On the vexed question of USB and security - as you may know this is our speciality - so again I will try to tread carefully. Please tell me if you dont find this helpful and I will desist straight away!
I know it's not easy to preserve a good level of security and keep the convenience and flexibility of allowing removable memory devices to be used. As Geoff says there are a lot of considerations and some real 'gotchas'.
The reason we have concentrated a lot of developement on this area is that there seems to be many schools - a majority of schools as far as I can tell - who want or need both.
We have achieved this in numerous schools over the last three years or so but again as Geoff points out the problems are becoming more complex as the BECTA requirements etc require higher security and Impact Level labelling etc. making the problems very different when a student / pupil is logged in from when a staff member is.
In the latter case the prime need (in my understanding) is to enure that data leaving is encrypted and is auditable (and that everyone knows that) - while with the pupils it's principally to prevent the kind of problems we've been discussing here (exes / autorun etc) and the bringing in - or taking out - of MP3s and other copyright stuff.
It seems to me that every school is a little (or a lot) different in its needs and emphasis - and I'm constantly amazed at the diversity!
You will no doubt have gathered that we have not given up on the quest (for the best of both worlds) - far from it. But I am keen to know what the key people on the frontline are thinking and how they plan to meet these challenges.
Not sure I can help with arguments to persuade SMT to up the Araldite budget (kidding) but otherwise I might be able to help a bit here and there!
One thing to try, make a blacklist hash of the autorun.inf exe it calls.
I have a u3 stick so when I get back we can see if the hash blocks it or if each stick/manufacturer has a custom build of the exe.
The 'official' U3 removal is here Bring the power of portable software to your USB flash drive - make it a U3 smart drive!
We actually intentionally gave out USB sticks this year to our students that were formatted in this way - it means that I know they have and can't delete certain information [forms, handbooks, etc] (and as a bonus to them they have storage space for their academic work)
RabbieBurns (31st January 2009)
Latest Sophos Anti-virus has Application Control which stops all kinds of Nasties like this. Works very well, judging by the reports I get from Sophos. Stops all these U3 type fiddles, games, iTunes, media players... and more!!
Slightly off topic but this could also be a bit of a security issue with the Conficker infection doing the rounds at the moment. The partition and autorunning program may well be read only but I'd be a little worried that variations of this worm may be able to make use of that.
couldn't you use usbdlm to block all other drive letters except one that can be used for the usb memory stick in conjunction with ( assuming you have R2 ) to block autorun.info and exe's ( either or - or just both ) on the memory stick ( which you know will always load as that drive letter ( which you configured / set earlier using the usbdlm inf file ) due to usbdlm.
Sorry to drag up an old thread...
The potential of it was huge but because people like you didn't understand what you were buying it's been dumped.
For those moaning about the security aspects, its no more dangerous than a CD-rom that hasn't been completely disabled (and if you disabled it then why even have it in the machine?).
As someone said on page 2, they handed them to students so they could know for sure that students had copies of documents. This technology also had other uses - such as onboard storage of drivers for USB devices. It would have eliminated the need for M$ to have to include thousands of drivers with every version of Windows and then bloating your hard drive.
Didn't think about that last one huh.
I have a tool kit for those who wish to remove their U3 partitions - pm me your email and I'll be in touch. You can also install your own .iso images to the virtual CD too (which is just as dangerous as burning a CD before anyone comments).
Its not a problem that you've dragged up an old thread.Sorry to drag up an old thread...
Its your attitude it that's the problem.
If the subject was currrent then maybe some of your comments would be relevent and useful.
But the subject isn't current and your remarks aren't.
There are currently 1 users browsing this thread. (0 members and 1 guests)