Disabling USB Storage Devices


Controlling what information can be moved around via thumb drives, iPods, cameras and other forms of removable storage media has gained a lot of focus over the past 12 months. It's not to say the need hasn't been there for much longer, because it has; it is just that media attention following the exposure and loss of personal information, for instance social security numbers, has resulted in auditor attention.

There are a number of third-party products that claim to control whether USB storage devices can be used at all and, if so, whether they are read-only or read-write; however, in my experience the simplest approach is usually the only approach that stands the test of time.

What I am referring to here specifically is control through local security settings and, in the case of Windows, also through Group Policy and Active Directory.

The NSA have produced a rather enlightening document that not only addresses the need as it relates to Microsoft Windows but also that of Linux and Solaris (both 9 and 10) as well as Mac OS X. For further reading you may find the document here on this site or directly from the NSA, here.

Unfortunately this document does not cover the currently available Windows 2003-based Domain and Active Directory.

Windows Vista has a number of additional Administrative Templates that provide better 'out of the box' control of such devices. (It is out of the scope of this post to validate whether exporting any of these templates and subsequently importing them into 2003 would provide this additional functionality, so I would love to hear from anyone who has pursued this direction, whether successfully or unsuccessfully.)

For now, we have another way. The Administrative Template attached to this post (and listed below) may be imported into a Group Policy Object in your Active Directory domain and enabled to provide read-only access to USB storage devices. This policy change will not disable any USB-powered keyboards or mice.
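The attached template itself is not reproduced on this page, so the following is an added example, not the author's attachment: a minimal legacy-format ADM template that exposes a single Computer Configuration setting. It assumes that the attachment (usb_write_protect_adm.zip) works the same way as the Windows XP SP2 / Server 2003 feature that reads the WriteProtect value under StorageDevicePolicies; the category, policy and string names used here are invented for the example.

```adm
; Added example template (not the one attached to the post).
; Assumption: read-only USB storage is achieved, as in XP SP2 / 2003,
; by setting StorageDevicePolicies\WriteProtect to 1.
; Category, policy and string names below are made up for this example.
CLASS MACHINE

CATEGORY !!RemovableStorageCategory
    ; KEYNAME at category level is inherited by the policies beneath it.
    KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"

    POLICY !!UsbWriteProtectPolicy
        EXPLAIN !!UsbWriteProtectExplain
        ; Enabled writes WriteProtect = 1 (USB mass storage mounts read-only);
        ; Disabled writes WriteProtect = 0 (read-write access restored).
        VALUENAME "WriteProtect"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
RemovableStorageCategory="Removable Storage (example)"
UsbWriteProtectPolicy="Make USB storage devices read-only"
UsbWriteProtectExplain="Enabled: sets HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect to 1 so that USB mass-storage devices are mounted read-only. Disabled: sets the value to 0. USB keyboards and mice are unaffected. Requires Windows XP SP2 or later."
```

Load it with Group Policy Object Editor under Computer Configuration, Administrative Templates, Add/Remove Templates. Two caveats worth knowing before relying on it: StorageDevicePolicies is not under one of the Policies registry hives, so the editor treats this setting as a "preference" and hides it unless the "Show Policies Only" filter is turned off, and the value tattoos the registry, meaning it stays at 1 after the GPO is unlinked until something explicitly sets it back to 0. Verify the result on a test machine by plugging in a thumb drive and confirming that reads succeed and writes are refused.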

As mentioned earlier in this post, there are a number of third-party products that purport to control access in a similar fashion, but most if not all of those that successfully achieve this are commercial products. Windows Group Policy is an integral, necessary component of any Windows-based Active Directory domain and can be enabled to offer a potentially similar, albeit basic, level of control at a price acceptable to all.

If you wish to take the level of control even further, you may use the information found here on the Microsoft web site to disable other devices such as CD-ROM, floppy and LS-120 drives as well.

If there are any errors or omissions in the methods described by the attached NSA document or by the Microsoft web site that have subsequently surfaced through user testing, please let us know so we can all benefit from your experience.

I hope you find this information useful.

Thanks.

Attachments:
Disabling_USB_Storage_Devices.pdf (815 KB)
usb_write_protect_adm.zip (827 bytes)