ptilsen wrote: » If you don't do A, I can boot to media other than the hard drive and get files that way. A would of course necessitate password protecting the BIOS for efficacy. It really depends on the true goal. If the idea is to prevent regular end-users from copying files to USB, E will work.
ptilsen wrote: » The better option is to encrypt the hard drives and disable or control removable media through policy.
ptilsen wrote: » This prevents booting to other media as a vector to place data on removable drives as well as negates the need for a more drastic action like disabling USB entirely.
ptilsen wrote: » I don't remember any Sec+ questions providing a selection of answers quite as poor as this, so this might be more reflective of your preparation material's quality than something you're likely to face on the exam.
teancum144 wrote: » So E would not prevent booting from a USB drive? I'm not sure I understand why.
teancum144 wrote: » Do you mean group policy (technical control)?
teancum144 wrote: » Please help me understand how this would be accomplished if E were in place.
teancum144 wrote: » I realize that I don't fully understand the limitations of "disabling the USB root hub within the OS".
ptilsen wrote: » E disables USB in the OS. This doesn't prevent a user from booting to other media or accessing the BIOS. It only affects access within the OS. ... The key is that this only disables USB access within the operating system, not outside of it.
ptilsen wrote: » Hard drive encryption negates the need for A, since the drive is inaccessible outside of the BIOS to those who don't know the encryption key and have significant technical ability.
ptilsen wrote: » Technical control over the ability to write to USB media in the OS negates the need to disable USB entirely in the OS (which is not an option you'll see seriously considered in many environments, even military).
ptilsen wrote: » My aside, which is important to understand in real life, is that it is a drastic measure which greatly impacts productivity (no use of other USB peripherals, such as mice, keyboards, and cameras) and as such is a poor alternative to other, more effective measures (i.e., the combination of hard disk encryption and technical controls limiting writing to removable media in-OS).
pgriffin7 wrote: » On the other hand, potentially a user (regular or nefarious) could re-enable the hub on the OS via privilege escalation while cracking the BIOS password would be much more difficult IMO. Poorly worded question regardless.
teancum144 wrote: » Just to restate what I think you're saying: This type of technical control doesn't prevent USB mice, keyboards, etc. because USB read is allowed, but not write. Therefore, in the case of a USB camera, you could read pictures, but couldn't copy a picture onto your camera's memory (via USB). Again, this doesn't prevent a hacker from booting (outside the OS) via USB, but that is not the purpose of this control. The purpose is to prevent users from writing sensitive data to USB devices for transport. Is my understanding correct?
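As an added example (not posted by anyone in this thread), this is what the in-OS "deny write, allow read" control discussed above looks like on a standalone Windows machine: a PowerShell snippet that sets the local "Removable Disks: Deny write access" policy and verifies it. The registry path, class GUID and value names are the ones that Group Policy setting writes; the function names are my own, and the note about when the change takes effect is an assumption.

```powershell
# Added example, not from the thread. Enforces the technical control the
# discussion describes: removable disks remain readable but cannot be written.
# It writes the same registry values as the Group Policy setting
# "Removable Disks: Deny write access" (Computer Configuration > Administrative
# Templates > System > Removable Storage Access), so it fits a standalone
# machine; domain-joined machines should receive it from a GPO instead.
# Run from an elevated PowerShell session.

# Device setup class GUID for "Removable Disks", as used by the
# Removable Storage Access policies.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

function Set-RemovableDiskWriteDenied {
    # Create the policy key if it is absent, deny write, and leave read allowed
    # so existing data on the device (e.g. photos on a camera) stays readable.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -Type DWord -Value 1
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_Read'  -Type DWord -Value 0
}

function Test-RemovableDiskWriteDenied {
    # Returns $true only when write is denied AND read is not denied,
    # which is the state the thread describes.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    return ($props.Deny_Write -eq 1) -and ($props.Deny_Read -ne 1)
}

Set-RemovableDiskWriteDenied
if (Test-RemovableDiskWriteDenied) {
    Write-Output 'Removable disks: write denied, read allowed.'
} else {
    Write-Warning 'Policy values not as expected; a domain GPO may be overriding them.'
}
# Assumption: already-attached devices pick up the change after reconnect or reboot.
```

Note that this only affects the "Removable Disks" class, so USB keyboards and mice are untouched, and, as the thread points out, it does nothing outside the running OS (booting from other media is addressed by disk encryption and BIOS controls, not by this policy).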