2 Member Posts: 1,096
waltdee wrote: »I just wish there was a free way to achieve this or at least much cheaper. its $31/license and we have 300 machines
Don't be cheap, you get what you pay for. If you want an enterprise solution, expect to pay for it.
-
Fugazi1000 Member Posts: 145
Consider user education.
People will ALWAYS find ways around technical controls if they prevent them getting work done.
With 300 machines, it sounds like a small firm. They are likely to be more engaged and 'happy to help', so tell them why encrypting flash devices prevents data loss should the flash drive be lost. Make it easy for them to get/use encrypted devices, i.e. don't just tell them to use encrypted devices, actually supply them configured with your chosen encryption method. Make password/key management part of that education process.
-
Forsaken_GA Member Posts: 4,024
Fugazi1000 wrote: »Consider user education.
People will ALWAYS find ways around technical controls if they prevent them getting work done.
With 300 machines, it sounds like a small firm. They are likely to be more engaged and 'happy to help', so tell them why encrypting flash devices prevents data loss should the flash drive be lost. Make it easy for them to get/use encrypted devices, i.e. don't just tell them to use encrypted devices, actually supply them configured with your chosen encryption method. Make password/key management part of that education process.
It all depends on the business. For companies that are following some kind of best practices for DLP, allowing access to removable media may be non-negotiable, and may very well be a compliance issue (this is the case with my employer). In that case, no matter how well reasoned your argument, it may not fly.
Finding ways around the DLP policy is certainly possible (I'm a big fan of reverse ssh tunnels), but with us, doing so is an offense that will very likely lead to termination.