RE: USB Security

["Trevor Cushen" <Trevor.Cushen () sysnet ie>]

Is it feasible for you to disable the USB port at the BIOS?

-----Original Message-----
From: James McGee [mailto:james () infosec co im]
Sent: 30 November 2004 19:09
To: 'John Robot'; security-basics () securityfocus com
Subject: RE: USB Security


There are known registry hacks which can help prevent the abuse of USB
devices.

The best of these enable the administrator to diable the use of USB ports
for mass media devices, or removable storage, which is what a typical USB
Storage Drive will appear as.

Apparently (I have not seen it yet, but it comes from a MS employee) the GPO
objects you can import to manage XPSP2 also contain this as an option, and
you can also mark USB ports as read only.

So, that should help stop the data walking out the door...

Cheers


James

-----Original Message-----
From: John Robot [mailto:john_f_robot555 () hotmail com] 
Sent: 25 November 2004 14:38
To: security-basics () securityfocus com
Subject: RE : USB Security

Hi,

Languard (from GFI) offers a software that boast being able to control USB
ports.

http://www.gfi.com/lanpsc/


I've never tested it though!

Marty!

-----Original Message-----
From: GuidoZ [mailto:uberguidoz () gmail com]
Sent: Wednesday, November 24, 2004 12:30 AM
To: Jimi Thompson
Cc: Beauford, Jason; Marios Papaioannou; Gray, Steve;
security-basics () securityfocus com
Subject: Re: USB Security


> Rather than use hiderun32.exe, use something like getadmin.exe and show 
> your management what you can if you 1) bring in 4 GB of mal-ware and 2) 
> leave with 4 GB of their salary data to post on the web or in the lunchroom

> on the bulletin board.

lol, yes, there are plenty of options. That why the hiderun32 hides the 
batch file - you can do any command line command you wanted to from that 
point (including getadmin... any of the Sysinternals or Foundstone 
collection would come in handy).

Securing it is a problem. If you need the USB ports for legitimate purposes,

then you obviously have less options. If you can disable them entirely, both

through a passworded BIOS and the XP reg hack, then you'll be sitting 
better. I've never used any program that claims to lock down the USB ports 
against illegitimate use, though I have seen them advertised. (Sorry I don't

have any links hand.)

--
Peace. ~G


On Mon, 22 Nov 2004 21:09:52 -0600, Jimi Thompson <jimi.thompson () gmail com> 
wrote:
> Rather than use hiderun32.exe, use something like getadmin.exe and show 
> your management what you can if you 1) bring in 4 GB of mal-ware and 2) 
> leave with 4 GB of their salary data to post on the web or in the lunchroom

> on the bulletin board.
>
> Jimi
>
> On Mon, 22 Nov 2004 16:46:38 -0500, Beauford, Jason
>
>
> <jbeauford () eightinonepet com> wrote:
> > I may be late here and someone may have mentioned it, but you can > 
> disable the USB Drivers for Windows XP via the registry.  Even > better 
> Logon Scripts.
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
> >
> > JMB
> >
> >
> >
> > -----Original Message-----
> > From: Marios Papaioannou [mailto:m.papaioannou () cytanet com cy]
> > Sent: Sunday, November 21, 2004 4:35 AM
> > To: 'Gray, Steve'
> > Cc: security-basics () securityfocus com
> > Subject: RE: USB Security
> >
> > Hello Steve,
> >
> > From my point of view, the only 100% secure way to reduce the risk > of 
> usb is to disable the usb ports from bios. Any other suggestions > are
> > welcome.
> >
> > Regards,
> > Marios
> >
> > -----Original Message-----
> > From: Gray, Steve [mailto:SGray () wakefield gov uk]
> > Sent: Saturday, November 20, 2004 1:15 AM
> > To: security-basics () securityfocus com
> > Subject: RE: USB Security
> >
> > Hi,
> > This is something we are very interested in at the moment. I have > 
> found some software, from a firm called Generix, that looks as > though it 
> will control the use but it is difficult to get managers > to pay for it. 
> They seem to understand risks from floppy disks and > CD's, but not from 
> USB devices. Any practical policy guidelines to > limit risks would be 
> welcome. Steve Gray Wakefield MDC
> > --------------------------
> > Sent from my BlackBerry Wireless Handheld
>
>
> --
> Thanks,
>
> Jimi

_________________________________________________________________
Gardez le contrôle grâce à la protection contre les fenêtres pop-up 
articulée sur la technologie brevetée Microsoft SmartScreen 
http://join.msn.com/?pgmarket=fr-ca&page=features/popup Commencez dès 
maintenant à profiter de tous les avantages de MSN Premium et obtenez les 
deux premiers mois GRATUITS*.


This email and its attachments are solely for the attention of security-basics () securityfocus com.  
Please contact Trevor.Cushen () sysnet ie if you receive this mail in error.