Techrunner
Secure USB Access.

Hello Experts,

We have around 830 computers at our premises and every user has USB access. They can use portable HDDs and USB flash memories at any time.

Since we all know USBs are a big security hole within the organization. We cannot block USBs due to business reasons.

We are using Kaspersky Endpoint Security 8.0 on the workstations.

I am looking for a solution which can guarantee 100% safe use of USBs.
Gary Case

Given this comment:  "... We cannot block USB's due to business reasons. "

... there's no way you can "guarantee 100% safety" with their use. All you could do is install tracking software that would provide a log of what was copied to USB devices ... but this would require audits to identify any unauthorized usage.
There are options to mitigate the risks introduced (confidentiality, integrity, availability, etc.) by portable devices, such as Software Restriction Policies, AppLocker Policies, and Data Loss Prevention (DLP). Whitelisting applications via AppLocker would be a good measure. You'll also want to ensure all Windows systems are using the Enhanced Mitigation Experience Toolkit (EMET). You'll also want to consider confidentiality risks associated with mobile data both in transit and at rest (e.g. encryption).

References
Thumb Drive Threats and Countermeasures in a Microsoft Windows Environment
USB Drives, Portable Storage Devices and Physical Security
USB – Ubiquitous Security Backdoor
Security Threats and Mitigating Risk for USB Devices

Here's a product worth reviewing:
http://support.frontrange.com/ProductsSolutions/category.aspx?id=13190
madunix

".........We cannot block USB's due to business reasons................. "
Don't assume that technology will solve all known threats around data loss, because it won't. Technology solutions are only part of the story of DLP; IT staff and CTOs/CIOs are required to understand the threats and how they work, so you need to change your policy.

I know some organisations that have physically disabled their USB ports; also there is software that forces data being transferred to USB to be encrypted, so it is protected if it is not an organization-approved device. In our environment USB drives are by default disabled through group policy enforcement.

In your case you can think of some good commercial DLP options (Fortigate, Sophos, ..); also check out CounterACT (http://www.forescout.com/), a commercial product for monitoring client activity.

More info:
http://www.youtube.com/watch?v=NJu0De3XUJY
http://okt.to/d5mG4E
Techrunner (ASKER)
Basically we have allowed USB access so that users can do their homework and bring documents to the office to be copied to their respective.

Since I can see that giving USB access is not the solution.

Is there any enterprise solution for downloading/uploading documents? It could be integrated with Windows Active Directory. Moreover, it should be secure and provide encryption.
You may want to consider cloud based storage solutions as well.
I want to host the files with us.

Thanks
Go to gfi.com and look at their endpoint security product. It will monitor and/or constrain any files getting moved to/from USB sticks. Lots of flexibility on configuring what can and cannot be read or written based on source/destination and computer and/or user login privileges.

As you've been told, there is nothing that is 100% effective. But if every system is running the GFI agent then it will be difficult to compromise ... especially if you have the software monitor for systems rebooting or going offline. That is a tell-tale indication that somebody is trying to circumvent the software.
Windows has group policies to allow authorised external portable storage, so check these settings, which also try to prevent malicious drive usage:
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices#3._Locking_down_Windows_and_Linux_against_Malicious_USB_devices

Likewise, having to encrypt the external storage will maintain confidentiality for data at rest, especially in loss events, which are common.
Understand Kaspersky also has device control with access lists that may be good to leverage for further tightening.

http://support.kaspersky.com/7467

You may even consider temporary access for shared workstations. See

http://support.kaspersky.com/learning/courses/kl_102.98/chapter3.3/section4

Overall, if trusted devices are infected, the other AV and host intrusion prevention controls in Kaspersky should kick in. Exclude unknown zero-days.
http://support.kaspersky.com/learning/courses/kl_102.98/chapter3.3
Is your main concern people walking off with confidential data... or someone introducing a virus (a la STUXNET) via the OS automatically running any software on a USB storage device when it's inserted?

If it's the latter, you can turn off Autorun. Here's an MS article on the subject:

http://support.microsoft.com/kb/967715
Why the need for encryption at all? What is the concern with USB as a security issue? Is it bringing in viruses or transferring viruses from one PC to the other? Is it loss of information by users copying files to their USB sticks?

If there is a reason to encrypt, make sure you understand what encryption is doing, I wrote an article on it: https://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html

To me it sounds like you want users to upload their documents to one location? I'm not seeing the security angle yet. BitLocker and GPOs can "force" the use of BL encryption on USB or portable HDDs, but it may be a restriction that the users are not happy with. They might not want to use BL encryption because they use Macs with their USB sticks and would not be able to, because BL doesn't work on Mac/Apple.

I don't see a way to require encryption in a campus environment unless you're issuing the USB drives with the encryption on them already. If they don't have the drive, then no USB file transfer.

Forcing USBs to be encrypted isn't something I can see at the school/college level for students, since they can probably access their email via a web browser and just download the files that way too. I need more direction as to why USB is the focus and what the goal is.
-rich
Encryption is to protect data at rest, but true enough, and I also see that staff would not be bothered or even want that unless mandated to comply. If there is a means of transparent on-the-fly decryption it may help, but only in a specific custom device or specific machine with that agent to decrypt. Some even come with 2FA before you can open the content in the portable storage. Encryption only makes sense to protect data, but that doesn't mean the data is trusted and that we can trust that the storage device is used. We can as much enforce authorised devices and restrict such device use to allowed machines or locality zones. Data leakage and mass infection vectors always link back to portable storage as the culprit. Do have a usage policy and awareness training too.
100% guaranteed safety is easy with this.

You simply need to get some good 2 part epoxy and fill up every USB port on every machine with it.

The tricky part will be using the computers with no mouse or keyboard.
@FutureTechSysDOTcom: just use machines with the old PS2 connectors for keyboard & mouse. Sorted! ;-)
There are PS2->USB adapters one could use to defeat this.  Face it, the only 100% effective way is to do what they do at some of the places I go to.   They first remove the temptation by not having USB ports in the first place.

Secondly, and the most effective means ... 6'8" marines with machine guns, metal detectors, searches, and imminent threat of prison.
Other than that, look at my post on buying the GFI software.   It monitors all systems for going offline (red flag), and it monitors all systems for USB insertion or copying files to an external device, USB stick, or even network location.

Really no way around that as long as all the systems are running GFI.
Windows has its own less intrusive and native controls for "mass storage" devices, allowing you to effectively ban flash or USB HDDs, and still allowing keyboard and mouse.
There is no security threat specified by the author, just a mention of USB as being a potential security concern, we need more info. To disable mass storage:
@ECHO OFF
REM Start = 4 disables the USBSTOR driver (3 = start on demand, the default; use 3 to re-enable)
REG ADD HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\USBSTOR /V Start /T REG_DWORD /D 4 /F

REM Retroactive deny only takes effect together with a DenyDeviceClasses list under the same key (0 to re-enable)
REG ADD HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions /V DenyDeviceClassesRetroactive /T REG_DWORD /D 1 /F
echo ........USB Mass Storage has been disabled........


-rich
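As an added example (not code from any poster in this thread), the following read-only PowerShell audit reports the state of the settings discussed here: the USBSTOR start value and Device Installation Restrictions from the script above, the Autorun policy from the KB article, and the BitLocker To Go write-deny policy. The registry paths and value names are the standard locations those Windows group policies write to; the "Hardened" thresholds (e.g. treating Start = 4 as the blocked state) are this example's assumptions.

```powershell
# Added example, not code from any poster in this thread: read-only audit of the
# USB-related settings discussed above. Run in an elevated PowerShell session.
# "Hardened" thresholds are this example's assumptions (e.g. USBSTOR Start = 4).
$checks = @(
    @{ Name = 'USBSTOR service Start (3 = on demand/enabled, 4 = disabled)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Hardened = { param($v) $v -eq 4 } },
    @{ Name = 'DeviceInstall restrictions: deny listed device setup classes'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Value = 'DenyDeviceClasses'; Hardened = { param($v) $v -eq 1 } },
    @{ Name = 'DeviceInstall restrictions: also apply to already-installed devices'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Value = 'DenyDeviceClassesRetroactive'; Hardened = { param($v) $v -eq 1 } },
    @{ Name = 'Autorun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Hardened = { param($v) $v -eq 0xFF } },
    @{ Name = 'BitLocker To Go: deny write access to unprotected removable drives'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
       Value = 'RDVDenyWriteAccess'; Hardened = { param($v) $v -eq 1 } }
)

function Get-UsbPolicyState {
    foreach ($c in $checks) {
        $v = $null
        # A missing key or value raises an error; treat that as "not set"
        try {
            $v = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value)
        } catch { }
        [pscustomobject]@{
            Setting  = $c.Name
            Current  = $(if ($null -eq $v) { 'not set' } else { $v })
            Hardened = ($null -ne $v) -and [bool](& $c.Hardened $v)
        }
    }
}

# Any row with Hardened = False is a setting still in its permissive state
Get-UsbPolicyState | Format-Table -AutoSize
```

Running this across the fleet (for example via a scheduled remote job) gives a quick picture of which workstations still have mass storage, Autorun or unencrypted removable writes enabled before any policy change is rolled out.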
Cloud-based can be, for example, ownCloud. Then you run the cloud show and not some other party.
ASKER CERTIFIED SOLUTION
Gerald Connolly
I give up!
-rich
Rich - your solution is draconian, and it eliminates all USBs. The author wanted to use USBs with some sort of restrictions. I'm not the author, but I can see how your solution would not have met the author's needs.

But thanks for the tip; it is an elegant solution as long as nobody has credentials to modify the registry.
@dlethe -- And what is your assessment of my suggestions? ID: 39652001
The FrontRange product is probably similar to GFI, which I suggested. I have first-hand experience with GFI, but none with FrontRange, so I can't give a fair analysis. As for the rest of the links, encryption is an unworkable solution for these needs. The SANS paper was ancient and held some good info, but was dated, so most of the fixes were obsolete.
Probably would have considered beefing up the existing endpoint software instead of having another device control software. Operationally, patching and policy management need tighter control and watching over for conflict and misconfig. Thanks experts.
What I gave up on was what the author was after... Ensuring that the USBs are encrypted is ok, but it only solves the problem of a lost/stolen USB from being read by someone unauthorized. USB as a "security concern" is much broader than lost USBs.
You can't throw encryption at everything people :) It also doesn't sound like the author was looking for encryption at all based on 39653106.
-rich