Note: this post is Windows-centric. Apologies to all Mac and Linux users, but I had to go with the majority on this one.
It doesn’t take a hack attack for your business to be facing a data breach and major security headache. One of the easiest ways for anyone to steal data from your company would be to copy files from your systems directly onto a portable storage device and walk out of the office with it. While you may have removed all CD and DVD drives, USB ports are still a point of vulnerability. Not only can they take information out, but they can also bring in viruses, trojans and spyware. Luckily, they can be disabled.
The most obvious solution to the problem is to disable USB devices in the Control Panel. This will work for any storage devices that have been used on the machine previously, but the AutoPlay function might kick in for any new machines, so this approach is easily bypassed. Score one for the data thieves. Not only that, but disabling the USB ports on a machine wholesale means that USB keyboards, cameras and printers might also be disabled. All in all, this brute force approach is not necessarily the best one.
Another alternative is to make storage drives read-only through the registry settings of a machine. This would not only allow for the use of a number of peripherals that also need a USB port, but would also mean that it would be impossible to write to any devices. There is a down and dirty run-through of how to disable write access for storage devices that you can use, though this is only through the registry, and there is no guarantee that an enterprising miscreant will not find a way to get what they want.
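Here is one way to check and apply the read-only setting from PowerShell. This is an added example rather than the run-through mentioned above. It assumes the standard Windows `StorageDevicePolicies` key with its `WriteProtect` value, and the function names `Get-UsbWriteProtect` and `Set-UsbWriteProtect` are made up for illustration.

```powershell
# Added example: audit and enforce read-only removable storage via the registry.
# Assumes the standard StorageDevicePolicies\WriteProtect policy value.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'   # DWORD: 1 = read-only, 0 or absent = writable

function Get-UsbWriteProtect {
    # Hypothetical helper: $true only if the value exists and is set to 1.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-UsbWriteProtect {
    # Hypothetical helper: turns the read-only policy on or off.
    param([bool]$Enabled = $true)

    # Writing under HKLM needs administrator rights, so fail early and clearly.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) session.'
    }

    # The key is not present on a default install, so create it if needed.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

# Report the current state first, then enforce the policy only if it is missing.
if (Get-UsbWriteProtect) {
    Write-Output 'Removable storage is already write-protected.'
} else {
    Set-UsbWriteProtect -Enabled $true
    Write-Output ('WriteProtect enabled: {0}' -f (Get-UsbWriteProtect))
}
```

Reconnect any drive that was already plugged in when the value changed. Anyone with local administrator rights can flip the value back, which is why this measure offers no guarantee on its own.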
The best solution I have seen when investigating this topic is to disable USB storage devices via a computer’s BIOS, before locking access to that realm via a password. At least if you do that, you know it will take a concerted effort to bypass the controls you have set. I don’t normally visit their pages, but About do have a helpful section on how to access your PC’s BIOS.
If you’ve been paying attention, you’ll have noticed that while all of these solutions are OK on a case by case basis, there is nothing said so far about implementing these security measures across a network. This isn’t because I have not found any, but because it does seem to be wholly dependent on the kind of network you are running. There was a page at the HP website that suggested the best course of action for different setups, but it has since been culled.
This is not to say that there is no way to implement blanket permissions, but it is entirely dependent on the server technology you are already running. I have stacks of information for all sorts of permutations of Linux, Apache and Windows Server systems, but listing them all here would take far too long. For a small business, tweaking each new machine may only take a couple of minutes; for larger organisations, however, there is a kick-ass Novell script that does everything needed with the minimum of fuss.