Solved

Prohibiting Use of Floppy Disks on my Network

Posted on 2004-10-01
22
268 Views
Last Modified: 2010-04-11
I manage a W2K Pro Network of 320 PC's and 10  Servers,  half the PC's are staff use and the other half are public users seeking jobs and training through our programs and I have a strict policy and lockdown on Floppy Disk use and USB ports as recommended by my Engineers from Analysts International/SequoiaNet. I need Security support materials supporting my reasoning and so it goes beyond just to protect against viruses as I am having a meeting with the users and they desire to challenge my Policy. I need objective support materials. Thank you.
Question by:westa6969
22 Comments
 
LVL 2

Expert Comment

by:b0bmaster
ID: 12204738
To disable floppy drives:

Go into the BIOS when booting the computer (usually press F2 or DEL), look around for the option "Floppy 1" or similar and change it from "3.5'' 1.44MB" to "None" or "Disabled". It is different for every BIOS, so if you want a clearer answer then I need to know the model no./make of the computer or motherboard.

You may also want to password the BIOS so no one can re-enable the drive. The password option is usually found under Security.

0
 
LVL 2

Expert Comment

by:b0bmaster
ID: 12204761
Oops - didn't bother reading your question :) so ignore my last post :)

Well if you have virus protection running on all the systems and server then you have no real argument to disable the floppy drives.
0
 
LVL 4

Expert Comment

by:cyrnel
ID: 12204971
Westa, this sounds like the usual information security issues dealt with by all organizations. I would first check with your analysts. They'll have supporting data for their infosec recommendations even if it's copy & paste. Add to that whatever your organization has for an information policy, relevant employee agreement sections, etc. Having access to previous incidents and management's response would help your case.

Expand your "floppy" spec to include all removable storage such as pen-drives or other USB/1394/IR-mountable devices.

Disabling floppies is something of the last checkbox in a very large map. Keep in mind: How did the company infosec policy originate? What were the motivations? Have those changed? Who made the decisions? If there's a need, and decision makers, policy should be cemented there. User meetings should be to discuss new problems or solutions surrounding the policy, not to decide it. If the policy isn't well supported from on high then you have anarchy and a very difficult job ahead.

Good luck,
Dave
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 12205106
As Cyrnel said, these are issues faced by all organisations. Especially those with confidential and potentially saleable information.

Short of searching everybody on their way in/out use the policies that ship with Win2k server. Lock down every desktop.

To me USB drives are way scarier than floppies.

Good luck.
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 12205122
I hate to reply to my own post. However:

Write an acceptable usage agreement that is ratified by senior management and make everybody sign it. If they fail to comply have them fired.

It has been my experience that this approach works.
0
 

Author Comment

by:westa6969
ID: 12205346
I develop and write the IT Policy based upon experience and consultation with my Engineer Support and recommendations from Tech Republic and other organizations posting samples/templates there. I have personalized them for my own network and it has evolved over the past couple of years. As I'm also a Degreed Paralegal and former Monitoring Chief, Grievance/EEO Officer and Policy/Grant Writer over the past 25 years, I have had extensive experience with Policy writing and have had my Policy reviewed and approved through Legal Counsel. I've also had to enforce its provisions, which has led to the firing or suspension/demotion of several staff during the past 3 years. This is not meant to be boastful, but the cases of firings were extreme violations. These actions have stood up legally when challenged and I have the support of my Director. My challenge is the persistent whining of inexperienced staff that seem to feel if they bitch enough I'll cave or my Director may. Each user is required to read and sign and agree to it. This has become an issue more pronounced since I implemented GFI LANguard software to lock down access.

As to the person who assumed that because I have Symantec Enterprise anti-virus this isn't an issue: that forgets that identity theft is also an issue, as our Public Customers are developing resumes and other personal data while they are in our offices to search for jobs and training opportunities. Anti-virus is but one threat and it is not bulletproof when it comes to floppy disks or other devices. I have a real concern for Software Piracy also, which they have demonstrated a disregard for in this area, as I can view all PCs remotely with NetOp and I've observed them storing customer data improperly and installing illegal software, and under the dog-bite rule of the SPA we are liable, not the user of our equipment. This is equal to leaving the customer's private file lying open on the counter 24/7, and that is in fact illegal, and anyone with a USB or Floppy could pull that data and commit identity theft or install unlicensed software. My Staff users are Degreed staff that have the IT knowledge of about a 4 year old or less. Sorry, but that's what I've observed of their capabilities during the past 8 years of growing from 8 PCs to over 300.

I apologize if I did not make myself clear in my question, as I wasn't seeking who may agree or disagree - that is subjective and doesn't matter. Instead I am looking for Objective Support that cannot be challenged, like Gartner or CSI white papers you folks may be aware of. Thank you for the responses.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 12205420
1st beware I side with users, but for

> so it goes beyond just to protect against viruses

You should also invoke language regarding privacy, both for the users and the company. For example, no employee should have personal diskette copy of information regarding personal information of another company, nor any copies of company secrets.

Companies with poor lockdown policies get caught with pants down, where they get reported as having released large quantities of credit card information to unscrupulous types.

Example another industry, not many hours ago some really big diamonds were swiped from a display in plain view of many (amidst allegation of new age lapse in security to save costs) - none saw the act (or would admit it)

Can your company afford such a loss, possibly by cutting back the pay of all staff? Can staff afford that or are they willing to risk it?
0
 
LVL 4

Expert Comment

by:cyrnel
ID: 12205524
Sorry if my earlier suggestions were obvious. Your background wasn't.

Community service nets can be difficult since the motivating penalties are few.

This may still be far from what you intended but have you considered allowing portable storage while restricting available applications & services? Re-imaging the systems daily for integrity? What services do the users need?

I once helped set up a public-service net with 20+ systems. Had to provide floppy access for job search & other needs (before the advent of pen-drives), and only had volunteer supervision so couldn't trust the boxes beyond a day. Ended up putting the entire room in a DMZ, blocking all egress traffic besides 80, 443, internal smtp. Ran everything through a filtering FreeBSD proxy. Set up another box with install images. Every night the egress box shut off outside net access, the image box published, and the clients wiped themselves anew.

These days I might just build a CD drive internally and make that the boot volume with a HD for scratch space. Less network & install effort.

Linux or other open source variants:
-Eliminate the attraction of free commercial software. (assuming "free" does what you need)
-Reduce vulnerabilities, inside & out.
-Can be built (compiled) with custom restrictions - i.e. time bombs, time restrictions, functionality limits.
-Simpler to automate installs.

Lots of options in this direction. MS has net install solutions now though I'm not familiar with limitations or costs. If this is feasible, can you be more specific about application requirements? Web? Office apps, etc.?

Really, I'm just planting ideas. Sounds late in the game to change course.

Dave
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 12205570

Trend makes a great network-layer AV appliance.

Don't want to scare you though.
0
 

Author Comment

by:westa6969
ID: 12205809
I regret that some respondents (Fergo) have had to turn to crass insults. I posted to try and get professional Help with Objective materials from fellow Professionals, not immature and unprofessional insults. I thought this was a professional help service of IT Pros that try to help and support one another, and instead I get comments like I'd get playing an Xbox Live game with a bunch of teenagers?

Analysts International and Plante Moran are my Engineering Support professionals and I will turn to them, since they designed my network with me - I'd rather pay the $125 an hour Consultant than sit here and waste my time with the insults. Experts Exchange? To the rest of you, thank you, but it would be too time consuming to spell everything out in this forum and I'm likely to get more subjective opinion from others like fergo, and time's too valuable to waste in this forum, as I didn't join and participate to offer an invite to insults. Is this Insults Exchange?
0

 
LVL 5

Expert Comment

by:swinterborn
ID: 12206536
The only objective support materials you are likely to find will be to say that every company should have a documented and enforced infosec policy, which bears due regard to corporate, customer, and individual information and covers all types of information transfer. There are too many different scenarios in the real world for an analyst to come up with a definitive infosec policy that details specific technology restrictions - e.g., I run a test centre, which by design has air-gapped networks, so the only technical way of moving data between networks is via removable media. We therefore implement policies and procedures around the use of those media, but cannot use any technical restrictions.

HTH
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12208159
Westa6969,
As noted in multiple ways above, there are few documented "best practice" whitepapers that suggest disabling the floppy drive, but I managed to find a couple:
http://www.sensorsmag.com/isensors/dec00/20/main.shtml
http://www.sophos.com/virusinfo/bestpractice/
http://www.fireav.com/customers/security.htm

Another potential issue is keeping the floppy in a bootable state. If I can walk up to any computer on your network with a boot floppy, I guarantee that I will own the entire network. All I need is a single floppy disk and an iPod. Innocent enough? Do you know how much information you can store on an iPod? Plug in the USB and it simply shows up as another disk drive to drag/drop files to/from. Headphones on, head bobbing to music and you think I'm listening to something... not...
Of course, that also applies to bootable CDs now, too...

Does this scare you enough?
http://www.atstake.com/products/lc/
http://dban.sourceforge.net/
http://www.seifried.org/lasg/system/
http://www.petri.co.il/forgot_administrator_password.htm

The US Govt "Orange Book" that provides security ratings for systems that must meet strict security requirements provides a "C2" rating for Microsoft systems with the provisos that 1) they never be connected to a network, and 2) all removable drives are disabled...
Here's MSoft's story on C2
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/security/c2secgde.mspx

Bottom line: policies in place, and executive decisions made that publicly accessible systems will not even have a floppy or CD drive installed, and all USB ports disabled.

0
 
LVL 6

Expert Comment

by:DominicCronin
ID: 12208652
Frankly - disabling your floppy drives won't secure your computers. Unless you can also guarantee that there's no *other* way to get data on or off your computers, you're just being a tyrant and getting in people's way. Either you have to operate totally locked-down computers or you don't. If you do - disabling the floppy drives isn't enough. Will your users be happy with no floppy, no other kind of external disk and no network? Will they still be able to work?
0
 
LVL 13

Expert Comment

by:wlennon
ID: 12209019
http://www.protect-me.com/dl/devicelock.pdf gives a good representation of why you need to have control, and a good but cheap way of controlling Floppy Drives, USB, FireWire, and a myriad of administrative controls.

Home page of the software:

http://www.devicelock.com this is something I have used for internal control.

In most medium to large networks, your biggest security threats come from inside, its at least worth a look.
0
 
LVL 2

Expert Comment

by:adam1213
ID: 12215347
Sorry, but it won't help (I know this does not help answer your question that much).
It is possible to get round what you have done, I am sure. (Save as a: ....)

The smart users will be able to get round it (smart users have the knowledge of how to have a virus, but that does not mean they will).

The dumb users probably can't run a virus if they wanted to.
0
 

Expert Comment

by:dldigital
ID: 12250531
www.nist.gov has an excellent set of WhitePapers that can provide pretty much all of the supporting documentation you need to argue your stance in regards to denial / control of floppy & USB access. I assume from your post that you have already made the decision to block access and now you just want an independent party to offer supporting documentation. These papers deal with issues of due care and diligence, security, and many other topics as well. The site has papers in development as well as in accepted form. I regularly use these resources to support many of my day to day security decisions. Your engineers should have given you supporting documentation for their decisions as well.
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 12278428
Westa!

I believe that a lot of educational organisations run courses that will help you to understand the basics of IT security, regardless of your technical knowledge. I only had access to a BBC machine with 8k of ram when I went to school but these days the world is your oyster.

I suggest that you x-ray & thermal scan everyone coming in and out and if there are any issues force them to submit to a cavity search at the risk of instant dismissal for non-compliance. A mantrap environment in & out of the building usually acts as a good deterrent to nefarious activity. In case you are wondering about my experience with this we just assisted in the investigation and resultant prosecution of a large gaming software theft in China.

Or take some heed from some of the very excellent comments you have received above. Submitted for nothing - just in the interest of helping you out.

The cavity search bit was a joke.

Rgds.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 15898235
There was good, objective information provided which is all that was asked for.
Suggest split
lrmoore
wlennon
dldigital

0
 

Author Comment

by:westa6969
ID: 15902471
Thank you for the assistance - I'll use the Objective materials in support. As to some of the other posters, I think they may think this is Smart Ass Exchange, and certainly many lack any true Networking background, to let the Lunatics run the Asylum attitude. I ended up deploying GFI LANguard Portable Storage Control and it makes the floppy and USB drives invisible to the user - they have no way around that, with Group Policy deployment also in place. The GFI program permits central deployment and administration, and where needed the software can be uninstalled in seconds and then deployed when the use is needed. As I'm also the Purchasing Manager, I purchase no PCs with floppies, and so for new inventory they are out of the equation. As to getting in the way of Users, give me a break: they are the users of the resources provided, period; they have no vested rights, and if they understood true networking and Shares you'd understand the days of sneakernet are long gone.

Thus the software has the flexibility to be deployed/uninstalled selectively. Considering I have 163 Users that are Degreed in the Social area as Case Managers with little IT that have no understanding of potential threats, and the other 175 PCs are public customers that range from zero to Degreed Engineers that have lost their jobs, I have to take precautions that prevent damage and wasted time. There is nothing they need to do that requires a USB or floppy that my Network cannot provide, and it's protected - how many of the Public have truly updated home PCs to move info back and forth? Most don't, surveys have shown. I had a subcontract Supervisor set up file sharing at one of our remote offices and had several movies and 7 GB of illegal movies sitting on our Network. He's, needless to say, unemployed!

The rest of those smart asses can let the Lunatics run the Asylum; my job is to provide services/support, not give away the key to the vault to a bunch of ID10T users that could care less what damage results - it isn't their fricken property to screw around with.
0
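The thread settles on hiding floppy/USB drives from users and pushing that out centrally. The Windows registry values behind the "hide drives" and "disable USB storage" controls are the Explorer policy values NoDrives / NoViewOnDrive (a 32-bit mask, bit 0 = A:, bit 1 = B:, and so on) and the USBSTOR service's Start value (4 = disabled). The script below is an added example, not code from the thread, from GFI or from DeviceLock: it builds a .reg file for a chosen set of drive letters and audits a registry export against that baseline. The SAMPLE_DUMP is constructed for illustration; the parser only handles the dword lines it needs.

```python
"""Build and audit a Win2K-era removable-media lockdown policy.

Added example, not from the original thread. It emits the registry values
that hide drive letters in Explorer (NoDrives / NoViewOnDrive) and disable
the USB mass-storage class driver (USBSTOR Start=4), then checks a registry
export against that baseline.
"""
import re

# Explorer policy key (per user) and the USBSTOR service key (per machine).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
SERVICE_DISABLED = 4  # SERVICE_DISABLED start type; 3 (manual/demand) is the default


def drive_mask(letters):
    """Bit n of NoDrives / NoViewOnDrive corresponds to drive letter chr(ord('A') + n)."""
    mask = 0
    for letter in letters:
        letter = letter.upper()
        if not ("A" <= letter <= "Z"):
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def mask_to_letters(mask):
    """Inverse of drive_mask: list the drive letters whose bits are set."""
    return [chr(ord("A") + i) for i in range(26) if (mask >> i) & 1]


def build_reg_file(letters, disable_usbstor=True):
    """Return the text of a .reg file that hides `letters` and disables USBSTOR."""
    mask = drive_mask(letters)
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{POLICY_KEY}]",
        f'"NoDrives"=dword:{mask:08x}',        # hide from Explorer / My Computer
        f'"NoViewOnDrive"=dword:{mask:08x}',   # also block browsing via common dialogs
        "",
    ]
    if disable_usbstor:
        lines += [f"[{USBSTOR_KEY}]", f'"Start"=dword:{SERVICE_DISABLED:08x}', ""]
    return "\n".join(lines)


def parse_reg(text):
    """Minimal .reg parser: maps key path -> {value name: int} for dword values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit(reg_text, required_letters=("A",)):
    """Return a list of findings; empty means the export matches the baseline."""
    keys = parse_reg(reg_text)
    findings = []
    want = drive_mask(required_letters)
    explorer = keys.get(POLICY_KEY, {})
    for name in ("NoDrives", "NoViewOnDrive"):
        missing = want & ~explorer.get(name, 0)
        if missing:
            findings.append(f"{name} does not cover {','.join(mask_to_letters(missing))}")
    start = keys.get(USBSTOR_KEY, {}).get("Start")
    if start != SERVICE_DISABLED:
        findings.append(f"USBSTOR Start is {start}, expected {SERVICE_DISABLED} (disabled)")
    return findings


# Constructed export of a half-configured machine: A: hidden in Explorer only,
# NoViewOnDrive never set, and USBSTOR still at its default start type of 3.
SAMPLE_DUMP = f"""Windows Registry Editor Version 5.00

[{POLICY_KEY}]
"NoDrives"=dword:00000001

[{USBSTOR_KEY}]
"Start"=dword:00000003
"""

if __name__ == "__main__":
    print(build_reg_file("AB"))
    for finding in audit(SAMPLE_DUMP, ("A", "B")):
        print("FINDING:", finding)
```

Two caveats a practitioner would want: NoDrives and NoViewOnDrive are Explorer shell policies, so a user at a cmd.exe prompt can still type `a:` (adam1213's "save as a:" point stands), and Start=4 on USBSTOR stops the class driver from starting for new devices but does not touch the BIOS boot order. A floppy or CD boot, as lrmoore describes, bypasses the operating system entirely, so the BIOS setting and password from the first comment remain the layer underneath all of this.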
 

Expert Comment

by:dldigital
ID: 15903289
Glad to have been of help
0
 
LVL 24

Expert Comment

by:SunBow
ID: 15908342
dldigital > Glad to have been of help

westa6969 > The rest of those smart asses can let the Lunatics run the Asylum my job is to provide services/support not give away the key to the vault to a bunch of ID10T users that could care less what damage results -
>  Considering I have 163 Users .. and 10  Servers
> several movies and 7 GB's of illegal movies

Oh, you're stuck in a small shop. Movies do not cut it on FDs in my shop, we've got hundreds of times as many users and thousands of servers, so I've got a different concept of damage and origin of same. So the following URLs won't be of much help I guess, I'll just leave 'em for the dldigital's, war1's, wlennon's, and others to try or not as they wish (re: USB)

http://www.linuxdevices.com/news/NS8562564746.html
http://www.realmsys.com/solutions_mps.html
0
