westa6969 asked:
Prohibiting Use of Floppy Disks on my Network

I manage a W2K Pro Network of 320 PC's and 10  Servers,  half the PC's are staff use and the other half are public users seeking jobs and training through our programs and I have a strict policy and lockdown on Floppy Disk use and USB ports as recommended by my Engineers from Analysts International/SequoiaNet. I need Security support materials supporting my reasoning and so it goes beyond just to protect against viruses as I am having a meeting with the users and they desire to challenge my Policy. I need objective support materials. Thank you.
b0bmaster

To disable floppy drives:

Go into the BIOS when booting the computer (usually press F2 or DEL), look around for the option "Floppy 1" or similar, and change it from "3.5'' 1.44MB" to "None" or "Disabled". It is different for every BIOS, so if you want a clearer answer then I need to know the model no./make of the computer or motherboard.

You may also want to password the BIOS so no one can re-enable the drive. The password option is usually found under Security.

Oops - didn't bother reading your question :) so ignore my last post :)

Well if you have virus protection running on all the systems and server then you have no real argument to disable the floppy drives.
Westa, this sounds like the usual information security issues dealt with by all organizations. I would first check with your analysts. They'll have supporting data for their infosec recommendations even if it's copy & paste. Add to that whatever your organization has for an information policy, relevant employee agreement sections, etc. Having access to previous incidents and management's response would help your case.

Expand your "floppy" spec to include all removable storage such as pen-drives or other USB/1394/IR-mountable devices.

Disabling floppies is something of the last checkbox in a very large map. Keep in mind: How did the company infosec policy originate? What were the motivations? Have those changed? Who made the decisions? If there's a need, and decision makers, policy should be cemented there. User meetings should be to discuss new problems or solutions surrounding the policy, not to decide it. If the policy isn't well supported from on high then you have anarchy and a very difficult job ahead.

Good luck,
Dave
As Cyrnel said, these are issues faced by all organisations. Especially those with confidential and potentially saleable information.

Short of searching everybody on their way in/out use the policies that ship with Win2k server. Lock down every desktop.

To me USB drives are way scarier than floppies.

Good luck.
I hate to reply to my own post. However:

Write an acceptable usage agreement that is ratified by senior management and make everybody sign it. If they fail to comply have them fired.

It has been my experience that this approach works.
westa6969 (asker):
I develop and write the IT Policy based upon experience and consultation with my Engineer Support and recommendations from Tech Republic and other organizations posting samples/templates there. I have personalized them for my own network and it has evolved over the past couple of years. I'm also a Degreed ParaLegal and former Monitoring Chief, Grievance/EEO Officer and Policy/Grant Writer over the past 25 years, I have had extensive experience with Policy writing, and I have had my Policy reviewed and approved through Legal Counsel. I've also had to enforce its provisions, which has led to the firing or suspension/demotion of several staff during the past 3 years. This is not meant to be boastful, but the cases of firings were extreme violations. These actions have stood up legally when challenged and I have the support of my Director. My challenge is the persistent whining of inexperienced staff that seem to feel if they bitch enough I'll cave or my Director may. Each user is required to read and sign and agree to it. This has become an issue more pronounced since I implemented GFI Languard software to lock down access.

As to the person who assumed that because I have Symantec Enterprise anti-virus it isn't an issue: they forget that identity theft is also an issue, as our Public Customers are developing resumes and other personal data while they are in our offices to search for jobs and training opportunities. Anti-Virus is but one threat and it is not bulletproof when it comes to floppy disks or other devices. I have a real concern for Software Piracy also, for which they have demonstrated a disregard, as I can view all PCs remotely with Netop and I've observed them storing customer data improperly and installing illegal software, and under the dog-bite rule of the SPA we are liable, not the user of our equipment. This is equal to leaving the customer's private file lying open on the counter 24/7, and that is in fact illegal, and anyone with a USB or Floppy could pull that data and commit identity theft or install unlicensed software. My Staff users are Degreed staff that have the IT knowledge of about a 4 year old or less. Sorry, but that's what I've observed of their capabilities during the past 8 years of growing from 8 PCs to over 300.

I apologize if I did not make myself clear in my question, as I wasn't seeking who may agree or disagree; that is subjective and doesn't matter. Instead I am looking for Objective Support that cannot be challenged, like Gartner or CSI white papers you folks may be aware of. Thank you for the responses.
First, beware: I side with users, but as for

> so it goes beyond just to protect against viruses

You should also invoke language regarding privacy, both for the users and the company. For example, no employee should have personal diskette copy of information regarding personal information of another company, nor any copies of company secrets.

Companies with poor lockdown policies get caught with pants down, where they get reported as having released large quantities of credit card information to unscrupulous types.

Example from another industry: not many hours ago some really big diamonds were swiped from a display in plain view of many (amidst allegations of a new-age lapse in security to save costs) - none saw the act (or would admit it).

Can your company afford such a loss, possibly by cutting back the pay of all staff? Can staff afford that or are they willing to risk it?
Sorry if my earlier suggestions were obvious. Your background wasn't.

Community service nets can be difficult since the motivating penalties are few.

This may still be far from what you intended but have you considered allowing portable storage while restricting available applications & services? Re-imaging the systems daily for integrity? What services do the users need?

I once helped set up a public-service net with 20+ systems. Had to provide floppy access for job search & other needs (before the advent of pen-drives), and only had volunteer supervision so couldn't trust the boxes beyond a day. Ended up putting the entire room in a DMZ, blocking all egress traffic besides 80, 443, internal smtp. Ran everything through a filtering FreeBSD proxy. Set up another box with install images. Every night the egress box shut off outside net access, the image box published, and the clients wiped themselves anew.

These days I might just build a CD drive internally and make that the boot volume with a HD for scratch space. Less network & install effort.

Linux or other open source variants:
-Eliminate the attraction of free commercial software. (assuming "free" does what you need)
-Reduce vulnerabilities, inside & out.
-Can be built (compiled) with custom restrictions - i.e. time bombs, time restrictions, functionality limits.
-Simpler to automate installs.

Lots of options in this direction. MS has net install solutions now though I'm not familiar with limitations or costs. If this is feasible, can you be more specific about application requirements? Web? Office apps, etc.?

Really, I'm just planting ideas. Sounds late in the game to change course.

Dave

Trend makes a great network-layer AV appliance.

Don't want to scare you though.
I regret that some respondents (Fergo) have had to turn to crass insults from a few contributors. I posted to try and get professional Help with Objective materials from fellow Professionals, not immature and unprofessional insults. I thought this was a professional help service of IT Pros that try to help and support one another, and instead I get comments like I'd get playing an XBOX Live game with a bunch of teenagers?

Analysts International and Plante Moran are my Engineering Support professionals and I will turn to them since they designed my network with me. I'd rather pay the $125 an hour Consultant than sit here and waste my time with the insults. Experts Exchange? To the rest of you, thank you, but it would be too time consuming to spell everything out in this forum, and I'm likely to get more subjective opinion from others like Fergo, and time is too valuable to waste in this forum, as I didn't join and participate to offer an invite to insults. Is this Insults Exchange?
The only objective support materials you are likely to find will be ones that say every company should have a documented and enforced infosec policy, which bears due regard to corporate, customer, and individual information and covers all types of information transfer. There are too many different scenarios in the real world for an analyst to come up with a definitive infosec policy that details specific technology restrictions - e.g., I run a test centre, which by design has air-gapped networks, so the only technical way of moving data between networks is via removable media. We therefore implement policies and procedures around the use of those media, but cannot use any technical restrictions.

HTH
ASKER CERTIFIED SOLUTION
Les Moore
Frankly - disabling your floppy drives won't secure your computers. Unless you can also guarantee that there's no *other* way to get data on or off your computers, you're just being a tyrant and getting in people's way. Either you have to operate totally locked-down computers or you don't. If you do - disabling the floppy drives isn't enough. Will your users be happy with no floppy, no other kind of external disk and no network? Will they still be able to work?
http://www.protect-me.com/dl/devicelock.pdf gives a good representation of why you need to have control, and a good but cheap way of controlling Floppy Drives, USB, Firewire, and a myriad of administrative controls.

Home page of the software:

http://www.devicelock.com this is something I have used for internal control.

In most medium to large networks, your biggest security threats come from inside; it's at least worth a look.
Sorry, but it won't help (I know this does not help answer your question that much).
It is possible to get round what you have done, I am sure. (Save as a:\ ....)

The smart users will be able to get round it (smart users have the knowledge of how to run a virus, but that does not mean they will).

The dumb users probably can't run a virus if they wanted to.
www.nist.gov has an excellent set of white papers that can provide pretty much all of the supporting documentation you need to argue your stance in regards to denial/control of floppy and USB access. I assume from your post that you have already made the decision to block access and now you just want an independent party to offer supporting documentation. These papers deal with issues of due care and diligence, security, and many other topics as well. The site has papers in development as well as in accepted form. I regularly use these resources to support many of my day-to-day security decisions. Your engineers should have given you supporting documentation for their decisions as well.
Westa!

I believe that a lot of educational organisations run courses that will help you to understand the basics of IT security, regardless of your technical knowledge. I only had access to a BBC machine with 8k of ram when I went to school but these days the world is your oyster.

I suggest that you x-ray and thermal scan everyone coming in and out, and if there are any issues force them to submit to a cavity search at the risk of instant dismissal for non-compliance. A mantrap environment in and out of the building usually acts as a good deterrent to nefarious activity. In case you are wondering about my experience with this, we just assisted in the investigation and resultant prosecution of a large gaming software theft in China.

Or take some heed from some of the very excellent comments you have received above. Submitted for nothing - just in the interest of helping you out.

The cavity search bit was a joke.

Rgds.

There was good, objective information provided which is all that was asked for.
Suggest split
lrmoore
wlennon
dldigital

Thank you for the assistance - I'll use the Objective materials in support. As to some of the other posters, I think they may think this is Smart Ass Exchange, and certainly many lack any true Networking background, with a let-the-Lunatics-run-the-Asylum attitude. I ended up deploying GFI Languard Portable Storage Control and it makes the floppy and USB drives invisible to the user; they have no way around that, with Group Policy deployment also in place. The GFI program permits central deployment and administration, and where needed the software can be uninstalled in seconds and then deployed when the use is needed. As I'm also the Purchasing Manager I purchase no PCs with floppies, and so for new inventory they are out of the equation. As to getting in the way of Users: give me a break, they are the users of the resources provided, period; they have no vested rights, and if they understood true networking and Shares you'd understand the days of sneakernet are long gone.

Thus the software has the flexibility to be deployed/uninstalled selectively. Considering I have 163 Users that are Degreed in the Social area as Case Managers with little IT knowledge, who have no understanding of potential threats, and the other 175 PCs are public customers that range from zero to Degreed Engineers that have lost their jobs, I have to take precautions that prevent damage and wasted time. There is nothing they need to do that requires a USB or floppy that my Network cannot provide, and it's protected; how many of the Public have truly updated home PCs to move info back and forth? Most don't, surveys have shown. I had a subcontract Supervisor set up file sharing at one of our remote offices and had several movies and 7 GB of illegal movies sitting on our Network. He's, needless to say, unemployed!

The rest of those smart asses can let the Lunatics run the Asylum; my job is to provide services/support, not give away the key to the vault to a bunch of ID10T users that could care less what damage results - it isn't their fricken property to screw around with.
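The thread settles on a commercial agent (GFI Languard Portable Storage Control) plus Group Policy to hide floppy and USB storage. The same effect is available without a third-party product on NT-family Windows by disabling the storage class drivers in the registry, which is what a Group Policy startup script or registry preference would push to every machine. The script below is an added example, not code from the thread, from GFI or from Microsoft; it assumes the USBSTOR and Flpydisk service keys exist (they do on Windows 2000/XP/2003 and later) and that it is run with local administrator rights. The Start=4 value (SERVICE_DISABLED) and the deny-ACL on usbstor.inf/usbstor.pnf are the documented Microsoft approach; the function names are this example's own.

```powershell
# Added example: disable USB mass storage and the floppy driver on one host
# and verify the result. Deploy via a Group Policy startup script for a fleet.
# Assumption: NT-family Windows with the USBSTOR and Flpydisk service keys.

$services = @{
    'USBSTOR'  = 'USB mass storage class driver (usbstor.sys)'
    'Flpydisk' = 'floppy disk driver (flpydisk.sys)'
}
$startDisabled = 4   # SERVICE_DISABLED: driver is never loaded

function Disable-RemovableStorage {
    foreach ($name in $services.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name Start -Value $startDisabled -Type DWord
            Write-Host "Disabled $name - $($services[$name])"
        } else {
            Write-Host "Service key $name not present; skipping"
        }
    }
}

function Protect-UsbstorInstallFiles {
    # Start=4 only stops an already-installed driver from loading. Plugging in
    # a new device makes Plug and Play install usbstor from its INF, so deny
    # ordinary users read/execute on the INF/PNF; administrators keep access.
    $files = @("$env:SystemRoot\inf\usbstor.inf", "$env:SystemRoot\inf\usbstor.pnf")
    foreach ($file in $files) {
        if (-not (Test-Path $file)) { continue }
        $acl  = Get-Acl -Path $file
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Users', 'ReadAndExecute', 'Deny')
        $acl.AddAccessRule($deny)
        Set-Acl -Path $file -AclObject $acl
        Write-Host "Denied Users read/execute on $file"
    }
}

function Test-RemovableStorageLocked {
    # Returns $true only if every present storage driver key is set to disabled.
    $locked = $true
    foreach ($name in $services.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) { continue }
        $start = (Get-ItemProperty -Path $key -Name Start).Start
        if ($start -ne $startDisabled) {
            Write-Warning "$name Start=$start (expected $startDisabled)"
            $locked = $false
        }
    }
    return $locked
}

Disable-RemovableStorage
Protect-UsbstorInstallFiles
if (Test-RemovableStorageLocked) {
    Write-Host 'Removable storage drivers are disabled on this host'
} else {
    Write-Warning 'Lockdown incomplete; review warnings above'
}
```

Two caveats a practitioner should pair with this. First, a user who is a local administrator can set Start back to 1 or 3 and reboot, so the control only holds where staff run as standard users; the BIOS approach earlier in the thread (disable the floppy controller and password the BIOS) closes the same gap from below the operating system. Second, Test-RemovableStorageLocked is the piece worth running on a schedule across all 320 machines, because a lockdown you never re-verify silently decays as machines are rebuilt or hands-on "fixes" are applied.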
Glad to have been of help
dldigital > Glad to have been of help

westa6969 > The rest of those smart asses can let the Lunatics run the Asylum my job is to provide services/support not give away the key to the vault to a bunch of ID10T users that could care less what damage results -
>  Considering I have 163 Users .. and 10  Servers
> several movies and 7 GB's of illegal movies

Oh, you're stuck in a small shop. Movies do not cut it on FDs in my shop, we've got hundreds of times as many users and thousands of servers, so I've got a different concept of damage and origin of same. So the following URLs won't be of much help I guess, I'll just leave 'em for the dldigital's, war1's, wlennon's, and others to try or not as they wish (re: USB)

http://www.linuxdevices.com/news/NS8562564746.html
http://www.realmsys.com/solutions_mps.html