Networking - Secure USB Memory Sticks

We have an isolated network that holds classified information. It is not connected to the Internet.
Staff will need to move information on/off it from time-to-time.

Does anyone manufacture a secure USB stick so that you can only plug the accredited devices into the workstations, and preferably these memory sticks would only work in selected machines?

We want to stop people plugging in any old memory stick anywhere and being able to remove data randomly.

Many thanks.

Please clarify: On what machines should they work? Only on known ones, never external ones?

Like stick1 works only on device1 and dev2?
Bryant SchaperCommented:
You can limit by device ID; it's not perfect, as it is based on the manufacturer ID, so I think all drives of the same model would work.  You may want to look at encryption and also encrypted/password-protected drives as well.  I have a USB drive that requires a physical PIN to access it, and is sealed.
edhastedAuthor Commented:
This is what we are trying to achieve.

In essence we want to stop people being able to put any USB stick into a workstation that could be used to remove company data off site. We want a system that will only work with "approved" memory sticks. Ideally sticks could be allocated as to which machines they could be used in. If the data on the stick was encrypted then so much the better.

It is possible to buy lockable plugs that can be fitted into USB slots to bung them and stop them from being used at all. But this is nowadays impractical as so many devices need USB just to work, obviously including the keyboards and mice that are becoming USB and at long last less reliant on the venerable PS/2 plugs (circa 1988 PS/2 origins).

So in essence we want the O/S or endpoint security to decide, when a memory stick is inserted, whether it is a valid stick and whether it is valid for that machine. If and only if that is the case, then it will allow that USB stick to be used.

The workstations are all on Windows 7 Professional.
The servers are SBS 2011 or Server 2012.
We are using Symantec Endpoint Security.

andreasSystem AdminCommented:
You also need to ensure people cannot carry your approved USB sticks out, as they will work everywhere. If files on them are not encrypted, the files are out.
Decryption should only be possible with a token the users are not supposed to remove from the workplace, e.g. via keys put in the TPMs of the machines.

But I'm not sure how to implement this properly; I've never tried.
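
As an added illustration of andreas's idea of binding decryption to the workplace machines (this is example code written for this page, not anything from the thread; the file paths, the key layout and the on-stick file format are my own assumptions), the script below keeps a shared site key on each managed workstation wrapped with DPAPI in LocalMachine scope, so it can only be unwrapped on that machine, and encrypts files for the stick under that key. DPAPI machine scope stands in here for the TPM-held key; a real deployment would use BitLocker To Go or a rights-management server as the thread suggests. It targets the PowerShell and .NET 3.5 that ship with Windows 7.

```powershell
# Added example, not code from the thread. Windows 7 / PowerShell 2.0 or later.
# Site key (64 bytes): first 32 bytes for AES-256-CBC, last 32 bytes for HMAC-SHA256.
# It is generated once and stored on every managed workstation wrapped with DPAPI in
# LocalMachine scope, so off site the stick holds only ciphertext and an HMAC tag.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData (DPAPI)
Add-Type -AssemblyName System.Core       # AesCryptoServiceProvider on .NET 3.5

function New-SiteKey {
    $key = New-Object byte[] 64
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($key)
    return ,$key
}

# Wrap/unwrap the site key for this machine only (any user on it, but no other machine).
function Protect-SiteKey {
    param([byte[]]$Key, [string]$Path)   # hypothetical path: C:\ProgramData\SiteKey.dpapi
    $wrapped = [System.Security.Cryptography.ProtectedData]::Protect($Key, $null, 'LocalMachine')
    [System.IO.File]::WriteAllBytes($Path, $wrapped)
}
function Unprotect-SiteKey {
    param([string]$Path)
    $wrapped = [System.IO.File]::ReadAllBytes($Path)
    return ,[System.Security.Cryptography.ProtectedData]::Unprotect($wrapped, $null, 'LocalMachine')
}

# On-stick file format (my own): IV (16 bytes) | ciphertext | HMAC-SHA256(IV | ciphertext) (32 bytes)
function Protect-FileForStick {
    param([byte[]]$Key, [string]$InFile, [string]$OutFile)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.Key = [byte[]]($Key[0..31])
    $aes.GenerateIV()                      # fresh random IV per file
    $plain  = [System.IO.File]::ReadAllBytes($InFile)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $body   = [byte[]]($aes.IV + $cipher)
    $hmac   = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,[byte[]]($Key[32..63]))
    $tag    = $hmac.ComputeHash($body)
    [System.IO.File]::WriteAllBytes($OutFile, [byte[]]($body + $tag))
}

function Unprotect-FileFromStick {
    param([byte[]]$Key, [string]$InFile, [string]$OutFile)
    $blob = [System.IO.File]::ReadAllBytes($InFile)
    if ($blob.Length -lt 48) { throw "File too short to be a protected file" }
    $body = [byte[]]($blob[0..($blob.Length - 33)])
    $tag  = [byte[]]($blob[($blob.Length - 32)..($blob.Length - 1)])
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,[byte[]]($Key[32..63]))
    $calc = $hmac.ComputeHash($body)
    # Constant-time tag comparison: accumulate differences instead of returning early.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($calc[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Integrity check failed: file was modified or wrong site key" }
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.Key = [byte[]]($Key[0..31])
    $aes.IV  = [byte[]]($body[0..15])
    $cipher  = [byte[]]($body[16..($body.Length - 1)])
    $plain   = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.IO.File]::WriteAllBytes($OutFile, $plain)
}

# Usage on a managed workstation (paths hypothetical). Run the first line once, elevated,
# on every managed machine with the SAME $k so they all share one site key:
#   $k = New-SiteKey; Protect-SiteKey -Key $k -Path 'C:\ProgramData\SiteKey.dpapi'
#   $k = Unprotect-SiteKey -Path 'C:\ProgramData\SiteKey.dpapi'
#   Protect-FileForStick    -Key $k -InFile 'C:\work\report.docx'  -OutFile 'E:\report.docx.enc'
#   Unprotect-FileFromStick -Key $k -InFile 'E:\report.docx.enc'   -OutFile 'C:\work\report.docx'
```

Two caveats follow from the design. LocalMachine-scope DPAPI lets any process on that machine (including an administrator) unwrap the key, so the control is that the wrapped key file stays on managed workstations, not that the key is unextractable as it would be in a TPM. And the HMAC is what stops a tampered file from being decrypted into something unexpected; verify it before touching the ciphertext, as the function does.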
There's a variety of programs that will help you with the first of your 2 goals: define what devices are usable on which of your own, managed computers. But the second one, keeping a USB device from working outside your managed environment, is much harder. That is not impossible, but would involve far more than you would like to do, I guess. It would need a rights management server that needs to be contacted to get a key to unlock (=decrypt) the contents of the sticks. So only your managed devices would be able to obtain such a key.

The first, easier task can be achieved with the help of many AV suites, for example Kaspersky business. You could use scripting and work with Microsoft's own devcon.exe to keep disallowed devices from installing (by uninstalling them right afterwards). You could also use GPOs, but those are not device specific, just device series specific (like in "all SanDisk Cruzer sticks are allowed, but nothing else" and not in "only the SanDisk Cruzer stick with ID 121312366FN6 is allowed").

The second would mean looking at expensive/complex solutions like ADRMS:
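
To show the difference this answer draws between a GPO (which matches a hardware ID shared by every stick of the same model) and a scripted check on the device instance ID (which carries the individual stick's serial number), here is an added example written for this page, not code from the thread or from any product named in it. It lists the attached USB disks through WMI, which Windows 7 supports, compares each instance ID against a per-machine allowlist, writes the result to the Application event log for the endpoint tooling to pick up, and can optionally hand an unapproved device to devcon.exe for removal. The allowlist path and format, the event source name and the sample instance IDs are my own constructions.

```powershell
# Added example, not code from the thread. Windows 7 / PowerShell 2.0 or later.
# Run elevated: creating the event source and running devcon both need it.
param(
    [string]$AllowList = 'C:\ProgramData\UsbAllowList.txt',   # hypothetical path
    [switch]$Enforce                                            # remove unapproved disks with devcon
)

# Allowlist format (constructed for this example), one rule per line:
#   HOST1,HOST2|USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\4C530001234567890123&0
#   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER&REV_PMAP\0019E06B1234567890ABCDEF&0
# A rule without a host prefix is approved on every managed machine; '#' starts a comment.
function Read-AllowList {
    param([string]$Path)
    $rules = @()
    foreach ($line in (Get-Content -Path $Path -ErrorAction Stop)) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^(?:(?<hosts>[^|]+)\|)?(?<id>.+)$') {
            $hosts = @()
            if ($Matches['hosts']) {
                $hosts = @($Matches['hosts'].Split(',') | ForEach-Object { $_.Trim().ToUpperInvariant() })
            }
            $rules += New-Object PSObject -Property @{
                Hosts = $hosts
                Id    = $Matches['id'].Trim().ToUpperInvariant()
            }
        }
    }
    return ,$rules
}

# A stick is approved only if its full instance ID is listed AND this host is named
# (or the rule names no hosts at all).
function Test-Approved {
    param($Rules, [string]$InstanceId, [string]$Hostname)
    $id = $InstanceId.ToUpperInvariant()
    $h  = $Hostname.ToUpperInvariant()
    foreach ($r in $Rules) {
        if ($r.Id -ne $id) { continue }
        if ($r.Hosts.Count -eq 0 -or $r.Hosts -contains $h) { return $true }
    }
    return $false
}

$rules  = Read-AllowList -Path $AllowList
$source = 'UsbAllowList'   # hypothetical event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Win32_DiskDrive is present on Windows 7; PNPDeviceID is the device instance path, e.g.
# USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\4C530001234567890123&0 (serial in the last segment).
Get-WmiObject -Class Win32_DiskDrive -Filter "InterfaceType='USB'" | ForEach-Object {
    $id  = $_.PNPDeviceID
    $ok  = Test-Approved -Rules $rules -InstanceId $id -Hostname $env:COMPUTERNAME
    $msg = "USB disk $id (model '$($_.Model)') approved=$ok on $env:COMPUTERNAME"
    if ($ok) {
        Write-EventLog -LogName Application -Source $source -EntryType Information -EventId 1000 -Message $msg
    } else {
        Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 1001 -Message $msg
        if ($Enforce) {
            # devcon selects a device by its instance ID with the '@' prefix (assumes devcon.exe on PATH)
            & devcon.exe remove "@$id" | Out-Null
        }
    }
}
```

Run it from a scheduled task triggered at logon and on device-arrival events, or simply on a short interval. Removing the device node is only a stop-gap, since the stick re-enumerates when replugged; the durable control is the GPO or endpoint-agent rule, and this script's value is the per-serial, per-host decision and the event-log trail (event IDs 1000/1001 here) that Symantec or a SIEM can alert on.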

Bryant SchaperCommented:
Yes, I think you would be looking for some sort of forced encryption; I think I saw a software and USB drive once upon a time.  You would want to encrypt the inbound and outbound files in relation to the USB drive.

But as I type this, I am thinking, how secure is this system if people can bring files from the outside in?  If it is that confidential, USB is never going to be a solution; I might recommend dedicated firewalls and a drop location to move inbound files to.  By allowing a file to come in via USB, where does it originate from? My thought is outside the off-internet system, correct, so these would be non-secure files in the first place, or if confidential then why are they on the outside?

What is the real end goal of what you are moving in and out of the computer?