Solved

Securing Information on Win2K Box - Disabling USB Flash Drives, CD Writer, Floppy Disk Drive etc

Posted on 2006-11-05
Last Modified: 2010-04-11
Hi All,

I've been tasked with securing a Windows 2000 PC.

At present the users have full administrator rights - we now want to lock down the PC - so that regular users will NOT be able to copy data from the hard drive to a USB Drive or burn it to a CD or write it to a floppy (but administrators need to be able to do this).

The PC is stand-alone.

Any hints / suggestions / pointers etc would be very much appreciated.

Thanks in advance,

Mav.
Question by:The_Maverick
15 Comments
 
LVL 3

Accepted Solution

by:
InfoStranger earned 250 total points
ID: 17878415
First, you need to minimize access for each of your users to User access instead of Administrator.
Next, you need to do the following steps:
http://support.microsoft.com/kb/231289 is where you can find the details of the instructions; the steps below are modified for local computers.
1) click start
2) click run...
3) type mmc and press ok
4) select File on the top menu
5) click Add/Remove Snap-In...
6) click Add... Button in the Stand-alone Tab
7) Select Group Policy Object (GPO)
8) Click Add
9) make sure that it says Local Computer in the Group Policy Object:
10) select Removable Storage(Local) and click Add
11) click finish
12) Click OK
13) Select User Configuration > Administrative Templates > Windows Components > Windows Explorer
14) Select "Prevent Access to drives from My Computer"
15) Select Enable and choose the restrictions from the dropdown
16) Select Removable Storage (Local) > Libraries
17) Right-Click on the name of the device you want to disable usage
18) Click Properties
19) click Security Tab on the top
20) Change settings on User or just remove it
21) Click OK
22) Click File > Save
23) name the file with .msc to modify in the future

I hope this helps.
 
LVL 3

Expert Comment

by:InfoStranger
ID: 17878445
Oh yeah!  This does not disable the USB.  This is kinda tricky since it is hard to specify every USB flash drive.  I assume that you do not want to block out USB printers and scanners.

If you just want to block all the USB as well then you need to disable the USB boards and the onboard USB hubs.  You probably should think about blocking out the Multimedia Card Readers as well.  If you want to block all of this then you should block all USB devices.  If you want to print then you need to either use a network printer or a Parallel printer.

Onboard USB can be disabled in the BIOS which means that you need to password protect the BIOS.
 
LVL 2

Author Comment

by:The_Maverick
ID: 17878456
Thanks for that.

At this stage knocking out the USB via the BIOS is an option, but it might mean having to replace mouse & keyboard (mouse is an expensive trackball), and cabling is difficult (the PC is on a fishing boat).

Would prefer a GPO solution if you know of any ???

 
LVL 6

Expert Comment

by:gvlob
ID: 17884114
Is there a reason you cannot just lock the CPU in a cabinet? This would be your most simple way of doing it.
 
LVL 1

Expert Comment

by:Phr0stByte
ID: 17884829
Locking up is a better solution, then disable user rights to shutdown with GPO.  But if that's not an option InfoStranger's solution is good, and as far as the mouse and keyboard goes, find a USB -> PS2 adapter (many laptops even come with PS2 splitters to connect both the mouse and keyboard via single PS2 jack) .  Or steal one :).  I throw them away on a daily basis.  

However, some BIOSes are pretty advanced, and can even lock down devices (such as the 2nd IDE device (CD-ROM), USB, and others), dependent on the provided password.

 
LVL 1

Expert Comment

by:Phr0stByte
ID: 17884846
Oh, you can also buy software for about $25 to make this happen.
 
LVL 6

Expert Comment

by:gvlob
ID: 17884909
Phr0stByte, you may want to give him the name and link to the software if you know them.

 
LVL 6

Expert Comment

by:gvlob
ID: 17885048
Have a look at this, it's a way to block USB storage devices, but allow other USB devices to work:

http://www.petri.co.il/disable_usb_disks.htm
 
LVL 1

Expert Comment

by:Phr0stByte
ID: 17885159
Wish I could, and sorry I can't just pull something out of my hat !

I was just too lazy to find them now, and I assumed he didn't want to pay for his solution.  If, Maverick, you're interested I'll look into it, but I would spend too much time with it otherwise... because "just any" program doesn't cut it for me :).

Nice link to petri, gvlob :)
 
LVL 6

Expert Comment

by:gvlob
ID: 17885204
It's really amazing what you can find on the net :-)
 
LVL 13

Expert Comment

by:prashsax
ID: 17885459
Good link gvlob.

We are using same thing to block USB storage devices.

While your link will disable the USB device if it has been installed.

We use one more thing.
We delete usbstor.inf and usbstor.pnf files from c:\windows\inf\

Now, if someone tries to plug in a USB device, it will not install in the first place.

But, this is helpful only if it has not already been installed on the machine.
0
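Added example (not part of any post in this thread): the caveat in prashsax's post as an offline check. It takes a regedit export of the Services key and a file listing of the INF directory, both collected by an administrator, and reports whether USB mass storage is blocked. The USBSTOR service key and the Start value 4 ("disabled") are standard Windows settings that the thread itself does not quote; the function names and sample inputs are constructed for illustration.

```python
import re

SERVICE_DISABLED = 4  # Windows service "Start" type 4 = disabled (not stated in the thread)
DRIVER_FILES = {"usbstor.inf", "usbstor.pnf"}  # the files named in the post

def usbstor_start(reg_export):
    """Return the USBSTOR service Start value from regedit export text, or None.
    Decode the export first (regedit version 5 files are UTF-16)."""
    in_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Match the service key itself, not subkeys such as ...\USBSTOR\Enum
            in_key = line.rstrip("]").lower().endswith("\\services\\usbstor")
        elif in_key:
            m = re.match(r'"Start"=dword:([0-9a-f]{8})$', line, re.I)
            if m:
                return int(m.group(1), 16)
    return None

def audit(reg_export, inf_listing):
    """Return (blocked, reason) for USB mass-storage use on the audited PC."""
    start = usbstor_start(reg_export)
    files = sorted(n.lower() for n in inf_listing if n.lower() in DRIVER_FILES)
    if start is not None:  # driver already installed: the INF files no longer matter
        if start == SERVICE_DISABLED:
            return True, "driver installed but service disabled"
        return False, "driver installed and enabled (Start=%d); removing INF files does not help" % start
    if files:
        return False, "driver not installed, but %s still present" % ", ".join(files)
    return True, "driver not installed and setup files absent"

# Constructed sample: export from a PC where a flash drive has been used before.
INSTALLED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000003
"DisplayName"="USB Mass Storage Driver"
"""
DISABLED = INSTALLED.replace("00000003", "00000004")

if __name__ == "__main__":
    for name, reg, listing in [("installed, INF deleted", INSTALLED, ["usb.inf"]),
                               ("installed, service disabled", DISABLED, ["usbstor.inf"]),
                               ("never installed, INF present", "", ["USBSTOR.INF", "usbstor.pnf"]),
                               ("never installed, INF deleted", "", ["usb.inf"])]:
        print(name, "->", audit(reg, listing))
```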
 
LVL 6

Expert Comment

by:gvlob
ID: 17885498
Prashsax, the only problem I would have with that is I would not be able to use a USB device if I ever wanted to unless I restore those files. I personally hope that he can just lock it up. The user does not need any access to the CPU. If the computer locks or a hard shutdown needs to be performed, then someone in charge should do that anyway.
 
LVL 2

Author Comment

by:The_Maverick
ID: 17885981
Hi All,

Thanks for all the feedback.

Unfortunately, physically locking the PC up isn't an option as the unit is installed on a large fishing boat that goes out for 6 weeks at a time (service calls are somewhat difficult!) - if the unit goes down then they'd have to stop fishing (at a cost of around $4000 per hour), and head back to land (2 to 3 days to make the trip). All those things considered, they won't take the risk of not being able to get into the box. One might argue that a key be given only to the captain, but he's the one we're trying to keep the data from, so that doesn't work either!

I appreciate that whilst they have physical access to the machine they could always move the disk to another PC and access the data that way (we don't want to get into things like EFS), so at this stage it's more a case of "making it difficult" for them to get at the data, but we accept that it's not going to make it impossible (although it takes something like 20 minutes with a screw driver to remove the facia that it's mounted behind (about 20 long wood screws)).

Happy to pay for any software that helps - $$$ isn't an issue.

At this stage the project has been put on hold for a few days, so I'm going to have to wait to see what final direction they want me to take. In the meantime I'll take a closer look at all of this, and (in all probability) close the question off by the end of the week.

Many thanks again for all of your input.

Cheers,

Mav.

 
LVL 1

Assisted Solution

by:Phr0stByte
Phr0stByte earned 250 total points
ID: 17894249
Products that look useful to me are DeviceLock (http://www.devicelock.com/),  DeviceWall (http://www.devicewall.com/pro/), GFI EndpointSecurity (http://www.gfi.com/endpointsecurity/) , or Takeware (http://www.takewaregatekeeper.co.uk/features.html), in that order.

GFI is the best-known name among those, but much like Norton it looks a little over-priced and bloated.  However, I also believe you'd get the best support from them.

Also, keep in mind that I haven't used this kind of technology myself, so my opinion is nothing more.  I have only looked into this software, but decided it was beyond our company's budget.

Otherwise I also came across these other names:

DeviceShield, Sanctuary Device Control, Reflex Disknet Pro, Safend Port Protector


Now, if you're losing $4000/hour when this PC is down, I HOPE you have a 2nd machine aboard... :)

And don't forget InfoStranger's first post.  That will plug "most" of the holes.
 
LVL 2

Author Comment

by:The_Maverick
ID: 18005261
Thanks for your help everyone - sorry it took me so long to get back here and finalise things.

In the end the client has chosen to leave things the way they are, but there's still benefit here to me in that I'll be able to look these up in the future.
