HELP - Major Security Risk - USB Flash Memory!!

M

Matthew Miller

It has come to my attention that normal users on my network can plug in and
use USB Flash Memory sticks with no problems what so ever.

This is a huge security risk for us, and it also violates our polices to
allow such activity. I cannot find how to disable this.

Current Settings: (Domain Group Policy) Computer Config\Windows
Settings\Security Settings\Local Policies\Security Options\
Devices: Allow to format and eject removable media = Administrators

Local Policies on client computers are default for same setting (which is
Administrators)


What else do I need to do? Going around and disabling all USB ports is not
a practical solution, our computers are spread to far apart to accomplish
anything that big.

Any changes you suggest, will they affect current users of USB mem sticks,
or only new users? We have 2 individuals with authorization to use a USB
mem stick who will need to continue to use a mem stick; but several who
currently use one, need all rights removed immediately! (2 users who need
to continue, one is a Power User, and one is a normal Domain User)

Thanks for any and all help

Matt
 
C

Carey Frisch [MVP]

How do I prevent the use of USB Storage Devices in Windows XP?
http://www.jsiinc.com/SUBO/tip7000/rh7093.htm

Also see: "Controlling block storage devices on USB buses"
in the following article.

Changes to Functionality in Microsoft Windows XP Service Pack 2
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx#ECAA

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

-------------------------------------------------------------------------------

:

| It has come to my attention that normal users on my network can plug in and
| use USB Flash Memory sticks with no problems what so ever.
|
| This is a huge security risk for us, and it also violates our polices to
| allow such activity. I cannot find how to disable this.
|
| Current Settings: (Domain Group Policy) Computer Config\Windows
| Settings\Security Settings\Local Policies\Security Options\
| Devices: Allow to format and eject removable media = Administrators
|
| Local Policies on client computers are default for same setting (which is
| Administrators)
|
|
| What else do I need to do? Going around and disabling all USB ports is not
| a practical solution, our computers are spread to far apart to accomplish
| anything that big.
|
| Any changes you suggest, will they affect current users of USB mem sticks,
| or only new users? We have 2 individuals with authorization to use a USB
| mem stick who will need to continue to use a mem stick; but several who
| currently use one, need all rights removed immediately! (2 users who need
| to continue, one is a Power User, and one is a normal Domain User)
|
| Thanks for any and all help
|
| Matt
 
S

Steve Riley [MSFT]

If you are worried about users absconding with information on USB drives,
please also don't forget about several other methods that are also
available:

* corporate e-mail
* web-based free e-mail
* instant messengers
* peer-to-peer file sharing utilities
* USB drives that install their own drivers
* digital cameras and MP3 players
* 1394 firewire drives
* CD and DVD recorders
* parallel port hard drives
* floppy disks
* infrared port or network transfer to other computers
* print outs
* digital photographs and screen captures
* telephone dictation

Note: the other poster did point to some info you can use. This, however, is
a machine setting, not a user setting; all users of the machine will be
affected. You can't have a separate setting for the two authorized users.

If someone wants to make off with data from your computers or network and
they've got access, generally they will be able to accomplish their goals. A
product like Rights Management Services can be very helpful here, but even
RMS won't stop what we call "analog attacks," like for instance placing the
monitor face on a photocopier and pressing the print button. :)

My recommendation: rethink the focus of your security policy. What risk is
the policy trying to mitigate? Usually it isn't a good idea for a *policy*
to mention specific pieces of technology. Policies describe acceptabe
behavior and the consequences for violation. If removing confidential
information is a violation of policy, address it at the management level
(terminate the violator's employment), because it's really the only way you
can.

Steve Riley
(e-mail address removed)
 
G

Guest

Steve
Well done, excellent answer. I was questioned recently about the insecurity
of USB keys and am of the same opinion as you. As you stated, there are so
many other ways of stealing data it has to be addressed via policy.
Dave
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Security risk and back door access for USB netowrk devices 5
can't modify local security settings 2
USB: Driver installation vs. no admin privileges 2
Readyboost and USB Flash memory 2
USB Flash Memory - No Drive Letter 1
How can I have users format a Usb drive as Non-Admin 3
Local Power User on domain 1
USB MEMORY STICKS PROBLEM IN WINDOWS 2000 SP4 1

Top