Wednesday, September 06, 2006

Securing portable storage devices

With portable storage devices becoming more and more popular, IT staff have had to come up with ways of protecting the sensitive data on their networks from such devices.

Not only are these devices able to store large amounts of data, but they can also carry programs such as browsers, utilities and, of course, keyloggers or other malicious content. This poses a huge security risk to company data and infrastructure. So how do you protect yourself from such risks? Below I will step through a few workarounds that I have come up with:

  • One way to disable portable storage devices is to disable the USB functionality altogether. This can be done in the BIOS. (Each BIOS is different, so the steps may be different for your machine.)
  • Restart your machine. Once the machine has rebooted, it should show "Setup" or "BIOS Config" in the top left or right of the screen; hit the key shown next to it.
  • You may have to search around in some of the menus for "USB Support" or "USB Device". It can usually be found in the advanced configuration. Set that to disable. This will disable any USB device that you may have connected to the machine, including printers, keyboards, mice and PDAs.
  • Then you can "Exit and Save".
Of course, as mentioned above, this will make all USB devices cease to function. This may or may not be ideal in your particular environment. So there is another way around this in Windows.

Since Windows incorporated Plug'n'Play in its operating systems, it has been at times a blessing and at other times a security nightmare. In this case, most USB storage devices are installed automatically and don't need administrative privileges to install. One way around that in a corporate environment is to use policy editor and block all USB devices from being installed. This can also be done in the Active Directory group policy editor.

The problem with this method is: how do you allow certain devices to work and not others? If you use policy editor, it will apply to certain groups or domain wide. However, if you want certain machines to have the ability to use USB devices but not storage devices, then you can do the following:

  • If no USB storage devices have been used then:
  • Search for the following files:
  • %SystemRoot%\Inf\Usbstor.inf
  • %SystemRoot%\Inf\Usbstor.pnf
  • Once you have located them, set the permissions so that Administrator is set to Allow and Everyone is set to Deny; any other user groups that you don't want installing the device should also be set to Deny.
  • If the storage device has been installed then you will need to edit the following key in the registry: !Make changes to the registry at your own risk!
  • HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
  • Once you have located the above key, change the hexadecimal value to 4.
I have tested the above in a Windows 2000 environment, with many different USB keys, and it works. Of course one might ask why you would want to allow anyone access to install any USB device. Well, when your administrative staff uses PDAs, you tend to find ways of being secure while allowing the people that sign your check the ability to synch their contacts. As always, do adequate testing before implementing anything like this domain wide. If you have any questions, drop me a line.
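
As an added example (not part of the original post), this read-only PowerShell function audits a machine against both Windows workarounds above and reports which case applies. It assumes the value changed under the UsbStor key is the service's `Start` DWORD and that PowerShell 3.0 or later is available; the function name and output fields are made up for illustration.

```powershell
# Added example, not from the original post. Read-only; run elevated.
# Assumption: the value edited under the UsbStor key is the service's
# "Start" DWORD (3 = load on demand, 4 = disabled).
function Get-UsbStorLockdownState {
    $infDir  = Join-Path $env:SystemRoot 'Inf'
    $svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

    # Storage devices that have been installed leave a subkey here, which
    # tells us which of the two cases in the post applies to this machine.
    $seen = 0
    if (Test-Path $enumKey) { $seen = @(Get-ChildItem $enumKey).Count }

    # Case 1: Deny entries on the driver setup files. Explicit Deny entries
    # take precedence over Allow, so list exactly who is denied.
    $files = foreach ($name in 'Usbstor.inf', 'Usbstor.pnf') {
        $path = Join-Path $infDir $name
        $deny = @()
        if (Test-Path $path) {
            $deny = @((Get-Acl $path).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { $_.IdentityReference.Value })
        }
        [pscustomobject]@{ File = $name; Present = (Test-Path $path); DeniedTo = $deny }
    }

    # Case 2: start type of the already-installed driver service.
    $start = $null
    if (Test-Path $svcKey) {
        $start = (Get-ItemProperty $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    }

    # A present driver file with no Deny entry means case 1 is not in place.
    $aclLocked = @($files | Where-Object { $_.Present -and $_.DeniedTo.Count -eq 0 }).Count -eq 0
    if ($seen -gt 0) { $locked = ($start -eq 4) }
    else             { $locked = ($start -eq 4) -or $aclLocked }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        DevicesSeen   = $seen
        ServiceStart  = $start
        DriverFiles   = $files
        StorageLocked = $locked
    }
}

Get-UsbStorLockdownState | Format-List
```

Check the `DeniedTo` column when reviewing the output: a Deny entry for Everyone also covers administrators, because explicit Deny entries are evaluated before Allow entries.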

Tuesday, September 05, 2006

"Crikey"


The world has lost a great animal conservationist this weekend. Steve Irwin was passionate in the protection of many of the world's threatened animals. If you have ever watched him you would know that he was a crazy, fun-loving guy. I send my condolences to his wife and his two kids. Let's hope that his efforts of protecting animals will continue.

On another note, I came across a blog entry on Digg last night; it was created by Jason Calacanis of Netscape fame. The title of the entry was "The Discovery Channel Killed Steve Irwin". If you read the article, he basically says that because the Discovery Channel was trying to get higher ratings, they get people like Steve Irwin to do crazy, dangerous stunts. Well, I think that is total B.S.

Steve Irwin used Discovery as much as they used him for ratings. He used that medium to spread his message about the necessity of crocs in the environment. Steve would have been wrestling, capturing, and saving crocs and other dangerous animals, with or without a TV show.

The Discovery Channel didn't create "naturalists that have to risk their lives to be credible." Steve the TV persona was created by the love and passion of the fans that watched him on his show in Australia long before The Discovery Channel picked him up. That just sent his message across the world instead of in his own backyard.

The bottom line is that there is no one to blame for Steve's untimely death. That's why they call it an accident.

Picture: Australian television presenter Steve Irwin, The Crocodile Hunter, lifts up a snake onstage at Nickelodeon's 15th Annual Kids' Choice Awards in Santa Monica, Calif. (CP PICTURE ARCHIVE/AP, Lucy Nicholson)