sunhux
asked on
Workarounds to granting USB ports access on corporate laptops
I view the blocking of USB for 2 reasons:
a) data leakage/loss prevention (so that sensitive data is not copied out):
but copying data from thumb drives into the laptop is Ok, right?
No data loss/leakage concern right?
So does anyone know if there are tools out there that allows the
USB port to permit data to be copied into laptops but not out?
Our McAfee tool doesn't appear to have this feature
b) the concern of malwares (including scripts) being executed from
thumb drives : well for this, we'll have on-access AV in place so in
a way this is mitigated. Win 10 with is AV Defender also prevents
execution of Java, VB scripts etc
Now, between item a & b, my much bigger concern is item a because
for item b, a good AV will mitigate quite well while I've not heard of
any tools that permit one-way data copying into laptop via USB.
Or does anyone know of any tools such as wireless HDD that has
such feature such that users can't reconfigure the "firewall rules"
so that data can only be copied into laptops & not out ?
To provide another intermediate laptop with sftp etc is out of the
question as this solution is too unwieldy
a) data leakage/loss prevention (so that sensitive data is not copied out):
but copying data from thumb drives into the laptop is Ok, right?
No data loss/leakage concern right?
So does anyone know if there are tools out there that allows the
USB port to permit data to be copied into laptops but not out?
Our McAfee tool doesn't appear to have this feature
b) the concern of malwares (including scripts) being executed from
thumb drives : well for this, we'll have on-access AV in place so in
a way this is mitigated. Win 10 with is AV Defender also prevents
execution of Java, VB scripts etc
Now, between item a & b, my much bigger concern is item a because
for item b, a good AV will mitigate quite well while I've not heard of
any tools that permit one-way data copying into laptop via USB.
Or does anyone know of any tools such as wireless HDD that has
such feature such that users can't reconfigure the "firewall rules"
so that data can only be copied into laptops & not out ?
To provide another intermediate laptop with sftp etc is out of the
question as this solution is too unwieldy
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
We have Data Loss Protection in place that will scan for sensitive data so
our corporate policy will block emails with sensitive data.
Certainly there are ways to still copy data out such as wifi devices but
our users (assume) are not that tech competent
our corporate policy will block emails with sensitive data.
Certainly there are ways to still copy data out such as wifi devices but
our users (assume) are not that tech competent
ASKER
Laptop's HDD is encrypted with a high-end tool
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
https://www.ampercent.com/enable-disable-write-access-usb-drive/6264/
So if the user has no admin rights, he can't change the above registry setting, right?
Also, am I right to say an encrypted thumb drive (full partition of the drive encrypted
& requires password to mount/read/write to it) is not so easily infected by malware?