Slashdot Mirror


Longhorn Will Have Ability to Ban External Storage Devices

slashdotbs writes "CNET is reporting that Microsoft will allow IT managers to block devices such as USB memory keys and - shockingly! - iPods. The article refers to 'the threat posed by digital storage devices'."

28 of 721 comments (clear)

  1. Here comes the SHOCKER! by garcia · · Score: 5, Insightful

    and - shockingly! - iPods.

    Shockingly, michael, people use iPods to backup data! Companies don't want their employees leaving the premises with this data and checking through tens of thousands of bags is time consuming and expensive. Perhaps this would be different if iPods weren't easily able to be used for backing up data but that's just not the case.

    According to the article this feature is available in XP SP2. See here for more information.

    No, it's not some Microsoft conspiracy to end iTMS and the iPod.

  2. They've got their priorities wrong by Compholio · · Score: 5, Insightful

    They need to give IT people the ability to block IE, it's more dangerous than any removable storage device.

  3. This is a good thing by winkydink · · Score: 5, Insightful

    Companies struggle with protecting their confidential and proprietary information. Being able to to do this at a policy level will be a big help to a lot of security folks.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:This is a good thing by Lispy · · Score: 4, Insightful

      Amen. I was about to say the same thing. If I feel like under constant suspicion I tend to be illoyal. That's just the same with people living in a totalitarian regime. It is much better to trust the employees and make sure they are properly payed. If they are really loyal they will be much more productive. It is one of the first lessons we learned from industrialisation.

      That's why Microsoft itself works hard to create such a good work environment (I have some friends who work for Microsoft in germany and they are really very happy and loyal to their firm).

      But the feature itself is not evil. It is pretty handy for sysadmins who can close another security gap. You can do the same with Unix so why is it a bad thing if Windows offers the ability to do so?

    2. Re:This is a good thing by winkydink · · Score: 4, Insightful
      A clever person with physical access can always steal information. As stated above, one makes it increasingly difficult until one reaches what one feels is an acceptable level of risk.

      Zero effect? Give me a break. An idiot can use a USB flash drive. All of the ways you outline require a higher level of intelligence.

      By eliminating an entire group of people (non-technical ones) from being able to steal, one has made their information more secure.

      Nobody has said totally secure. Just more secure.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  4. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  5. This is a good thing for IT managers by Dark+Paladin · · Score: 5, Insightful

    I was talking to the CIO of a major health organization who had commissioned his engineers to find a solution to the problem of people bringing in their USB flash drives. Since he's worried about patient privacy, there's the fear that somebody would be inside, stick in a USB drive, copy data and walk out.

    I know - "but what if they use a notepad, dummy". Yes, there is that problem - but last time I checked, you can steal a ton more data via a USB drive than a piece of paper.

    The engineers answer? Epoxy glue in the USB slots. Not the best choice.

    So for places that have to deal with security, this is good for two reasons. First, it prevents people from taking data through alternate methods (USB/Firewire drives). Second, it lets people with those devices bring them into the lab.

    Take the iPod example. If you're working in one of my secure labs, I might tell you "sorry - leave it outside". But with this technology, I can say "Sure - bring it in and listen to your tunes" with a reasonable level of surety that they're not to go copy data they shouldn't.

    So from my mind, this is a Good Thing, and I'd like to see it on my OS X/Linux machines as well.

  6. And this is bad because? by bloggins02 · · Score: 5, Insightful

    Seriously,

    Just because you give IT administrators the power to lock down the computer doesn't mean that Aunt Sallie isn't going to be able to use her iPod.

    Imagine you administer a huge corporate network and you've standardized on Longhorn. Now imaging that the single biggest threats your network has seen in the past have originated from customer service reps bringing files from home on their iPods and Thumbdrives. If I were an administrator, I would have no problem locking down those machines to eliminate that threat.

  7. Shockingly? by rde · · Score: 4, Insightful

    I don't own an iPod, but I imagine it's just a plain ol' USB storage device when plugged in. As such, it's as much of a security risk as any other, similar device.

    We've all been slagging off MS for years now for their attitude to security; no point in whining now when they get it right, just cos you can't play music through your desktop speakers.

    BTW: cool link on that page. Well, not cool, but I like the headline: Allchin: Don't call it 'Shorthorn'

  8. Re:Stupid as usual by PhuCknuT · · Score: 3, Insightful

    Uhm...

    If users didn't have rights to do "bad" things, then USB keys and iPods wouldn't be a concern.

    Isn't this exactly what they are doing? Giving admins the ability to take away unnecessary rights from the user?

  9. Big deal for classified environments by acomj · · Score: 3, Insightful

    Our IT folks have locked down our Unix Workstations from mounting most media. These devices especially mp3 player that act like drives cause our semi-technical security to freak.

    It will help windows make inroads into classified environments.

    (some feel that store bought "music" media should labeled to its security level, except cd burners can't burn store bought music cds.)

  10. Re:Booo...Hissss... by Jimmy+The+Leper · · Score: 5, Insightful

    Why is this a bad thing? It just gives more choices for security. Now if a sysadmin blocked these ports they better have an alternative to getting files off the machine (if files need to be copied somtimes...) Also, anyone know how the blocking is done? Can it be on a per device basis, or just all external storage devices?

    --
    -You're only as clean as your towel.
  11. You miss the point by winkydink · · Score: 4, Insightful
    As usual, Microsoft continues to push the blame elsewhere instead of fixing their damn OS! If users didn't have rights to do "bad" things, then USB keys and iPods wouldn't be a concern. Yet Windows continues to insist on letting users run with privileges that only administrators should have.

    Case in point. A company has proprietary and confidential information that you, as their employee, have access to (without having admin privs). The company wishes to restrict your ability to make copies and potentially misuse (i.e., steal) that information.

    I fail to see what administrator priveleges have to do with this.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  12. Re:Stupid as usual by Speare · · Score: 4, Insightful
    As for "copying large amounts of company data", what ever happened to employee trust? i.e. You should only hire someone you can trust to do job you put them in, because there's no getting around giving them access to sensitive information. It's like telling the company accountant that they can't have access to the financial records, because they might embezzle money!

    You can train a horse to stay in the barn, but it's far more effective to close the doors as well.

    Some companies work with "trade secrets."

    Some companies work with YOUR "private information."

    Some companies work with your country's "military profile."

    I think it's perfectly appropriate to empower the IT department to set forth a flexible and strategic policy of which devices are interoperable, and which devices are not.

    --
    [ .sig file not found ]
  13. mount: only root can do that by mocm · · Score: 5, Insightful

    $ mount /dev/sda1 /mnt
    mount: only root can do that

    --
    ***Quis custodiet ipsos custodes***
  14. you can do it now with epoxy by ChipMonk · · Score: 4, Insightful

    Just blob it into the USB ports on the motherboard and be done with it. It stops "boot Knoppix and save it to your USB key" approaches, too.

  15. Remember this is for corporate users ... by mingrassia · · Score: 3, Insightful

    This is not a big deal folks. My spouse works for a financial institution and they block access to Internet based email (e.g. GMail, Yahoo, etc). My current employer blocks ftp access to the outside world. My last employer didn't allow us to bring our cell phones or pagers into the secure computer labs. The computer you use at work is not yours and you can't do with it as you wish. This may be frustrating for us techies but it is the truth. Remember folks that this is intended to be used by corporate users and NOT for home users. This is just a natural progression of companies wanting to make sure that employees don't run off with data that they are not supposed to. Anyone else remember this fiasco?

    --
    OS X, Linux, Tivo, Amiga, my fascination with cult-like technologies would intrigue any psychiatrist.
  16. If you have physical access, you can always steal by winkydink · · Score: 4, Insightful

    What MS is doingis making it harder to steal, not impossible. One continues to raise the bar of difficulty until one attains a level of acceptable risk. This makes it easier to raise the bar.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  17. Re:Somewhat of a good idea by pknoll · · Score: 4, Insightful
    Many workstation-class machines have intrusion detection.

    Any company that needs to worry about file copying to the extent that they will lock out USB storage devices should already have mechanisms in place to prevent or restrict alternate O/S booting - and more importantly, the policies to fire your rogue ass should you choose to circumvent them.

  18. The real point is being missed. by i_r_sensitive · · Score: 4, Insightful
    This not about corporate information security. This isn't about wether *admins should have the right to do this or not. Those are issues every company has to answer for themselves.

    What this *is* about is just one more "feature" that M$ is putting into their offering that UNIX/Linux/Et. AL. have had forever.

    When you start diluting the issue talking about the conspiracy mumbo-jumbo, and fascist *admins, and what have you, you really are helping M$ along...

    The only rational answer to an announcement like this is:

    That's not news, that's not a feature, that's integral to any well designed OS.
    --
    "Talk minus action equals nothing" - Joey Shithead, D.O.A.
    "Talk minus action equals /." -
  19. Re:ban in sp2 by McComas · · Score: 5, Insightful

    Tut-tut. If you are going to come down on MS over this option, don't distort the issue. MS would love to have more fancy shmancy hipster customers, vis. MSN music store. The option isn't less useful, it is more useful; especially to IT administrators looking for a greater degree of control over their users' digital schpincters. If you are going to flame MS, it should be over the extension of control they can exert over users, not some kind of social pogrom against whomever you are concerned with. And, as it has already been pointed out, there have been tools around to do this for some time.

  20. It is indeed about security, not control... by MonkeyCookie · · Score: 5, Insightful

    ...at least on the part of Microsoft. Microsoft isn't trying to keep you from using USB drives or iPods, silly. You'll be able to use them by default. It simply gives the system administrator the ability to control the computer by giving them the *option* to disable these features.

    There are a lot of organizations that don't want people plugging in USB storage devices and walking off with their critical, sensitive data. This gives them the ability to make their computers more secure, so less scrupulous people won't walk away with data.

    I would think that on a site full of Linux people, there would actually be celebration about having more control over your computer. I think Microsoft should be commended on this one.

  21. What about banning booting Knoppix CD? by ReelOddeeo · · Score: 3, Insightful

    Can Windows also prevent me from booting a Knoppix CD to copy files to my USB device?

    --

    Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
  22. Half-assed, probably can't be done feasibly anyway by jhoger · · Score: 4, Insightful

    But you're missing the fact that these schemes don't work for folks that know what they're doing, which is who you are trying to control.

    Everyone else, i.e. the people that are just trying to get their work done, are the ones impacted by these efforts.

    USB storage devices may be a closeable hole. Are you going to close these too:

    1. The Internet. Companies try. But if you can make a web request, send an email, etc. you can send data out of the company, very efficiently. Even the most byzantine "Great Firewall of Company X" leaves this door wide open. They may put a proxy, etc. That doesn't close the hole.

    In fact, anyone worth their salt can create an encrypted VPN over any two way channel you give them.

    2. The serial port, say connected to a cell phone, or a laptop.

    3. The Parallel port. Laplink cable and a laptop, or maybe a parallel connected MP3 player (old models available for $5-$30 on ebay).

    4. The ethernet port. Seriously, have you seen a computer that didn't allow connections to other machines on unpriveleged sockets? The Rio Karma comes to mind as something you could hook up there.

    5. Floppy disk drive

    6. CD-ROM burner. Typically easily available on every corporate network I've seen.

    7. USB port on other protocols than "Storage," like say the simple USB peer-to-peer network cables.

    8. Photons emitted by the monitors convey information which may be written down or relayed over a telephone or photographsed with a camera

    9. Directly connected, and network printers. If you really want to, you can just print it out, and likely you could print a heck of a lot of info reduced down so small that you could shove the piece of paper in your nose and blow it up later to a readable size.

    Given all of this, I'd say it is pointless to try to close all the holes without a ground up redesign of how operating system security works, and even then, there are ways around it. Neither Microsoft nor industry is going there any time soon, so why get in the way of folks just trying to get their work done if the problem isn't really solved?

    -- John.

  23. ...compared to homes by Eravau · · Score: 5, Insightful

    Doors are useless. You're missing the fact that these don't work for folks that know what they're doing, which is who you're trying to control. Everyone else, i.e. the people that are just trying to get in and out of their house are the ones impacted by these doors.

    Doorways may be a closeable hole. Are you going to close these too:

    1. The windows. People try. But if you can throw a rock, brick, or wield a baseball bat, you can get through a window. You may use double-plated glass, etc. That doesn't close the "hole".

    In fact, anyone worth their salt can break a window and go through it.

    2. The chimney, say accessed via a ladder or grappling hook.

    3. The skylight. Roof access is attainable via ladder or nearby trees if so inclined.

    4. The crawl space. You could cut holes up through the bottom all day an nobody would see you.

    Given all of this, I'd say it's pointless to try to close all the holes without a ground up redesign of how houses work, and even then, there are ways around it.

    In conclusion, I think doors are pointless. They don't keep anyone out that really wants in. For that matter, windows and walls should also be done away with. I see no point in closing off what access we can. It's better just to let those who want access have as easy and fast a go at it as possible.

    1. Re:...compared to homes by jhoger · · Score: 4, Insightful

      Poor analogy.

      Unless you have bars all over the place, a homeowners door is a message/statement, not a barrier.

      It says, don't open this/enter without permission.

      Disabling USB storage is an attempt to enforce policy by technological means. It is not a message. And it implies a mistaken belief that it is a good defense, which it ain't...

  24. Might mitigate corporate reaction? by meowsqueak · · Score: 3, Insightful

    This isn't so bad - it might mean companies don't have to ban these devices outright if they have a way of preventing them from interfacing with their network. Implementation issues aside, I'd rather listen to music at work with my DAP, even if I can't hook it up to my workstation, than have to sit all day listening to the hum of fans blowing, the beeps from detected bit errors, inane colleague conversation and random cellphone activity.

  25. Guns don't kill people... by jhoger · · Score: 3, Insightful

    Just because you wish that employees be treated as automatons with no ability to make intelligent choices doesn't mean you should.

    A USB drive is not a gun. And I don't think guns have much utility in the typical workplace...

    If you want employees to be effective and efficient they need to be empowered to do their work. Putting in artificial roadblocks is just red tape. You need to justify that policies will do what you want them to do. Otherwise, they just get in the way of good people trying to do their work.

    If they are the small percentage with bad intent, actually looking to do damage, you're fighting a lost cause. Managers need to know, monitor, and demand that policy be followed. An important aspect of that is not making pointless policies that don't solve a real problem.