The UK Home Automation Archive


The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024



RE: [OT] Limiting the use of USB devices on Windows XP


  • Subject: RE: [OT] Limiting the use of USB devices on Windows XP
  • From: "Ward, David" <DAvid.Ward@xxxxxxxxxx>
  • Date: Tue, 9 Aug 2005 17:57:36 +0100

Thanks, but we've tried that and it doesn't work as advertised :S

If that camera uses a common interface controller, and the manufacturer hasn't paid their $1500 to buy a unique ID, DeviceLock ends up allowing any device with that controller chip!



---------
The VID/PID that DeviceLock uses originates from the controller chip, not the flash storage.

I will give you a simple example, which I have just tried.

My company has identified the StegoStik (this product: http://www.stegostik.com/) as our mandatory flash device. Hence in our initial evaluation of DeviceLock (currently on a single machine only), we have "whitelisted" this device, and blocked all others.

It is completely irrelevant to me WHERE DeviceLock gets the information from, but DeviceLock defines a 64MB StegoStik in DeviceLock's own "USB Devices database" as follows:

Description                     DeviceID
USB Mass Storage Device         USB\Vid_0ea0&Pid_2168&Rev_0200

This is what is added to the whitelist in DeviceLock in order to allow access to it.

Now, if I take a 1GB PQI Intelligent Stick (this product: http://www.emartbuy.com/uk/catalog/item/miscl/itemDetail.aspx?itemId=445 ) and insert it, DeviceLock reports the same VID/PID combination and ALLOWS ME TO ACCESS IT!

The point I'm making here is that the DeviceLock manual states:

"It means that all devices belonging to the certain model of the certain vendor will be recognized as the one authorized Device"

This statement is fundamentally incorrect, as I can sit here with two different products, that look completely different, from two different vendors, in two massively different capacities, and DeviceLock tells me that it's the same device and allows it to be used, simply because they share a common part (i.e. the controller chip)!




-----Original Message-----
From: John Andrews [mailto:groups@xxxxxxx]
Sent: 09 August 2005 17:39
To: ukha_d@xxxxxxx
Subject: RE: [ukha_d] [OT] Limiting the use of USB devices on Windows XP


DeviceLock - we use it, about $10 per seat.

Works similar to AD policies: you can allow a machine, a user or just a device - i.e. camera for Jim on machine Y.

-----Original Message-----
From: ukha_d@xxxxxxx [mailto:ukha_d@xxxxxxx] On Behalf Of
Ward, David
Sent: 09 August 2005 12:50
To: 'ukha_d@xxxxxxx'
Subject: [ukha_d] [OT] Limiting the use of USB devices on Windows XP


Limiting the use of USB devices on Windows XP

I have a friend who is currently being driven to despair trying to implement site IT security. His brief is to prevent users from adding or removing files to the company system using removable USB drives.

The problem is that there is a decree that users must be able to use sanctioned company-provided USB flash drives (don't ask, we know how contradictory and stupid this is).

The two commercial solutions (DeviceLock & SecureWave Sanctuary Device Control) both operate using VID & PID from the USB device; DeviceLock allows the use of a white list to even permit certain VID & PID combinations,

BUT, the daft thing is that the VID & PID used are the ones from the device controller, and as 99% of flash drives use the same controller it's impossible to limit the use to one specific manufacturer's flash drive, and what's worse is that the DeviceLock people won't or can't even acknowledge that a controller IC can have a different VID & PID to the device it's used in. Arghhhhh!

We have looked at enumerating VID & PID ourselves but it quickly becomes tricky determining which devices are USB flash drives.

Has anyone come across this problem or know of a possible solution?

Thanks for your time

Dave Ward

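The collision the thread describes (a 64MB StegoStik and a 1GB PQI stick both presenting VID 0ea0 / PID 2168, so a model-level whitelist passes both) is easy to reproduce on paper. The Python below is an added example written for this archive page, not code from DeviceLock, SecureWave or any poster. It parses Windows-style USB device IDs (`USB\VID_xxxx&PID_xxxx[&REV_xxxx][\<instance>]`), implements the VID/PID matching the posts complain about, and beside it a per-unit matcher that keys on the device's own serial number (the third segment of the instance ID, which Windows fills with a generated `&`-separated path when the device reports no serial). The VID/PID values come from the thread; every serial string is constructed for the example, and the assumption that a controller-level allowlist is being enforced on these IDs is the example's own.

```python
"""Added example: VID/PID allowlisting vs. per-unit (serial) allowlisting for USB sticks."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Windows device ID forms: a hardware ID (USB\VID_0EA0&PID_2168&REV_0200) carries no
# per-unit part; an instance ID (USB\VID_0EA0&PID_2168\<instance>) does.
_ID_RE = re.compile(
    r'^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&REV_([0-9A-F]{4}))?(?:\\([^\\]+))?$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbId:
    vid: int
    pid: int
    rev: Optional[int]
    instance: Optional[str]  # device-reported serial, or a Windows-generated path

    @property
    def has_device_serial(self) -> bool:
        # When a device reports no serial number, Windows synthesises an instance
        # path such as "6&1A2B3C4D&0&3"; the '&' marks it as generated, so it is
        # not a stable identity for the unit.
        return self.instance is not None and '&' not in self.instance


def parse_usb_id(text: str) -> UsbId:
    """Parse a Windows USB hardware ID or instance ID into its fields."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a USB device ID: {text!r}")
    vid, pid, rev, inst = m.groups()
    return UsbId(int(vid, 16), int(pid, 16), int(rev, 16) if rev else None, inst)


def allowed_by_vid_pid(dev: UsbId, allowlist: Iterable[tuple]) -> bool:
    """Model-level check as described in the thread: the VID/PID pair comes from
    the controller chip, so every product built on that chip matches."""
    return any(dev.vid == v and dev.pid == p for v, p in allowlist)


def allowed_by_unit(dev: UsbId, allowlist: Iterable[tuple]) -> bool:
    """Per-unit check: VID, PID and the device's own serial must all match.
    Devices that report no serial (generated instance path) are denied."""
    if not dev.has_device_serial:
        return False
    return any(dev.vid == v and dev.pid == p and dev.instance.upper() == s.upper()
               for v, p, s in allowlist)


# Constructed sample IDs. VID 0ea0 / PID 2168 are the values quoted in the thread;
# the serial strings are invented for this example.
STEGOSTIK_64MB = r"USB\VID_0EA0&PID_2168\STG000123456"
PQI_1GB = r"USB\VID_0EA0&PID_2168\PQI1GB7890AB"
NO_SERIAL_STICK = r"USB\VID_0EA0&PID_2168\6&1A2B3C4D&0&3"

MODEL_ALLOWLIST = {(0x0EA0, 0x2168)}                     # what a VID/PID whitelist holds
UNIT_ALLOWLIST = {(0x0EA0, 0x2168, "STG000123456")}      # one specific StegoStik unit


def evaluate(device_id: str) -> dict:
    """Return the verdict of both policies for one device ID."""
    dev = parse_usb_id(device_id)
    return {
        "vid_pid": allowed_by_vid_pid(dev, MODEL_ALLOWLIST),
        "unit": allowed_by_unit(dev, UNIT_ALLOWLIST),
    }


if __name__ == "__main__":
    for name, dev_id in [("StegoStik 64MB", STEGOSTIK_64MB),
                         ("PQI 1GB", PQI_1GB),
                         ("stick with no serial", NO_SERIAL_STICK)]:
        v = evaluate(dev_id)
        print(f"{name:22} vid/pid-allow={v['vid_pid']!s:5} unit-allow={v['unit']!s:5}")
```

Running it shows the VID/PID policy admitting all three sticks while the per-unit policy admits only the enrolled StegoStik and refuses the serial-less device outright. The caveat a practitioner should keep in mind: a serial is only as trustworthy as the firmware that reports it, so per-unit allowlisting raises the bar over the controller-chip VID/PID the thread describes, but it is still an identity claim made by the device, not a proof of which product is plugged in.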




