Every user on your network has the ability to walk away with any file or directory he or she can read. Even if the file is too big for a floppy and the user doesn't have a CD writer or ZIP drive, your data isn't safe.
Users can walk away with data at any time with a USB storage device. These key-sized devices offer storage capabilities ranging from 32 MB to more than 1 GB.
USB devices have become extremely popular, and they allow Plug-and-Play (PnP) installation with no user or administrator intervention required. Generic signed USB storage device drivers are part of the installation when you load your systems, and they're ready when users plug in their storage devices.
Windows 2000/XP PnP device installation was moved to system authority so all USB devices can install before user logon. This allows any user to plug in a USB storage device and use it without your approval or knowledge.
HOW DO YOU REGAIN CONTROL?
This is an enormous hole in your workstation security plan and inhibits your ability to control workstation hardware. And you can't control or regulate it using group policy.
But you do have options. Three acceptable methods of controlling these devices currently exist.
DISABLE USB IN THE BIOS
This is a radical approach to solve a simple problem, especially if you're using or might want to use USB devices on your workstations.
I don't recommend removing USB support via the BIOS. This is a time-consuming process, and it doesn't integrate well into a largeenterprise solution.
MOVE THE DRIVER.CAB FILE
This approach requires moving the Driver.cab file found in the Winnt\Driver Cache\i386 directory to a location that users can't access. Using the administrator profile logon and logoff policy, you can copy and delete this directory to make sure it's available when you install new devices or deploy OS updates.
Moving the Driver.cab file is a network-centric approach that leaves the system state ready, and it puts the file in a location that's accessible only to the people with the authority to install new system devices.
DEPLOY THIRD-PARTY SOFTWARE
There are a couple of software solutions that can control USB device permissions. DeviceLock is a great product that offers granular control over a broad range of host devices and ports at a fairly affordable price.
Using a third-party software solution is also a scalable approach that should integrate easily within your workstation deployments, but it does increase complexity and the cost of your deployed workstations.
Of course, you can always choose to do nothing and live with the vulnerability. However, I like finding vulnerabilities and closing them before a user discovers and exploits them.
Continue focusing on controlling user access and the storage of your network files, and your internal security will be rock solid.
ABOUT THE AUTHOR
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.
Source: TechRepublic (http://techrepublic.com.com), SECURITY SOLUTIONS E-NEWSLETTER for January 23, 2004.