At one school where conficker ran wild I banned drives/cameras/anything with RW memory and cleaned everything (took 3 goes!). I then disabled autorun on any devices and only allowed school pen drives that had been personally cleared by me.
I think disabling autorun will stop most bad virus from circulating and I hope/trust that Sophos could catch any infected word documents etc.
And banned hotmail etc so any incoming edocs come via the county email system only.
I've tried to request that they be disabled. I do realise how students and staff use them to transfer work around but with the portal being implemented across my schools, with home access, they can easily copy their work to that. Unfortunately I was over ruled by the powers that be. I have set Group policy to stop EXE files from being run from removable media but it doesn't stop the potential for viruses to get in on memory sticks
We've had conficker here also. Manual clean, staff informed only to use cleaned pens. We've got autorun disabled and USBDLM on all workstations. All exes are blocked for users off pen drives.
Mandatory encryption will be in place for staff soon (I hope). Would prefer to ban them - but staff would be lost without them. Need an alternative solution before they're banned (hopefully get there some day)!
We use the GP to restrict drive letters and then we use all of those that were available. We then use Sophos endpoint to block all removable data devices, but other USB devices are OK. We also block the front USB ports in the Students PC's in the PC BIOS. Basically USB data devices are banned from students PC's. Students need to use email or the VLE to get work in to the school.
For staff, we use Sophos endpoint to authorise USB devices and then ensure that these can only be read if they are encrypted, we authorise other USB devices, cameras and audio recorders, but as read only. I am hoping to ban USB data devices next year altogether, we have installed Barracuda SSL VPN for drive access for staff (and network server access for support) and once we have had it cleared by the exam body, we will extend the drive access to students.
you cant just block USB ports or pens at schools anymore, nearly all students use them to save work onto.
But thats the point some people are trying to make in this thread. People are pushing the students to their VLE's, Email systems to transfer work to and from home, or other sites in their schools. As far as i am aware there is not policy in place that stops Network Admins blocking the use of USB devices for students and staff, i think its just to their own discression on how they want to look after their systems from Virus'.
Originally Posted by JamesG
I know the school i look after, Memory Keys are not blocked in anyway and we have a number of issues with some machines being infected with a usb device virus which is a pain to remove, and transfers from usb pen to usb pen. I have tried to get something done about it by giving members of staff their own encrypted usb pens from school, but they are still bringing them in from home, so I am wanting to impliment Sophos to do all the USB and Device Controling, guess its just a matter of time before something major happens.
We had Conficker over the summer and what a pain it was!
Now the usb ports are blocked for the pupils (they have to use the VLE) but open for Staff, but they have to get their pens checked by us first.
Not ideal but its such a pain. The staff have remote access now so usb's are not getting used as much now at all.