Paul Clarke asked:

Securing USB Memory Sticks

Hi all.

I need to stop users from running ANY executable from a USB Memory Stick.

We have a 2k3 Server, and we are running Ranger Suite.

Basically we have users bringing programs in on their USB memory sticks and running them. We can't stop the sticks being used because they transport documents.

Either a solution using the Rangersuite or Group Policies would be welcomed above third party software.

harbor235

Disable the USB devices; this is a big security threat, especially if rogue programs are being run on your system. Also, you need to define an acceptable use policy (AUP) restricting types of activities on company systems, have all employees sign this document and enforce it.

harbor235
Paul Clarke (ASKER)

The disabling of USB devices is not possible.

They MUST be able to use them as they transfer documents to and from their place of residence.

mjlodge

You could configure Windows to disallow users without Admin privileges from installing new programs. This would stop them from installing programs off the USB memory sticks. You'll probably need a procedure to allow exceptions to this policy because users may sometimes need to legitimately install new programs.

ASKER CERTIFIED SOLUTION
djdingo69

srikrishnak, you're right. And I knew that was an issue while I put in my comments. Sure users can still copy the files over from the USB drive to the hard drive and run them, but 'technically' my response is correct. I'm a student in Computer Networking right now, and I have been taking a lot of Microsoft certification tests lately, so I guess I answered it with Microsoft in mind. ;)

Yes, users can still copy files to hard drive and run them. If you want to make your network absolutely secure from outside executables, my advice would be to set the software restriction group policy to disallow ALL executables unless they are on the exception list. This would be a little pain to set up, but you would have control of what can and can't be run on your network.

djdingo69, yes, you are right. Technically YES. I didn't say that's not the right answer. My comments are just complementing your response earlier... Good to know, buddy... and me too... although I finished my formal uni studies quite some time back, I am still a student in many things... still learning a lot of things... anyway, my best wishes to you.

Forget it.

If you want to prevent users from using memory sticks, you can't let them near the computer.

If you let them near the machine they can:

turn it off
unplug it
spill coffee on it
put a floppy disk in it
put a cd/dvd in it
set it on fire
pull the network cable

yes, they can even plug stuff into ports

The only way to prevent it is to lock up the machine. That's why God invented data centers.
The only way to make it truly secure is to lock it up, and disconnect it from the network.

The important thing is to put your real data assets where they are safe
and make frequent backups and store the backups offsite.
Expect a disaster, plan for it, and minimize its impact.

On-access virus scanners will prevent executables causing damage?
Otherwise there really is no other way to get round this, other than turning off USB ports, but that's not a very nice thing to do!

What kind of programs are you expecting (or experiencing) users to bring on their USB sticks? If you're really *reeally* concerned, perhaps a switchover to another O/S environment is the answer. This cannot possibly be a USB memory stick problem as executables can be brought in on CDs and floppies just as well... or downloaded from the internet.... or sent as e-mail attachments. I realise this is not answering your question, but the general situation isn't quite clear: what kind of damage are you worrying about?
/RID

Our "security" software - Rangersuite already stops them from copying files to the HDD and they do not have access to the CDROM.

As most programs that we are having problems with are larger than 1.44 mb the only other way is for them to use the USB memory sticks.

The programs in themselves are not harmful, they are just inappropriate: "Trillian", "Super Soccer Manager", etc. I have used Ranger to block any executable from the "H:" drive, however if the file is in a subfolder then it is not caught.

The AV software is on access (Sophos 3.89)

I will attempt the GPO as above. Will pass on my findings.

Paul

djdingo69,

Don't forget there are computer savvy users out there. They can just change the drive letter of the removable disk from say E: to F: ... then there are all the other reasons everyone has mentioned since your post... but I just wanted to add my 2 cents.

Leo

>> employee whack-a-mole

LOL

One week, no action. C661jmb, did my post answer your question?

Your problem isn't one of a specific technology, it's of any technology that permits files to be installed.

As an aside, this is really an issue of managerial courage -- when a manager has an employee load crap on the network, they need the courage to discipline the employee.  (Presuming you have appropriate policy established, communicated and aligned with HR).

Good luck,
1cissp

The reason there has been no action from me yet is because we are all on holiday. Will attempt the policy editor when we return.

We do have the policy where we can discipline offenders, however, no use closing the door after the horse has bolted. I am looking at a preventative measure not a response.

Whatever technical solution you apply to prevent execution of files on the USB stick must also be applied to all other drives (HDD, CD etc).
The OS simply sees the USB stick as another drive.
You could always format all USB sticks using NTFS and apply file-level permissions, but this would require a lot of leg work and pre-securing USB sticks before releasing them to users, plus the share-level permissions on default FAT memory sticks will allow users to run executables anyway, so probably not much point.
Another idea would be to use a global app such as Websense Client Application Manager, or Windows Group Policy, to take hashes of all GOOD programs and only allow them to run on your network.
Alternatively, enforce a policy that says only executables digitally signed (and approved) by Microsoft can run.  This should be pretty easy, and will ensure that only programs pre-approved by MS (and hence safe) can run.
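
Added example (not part of the original thread): a simplified Python model, not the Windows or Ranger implementation, comparing the approaches discussed in this thread: a rule that blocks only the root of H:, a rule that blocks the whole drive letter, and a default-deny allowlist of approved hashes plus protected directories. The paths, file contents and the use of SHA-256 are constructed assumptions.

```python
import hashlib
import ntpath

# Constructed sample data: file names and contents are invented for this example.
WORD, GAME = b"approved word processor", b"unapproved game"
ALLOWED_HASHES = {hashlib.sha256(WORD).hexdigest()}
ALLOWED_DIRS = [r"C:\Windows", r"C:\Program Files"]  # assumed not user-writable

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def under(path, root):
    """True if path is root or anything below it, subfolders included."""
    root = _norm(root).rstrip("\\") + "\\"
    return (_norm(path) + "\\").startswith(root)

def root_only_block(path, drive="H:\\"):
    """Default allow; deny only files directly in the drive root."""
    return _norm(ntpath.dirname(path)) != _norm(drive)

def drive_block(path, drive="H:\\"):
    """Default allow; deny everything under one drive letter."""
    return not under(path, drive)

def default_deny(path, content):
    """Default deny; allow approved hashes or admin-only directories."""
    if hashlib.sha256(content).hexdigest() in ALLOWED_HASHES:
        return True
    return any(under(path, d) for d in ALLOWED_DIRS)

CASES = [  # (description, path, content)
    ("stick root", r"H:\game.exe", GAME),
    ("stick subfolder", r"H:\stuff\game.exe", GAME),
    ("stick remapped to F:", r"F:\game.exe", GAME),
    ("copied to profile", r"C:\Documents and Settings\user\game.exe", GAME),
    ("installed application", r"C:\Program Files\Office\winword.exe", WORD),
]

def evaluate():
    """Return {description: (root_only, drive, default_deny)} allow decisions."""
    return {d: (root_only_block(p), drive_block(p), default_deny(p, c))
            for d, p, c in CASES}

if __name__ == "__main__":
    for desc, decisions in evaluate().items():
        print(f"{desc:24} {decisions}")
```

Each tuple reads (root-only block, drive-letter block, default-deny); `True` means the file would be allowed to run. Only the default-deny column refuses the unapproved file in every location.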

".....programs pre-approved by MS (and hence safe)...."

Hmm... Like Outlook Express, you mean?
/RID

I was thinking more Internet Explorer... ;)

Having been in this exact situation before, I'll elaborate as to why I call this a personnel problem and not a technical problem.

We performed in-depth analysis, to see if we could determine a technical solution, and it was butt ugly.  The technical solutions are rather drastic and draconian, and include options like this:

1)  Physically lock down desktop and laptops so the USB ports are inaccessible, such as a cage or plate.
2)  Fill USB ports with epoxy, or cut pins on motherboard.  (tends to make USB mice and USB keyboards unusable, likely voids warranty)
3)  Disable USB in BIOS, lock down BIOS (partial solution, since it can be reset on the motherboard, plus disables other USB devices)
4)  Degauss employees on entry to building (tends to fry cell phones, PDAs, laptops, not pretty)
5)  Frisk and confiscate USB drives (human issues there)
6)  Cripple OS to prevent adding hardware of any kind (tends to cripple more than just USB drives)
7)  Write custom code to install in stealth mode, and monitor drives.  Take offensive action against mounted USB drives.

There actually are some COTS programs to achieve #7, but they are REALLY expensive, since they're designed to do a lot more.

This is really an issue of managerial courage on the part of the managers of employees who are committing rogue acts.  Get it covered by policy, educate, and then treat the action the same as if they brought in barbiturates, porn, a handgun, pet skunk, switchblade, or other contraband.  Surely, if the employee showed up in fish boots, tube top and thong, their manager would send them home to have more appropriate apparel for a work environment (in most professional work locations).  If they stood on their desk and urinated on their PC, they'd be disciplined, fired, and/or jailed.  Why not the same issues when they have knowingly degraded your corporate IT capability by installing rogue applications, possibly with disastrous legal, regulatory, reputational and financial results?  This should be handled the same as any other malicious employee issue.

Again, cf the "employee whack-a-mole" comment -- even if you fix this, what about digital cameras, SD cards, PDA, infrared communications, WiFi, iPod, CD-RW, DVD-RW, firewire drives, or adding a hard drive to their PC, ftp connection, e-mail, modem, cellular modem, bluetooth, cellphone download, installing games from CD, etc. etc.

Trust me, you don't want to fight this one technology at a time.  Address it as a policy, provide for security templates and scanning tools to detect the rogue behavior, and enforce as an HR issue.

I might also point out that it doesn't seem like your actual goal is to prevent any and all USB drive use.  Someone in your organization (perhaps even you) might find it enormously useful to be able to share files via fast and convenient sneakernet, such as when auditors come into your site, and run two laptops, with only one on the network.  It seems like you don't want to really stop all USB drive use, but just the installation of unauthorized software.

1cissp