
Specific USB blocking software/hardware

  • 09-11-2015 3:26pm
    #1
    Registered Users, Registered Users 2 Posts: 2,504 ✭✭✭


    Hi all,

    Wondering if you can help me. In my organisation we have a small number of PCs running XP and they will be in use for the foreseeable future (they are running very manufacturing machines and are very expensive to upgrade).

    These PCs are not on our network; however, they are managed by a third party who from time to time come on site for maintenance.

    I would like to control how these engineers use USB sticks. Is there any software/hardware package out there where the PC will only accept a specific USB stick (in my possession)?

    This way if an engineer needs to put something on these machines via USB I will have full control of this process (i.e. scan the USB stick etc.)


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Symantec endpoint protection allows you to block USB drives. Also the Admin can bypass it for specific situations.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Yes and no. There's software that does it, but it relies on various USB identifiers (VID/PID etc.) which can ultimately be faked.
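
An added example, not posted by anyone in this thread: a whitelist check of the kind discussed here, run over constructed device instance IDs in the Windows `USB\VID_xxxx&PID_xxxx\<instance>` layout. The allowlisted values, sample IDs and function names are assumptions made for illustration.

```python
import re

# Constructed allowlist: (VID, PID, serial) of the single approved stick.
ALLOWED = {("0781", "5567", "4C530001230415117291")}

# Windows device instance ID layout: USB\VID_xxxx&PID_xxxx\<instance>
INSTANCE_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<inst>.+)$",
    re.IGNORECASE,
)

# Constructed sample IDs, as they would appear in an exported device list.
SAMPLE = [
    r"USB\VID_0781&PID_5567\4C530001230415117291",  # the approved stick
    r"USB\VID_0781&PID_5567\4C530001990415110000",  # same model, other unit
    r"USB\VID_0781&PID_5567\6&2A1B3C4D&0&2",        # no serial reported
    r"USB\VID_13FE&PID_4200\070B6E2F9A1C",          # unrelated device
    r"not a device id",
]

def classify(instance_id):
    """Return a verdict for one device instance ID string."""
    m = INSTANCE_RE.match(instance_id.strip())
    if not m:
        return "unparsed"
    vid, pid, inst = (m[g].upper() for g in ("vid", "pid", "inst"))
    # When a device reports no serial number, Windows generates the instance
    # part itself; generated values have '&' as their second character, so
    # they cannot identify one physical stick.
    if len(inst) > 1 and inst[1] == "&":
        return "no-serial"
    if (vid, pid, inst) in ALLOWED:
        # Only means the device *reported* these values (they are
        # device-supplied, which is the caveat raised in the thread).
        return "allowed"
    if any((vid, pid) == entry[:2] for entry in ALLOWED):
        return "same-model-other-serial"
    return "blocked"

def audit(instance_ids):
    """Group instance IDs by verdict."""
    report = {}
    for dev in instance_ids:
        report.setdefault(classify(dev), []).append(dev)
    return report

if __name__ == "__main__":
    for verdict, devs in audit(SAMPLE).items():
        print(verdict, devs)
```

Matching on VID and PID alone would accept the second sample as well, which is why the check keys on the serial and treats serial-less devices separately.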


  • Registered Users, Registered Users 2 Posts: 3,323 ✭✭✭davo2001


    Disable the port/s in the BIOS or have them joined onto a domain and this can be done through group policy.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Most corporate antivirus packages come with the power to disable USB devices and approve new ones centrally.

    Another option, assuming the resources are in place, is to use group policy to disable all removable devices on these machines. Thus when someone comes onsite and needs files loaded onto one of these machines, they give you the stick to scan it, and you can copy the files over via the network.

    It's a bit of a painful manual process, but shouldn't be an issue if these visits aren't that frequent.


  • Registered Users, Registered Users 2 Posts: 2,504 ✭✭✭bennyineire


    Thanks for the replies guys,

    We have Kaspersky endpoint and my solution was to put these PCs in a "disable USB group" then disable the policy on a needs be basis.

    I suggested this to my manager but she's looking for me to explore other options, she seems to think what I asked for in this thread was possible but I had my doubts.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    bennyineire wrote: »
    Thanks for the replies guys,

    We have Kaspersky endpoint and my solution was to put these PCs in a "disable USB group" then disable the policy on a needs be basis.

    I suggested this to my manager but she's looking for me to explore other options, she seems to think what I asked for in this thread was possible but I had my doubts.

    So basically you want a whitelist of USB device IDs? I'm sure it can be done.


  • Registered Users, Registered Users 2 Posts: 2,504 ✭✭✭bennyineire


    syklops wrote: »
    So basically you want a whitelist of USB device IDs? I'm sure it can be done.

    Yep that's what I thought, just wanted to check to see if it's possible. I guess not.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    bennyineire wrote: »
    Yep that's what I thought, just wanted to check to see if it's possible. I guess not.

    The thread has only been open for about 40 minutes. I wouldn't give up just yet. I'd be very surprised if it can't be done.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    As mentioned, Symantec endpoint protection allows you to select what USB devices you want to allow. You can also set them to read only if you wish.


  • Registered Users, Registered Users 2 Posts: 2 bofhdan


    Have you looked at the Kensington USB Port Locks? They might be easier and cheaper than trying to do that in software.


  • Registered Users, Registered Users 2 Posts: 3,323 ✭✭✭davo2001


    bofhdan wrote: »
    Have you looked at the Kensington USB Port Locks? They might be easier and cheaper than trying to do that in software.

    They have nothing to do with what he wants.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Kaspersky does indeed do this, we're using it here. Person plugs in a USB device, they get a notice that the device is disabled and a button they can press to request that it be enabled. The admin then logs onto the admin server and can enable that specific device.


  • Registered Users, Registered Users 2 Posts: 2,116 ✭✭✭ItHurtsWhenIP


    All of those central managed solutions may not suit the OP.
    ...
    These PCs are not on our network...

    Even the BIOS solution may not be ideal, as these machines are controlling a part of the manufacturing process and therefore may not be able to be shut down to access the BIOS.

    A quick Google threw up some solutions that may suit. I have no idea if these are good or bad:
    http://securityxploded.com/windows-usb-blocker.php
    http://www.newsoftwares.net/usb-block/


  • Registered Users, Registered Users 2 Posts: 2,504 ✭✭✭bennyineire


    MMFITWGDV wrote: »
    All of those central managed solutions may not suit the OP.



    Even the BIOS solution may not be ideal, as these machines are controlling a part of the manufacturing process and therefore may not be able to be shut down to access the BIOS.

    A quick Google threw up some solutions that may suit. I have no idea if these are good or bad:
    http://securityxploded.com/windows-usb-blocker.php
    http://www.newsoftwares.net/usb-block/

    Correct in regards to the BIOS, these machines are rarely switched off and certainly wouldn't do in the middle of a production schedule.

    I had looked at http://securityxploded.com/windows-usb-blocker.php but our antivirus didn't seem to like it.

    However this link http://www.newsoftwares.net/usb-block/ seems to be a good find, thanks


  • Registered Users, Registered Users 2 Posts: 1,974 ✭✭✭whizbang


    If I was the third party responsible for these machines, I would be the one looking at blocking you from using USB sticks.
    Is Usb-block.exe approved for use on these machines?

    Sorry, but I have been in many a situation like this, and ultimately it's the people who don't understand the process that cause the damage.


  • Registered Users, Registered Users 2 Posts: 78,580 ✭✭✭✭Victor


    Realistically, how long do these machines have left and what if one / more than one just dies?


  • Registered Users, Registered Users 2 Posts: 1,974 ✭✭✭whizbang


    200+million users still on XP.
    XP Embedded still in support, even has no end of support date.

    The issue is really when the hardware suppliers run out of options. There are still suppliers offering 10+ year guaranteed lifecycle on XP products.

    Win98, Win2000 are still in daily use in specialist applications.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Victor wrote: »
    Realistically, how long do these machines have left and what if one / more than one just dies?

    You're missing why they still run. It's not the machines themselves, it's some bit of hardware which they rely on which there aren't drivers for anything but XP.

    I did a Pen Test for a paint company some time back. And we got a tour of the place and the manager goes, "By the way, this machine here, is out of scope. It runs the factory floor". This system which we'll call host-001 was a very old IBM PC, running Windows 95.

    The conversation went like this:

    "Why do you have that?"
    "It runs the plant machinery"
    ":eek: OK. Well, we probably wouldn't see it, we are only testing the WAN, and then the LAN for pivot points"
    "Well it's on the LAN so I'm just saying, it's out of limits".
    "It's on the LAN?!? :eek:"

    Turns out, the print making machinery was made by a company which went bust around 1996, and the control software and driver work only on Windows 95.

    If it were my system and it absolutely had to be Windows 95 then it would be running inside a VM in a secure comms room, and anything goes wrong, I'd just reflash the virtual image. I wouldn't leave the physical PC in the office on the LAN with internet access.


  • Registered Users, Registered Users 2 Posts: 2 bofhdan


    davo2001 wrote: »
    They have nothing to do with what he wants.

    Given that the OP stated "is there any software/hardware package out there", would you care to elaborate on that? A piece of hardware that locks the port and thereby only allows an authorised key holder to insert any USB device seems to have a lot to do with what he wants.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,583 Mod ✭✭✭✭Capt'n Midnight


    Put those PCs on their own network, BIOS or physically lock USB ports.
    And use a gateway machine for the USB access and share the data back.

    If they need the USB to be close to the machine then perhaps a laptop that's secured at other times.

