Where I work we have a LAN (multiple buildings, multiple servers, etc–we have about 3500 folks). Recently we have had many problems with speed, server crashes, etc. Today we were all briefed that starting tomorrow, we won’t be able to use memory sticks anymore. Rumor has it that someone brought a trojan into the system via a stick so now no one can use them.
How will they do this? One of our co-workers said they could disable all the USB ports? But what if my printer and mouse (and monitor, come to think of it) all have USB cables? Will these now not work either?
This may be a dumb question…I admittedly don’t know much about computers.
This sounds more like an honor code restriction. The logistics of disabling all currently unused USB ports for that many people would be a nightmare. Imagine if they had to go in and re-enable every port when it’s needed. And what prevents a trojan from coming in via e-mail? If I didn’t have a USB stick, I would just e-mail me everything.
If someone is bringing a Trojan into your network then that is a managerial problem. People shouldn’t be stupid and your tech support should be smart enough to prevent something like this from causing too big of a problem.
What do they use for anti-virus software?
I think you simply turn off autodetect of new hardware devices, or only allow an administrator to use it. Printers and such can be added by an administrator manually.
Once a device is installed, it will continue to run. But a memory stick is a new device, so it won’t be detected.
In Windows, this can be done remotely by something like Group Policy, so it can be done on all machines overnight.
That’s not the only way, it seems. My work laptop detects memory sticks just fine, then tells me I don’t have the right permissions level to add it. Couldn’t tell you exactly how that setting is enabled–I’ve learned in my life that the more I learn about Windows system administration, the less happy I am.
My company randomly audits usage, hard drive content, internet history, email history etc. I imagine that if during one of these random audits a USB storage device is found there will be consequences.
XP’s TweakUI will allow you to make any drive letter(s) you want inaccessible. I don’t know if that would prevent the “New Hardware Found” wizard from running and installing it without disabling other stuff, though.
To expand on that, Group Policy makes it almost painless to globally disable the USB storage drivers on all PCs. The same mechanism lets administrators also disable the use of CD-ROM drives and floppy drives as needed.
With Windows Vista, this control is even more elaborate - it’s theoretically possible to craft policies that will allow a particular brand of USB drive to be used to the exclusion of all other brands, just as one example. I say “theoretically” because it’s not terribly straightforward or easy.
Alternately, if you’re using hard drive encryption (and you really should!) a lot of the drive encryption products can be configured to commandeer the USB ports and only allow the use of encrypted USB drives.
Ours is essentially disabled at work. All you have to do is plug a USB stick in, and immediately a pop-up appears in which you have to explain, immediately, why you have attached a USB to your system, etc… They also don’t let you burn CDs, nor do they issue company cell phones that have cameras.
I expect that a group policy is the mechanism, but can’t guarantee it. I do know that the users don’t have administrative rights to their machines.
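Added example, not part of any post above: a read-only PowerShell check of the standard Windows registry locations behind the controls the thread mentions (the USB storage driver, the removable-storage access policy, and device installation restrictions). The helper name `Get-RegValue` and the report labels are made up for illustration.

```powershell
# Read-only audit: which USB storage restrictions are in effect on this PC?
# Nothing is changed; absent keys simply mean the policy is not configured.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$report = [ordered]@{}

# 1. USB mass-storage class driver. Start = 3 loads on demand, 4 = disabled.
#    Mice, keyboards and printers use other drivers and are not affected.
$start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$report['USBSTOR driver disabled'] = ($start -eq 4)

# 2. Removable-storage access policy (Vista and later).
$rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$report['All removable storage denied'] = ((Get-RegValue $rsd 'Deny_All') -eq 1)

# 3. Removable disks only (device class GUID), read and write tracked separately.
$disk = Join-Path $rsd '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$report['Removable disk read denied']  = ((Get-RegValue $disk 'Deny_Read') -eq 1)
$report['Removable disk write denied'] = ((Get-RegValue $disk 'Deny_Write') -eq 1)

# 4. Device installation restrictions: block new removable devices, or
#    permit or deny by hardware ID (the "one brand only" case).
$inst = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$report['New removable devices blocked'] = ((Get-RegValue $inst 'DenyRemovableDevices') -eq 1)
$report['Hardware ID allow list active'] = ((Get-RegValue $inst 'AllowDeviceIDs') -eq 1)
$report['Hardware ID deny list active']  = ((Get-RegValue $inst 'DenyDeviceIDs') -eq 1)

# Print one line per control.
$report.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $_.Value
}
```

If every line reads False, none of these registry-based controls is set on the machine; a restriction seen in practice may then come from a third-party endpoint or encryption product instead.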