RE: [OT] Limiting the use of USB devices on Windows XP
- Subject: RE: [OT] Limiting the use of USB devices on Windows XP
- From: "John Andrews" <groups@xxxxxxxxxxxxxxxx>
- Date: Tue, 9 Aug 2005 21:15:14 +0100
Good job we don't allow cameras, scanners, CD-ROM drives, DVD drives,
memory sticks and anything else USB. I did not know about the controller
chip issue; we use DeviceLock as a general "it ain't going to work here"
thing, but I'll report your findings back to the DeviceLock team
(desktop team).
But then 90% of our user base is on NT and it works fine and is very
reliable.
-----Original Message-----
From: ukha_d@xxxxxxx [mailto:ukha_d@xxxxxxx] On Behalf Of Ward, David
Sent: 09 August 2005 17:58
To: 'ukha_d@xxxxxxx'
Subject: RE: [ukha_d] [OT] Limiting the use of USB devices on Windows XP
Thanks, but we've tried that and it doesn't work as advertised :S
If that camera uses a common interface controller, and the manufacturer
hasn't paid their $1500 to buy a unique ID, DeviceLock ends up allowing
any device with that controller chip!
---------
The VID/PID that DeviceLock uses originates from the controller chip,
not the flash storage.
I will give you a simple example, which I have just tried.
My company has identified the StegoStik (this product:
http://www.stegostik.com/) as our mandatory flash device. Hence in our
initial evaluation of DeviceLock (currently on a single machine only),
we have "whitelisted" this device, and blocked all others.
It is completely irrelevant to me WHERE DeviceLock gets the information
from, but DeviceLock defines a 64MB StegoStik in DeviceLock's own "USB
Devices database" as follows:
Description                 DeviceID
USB Mass Storage Device     USB\Vid_0ea0&Pid_2168&Rev_0200
This is what is added to the whitelist in DeviceLock in order to allow
access to it.
Now, if I take a 1GB PQI Intelligent Stick (this product:
http://www.emartbuy.com/uk/catalog/item/miscl/itemDetail.aspx?itemId=445)
and insert it, DeviceLock reports the same VID/PID combination and
ALLOWS ME TO ACCESS IT!
The point I'm making here is that the DeviceLock manual states:
"It means that all devices belonging to the certain model of the certain
vendor will be recognized as the one authorized Device"
This statement is fundamentally incorrect, as I can sit here with two
different products that look completely different, from two different
vendors, in two massively different capacities, and DeviceLock tells me
that it's the same device and allows it to be used, simply because they
share a common part (i.e. the controller chip)!
-----Original Message-----
From: John Andrews [mailto:groups@xxxxxxx]
Sent: 09 August 2005 17:39
To: ukha_d@xxxxxxx
Subject: RE: [ukha_d] [OT] Limiting the use of USB devices on Windows XP
DeviceLock - we use it, about $10 per seat.
Works similar to AD policies: you can allow a machine, a user or just a
device - i.e. camera for Jim on machine Y.
-----Original Message-----
From: ukha_d@xxxxxxx [mailto:ukha_d@xxxxxxx] On Behalf Of Ward, David
Sent: 09 August 2005 12:50
To: 'ukha_d@xxxxxxx'
Subject: [ukha_d] [OT] Limiting the use of USB devices on Windows XP
Limiting the use of USB devices on Windows XP
I have a friend who is currently being driven to despair trying to
implement site IT security. His brief is to prevent users from adding or
removing files to the company system using removable USB drives.
The problem is that there is a decree that users must be able to use
sanctioned company-provided USB flash drives (don't ask, we know how
contradictory and stupid this is).
The two commercial solutions, DeviceLock & SecureWave Sanctuary
DeviceControl, both operate using VID & PID from the USB device.
DeviceLock allows the use of a white list to even permit certain VID & PID
combinations,
BUT the daft thing is that the VID & PID used are the ones from the
device controller, and as 99% of flash drives use the same controller it's
impossible to limit the use to one specific manufacturer's flash drive,
and what's worse is that the DeviceLock people won't or can't even
acknowledge that a controller IC can have a different VID & PID to the
device it's used in - Arghhhhh!
We have looked at enumerating VID & PID ourselves but it quickly becomes
tricky determining which devices are USB flash drives.
Has anyone come across this problem or know of a possible solution?
Thanks for your time
Dave Ward
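The VID/PID collision described in this thread, worked through as an added example (not code from the thread, nor from DeviceLock or SecureWave): it parses Windows USB device IDs in the form quoted above and compares a whitelist keyed on VID/PID alone, which matches every stick built on the same controller, against one keyed on VID/PID plus the serial number the device itself reports. The VID/PID is the one quoted in the thread; the serial strings are constructed, and treating an instance segment that contains '&' as Windows-generated (device reported no serial) is a heuristic assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows IDs for USB devices (the first form is what the thread quotes):
#   USB\VID_0EA0&PID_2168&REV_0200           hardware ID: VID/PID come from the controller
#   USB\VID_0EA0&PID_2168\<instance segment> device instance ID; the segment is the USB
# serial string if the device reports one, else a Windows-generated "7&1A2B3C4D&0&1".
_ID_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&REV_([0-9A-F]{4}))?(?:\\([^\\]+))?$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class UsbId:
    vid: str
    pid: str
    rev: Optional[str]
    instance: Optional[str]

    @property
    def has_device_serial(self) -> bool:
        # Heuristic (assumption): a bus-generated instance segment contains '&',
        # a serial string reported by the device itself does not.
        return self.instance is not None and "&" not in self.instance

def parse_usb_id(device_id: str) -> UsbId:
    m = _ID_RE.match(device_id.strip())
    if m is None:
        raise ValueError(f"not a USB device ID: {device_id!r}")
    vid, pid, rev, inst = m.groups()
    return UsbId(vid.upper(), pid.upper(), rev.upper() if rev else None, inst)

def allowed_by_model(dev: UsbId, whitelist: list[UsbId]) -> bool:
    """DeviceLock-style match on VID/PID only, i.e. on the controller chip."""
    return any(dev.vid == w.vid and dev.pid == w.pid for w in whitelist)

def allowed_by_unit(dev: UsbId, whitelist: list[UsbId]) -> bool:
    """Stricter match: same VID/PID and the exact serial of a whitelisted unit.
    A stick that reports no serial can never be whitelisted individually."""
    return dev.has_device_serial and any(
        (dev.vid, dev.pid, dev.instance) == (w.vid, w.pid, w.instance) for w in whitelist
    )

# Constructed sample: the VID/PID is the one quoted in the thread, serials are invented.
STEGOSTIK = parse_usb_id(r"USB\VID_0EA0&PID_2168\STG64M000001")   # sanctioned stick
PQI_STICK = parse_usb_id(r"USB\VID_0EA0&PID_2168\PQI1G0000042")   # other vendor, same controller
NO_SERIAL = parse_usb_id(r"USB\VID_0EA0&PID_2168\7&1A2B3C4D&0&1")  # reports no serial
WHITELIST = [STEGOSTIK]
```

A serial match narrows the rule from a controller model to one physical unit, which is what the thread's test shows a VID/PID rule cannot do, but it is still only as trustworthy as the firmware reporting the serial.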