Network Security Focus-Microsoft
Re: Disabling USB mass storage

Subject: Re: Disabling USB mass storage
Date: Thu, 3 Mar 2005 16:55:20 -0700

We've taken the step of disabling the USB controllers in device
manager on our clients' machines.

Not an ideal solution, as with everything coming on USB nowadays, we
spend an inordinate amount of time re-enabling these devices - which
leaves them open for use with USB drives.

While I'm on the subject. . .  why all the FUD regarding USB drives? 
We have a policy at my current job that prevents the use of USB
drives.  This was a policy implemented around the same time that we
deployed new clients to our users. . . clients that came with CD
burners and floppy drives. . . which aren't disabled.

The result has become the archetypical example of users finding
creative ways around bad rules.  One user went and purchased his own
USB hub for use in the one open port we gave him.  Another user, more
leery of breaking the established rules, will email his briefings home
to himself and puts them on his flashdrive there - simply because he
doesn't want to have to deal with the hassle of CDs while on road trips.

A google comes back with several hits regarding various options on how
to disable USB ports but is very thin on the rationale behind the act.
  Even a search on securityfocus.com returns a lot of wheres and hows.
. . but is not so good on the whys.

The best I've been able to find is that some people were worried about
the efficiency of USB drives, putting forth the argument that the
greater ease of the technology comes with increased risks.  Granted. .
. but if high efficiency leads to high risk why allow other efficient
technologies as well, technologies like email or the web?
Or even CD burners. . . 
     or PDAs. . . 
          or floppy drives. . .  

All of these have vulnerabilities that ultimately can only be
addressed with company and administrative policies.  Policies that
should also cover (or can easily be adapted to) USB drives.

It may sound like my mind is made up on this - but it isn't - not
completely.  I'm just frustrated by having to _daily_ defend what is a
very unpopular policy.  A typical exchange goes along the lines of:
-We have <pick one> CD burners / floppy drives /  Iron clad NDAs / 
security clearances but we can't use a thumbdrive?
Um. . . yeah. . . it's something that the security office pushed down.
-That's pretty stupid.  Why?
Um . . . not a clue.  
-I mean I can use the CD / floppy / email / web / network printer /
fax machine / photocopier to get files / information  out there.
Yeah. . . well . . it's not the only policy that we've got that hasn't
really been thought through.*
(5-30 minutes of general ranting follows, depending on the fortitude
of the person and how fast I can do what needs to be done and escape. 
The above line is wonderful for getting the user to leave me alone and
off ranting against /them/ what inhabit security.  It is,
unfortunately, not a very team-oriented nor professional phrase.  But
it's an honest one).

This happens daily.  

I kid you not.

Okay.  To be honest I'd only just heard the fax machine argument today.  

But.  I would be appreciative if anyone could point me towards a good
reason for disabling USB drives, so that I can start defending this
policy with some form of conviction.

Or am I correct in my belief that this emperor is buck naked?

Now - if you'll excuse me - I have a DVD burner to install for a user. 

Allan Seyberth
