Slashdot Mirror
Longhorn Will Have Ability to Ban External Storage Devices
slashdotbs writes "CNET is reporting that Microsoft will allow IT managers to block devices such as USB memory keys and - shockingly! - iPods. The article refers to 'the threat posed by digital storage devices'."
Block access to USB keys?
Hell, we can do that now!
Remember that SP2 has several new longhorn "features" that were rushed into the service pack in the name of security.
Davak
and - shockingly! - iPods.
Shockingly, michael, people use iPods to backup data! Companies don't want their employees leaving the premises with this data and checking through tens of thousands of bags is time consuming and expensive. Perhaps this would be different if iPods weren't easily able to be used for backing up data but that's just not the case.
According to the article this feature is available in XP SP2. See here for more information.
No, it's not some Microsoft conspiracy to end iTMS and the iPod.
They need to give IT people the ability to block IE, it's more dangerous than any removable storage device.
Companies struggle with protecting their confidential and proprietary information. Being able to to do this at a policy level will be a big help to a lot of security folks.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
The device you've attached to your computer is not Microsoft Certified and is therefore potentially dangerous. Please visit microsoft.com to purchase an approved device.
iPod acts just like any other USB storage device on Windows. It is still a security issue.
Comment removed based on user account deletion
For many people, it's currently easier to walk out with a USB device full of files than it is to connect to yahoo mail and send them as attachments. (Proxies, transfer size limitations, etc.) This is a logical step, like removing floppy drives in the 1990s and then limiting their use with software with Microsoft security policies.
I was talking to the CIO of a major health organization who had commissioned his engineers to find a solution to the problem of people bringing in their USB flash drives. Since he's worried about patient privacy, there's the fear that somebody would be inside, stick in a USB drive, copy data and walk out.
I know - "but what if they use a notepad, dummy". Yes, there is that problem - but last time I checked, you can steal a ton more data via a USB drive than a piece of paper.
The engineers answer? Epoxy glue in the USB slots. Not the best choice.
So for places that have to deal with security, this is good for two reasons. First, it prevents people from taking data through alternate methods (USB/Firewire drives). Second, it lets people with those devices bring them into the lab.
Take the iPod example. If you're working in one of my secure labs, I might tell you "sorry - leave it outside". But with this technology, I can say "Sure - bring it in and listen to your tunes" with a reasonable level of surety that they're not to go copy data they shouldn't.
So from my mind, this is a Good Thing, and I'd like to see it on my OS X/Linux machines as well.
52 Weeks, 52 Religions with John Hummel
Seriously,
Just because you give IT administrators the power to lock down the computer doesn't mean that Aunt Sallie isn't going to be able to use her iPod.
Imagine you administer a huge corporate network and you've standardized on Longhorn. Now imaging that the single biggest threats your network has seen in the past have originated from customer service reps bringing files from home on their iPods and Thumbdrives. If I were an administrator, I would have no problem locking down those machines to eliminate that threat.
Oh no! You mean people can stop me from attaching devices to computers they own and administrate?? Will microsoft's villany never end?!?
"The price good men pay for indifference to public affairs is to be ruled by evil men." -Plato
Microsoft since 2000 has always had Group Policy definitions to restrict CD burning and Floppy use on certain PCs, why is this such a big deal? Because it has the word "iPod" in the article?
It's not like every IT department is going to start locking down USB keys.. it takes one employee complaining to their manager they can't take their uber-important files home to work on at night to get things like this reversed anyway.
Nail biters don't bother.. it's just a slow news day for Slashdot
There is a rage in me to defy the order of the stars, despite their pretty patterns.
Windows XP SP2 already has this. The referenced article describes a larger new feature that would include this as a subset, but "the future is today" regarding IT admins being able to lock out USB storage devices.
substitute iPod with samsung, sony, dell..
And the point is that MS is not the one who makes the decision about what devices to ban. It is the office manager. Who knows if the office manager himself might have an iPod?
While I personally believe this is a good thing, often these things can be circumvented easily by... booting a knoppix CD. Of course a modern BIOS will allow you to restrict booting from a floppy (yes I know... I am the only person who still uses these), or a CDRom, but all can be undone with 30 seconds and enough balls to open your case. Even then, Im sure there is some trick to purge the CMOS without ever cracking the case.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
I don't own an iPod, but I imagine it's just a plain ol' USB storage device when plugged in. As such, it's as much of a security risk as any other, similar device.
We've all been slagging off MS for years now for their attitude to security; no point in whining now when they get it right, just cos you can't play music through your desktop speakers.
BTW: cool link on that page. Well, not cool, but I like the headline: Allchin: Don't call it 'Shorthorn'
Uhm...
If users didn't have rights to do "bad" things, then USB keys and iPods wouldn't be a concern.
Isn't this exactly what they are doing? Giving admins the ability to take away unnecessary rights from the user?
Our IT folks have locked down our Unix Workstations from mounting most media. These devices especially mp3 player that act like drives cause our semi-technical security to freak.
It will help windows make inroads into classified environments.
(some feel that store bought "music" media should labeled to its security level, except cd burners can't burn store bought music cds.)
Why is this a bad thing? It just gives more choices for security. Now if a sysadmin blocked these ports they better have an alternative to getting files off the machine (if files need to be copied somtimes...) Also, anyone know how the blocking is done? Can it be on a per device basis, or just all external storage devices?
-You're only as clean as your towel.
OMG! There's this tech company with whom I correspond, and ALL of their emails come from Outlook! They're in bed with Microsoft! OMG!!!
I worked on a project where we had to remove every USB, firewire, CDROM, and floppy drive along with sheathing all the plugs and sealing all the connections on hundreds of computers to satisfy some of the more stringent controls required in HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996) that no unauthorised persons be able to access restricted documents. It was cheaper than using control software (trusted computing platforms and certification is wicked expensive).
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Case in point. A company has proprietary and confidential information that you, as their employee, have access to (without having admin privs). The company wishes to restrict your ability to make copies and potentially misuse (i.e., steal) that information.
I fail to see what administrator priveleges have to do with this.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
You can train a horse to stay in the barn, but it's far more effective to close the doors as well.
Some companies work with "trade secrets."
Some companies work with YOUR "private information."
Some companies work with your country's "military profile."
I think it's perfectly appropriate to empower the IT department to set forth a flexible and strategic policy of which devices are interoperable, and which devices are not.
[
I feel much safer knowing MS is looking out for us, can't you just feel that invigorating "innovation" starting to pulsate through your O/S?
Excuse me - i'm getting woozy . . .
and another operating system using a different way to control access to devices is inherently wrong?
$ mount /dev/sda1 /mnt
mount: only root can do that
***Quis custodiet ipsos custodes***
I see a lot of comments talking about "anal sysadmins" and such. In a commercial environment that may be true. But there's an area where it is even MORE important to be able to lock these devices out: The government / sensitive info computers of the world. Think about all of the work that goes on in these places and the number of computers, many of which are on Solaris and Windows (some Linux is approved, but not much) They have to implement these features to keep national-security type information from walking out on someones keychain. (course those items cannot be in secured areas anyway, but I digress).
As an aside, I wonder how long it will be before we see the first 'boot type virus' (or perhaps a FAT FS virus) on these things like the good old days of floppies?
The referenced item from Intego was about a theoretical Trojan horse that no one appears to have actually taken advantage of to do evil (symantec's take on it. Also a detailed look at the "security alert" can be found here.
Anyway yes any storage device could have a Trojan, etc. dropped onto it. Yet in the case of the iPod and other storage devices (at least under Mac OS X) just because such a beasts exists on the storage device doesn't mean that once connected it spreads (no auto-run of code on mounted devices is supported on Mac OS X without third-party tools).
Not much can protect one from a Trojan if the victim cannot recognize it for what it is (sure virus scanners may hit on it if it is a known trojan).
Anyway the real issue is mostly about users dropping company data onto their iPod, etc. (likely unencrypted) and then walking out the door and possibly losing it...
Everyone seems to agree that the ability to disable USB is a good idea, but this has been around for quite a while........not just WinXP. Most BIOS's have the ability to disable USB. Just set this, add a password, and physically lock it down.
but what does one eat at an "OMGWTF" Barbeque?
Just blob it into the USB ports on the motherboard and be done with it. It stops "boot Knoppix and save it to your USB key" approaches, too.
I believe the /etc/fstab entry would be something like this :
/dev/sda1 /mnt/usb1 auto noauto,user,ro 0 0
A workaround for longhorn's external device blocker was found. By simply coloring your device black with a marker and holding it, you will be able to mount your drives.
...spike
Ewwwwww, coconut...
This is not a big deal folks. My spouse works for a financial institution and they block access to Internet based email (e.g. GMail, Yahoo, etc). My current employer blocks ftp access to the outside world. My last employer didn't allow us to bring our cell phones or pagers into the secure computer labs. The computer you use at work is not yours and you can't do with it as you wish. This may be frustrating for us techies but it is the truth. Remember folks that this is intended to be used by corporate users and NOT for home users. This is just a natural progression of companies wanting to make sure that employees don't run off with data that they are not supposed to. Anyone else remember this fiasco?
OS X, Linux, Tivo, Amiga, my fascination with cult-like technologies would intrigue any psychiatrist.
Don't they mean the threat of _third party_ storage devices? :-)
- Kevin
The less confident you are, the more serious you have to act.
Linux has had this since 1991.
Seriously, it's called fstab.
It's also a handy way of keeping confidential information from leaking.
Now... if only I could figure out _how_ to get my users classified as a storage device...
Seriously... did anyone else notice that the story was submitted by someone calling themselves slashdotbs?
:)
If it were April 1, I'd think Michael was playing a joke on us, but as it stands, I think someone pulled a pretty good joke on Michael.
What MS is doingis making it harder to steal, not impossible. One continues to raise the bar of difficulty until one attains a level of acceptable risk. This makes it easier to raise the bar.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I work in the IT dept. of a financial institution. Our info security team is damn good at what they do, and they'll likely recommend that USB keys be blocked when (if) we ever make it to Longhorn - we're still on Win2K for desktops. Still, for all the measures they put in place, I've got ways around them. Port 80 and 8080 will always be open outgoing. So I use 8080 to SSH home, and port-forward all kinds of nifty services on my home network, like SlimServer, PopFile, VNC, and Remote Desktop for my Windows box. If they close 8080, I'll just find a different port.
I just bought a 1GB usb key with the ability to be 'bootable.'
:) )
So, no only do they have to prevent external storage, but they also have to turn off USB booting, and password the BIOS. I don't know if those are standard practices or not.
And, with this ability to turn of external drives, does that retain the ability to use other USB devices? Wouldn't there be some sort of 'spoofing' that could happen? (don't ask my what...I haven't figured that out yet.
--Welcome to the Realm of the Hawke--
Why would the users at your work be physically near a server to put a USB key in?
What this *is* about is just one more "feature" that M$ is putting into their offering that UNIX/Linux/Et. AL. have had forever.
When you start diluting the issue talking about the conspiracy mumbo-jumbo, and fascist *admins, and what have you, you really are helping M$ along...
The only rational answer to an announcement like this is:
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
"Talk minus action equals
If they can read them, then they can upload them somewhere else. They don't NEED an iPod or USB key. Kapesh?
if you are working in such a place that doesn't want you taking files out on USB devices, what makes you think you have access to upload them outside of their network, or access to email them out into the wild?
The dedicated can always do something to circumvent. This "solution" by MS is either a small part of a larger set of security checks or for detering the quick steal. I don't see it as a "hack" to fix a broken OS at all.
Microsoft in the name of security has done alot more silly things... like the fact that you can't send word/excel docs as attachments using outlook anymore. Instead of fixing their security holes they just disable whatever might cause viruses to spread...
.exe files because that is the only way they can stop people from getting viruses.
Pretty soon MS will disable double clicking
Microsoft response, courtesy of Steve Ballmer: I'll 'fstab' you in the face!!
Actually, all the admin has to do now (in Win 2k or Win XP) is change the setting for "Allow users to manage devices" and the users can't add devices, even USB devices, without admin priviledges. This sounds like a more pointed approach, so you can add/remove other things, but not USB keys.
In the USA, we like stuff watered down, like beer, television, and freedom.
...at least on the part of Microsoft. Microsoft isn't trying to keep you from using USB drives or iPods, silly. You'll be able to use them by default. It simply gives the system administrator the ability to control the computer by giving them the *option* to disable these features.
There are a lot of organizations that don't want people plugging in USB storage devices and walking off with their critical, sensitive data. This gives them the ability to make their computers more secure, so less scrupulous people won't walk away with data.
I would think that on a site full of Linux people, there would actually be celebration about having more control over your computer. I think Microsoft should be commended on this one.
This paranoia over USB flash drives and iPods just shows how uninformed, uneducated and like lemmings general IT personnel are.
How is an iPod or a USB flash drive any different than a floppy disk? Or a ZIP disk? or CD-RW?
In the past, most CPUs have had some form of writable removable media drive such as a floppy, zip disk, ls120, etc. USB is the new form of that. So why the panic?
Job security? After all, network security is the new black. Or is it paranoia over USB flash drives and iPods that are the new black?
All locking out these devices does it make it inconvenient for people to do their job. No more storing that Powerpoint presentation on a USB drive and plugging it into the meeting room projector, you'll have to bring the whole computer.
And if someone REALLY wanted to steal corporate data, they'd remove the hard drive, take it home, copy it, and bring it back.
Good point! But now there is a way of limiting their access to the sensitive information. So now less trust is required to do the same job which makes it easier to find someone to do it.
It sounds like you're against it but from your post I can only figure why this is a good thing.
As usual, Microsoft continues to push the blame elsewhere instead of fixing their damn OS!
I thought this was a change to their OS? You wouldn't call this a fix then?
With proper management of GPO policy you can disable such external beasts today..
You can even disable things such as floppy drives...
Could even do that with NT 4...
---- Booth was a patriot ----
There have been third party products that allowed you to lock out external media (cd-rom, floppy, etc) for quite some time. Unless you were logged in as domain administrator of course. Also you need a password to boot from a floppy and flash the BIOS on most secured networks.
The idea that an IT admin is given tools necessary to prevent outside data from getting into the network and to prevent data from getting out of the network is neither new nor is it a bad idea.
Of course one can still just zip up a bunch of secret document and mail them to an anonymous account like gmail. That does leave a pretty nasty paper trail though.
“Common sense is not so common.” — Voltaire
So my Neuros player will still work right?
Didn't think so. The story just sounds more sinister when a trendy gadget is apparently singled out. The writer thought by giving it a MS Vs Apple twist more people would read it.
If you want to steal a file this is no more difficult than doing an https POST to a web server. Pretty hard to block and pretty hard to detect.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
Microsoft already has documentation on disabling USB, and you do not need to wait for SP2 to implement this. http://support.microsoft.com/default.aspx?scid=kb; en-us;823732
As for the quote,
"IT managers do have access to tools that would allow them to block USB ports, but such tools are little-known, and little-used. "There are tools that are available to...manage USB ports, but 99.9 percent of all machines in corporations don't have anything like that," Brill said."
I guess Mr. Brill is not aware of the obscure concept of Microsoft Group Policies, file permissions and google.
Can Windows also prevent me from booting a Knoppix CD to copy files to my USB device?
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
But you're missing the fact that these schemes don't work for folks that know what they're doing, which is who you are trying to control.
Everyone else, i.e. the people that are just trying to get their work done, are the ones impacted by these efforts.
USB storage devices may be a closeable hole. Are you going to close these too:
1. The Internet. Companies try. But if you can make a web request, send an email, etc. you can send data out of the company, very efficiently. Even the most byzantine "Great Firewall of Company X" leaves this door wide open. They may put a proxy, etc. That doesn't close the hole.
In fact, anyone worth their salt can create an encrypted VPN over any two way channel you give them.
2. The serial port, say connected to a cell phone, or a laptop.
3. The Parallel port. Laplink cable and a laptop, or maybe a parallel connected MP3 player (old models available for $5-$30 on ebay).
4. The ethernet port. Seriously, have you seen a computer that didn't allow connections to other machines on unpriveleged sockets? The Rio Karma comes to mind as something you could hook up there.
5. Floppy disk drive
6. CD-ROM burner. Typically easily available on every corporate network I've seen.
7. USB port on other protocols than "Storage," like say the simple USB peer-to-peer network cables.
8. Photons emitted by the monitors convey information which may be written down or relayed over a telephone or photographsed with a camera
9. Directly connected, and network printers. If you really want to, you can just print it out, and likely you could print a heck of a lot of info reduced down so small that you could shove the piece of paper in your nose and blow it up later to a readable size.
Given all of this, I'd say it is pointless to try to close all the holes without a ground up redesign of how operating system security works, and even then, there are ways around it. Neither Microsoft nor industry is going there any time soon, so why get in the way of folks just trying to get their work done if the problem isn't really solved?
-- John.
There is a setting in the local security policy that stops people from adding hardware.... This includes usb drives and ipods. Been there for a long time too Win2K without the SP's and later. I find it hard to believe that MS would put that into Local Security Policy and not have it at the Domain Security Policy. I dont feel the need to upgrade my system to a domain controller to verify that though.
Stop signs are only Suggestions
There is no security without physical security. Leave me alone with a working device long enough and I can get the data out of it. From a certain point of view, DRM software is a system administrator. This feature will be more effective for controlling what the lightweight user does than at preventing corporate theft by a computer professional.
No, I think that if you are going to solve a problem you need to make a serious, comprehensive attempt to solve it.
This is just one facet of the problem. Patching this whole is just to give the unknowledgeable a false sense of security. And that is more dangerous than leaving them worried, which might prompt more serious consideration.
Credit card information can be pretty well locked down. It is normally restricted to one machine, and that machine is restricted to a certain set of users. It should be stored encrypted, and only some folks should have the keys.
Disabling USB storage devices on such a machine won't help if you don't trust the employee that has access. In fact that is probably the real issue; trying to let technology replace taking real responsibility for knowing and monitoring your employees. People steal data, and you need to know that your people aren't going to steal it. It's more of a human problem than a technical one.
Do not order computers with external device access.
Alternatively:
1)Remove USB ports at the motherboard.
2)Do not install floppy or zip drives.
3)Do not install CDR/DVRs.
4)Remove all legacy serial and parallel ports.
Now just how you will get any work done is another matter.
"Rocky Rococo, at your cervix!"
I don't think the feature itself is at all controversial. It is a matter of security to be able to block external devices to unauthorized users on your machine. There are ways to do this today in current versions of Windows with third party products.
Two things come to mind however:
1. Who will actually implement this feature? We're talking about something that really digs into the hardware/firmware/low-level-OS hooks of a system. For all practical purposes MS could simply shove most of the hard work off to the hardware makers saying that it provides a standard configuration panel in Windows and an API to unify the diverse hardware standards for features like this. Of course, it'd be up to the headaches of the hardware makers to make sure that things like firmware upgrades / hard resets / external booting are available but respect the settings of this API.
2. Is this something that software programmers will encourage? Before it became popular to mount USB cameras as FAT partitions on your desktop, digital cameras had to use a serial cable and follow an elaborate, non-standard syncing APIs and mechanisms. The simplicity from the programmer perspective of having a simple data repository that acts like a file system device lets them spend their time on many other things rather than handshaking and querying acrobatics. Unless MS is also implementing an extensible sync architecture which will allow them to properly screen out the "true" hardware storage devices but allow things like cameras and PDA's to be read into the computer, then I forsee most users turning off this security feature as the first or second step in the instruction manuals of most devices (just as turning off the MS firewall appears to be the first step of many Internet enabled programs).
Bottom line: There is absolutely no point in banning removable media access if I have a dedicated internet access already! A person who really wants to steal company data, will always find a way. So why prevent use of a beneficial technology?
rwx
Coderz 4 Life
Doors are useless. You're missing the fact that these don't work for folks that know what they're doing, which is who you're trying to control. Everyone else, i.e. the people that are just trying to get in and out of their house are the ones impacted by these doors.
Doorways may be a closeable hole. Are you going to close these too:
1. The windows. People try. But if you can throw a rock, brick, or wield a baseball bat, you can get through a window. You may use double-plated glass, etc. That doesn't close the "hole".
In fact, anyone worth their salt can break a window and go through it.
2. The chimney, say accessed via a ladder or grappling hook.
3. The skylight. Roof access is attainable via ladder or nearby trees if so inclined.
4. The crawl space. You could cut holes up through the bottom all day an nobody would see you.
Given all of this, I'd say it's pointless to try to close all the holes without a ground up redesign of how houses work, and even then, there are ways around it.
In conclusion, I think doors are pointless. They don't keep anyone out that really wants in. For that matter, windows and walls should also be done away with. I see no point in closing off what access we can. It's better just to let those who want access have as easy and fast a go at it as possible.
3/4 of the posts I've read are blasting MS for this. Why? Did you people even RTF extract?
MS is not banning you from using these devices. It is setting up a way to ban them. You decided to set it up or not. This is a way for companies to lock down their networks a litle more. This isn't an abuse against you. We're talking about machines you don't own here...property of the corperation you work for...
Geez. Plus, doesn't Linux already let you do this? So, why doesn't linux get flack for this?
Let's be fair people. Just cuz MS is doing it, doesn't mean it is evil.
-Mark
Dovie'andi se tovya sagain.
This isn't so bad - it might mean companies don't have to ban these devices outright if they have a way of preventing them from interfacing with their network. Implementation issues aside, I'd rather listen to music at work with my DAP, even if I can't hook it up to my workstation, than have to sit all day listening to the hum of fans blowing, the beeps from detected bit errors, inane colleague conversation and random cellphone activity.
A more simple alternative? Disable it in BIOS.
"On a scale from 1 to 10, people are stupid"
> 5. Floppy disk drive
Nope, can't. That's dead.
So what's to stop someone from making a USB disk key that pretends it's a printer and stores data as postscript? You could even have it masquerade as a regular Epson printer or anything else that appears benign to the system.
Enter Zip Linux - Linux on a 250mb zip disk. Just boot into it and mount the NTFS filesystem.
But I'd prefer to disable USB in the bios and lock the bios - but the IT guys never do that - it means they have to remember the password.
Save Pangaea!! Stop Continental Drift!!
How about crappy stuff coming IN?
As in trojans, etc getting onto the network because some doofus thought it would be cute to use his ipod as a storage device between home and work...
Just because you wish that employees be treated as automatons with no ability to make intelligent choices doesn't mean you should.
A USB drive is not a gun. And I don't think guns have much utility in the typical workplace...
If you want employees to be effective and efficient they need to be empowered to do their work. Putting in artificial roadblocks is just red tape. You need to justify that policies will do what you want them to do. Otherwise, they just get in the way of good people trying to do their work.
If they are the small percentage with bad intent, actually looking to do damage, you're fighting a lost cause. Managers need to know, monitor, and demand that policy be followed. An important aspect of that is not making pointless policies that don't solve a real problem.
If *I* really wanted to steal something, the only way you could stop me is to disable access to ***ALL*** i/o -- /audio ports,
including sealing the serial / parallel
AND hard-wiring the mouse, keyboard, ethernet, and monitor connections -- at BOTH ends.
Leave ANY of those open, and I'll be able to write to magnetic media,
UNDETECTABLY to anyone who isn't standing next to me at the moment when I'm connecting my evil capture device.
And even after you do all that, I can STILL transmit data -- encoded (e.g., barcode) in high frame-rate video -- from one tiny innocent-looking window, to a button-hole video lens in my shirt.
Then there's EM emissions recording.
IOW, if you don't strip-search me, your data is "gone in 60 seconds".