USB Security 1

[RLK1983UK]

Hi All,

I was after any opinions on USB Locking Tools... With all of the latest security threats coming from within companies these days we (a UK recruitment agency) have decided that now is the best time to start restricting users from using USB Keys / MP3 Players / PDA's ect.

has anyone else implemented this and what software did you use? any advice / opinions / recommends ...

Thanks In Advance!
Ria

 

[Scotsdude]

Since you will still need the USB ports for printers/scanners/etc you're going to need software to do the job.

The two main players in this field are Securewave and Pointsec. Both offer excellent products, and I suggest speaking to the companies, or downloading a trial, to see which would suit you best.

In the end, we went for Pointsec’s offering, a product called DisknetPro. We found it far more granular and configurable, and has a rather useful facility for those people who are authorized to use USB keys to perhaps take stuff home.

DiskNet will encrypt the USB key, and will also place a checksum file on it. If the user takes it home, alters anything on it, and brings it back, as soon as they plug it into to a company PC, disknet will detect that the checksum has changed and will log this, and can be configured to notify the IT dept to allow access once more. It will also scan the device for viruses using your own AV and also for malicious programs.


------------------------------------------------------
Matt
Life is all shadows and dust.
Live it up with women and wine while you can

 

[RLK1983UK]

thanks

i was thinking of trialling DeviceWall and Safend - have you heard of these?

 

[stefanwagner]

On linux, you would simply edit a file in /etc/udev/rules.d/ .


don't visit my homepage:

http://home.arcor.de/hirnstrom/bewerbung

 

[smartin35]

GFI has a pretty decent product at a reasonable price.

http://www.gfi.com

I evaluated Devicewall and although simple, IIS was required for reporting to work properly.

 

[RLK1983UK]

ok, will take a look at GFI - the website looks good

thanks!

 

[gb0mb]

Why not just disable all USB ports in the bios. Unless your systems do not have ps2 connectors for mouse and keyboard.

On a side note I think windows XP will autorun a usb key even when locked.

Gb0mb

........99.9% User Error........

 

[RLK1983UK]

We cannot just disable USB ports (big task for 100+ PC's) & we need flexibility.

We want to control what they can use and who can use it and when.

We are trying to protect ourselves against viruses getting in and data getting out

 

[gb0mb]

That is a tough task. When viruses and malware can exploit web browsers and other common services users need, how do you defend against them.

A few thought on what I would do:

Lock down traffic leaving your network. Why would a typical user need to FTP out? Send SMTP out without using a Network controlled relay, ect.

Use something like MRTG to monitor bandwidth. I use it as a quick overview of traffic flow on my network. If I come in Monday morning and I see some end-user machine was using bandwidth over the weekend it is a good idea to check it out.

I am sure you can also lock down users so they do not have install privileges and so on.

And I guess the number one thing to do is educate your users. A one hour employee lecture on security will probably be the best defense that you can institute.










Gb0mb

........99.9% User Error........

 

[jet042]

In Windows XP you can set a registry key that will disable USB disk drives but still allow the use of USB printers and such. It is in HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. You need to create a dword called WriteProtect and give it a value of 1.

 

[RLK1983UK]

thanks gb0mb

we have covered all areas and have protection and monitoring tools inplace, except for the 'physical' i.e usb keys, ipods, pda's etc...

i was just after opinions on the software out there that helps with this.

Ria

 

[Atavar]

Of course the best USB security tool is a hot glue gun.. fill em up!