Re: disable usb devices
- From: "Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx>
- Date: Thu, 15 May 2008 10:12:06 -0700
Will you then also work to disable the following:
* FireWire ports
* Writable CD/DVD drives
* PCMCIA/CardBus slots
* SD Card/Memory Stick/etc. slots
* Internet access (Hotmail, Gmail, Yahoo Mail, FolderShare, and so on)
* Printers and photocopiers
* Digital cameras
* Telephones
You see, there are many ways people can export data from your organization. You're looking at only one mechanism.
For most of the history of computer security, we defenders have been struggling to keep the bad guys out. Well, we've reached that point -- with modern operating systems and properly-written applications, the bad guys indeed are mostly kept out.
Now, for various reasons, we've had to turn our attention to a completely different kind of task -- applying more controls over what authorized users can do with data they're allowed to see. Think about this for a moment! It's a completely different task, one that requires new thinking, new processes, and new technologies.
You can't use old-style bad-guy-prevention methods anymore. Attempting to limit "containers" (be it the network or a PC or a memory module) has limited utility here. Instead, we must adopt new methods that allow data sources to protect themselves. Essentially, the notion of portable access control, where the object -- in this case, a file -- controls its own access and enforces its own policies, rather than relying on the container -- a file share.
Yes, this is rights management. IMHO, it's the only way we can truly start to mitigate the "authorized user threat" (I hate that term, but so far haven't come up with anything better). Implementing such a system -- say, Windows RMS -- requires a fundamental shift in thinking about the roles and work of information security. But I don't see any other way. Blocking USB drives just won't cut it: you'll simply create what I call a "circumvention vulnerability," something that encourages users to look for ways to get around the security policy. And I promise you, they'll find many.
--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"yepiknowiam" <yepiknowiam@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:376C801A-FB6D-411C-BC6E-A1C3044573FF@xxxxxxxxxxxxxxxx
Trying to prevent users downloading possibly sensitive files/information and
bringing it home to work on. They could easily lose a thumb drive and we are
a financial institution. It's a preventive measure. I believe there are
many risks with usb devices.
"Steve Riley [MSFT]" wrote:
Every time I see this, I have to ask: why do you want to do this? What
security threats are you trying to mitigate by disabling USB storage
devices?