RE: [OT] Limiting the use of USB devices on Windows XP
- Subject: RE: [OT] Limiting the use of USB devices on Windows XP
- From: "John Andrews" <groups@xxxxxxxxxxxxxxxx>
- Date: Wed, 10 Aug 2005 06:39:20 +0100
With 300+ sites to manage... We do our best to keep a secure network.
-----Original Message-----
From: ukha_d@xxxxxxx [mailto:ukha_d@xxxxxxx] On Behalf
Of Mal Lansell
Sent: 09 August 2005 21:47
To: ukha_d@xxxxxxx
Subject: Re: [ukha_d] [OT] Limiting the use of USB devices on Windows XP
Well if you really wanted to take something, you'd just wait until
everyone else went home and plug a drive in internally - you'd need cctv
to stop that one.
John Andrews wrote:
>Good job we don't allow cameras, scanners, cd rom drives, dvd drives,
>memory sticks and anything else USB. I did not know about the
>controller chip issue, we use device lock as a general it ain't going
>to work here thing, but I'll report your findings back to the device
>lock team (desktop team). But then 90% of our user base is on NT and it
>works fine and is very reliable.
>
>-----Original Message-----
>From: ukha_d@xxxxxxx [mailto:ukha_d@xxxxxxx] On Behalf
>Of Ward, David
>Sent: 09 August 2005 17:58
>To: 'ukha_d@xxxxxxx'
>Subject: RE: [ukha_d] [OT] Limiting the use of USB devices on Windows
>XP
>
>
>Thanks, but we've tried that and it doesn't work as advertised :S
>
>If that camera uses a common interface controller, and the manufacturer
>hasn't paid their $1500 to buy a unique ID, Device lock ends up allowing
>any device with that controller chip!
>
>
>
>---------
>The VID/PID that DeviceLock uses originates from the controller chip,
>not the flash storage.
>
>I will give you a simple example, which I have just tried.
>
>My company has identified the StegoStik (this product:
>http://www.stegostik.com/) as our mandatory flash device. Hence in our
>initial evaluation of DeviceLock (currently on a single machine only),
>we have "whitelisted" this device, and blocked all others.
>
>It is completely irrelevant to me WHERE DeviceLock gets the information
>from, but DeviceLock defines a 64MB StegoStik in DeviceLock's own "USB
>Devices database" as follows:
>
>Description              DeviceID
>USB Mass Storage Device  USB\Vid_0ea0&Pid_2168&Rev_0200
>
>This is what is added to the whitelist in DeviceLock in order to allow
>access to it.
>
>Now, if I take a 1GB PQI Intelligent stick (this product:
>http://www.emartbuy.com/uk/catalog/item/miscl/itemDetail.aspx?itemId=445)
>and insert it, DeviceLock reports the same VID/PID combination and
>ALLOWS ME TO ACCESS IT!
>
>The point I'm making here is that the DeviceLock manual states:
>
>"It means that all devices belonging to the certain model of the
>certain vendor will be recognized as the one authorized Device"
>
>This statement is fundamentally incorrect, as I can sit here with two
>different products, that look completely different, from two different
>vendors, in two massively different capacities, and DeviceLock tells me
>that it's the same device and allows it to be used, simply because they
>share a common part (i.e. the controller chip)!
>
>
>
>
>-----Original Message-----
>From: John Andrews [mailto:groups@xxxxxxx]
>Sent: 09 August 2005 17:39
>To: ukha_d@xxxxxxx
>Subject: RE: [ukha_d] [OT] Limiting the use of USB devices on Windows XP
>
>
>Devicelock - we use it about $10 per seat
>
>Works similar to AD policies, you can allow a machine, a user or just a
>device - i.e. camera for jim on machine y
>
>-----Original Message-----
>From: ukha_d@xxxxxxx [mailto:ukha_d@xxxxxxx] On Behalf
>Of Ward, David
>Sent: 09 August 2005 12:50
>To: 'ukha_d@xxxxxxx'
>Subject: [ukha_d] [OT] Limiting the use of USB devices on Windows XP
>
>
>Limiting the use of USB devices on Windows XP
>
>I have a friend who is currently being driven to despair trying to
>implement site IT security. His brief is to prevent users from adding
>or removing files to the company system using removable USB drives
>
>The problem is that there is a decree that users must be able to use
>sanctioned company provided USB flash drives (don't ask, we know how
>contradictory and stupid this is)
>
>The two commercial solutions: DeviceLock & SecureWave Sanctuary
>DeviceControl both operate using VID & PID from the USB device, Device
>lock allows the use of a white list to even permit certain VID & PID
>combinations,
>
>BUT the daft thing is that the VID & PID used are the ones from the
>device controller, and as 99% of flash drives use the same controller it's
>impossible to limit the use to one specific manufacturer's Flash drive,
>and what's worse is that Devicelock people won't or can't even
>acknowledge that a controller IC can have a different VID & PID to the
>device it's used in - Arghhhhh!
>
>We have looked at enumerating VID & PID ourselves but it quickly
>becomes tricky determining which devices are USB flash drives
>
>Has anyone come across this problem or know of a possible solution?
>
>Thanks for your time
>
>Dave Ward
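
Added example (not part of the original thread, and not DeviceLock's code): a sketch of why a whitelist keyed on the VID/PID in the database entry quoted above admits every stick built on the same controller, next to a hypothetical check keyed on the per-device serial carried in the Windows device instance ID. The function names and the serial values are constructed for illustration; the serial is optional and reported by the device itself, so it narrows the match but is not proof of identity.

```python
import re

# USB\VID_xxxx&PID_xxxx[&REV_xxxx][\instance]. The instance part is the
# device-reported serial number, or a Windows-generated value whose second
# character is '&' when the device reports no serial.
_USB_ID = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&REV_([0-9A-F]{4}))?(?:\\(.+))?$",
    re.IGNORECASE,
)

def parse_usb_id(device_id):
    """Split a hardware ID or device instance ID into its fields."""
    m = _USB_ID.match(device_id.strip())
    if m is None:
        raise ValueError("not a USB VID/PID identifier: %r" % device_id)
    vid, pid, rev, instance = m.groups()
    generated = instance is not None and len(instance) > 1 and instance[1] == "&"
    serial = instance.upper() if instance and not generated else None
    return {"vid": vid.lower(), "pid": pid.lower(),
            "rev": rev.lower() if rev else None, "serial": serial}

def allowed_by_model(device_id, models):
    """VID/PID match only: the behaviour described in the thread."""
    d = parse_usb_id(device_id)
    return (d["vid"], d["pid"]) in models

def allowed_by_serial(device_id, devices):
    """Hypothetical stricter check: VID/PID plus a real serial must match."""
    d = parse_usb_id(device_id)
    if d["serial"] is None:          # no unique identity to match on: deny
        return False
    return (d["vid"], d["pid"], d["serial"]) in devices

PAGE_ENTRY = r"USB\Vid_0ea0&Pid_2168&Rev_0200"        # entry quoted in the thread
# Constructed instance IDs; the serial values are placeholders.
SANCTIONED = r"USB\VID_0EA0&PID_2168\EXAMPLE0001"     # company-issued stick
OTHER = r"USB\VID_0EA0&PID_2168\EXAMPLE0002"          # other product, same chip
NO_SERIAL = r"USB\VID_0EA0&PID_2168\6&2A1B3C4D&0&1"   # device without a serial

entry = parse_usb_id(PAGE_ENTRY)
MODELS = {(entry["vid"], entry["pid"])}
DEVICES = {("0ea0", "2168", "EXAMPLE0001")}

if __name__ == "__main__":
    for dev in (SANCTIONED, OTHER, NO_SERIAL):
        print(dev, allowed_by_model(dev, MODELS), allowed_by_serial(dev, DEVICES))
```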