The_Maverick

Securing Information on Win2K Box - Disabling USB Flash Drives, CD Writer, Floppy Disk Drive etc

Hi All,

I've been tasked with securing a Windows 2000 PC.

At present the users have full administrator rights - we now want to lock down the PC - so that regular users will NOT be able to copy data from the hard drive to a USB Drive or burn it to a CD or write it to a floppy (but administrators need to be able to do this).

The PC is stand-alone.

Any hints / suggestions / pointers etc would be very much appreciated.

Thanks in advance,

Mav.
ASKER CERTIFIED SOLUTION
InfoStranger

InfoStranger

Oh yeah! This does not disable the USB. This is kinda tricky since it is hard to specify every USB flash drive. I assume that you do not want to block out USB printers and scanners.

If you just want to block all the USB as well then you need to disable the USB boards and the onboard USB hubs. You probably should think about blocking out the Multimedia Card Readers as well. If you want to block all of this then you should block all USB devices. If you want to print then you need to either use a network printer or a Parallel printer.

Onboard USB can be disabled in the BIOS which means that you need to password protect the BIOS.
The_Maverick

ASKER

Thanks for that.

At this stage knocking out the USB via the BIOS is an option, but it might mean having to replace mouse & keyboard (mouse is an expensive trackball), and cabling is difficult (the PC is on a fishing boat).

Would prefer a GPO solution if you know of any ???

Is there a reason you cannot just lock the CPU in a cabinet? This would be your most simple way of doing it.
Locking up is a better solution, then disable user rights to shutdown with GPO. But if that's not an option InfoStranger's solution is good, and as far as the mouse and keyboard goes, find a USB -> PS2 adapter (many laptops even come with PS2 splitters to connect both the mouse and keyboard via single PS2 jack). Or steal one :). I throw them away on a daily basis.

However, some BIOS are pretty advanced, and can even lock down devices (such as the 2nd IDE device (CD-ROM), USB, and others), dependent on the provided password.

Oh, you can also buy software for about $25 to make this happen.
Phr0stByte, you may want to give him the name and link to the software if you know them.
Have a look at this, it's a way to block USB storage devices, but allow other USB devices to work:

http://www.petri.co.il/disable_usb_disks.htm
Wish I could, and sorry I can't just pull something out of my hat !

I was just too lazy to find them now, and I assumed he didn't want to pay for his solution. If, Maverick, you're interested I'll look into it, but I would spend too much time with it otherwise... because "just any" program doesn't cut it for me :).

Nice link to petri, gvlob :)
It's really amazing what you can find on the net :-)
Good link gvlob.

We are using same thing to block USB storage devices.

While your link will disable the USB device if it has been installed.

We use one more thing.
We delete usbstor.inf and usbstor.pnf files from c:\windows\inf\

Now, if someone tries to put in a USB device, it will not install in the first place.

But, this is helpful only if it has not already been installed on the machine.
Prashsax, the only problem I would have with that is I would not be able to use a USB device if I ever wanted to unless I restore those files. I personally hope that he can just lock it up. The user does not need any access to the CPU. If the computer locks or a hard shutdown needs to be performed, then someone in charge should do that anyway.
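
A reversible form of the usbstor.inf / usbstor.pnf removal discussed in the two posts above, so that an administrator can put the files back when USB storage is needed. This is an added example, not code from any poster in this thread; the script name, its `status` / `block` / `allow` arguments and the parking folder are assumptions. It uses `%SystemRoot%\inf` rather than a fixed path so that it also works where Windows is installed in `C:\WINNT`.

```bat
@echo off
rem usbstor-inf.cmd (hypothetical name) - run as a local administrator.
rem   usbstor-inf.cmd status   show whether the setup files are in place
rem   usbstor-inf.cmd block    move them out of the INF folder
rem   usbstor-inf.cmd allow    move them back
setlocal

rem Folder Windows searches for device setup files.
set INF=%SystemRoot%\inf

rem Assumed parking folder (not from the thread). Give it an ACL that
rem only Administrators can read, otherwise the files stay reachable.
set PARK=%SystemRoot%\usbstor-parked

if /i "%~1"=="block" goto block
if /i "%~1"=="allow" goto allow
goto status

:block
if not exist "%PARK%" mkdir "%PARK%"
for %%F in (usbstor.inf usbstor.pnf) do (
    if exist "%INF%\%%F" move /y "%INF%\%%F" "%PARK%\" >nul
)
goto status

:allow
for %%F in (usbstor.inf usbstor.pnf) do (
    if exist "%PARK%\%%F" move /y "%PARK%\%%F" "%INF%\" >nul
)
goto status

:status
rem Report the current state of both files.
for %%F in (usbstor.inf usbstor.pnf) do (
    if exist "%INF%\%%F" (echo %%F is present in %INF%) else (echo %%F is absent from %INF%)
)
endlocal
```

As the post above points out, this only affects USB storage devices that have not already been installed on the machine.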
Hi All,

Thanks for all the feedback.

Unfortunately, physically locking the PC up isn't an option as the unit is installed on a large fishing boat that goes out for 6 weeks at a time (service calls are somewhat difficult!) - if the unit goes down then they'd have to stop fishing (at a cost of around $4000 per hour), and head back to land (2 to 3 days to make the trip). All those things considered, they won't take the risk of not being able to get into the box. One might argue that a key be given only to the captain, but he's the one we're trying to keep the data from, so that doesn't work either!

I appreciate that whilst they have physical access to the machine they could always move the disk to another PC and access the data that way (we don't want to get into things like EFS), so at this stage it's more a case of "making it difficult" for them to get at the data, but we accept that it's not going to make it impossible (although it takes something like 20 minutes with a screw driver to remove the facia that it's mounted behind (about 20 long wood screws)).

Happy to pay for any software that helps - $$$ isn't an issue.

At this stage the project has been put on hold for a few days, so I'm going to have to wait to see what final direction they want me to take. In the meantime I'll take a closer look at all of this, and (in all probability) close the question off by the end of the week.

Many thanks again for all of your input.

Cheers,

Mav.

Thanks for your help everyone - sorry it took me so long to get back here and finalise things.

In the end the client has chosen to leave things the way they are, but there's still benefit here to me in that I'll be able to look these up in the future.