platform

Controlling what information can be moved around via thumb drives, i-Pods, cameras and other forms of removable storage media has gained a lot of focus over the past 12-months. It's not to say the need hasn't been there for much longer, because it has, just that media attention following exposure and loss of personal information, for instance social security numbers, has resulted in auditor attention.

There are a number of third-party products that claim to control usage of and the functionality thereto in terms of read or read-write capability for USB storage devices, however, in my experience the simplest approach is usually the only approach that stands the test of time.

What I am referring to here specifically is the control through local security settings and in the case of Windows also through Group Policy and Active Directory.

The NSA have produced a rather enlightening document that not only addresses the need as relates to Microsoft Windows but also that of Linux and Solaris (both 9 and 10) as well as Mac OS X. For further reading you may find the document here on this site or directly from the NSA, here.

Unfortunately this document does not cover the currently available Windows 2003-based Domain and Active Directory.

Windows Vista has a number of additional Administrative Templates that provide better 'out of the box' control of such devices. (It is out of the scope of this post to validate whether exporting any of these templates and subsequently importing them into 2003 would provide this additional functionality and as such I would love to here from anyone that has pursued this direction either from a successful or unsuccessful perspective.)

For now, we have another way. The Administrative Template attached to this post here and listed below may be imported into the active directory domain template in your domain and enabled to effectively provide read-only access to USB devices. This policy change will not disable the usage of any USB powered keyboards or mice.

As mentioned earlier in this post, there are a number of third-party products that report to control access in a similar fashion but most if not all that successfully achieve this are commercial products. Windows Group Policy is an integral, necessary component of any Windows-based Active Directory domain and can be enabled to offer a potentially similar albeit basic level of control at a price acceptable to all.

If you wish to take the level of control even further you may utilize the information found here at the Microsoft web site to disable other devices such as CD-ROM, Floppy and LS-120 drives also.

If there are any errors or omissions to the methods described by the NSA document attached or by the Microsoft website that have subsequently surfaced through user testing please let us know so we can all share from your experiences.

I hope you find this information useful.

Thanks.

I recently had a couple of friends ask me for advice on what they should be doing to better protect themselves when 'surfing-the-net'.

So, taking into consideration that not everyone is as technical or computer savvy as the next person, I dispensed the following pieces of advice; realistically these should reduce the chances of something bad befalling you PC.

1. Ensure you have Anti-Virus Protection and that it is updated daily.
2. Ensure you have Anti-Spyware Protection (which may or may not be part of your A/V solution) and update it regularly.
3. Do not download files, launch attachments or click on links in email from people you don't know or trust!
4. Use a firewall - if you can't afford or don't know how to set up a hardware-based variant, get a software one (if you use Windows XP you already have one, so use it!)
5. Use a secure browser to protect yourself and ensure you use HTTPS type communication when performing credit card or banking transactions. If you are uncertain of a sites legitimacy, use McAfee SiteAdviser to check it automatically for you.
6. Make sure your system is up to date with system updates and patches.
7. Never click on links in email from your bank or any other financial institution (including Pay Pal or similar), go directly to the site yourself and find what they were referring to. (Not all messages received are legitimate and some financial institutions now have policies against sending linked messages to their customers/members).
8. Store highly personal information inside an encrypted file or folder.

There are a lot of applications available online that are FREE for personal use and with which you can make your time online that much safer.

Here are a handful of suggestions (this list is not exhaustive by any means):

Anti-Virus - Avast or AVG Anti-Virus or Avira AntiVir
Spyware - Microsoft Windows Defender or Ad-Aware SE Personal or SpyBot
Firewall - Zone Alarm or Comodo or Windows Service Pack 2.
Browser - FireFox or Opera
Encrypted Storage - TrueCrypt

Some food for thought at the very least, I'm sure you will agree!

Dave
--------------------
http://www.poscribes.com