+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 22
Hardware Thread, How are you dealing with the use of USB drives? in Technical; Hi Just a general query about how others approach the use of USB drives in school. We do not have ...
  1. #1

    Join Date
    Dec 2007
    Posts
    27
    Thank Post
    3
    Thanked 1 Time in 1 Post
    Rep Power
    0

    How are you dealing with the use of USB drives?

    Hi
    Just a general query about how others approach the use of USB drives in school. We do not have a restriction on the use of USBs but I am noticing more and more virus-infected drives brought from home. Our anti-virus is quite good in catching the majority but no anti-virus will pick up 100%. I want to tighten up the security of the network but it is not practical to put a blanket ban on their use. The options available seem to be:
    adjust group policies; third-party software - are there any out there actually as good as they say they are?; partial or complete bans on their use.

    It would be good to hear what sort of approach other schools are taking.

  2. #2

    Join Date
    May 2010
    Location
    West Yorkshire
    Posts
    139
    Thank Post
    0
    Thanked 13 Times in 13 Posts
    Rep Power
    0
    Most antivirus products have an option to disable USB pens but not powered USB Hard Drives. I know ESET does this

    Shaun Dibble
    VSP MCP

  3. #3

    Join Date
    Sep 2010
    Posts
    228
    Thank Post
    3
    Thanked 36 Times in 33 Posts
    Rep Power
    16
    "adjust group policies" - This but we dont block USB! I have added a software restriction policy that will stop users running exe files etc... from USB drives so they cant run them then sophos will delete any infected files it finds.

    "third-party software" - Never tried any!

    "partial or complete bans on their use" - Would need to be enforced, possibly with Group Policy or they will just ignore it, may impact on devices such as dig cams that are seen as removable media? But on the plus side if you are a secondary less worry about kids bringing in files they shouldnt have in school...

  4. #4

    Join Date
    Jun 2007
    Location
    London
    Posts
    894
    Thank Post
    64
    Thanked 171 Times in 140 Posts
    Rep Power
    55
    Sophos Enterprise Control v4 seems to have fairly comprehensive Device Control and Application Control policies. I'm currently trying out a few more restrictions on our wayward pupils to try to put a stop on their pesky USB devices.

  5. #5

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,247
    Thank Post
    882
    Thanked 2,745 Times in 2,319 Posts
    Blog Entries
    11
    Rep Power
    785
    If you have Vista or above the policies allow you to allow or restrict certain device IDs from being installed, this would let you allow cameras and other school certified device types but disallow any others or block specific problematic ones.

    Computer Config\ Admin Templates \ System \ Device installation \ Device installation restrictions

  6. #6

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,071
    Thank Post
    210
    Thanked 430 Times in 310 Posts
    Rep Power
    144
    Most of the viruses on USB memory pens are activated by the autorun procedure, so if you diable autorun on external drives this goes some way to stopping a lot of the problems.

    We just make sure our antivirus is absolutely up-to-date, other than banning their use completely I can't see any other way round the potential risk of viruses on them. We did evaluate this quite in depth and decided the risk was small providing we invest in a good virus checker, so we did just that.

    Mike.

  7. #7

    Join Date
    Dec 2007
    Posts
    27
    Thank Post
    3
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Thanks to all who have replied so far -your feedback has been useful. Seems so far that the way to go is group policy in conjunction with tweaking antivirus. I would be interested to hear if anybody is using any good third-party products.

  8. #8

    Join Date
    Dec 2007
    Posts
    885
    Thank Post
    92
    Thanked 165 Times in 140 Posts
    Rep Power
    50
    I use a combination of:

    Software Restrictions (Using GPO & disables Autorun!)
    USBDLM (Restricts Drive Letters and runs a script to show our USB AUP when USB inserted).
    Sophos Device Control (either disables/restricts USB, more importantly stops the CD-ROM partition being mounted on U3 drives that software can also be installed run from).

  9. #9
    soveryapt's Avatar
    Join Date
    Jan 2009
    Location
    Lancashire
    Posts
    2,424
    Thank Post
    657
    Thanked 278 Times in 245 Posts
    Rep Power
    78
    Although I don't lock down USB drives, as others have said, I was thinking of doing so for student accounts, more to stop the fact that we have a couple of students who come in and like to print off rather large documents. Now, we've just got PaperCut NG in place and I'm trying to convince the staff that we need to put the students on a print and release setup, but that would mean more staff involvement and they'd rather leave them to it.

    But now, I can't lock down USB drives for students as I've just been informed that I need to provide USB drives to a large number of our students as they need to learn how to use them as part of their functional skills.

    ARGH! Catch 22!

    [/RANT]

    Sorry .. that turned more into a rant than anything useful. I think that so long as you have in place a decent AV solution, you can get away with blocking certain files from running (.exe etc) which should hopefully lock things down enough, but I guess it depends on your reasons for doing it. If your AV is good and updated then you should, on the most, be ok, but if you have a number of want to be hackers, then it's another issue.

  10. #10

    synaesthesia's Avatar
    Join Date
    Jan 2009
    Location
    Northamptonshire
    Posts
    6,255
    Thank Post
    604
    Thanked 1,110 Times in 849 Posts
    Blog Entries
    15
    Rep Power
    488
    Other than the usual removal of autorun ability for USB drives, I also create a folder on any teacher USB drive I get hold of called autorun.inf and give it +R +S +H attributes and remove permissions for anyone but administrator. Double whammy for the school systems and offers a level of protection at home for them too, however that may be moot very soon as I start a drive to get Truecrypt in use in as many places as possible.

  11. #11
    salan's Avatar
    Join Date
    Nov 2007
    Posts
    384
    Thank Post
    41
    Thanked 42 Times in 28 Posts
    Rep Power
    28
    Has anyone any ideas on how I can block exe's etc from pens ie only allow data?
    We got hit with the conficker over the summer and it was a major pain to remove. I have blocked removable media at the mo, but i am getting pressure to unlock them again for staff (kids it will remain blocked).
    I vaigly remember some software that scanns you pen and if it finds any programs etc on it . it locks it out. It will only allow data to be on the pen. Does anyone know of such software?
    Alan

  12. #12

    nephilim's Avatar
    Join Date
    Nov 2008
    Location
    Dunstable
    Posts
    12,306
    Thank Post
    1,673
    Thanked 2,023 Times in 1,470 Posts
    Blog Entries
    2
    Rep Power
    457
    Anything plugged into the USB slot does not get registered due to us disabling them via GPO (for the back ones) and disconnecting the front ones. Win win for us here.

  13. #13

    Join Date
    Nov 2006
    Location
    Kendal
    Posts
    1,555
    Thank Post
    112
    Thanked 177 Times in 144 Posts
    Rep Power
    72
    We allow the use of usb drives with some of the restrictions listed above (no autorun, no exe from usb drive) but our biggest way forward is to get students to upload work to our Sharepoint VLE - this cuts the issue out to large extent. We are working with staff and students to encourage them to use My Site - it's early days but people are starting to use it.

  14. #14
    salan's Avatar
    Join Date
    Nov 2007
    Posts
    384
    Thank Post
    41
    Thanked 42 Times in 28 Posts
    Rep Power
    28
    Quote Originally Posted by jcollings View Post
    We allow the use of usb drives with some of the restrictions listed above (no autorun, no exe from usb drive)
    How do you do the 'no exe's'?
    Alan

  15. #15

    Join Date
    Jun 2010
    Posts
    198
    Thank Post
    9
    Thanked 25 Times in 24 Posts
    Rep Power
    21
    Quote Originally Posted by salan View Post
    Has anyone any ideas on how I can block exe's etc from pens ie only allow data?
    We got hit with the conficker over the summer and it was a major pain to remove. I have blocked removable media at the mo, but i am getting pressure to unlock them again for staff (kids it will remain blocked).
    I vaigly remember some software that scanns you pen and if it finds any programs etc on it . it locks it out. It will only allow data to be on the pen. Does anyone know of such software?
    Alan

    The answer is here Go to post number 19. I implemented this solution and it works great also blocks cd-rom drives from running exe's and any other file types if you wish.

    Kili



SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 6
    Last Post: 27th May 2010, 03:59 PM
  2. Usb pen drives
    By krisd32 in forum Our Advertisers
    Replies: 3
    Last Post: 15th June 2009, 02:22 PM
  3. USB Pen Drives
    By westleya in forum General Chat
    Replies: 31
    Last Post: 22nd May 2009, 02:50 PM
  4. USB Drives Survey
    By Dos_Box in forum Hardware
    Replies: 29
    Last Post: 26th June 2007, 09:47 AM
  5. USB Drives + Games
    By linuxgirlie in forum Windows
    Replies: 3
    Last Post: 9th February 2006, 12:00 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •