Block USB


What is the best solution to block USB access? What are the tools that big companies are using for it?

Regards,

Raza
Shaun84

What do you mean by block USB access?
If you mean stop people using any USB ports, you could disable the USB ports in Device Manager.
ASKER CERTIFIED SOLUTION
MiguelSilvestre

Group Policy is the de facto tool for managing the configuration of machines on Windows-based networks (that is, networks that have Active Directory deployed).

You can create an ADM template to do this.


Here is the code to restrict XP/SP2 (replace all '|' with '\'):

(This will 'Write Protect' the device, similar to flipping the tab on a floppy disk)

CLASS MACHINE

CATEGORY "USB Storage"

  POLICY "Write Protect USB Storage"
    KEYNAME "SYSTEM|CurrentControlSet|Control|StorageDevicePolicies"
    VALUENAME "WriteProtect"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

Save as a .ADM file, load it in, and go!

or

To prevent machines pre-XP/SP2...(including Windows 2000 SP4)

(This will disable the storage device completely, i.e. no read or write)

CLASS MACHINE

CATEGORY "USB Storage"

  POLICY "Disable USB Storage"
    KEYNAME "SYSTEM|CurrentControlSet|Services|USBSTOR"
    VALUENAME "Start"
    VALUEON NUMERIC 4
    VALUEOFF NUMERIC 3
  END POLICY
END CATEGORY
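
To confirm the policy actually landed on a machine, the two registry values from the templates above can be read back. This PowerShell check is an added example, not part of the original answer; the function names and the Effective labels are assumptions made for illustration.

```powershell
# Added example: read back the two registry values the ADM templates set.
# Read-only; function names and the Effective labels are illustrative assumptions.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null when the key or value is missing, e.g. StorageDevicePolicies
    # has not been created on this machine.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UsbStoragePolicyState {
    $base  = 'HKLM:\SYSTEM\CurrentControlSet'
    $start = Get-RegDword "$base\Services\USBSTOR" 'Start'
    $wp    = Get-RegDword "$base\Control\StorageDevicePolicies" 'WriteProtect'

    # USBSTOR\Start: 4 = driver disabled (VALUEON), 3 = driver loads (VALUEOFF).
    if     ($null -eq $start) { $driver = 'KeyMissing' }
    elseif ($start -eq 4)     { $driver = 'Disabled' }
    elseif ($start -eq 3)     { $driver = 'Enabled' }
    else                      { $driver = "Unexpected($start)" }

    # WriteProtect: 1 = read-only; 0 or missing = writable.
    $readOnly = ($wp -eq 1)

    if     ($driver -eq 'Disabled') { $effective = 'Blocked' }
    elseif ($readOnly)              { $effective = 'ReadOnly' }
    else                            { $effective = 'ReadWrite' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        UsbStorDriver = $driver
        WriteProtect  = $wp
        Effective     = $effective
    }
}

Get-UsbStoragePolicyState | Format-List
```

An Effective value of ReadWrite on a machine that should be covered by the GPO means neither setting has applied there.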

 
raza

ASKER

This is one option: to block the USB port physically, then the user will not be able to use the USB at all. Nowadays, the new Dell desktops are coming without PS/2 ports.

How about for Linux/Unix/Mac systems?  

What are the practices in the market?

I'd block the USB controller from the BIOS.

Peanut butter, gum or glue in the slots...best way :)

Just don't install the USB drivers, or just disable them in Device Manager. This will block all varieties of USB devices, not just mass storage devices. Ensure that users using the system are not administrators; they won't be able to attach new devices (install drivers) without having admin rights.

If your users have local admin rights, then no policy or missing/disable driver will stop users that are smart enough.

As others have said, if you can block USB in the BIOS (with a password), that's the best way. Else try the above.

Rob
 
There's also a UK company that makes clips that snap into the port and can only be removed with a tool. They're about $2 each. I couldn't find the link, but we looked into using them last year.

raza

ASKER

I thought it was the dumbest idea to clip the USB port.

I have evaluated the DeviceLock product of http://www.protect-me.com/dl/ and was going to implement this for my company, but after reading the following, the only option I have left is to use these clips.

Case study: Pod slurping
The scenario
An unauthorized visitor shows up after work hours disguised as a janitor and carrying an iPod (or similar portable storage device). He walks from computer to computer and "slurps" up all of the Microsoft Office files from each system. Within an hour he has acquired 20,000 files from over a dozen workstations. He returns home and uploads the files from his iPod to his PC. Using his handy desktop search program, he quickly finds the proprietary information that he was looking for.***

Sound far fetched?

An experiment
I conducted an experiment to quantify approximately how long it takes to copy files from a PC to a removable storage device (iPod, thumbdrive, et cetera) if you have physical access. The quick answer: not very long.

I wrote a quick Python application (slurp) to help automate the file copy process. Slurp searches for the "C:\Documents and Settings" directory on local hard drives, recurses through all of the subdirectories, and copies all document files.

Using slurp.exe on my iPod, it took me 65 seconds to copy all document files (*.doc, *.xls, *.htm, *.url, *.xml, *.txt, etc.) off of my computer as a logged in user. Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.