USB3 Thumb Drive question

[spaulding]

This may be a dumb question, but here goes.
With the proliferation of USB thumb drives that allow you to have an operating system on them, what's to stop somebody from sticking one in a networked computer and using his operating system to bypass security policies on the domain. For instance, we block access to the run command. What's to stop them from putting XP on the flash drive and running it from there?

 

[smah]

There is a way to boot a small XP operating system from a flash drive, so the the solution to that is to disable booting from flash drives. If applicable, this would be a bios setting for each machine.

 

[Stevehewitt]

Yeah, you can stop booting from the BIOS, and prevent USB pens from running using registry keys / GPO's.




Steve.

"They have the internet on computers now!" - Homer Simpson

 

[spaulding]

I probably didn't state my question very well. Perfection would be a person could use his USB drive to store and access his data, but could not use it to run programs. Is that possible?

 

[tfg13]

The solution that smah and Stevehewitt offer is actually going to work for you. The BIOS setting will not allow boot from the USB, yet still allow the functionality to work if it's still plugged in (still be able to store and access his data)....This will of course rely on the BIOS version, and type of computer. As far as I know, most, if not all, BIOS allow this type of setting.

As far as running programs, I think Steve's idea should work with this one. I think you can limit what get's accessed with a GPO from a USB drive.

 

[spaulding]

I appreciate the help. Could somebody give me a vector to where to look in order to set up the GPO? Thanks