Restrict USB Storage Devices in an Enterprise Environment

[EvilMunky]

Hi All,

Thought I had asked this previously here before but couldnt find my post so I thought I would ask the question again.

I am looking for a software based solution that allows USB Storage Devices to be controlled.

Requirements of the software are as follows:

• Must be an enterprise solution / Centrally managed
• Must have ability to "Authorise" certain devices - ie after we scan them
• Must not restrict usb devices such as keyboards / mice etc
• Ability to set a time limit on device authorisation to allow temporary access

As a bit of background that may help explain the need, the site I currently work on has a number of network machines that are in a "public" type area - meeting rooms / drop in rooms etc. For one reason or another, these machines have to have connection to our standard network (details to follow). they are commonly used by outsiders who more often than not bring data along on a USB storage device.

Our environment is a Windows 2003 Active Directory based network, with a mix of Laptops and Desktops all running Windows XP sp2

My end goal is to have all public machines (and normal users machines if i can get away with it) protected with this solution that will only allow authorised devices on our network. Devices will be authorised by IT staff (my team) at specified workstations after having been through a thorough AV scan.

I think that about covers it - so if anyone out there is using any software in a similar environment I would be interested in their feedback.

I am aware there are many different solutions out there and am capable of using Google myself, but am particularly interested in peoples experiences.

Thanks in advance

Kip

[Splash]

You can block USB storage by GPO easily enough, but it sounds like you need something a little more complex

[MrP]

i'd be interested in this for a different reason.

we dont mind people using memory stick and portable hard disks, but people keep bringing in keyboard, mice and printers in from home which would be nice to stop.

[mark19632]

We use Disknet Pro
Check Point Software: Reflex Disknet Pro

Personally I find it awful as it seem to disable file sharing even the admin$ share for some reason without tweeking the registry, but that might just be a conflit with the av. Also it won't uninstall with anythign other than the use that installed it.

Other that than it does everything you asked for and is fairly easy to mange and it uses AD groups.

[EvilMunky]

Splash - Yes I can do the blocking Via a GPO easily enough, but blocking everything isn't what i need.

Hadn't heard of Disknet pro mark, will have a read up on it.
THanks

[IAmATeaf]

We use Sanctuary Device Control:

USB Security - USB Blocking Software & Port Protection of Removable Devices

Seems an OK product for us, we use it to control cd/dvd writer access and usb device access, it sort of loosely integrates with AD so a bonus.

[Splash]

Splash - Yes I can do the blocking Via a GPO easily enough, but blocking everything isn't what i need.

Hadn't heard of Disknet pro mark, will have a read up on it.
THanks

I figured as such. If it helps a call centre I just put together operate a "no usb or local storage" policy on the agents' machines. This is all controlled using a single GPO applied to an OU with all these machines in. Management machine sit in a seperate OU and as such are exempt, and if a machine becomes deemed a management box it's a simple case of moving it to the management OU and rebooting.

[EvilMunky]

Thanks IAmATeaf - will check that one out.

Splash, unfortunately the environment in question needs to be more flexible than that. I need all users and all machines to be able to use authorised pen drives only.

This is not for the purpose of restricting data transfer but for the purpose of restricting incoming threats. I have done similar with the GPO's and whilst they are highly powerfull, they just dont help me in this scenario.

cheers

[pendulum666]

Out of interest, why do you need externals to be able to bring in USB devices and use them at all on your corporate network?

[EvilMunky]

Our organisation has academic links where people can have a number of "base" offices and access to a number of different systems. These people are authorised on our network as well as on other networks.

We also have a large number of meeting / presentation setups which will ahve presentations run that will need access to our network.

Messy I know, but thats inheritance for ya.

[IAmATeaf]

Well Sanctuary should be able to copw with all the above, you can also mirror copied data and restrict the amount the data a user can copy per day. Permissions can be applied per user, per computer or per AD global groups, you can also scan a device remotely so if a user brings in a pen drive, you can ask them to plug it in, get it's unique ID, grant perms and then push the changes out.

Quite a neat product really and the project i'm currently working on helped to mould the product so that's it's a bit more flexible then it used to be.

EDIT: if the user base is large don't forget to negotiate a good discount, can't remember how much it costs us but it's not much per seat.

[EvilMunky]

Sounds like what i am lookin for. nice one

[pendulum666]

What happens if someone uses a cd/dvd with files on then? How would you scan for viruses there?

[Shorty]

You can also try DeviceWall for a comparable product on your business case and costings

[IAmATeaf]

What happens if someone uses a cd/dvd with files on then? How would you scan for viruses there?

Not too sure what you mean, if the user doesn't have access it's prevented at almost the hardware level so they'd never get to the files on the cd/dvd, if they have access then the cd/dvd behaves in the normal way and would depend on your AV settings.

[pendulum666]

I mean all this talk of limiting infected files entering the network via usb storage devices...what if someone whacks in a cd...I take it the OP controls that already there.