Longhorn Will Have Ability to Ban External Storage Devices 721
slashdotbs writes "CNET is reporting that Microsoft will allow IT managers to block devices such as USB memory keys and - shockingly! - iPods. The article refers to 'the threat posed by digital storage devices'."
ban in sp2 (Score:5, Informative)
Hell, we can do that now! [tech-recipes.com]
Remember that SP2 has several new longhorn "features" that were rushed into the service pack in the name of security.
Davak
Re:ban in sp2 (Score:3, Informative)
Re:ban in sp2 (Score:5, Interesting)
Super-glue over the USB port would help with that.
In our hospital our computer people actually cut/disconnected the cables from all the usb ports and cd-roms to increase security.
Of course, the shmucks left IE installed... now they spend a zillion more hours removing spyware than they ever would by me booting to a CDR or USB key.
Re:ban in sp2 (Score:4, Interesting)
Re:ban in sp2 (Score:3, Insightful)
Of course, they can still pop in a Knoppix CD, mount the hard drive as RW, then copy files from another CD to the hard drive. Or just mount the hard drive as RO and then copy the companies files to any website via sftp, or burn them to disk.
For that matter, you CAN boot into DOS and read/write to a NTFS partition
Re:ban in sp2 (Score:5, Informative)
Reading is fun.
Re:ban in sp2 (Score:5, Informative)
That text about SP2 was NOT in the CNET article when it was first posted. They revised it as the result of comments on their own message board.
in other news (Score:5, Funny)
Re:does this apply to windows 2003 server? (Score:3, Insightful)
Re:ban in sp2 (Score:5, Insightful)
It is indeed about security, not control... (Score:5, Insightful)
There are a lot of organizations that don't want people plugging in USB storage devices and walking off with their critical, sensitive data. This gives them the ability to make their computers more secure, so less scrupulous people won't walk away with data.
I would think that on a site full of Linux people, there would actually be celebration about having more control over your computer. I think Microsoft should be commended on this one.
Half-assed, probably can't be done feasibly anyway (Score:4, Insightful)
Everyone else, i.e. the people that are just trying to get their work done, are the ones impacted by these efforts.
USB storage devices may be a closeable hole. Are you going to close these too:
1. The Internet. Companies try. But if you can make a web request, send an email, etc. you can send data out of the company, very efficiently. Even the most byzantine "Great Firewall of Company X" leaves this door wide open. They may put a proxy, etc. That doesn't close the hole.
In fact, anyone worth their salt can create an encrypted VPN over any two way channel you give them.
2. The serial port, say connected to a cell phone, or a laptop.
3. The Parallel port. Laplink cable and a laptop, or maybe a parallel connected MP3 player (old models available for $5-$30 on ebay).
4. The ethernet port. Seriously, have you seen a computer that didn't allow connections to other machines on unprivileged sockets? The Rio Karma comes to mind as something you could hook up there.
5. Floppy disk drive
6. CD-ROM burner. Typically easily available on every corporate network I've seen.
7. USB port on other protocols than "Storage," like say the simple USB peer-to-peer network cables.
8. Photons emitted by the monitors convey information which may be written down or relayed over a telephone or photographed with a camera
9. Directly connected, and network printers. If you really want to, you can just print it out, and likely you could print a heck of a lot of info reduced down so small that you could shove the piece of paper in your nose and blow it up later to a readable size.
Given all of this, I'd say it is pointless to try to close all the holes without a ground up redesign of how operating system security works, and even then, there are ways around it. Neither Microsoft nor industry is going there any time soon, so why get in the way of folks just trying to get their work done if the problem isn't really solved?
-- John.
...compared to homes (Score:5, Insightful)
Doorways may be a closeable hole. Are you going to close these too:
1. The windows. People try. But if you can throw a rock, brick, or wield a baseball bat, you can get through a window. You may use double-plated glass, etc. That doesn't close the "hole".
In fact, anyone worth their salt can break a window and go through it.
2. The chimney, say accessed via a ladder or grappling hook.
3. The skylight. Roof access is attainable via ladder or nearby trees if so inclined.
4. The crawl space. You could cut holes up through the bottom all day and nobody would see you.
Given all of this, I'd say it's pointless to try to close all the holes without a ground up redesign of how houses work, and even then, there are ways around it.
In conclusion, I think doors are pointless. They don't keep anyone out that really wants in. For that matter, windows and walls should also be done away with. I see no point in closing off what access we can. It's better just to let those who want access have as easy and fast a go at it as possible.
Re:...compared to homes (Score:5, Insightful)
Unless you have bars all over the place, a homeowners door is a message/statement, not a barrier.
It says, don't open this/enter without permission.
Disabling USB storage is an attempt to enforce policy by technological means. It is not a message. And it implies a mistaken belief that it is a good defense, which it ain't...
Re:...compared to homes (Score:3, Insightful)
The policy should be "don't copy or redistribute x type of corporate data without authorization."
Not "Thou shalt not use a USB storage device."
The reason being that the employee may have a perfectly good reason for connecting a USB storage device that ill-advised red tape cannot predict. A general policy against copying certain types of data without authorization covers the actual goal you want to achieve.
no floppy. (Score:4, Funny)
Nope, can't. That's dead [slashdot.org].
Re:Half-assed, probably can't be done feasibly any (Score:3, Insightful)
This is just one facet of the problem. Patching this hole is just to give the unknowledgeable a false sense of security. And that is more dangerous than leaving them worried, which might prompt more serious consideration.
Credit card information can be pretty well locked down. It is normally restricted to one machine, and that machine is restricted to a certain set of users. It should be stor
Guns don't kill people... (Score:4, Insightful)
A USB drive is not a gun. And I don't think guns have much utility in the typical workplace...
If you want employees to be effective and efficient they need to be empowered to do their work. Putting in artificial roadblocks is just red tape. You need to justify that policies will do what you want them to do. Otherwise, they just get in the way of good people trying to do their work.
If they are the small percentage with bad intent, actually looking to do damage, you're fighting a lost cause. Managers need to know, monitor, and demand that policy be followed. An important aspect of that is not making pointless policies that don't solve a real problem.
Re:It is indeed about security, not control... (Score:3, Funny)
Here comes the SHOCKER! (Score:5, Insightful)
Shockingly, michael, people use iPods to backup data! Companies don't want their employees leaving the premises with this data and checking through tens of thousands of bags is time consuming and expensive. Perhaps this would be different if iPods weren't easily able to be used for backing up data but that's just not the case.
According to the article this feature is available in XP SP2. See here [microsoft.com] for more information.
No, it's not some Microsoft conspiracy to end iTMS and the iPod.
Re:Here comes the SHOCKER! (Score:5, Interesting)
Re:Here comes the SHOCKER! (Score:3, Interesting)
Why just I-Pods? (Score:3, Interesting)
Didn't think so. The story just sounds more sinister when a trendy gadget is apparently singled out. The writer thought by giving it a MS Vs Apple twist more people would read it.
What about banning booting Knoppix CD? (Score:4, Insightful)
Re:What about banning booting Knoppix CD? (Score:4, Informative)
Not sure if you're joking or not, but that would be a BIOS setting, not an OS setting... of course, you'd think that a "secure" workstation probably wouldn't even include a CDROM drive for most users since software would be installed by an admin over the network...
Re:What about banning booting Knoppix CD? (Score:3, Interesting)
Re:What about banning booting Knoppix CD? (Score:4, Informative)
Re:What about banning booting Knoppix CD? (Score:3, Informative)
They've got their priorities wrong (Score:5, Insightful)
Re:They've got their priorities wrong (Score:2, Funny)
Re:They've got their priorities wrong (Score:2, Funny)
which is apparently where they're headed.
Re:They've got their priorities wrong (Score:3, Funny)
Re:They've got their priorities wrong (Score:4, Informative)
Re:They've got their priorities wrong (Score:3, Informative)
Re:They've got their priorities wrong (Score:3, Funny)
an anti-anti-IE post. muhahah muhahahahaa , MUHAHAHAHAHAHAHAHAHAHAHAHHAAAAAAAAAAAAAAAAAAA lolzorzzzzzzzzzzzzzz!!!!!!!!11111ONEONEONEONEonee
This is a good thing (Score:5, Insightful)
Re:This is a good thing (Score:3, Interesting)
Re:This is a good thing (Score:5, Insightful)
That's why Microsoft itself works hard to create such a good work environment (I have some friends who work for Microsoft in Germany and they are really very happy and loyal to their firm).
But the feature itself is not evil. It is pretty handy for sysadmins who can close another security gap. You can do the same with Unix so why is it a bad thing if Windows offers the ability to do so?
If you have physical access, you can always steal (Score:5, Insightful)
Re:This is a good thing (Score:5, Insightful)
Zero effect? Give me a break. An idiot can use a USB flash drive. All of the ways you outline require a higher level of intelligence.
By eliminating an entire group of people (non-technical ones) from being able to steal, one has made their information more secure.
Nobody has said totally secure. Just more secure.
We're sorry (Score:5, Funny)
What's so shocking? (Score:3, Informative)
Re:News for nerds, free stuff for the editors? (Score:3, Funny)
Re:News for nerds, free stuff for the editors? (Score:5, Interesting)
Anyway yes any storage device could have a Trojan, etc. dropped onto it. Yet in the case of the iPod and other storage devices (at least under Mac OS X) just because such a beast exists on the storage device doesn't mean that once connected it spreads (no auto-run of code on mounted devices is supported on Mac OS X without third-party tools).
Not much can protect one from a Trojan if the victim cannot recognize it for what it is (sure virus scanners may hit on it if it is a known trojan).
Anyway the real issue is mostly about users dropping company data onto their iPod, etc. (likely unencrypted) and then walking out the door and possibly losing it...
It's about time. (Score:2, Insightful)
This is a good thing for IT managers (Score:5, Insightful)
I know - "but what if they use a notepad, dummy". Yes, there is that problem - but last time I checked, you can steal a ton more data via a USB drive than a piece of paper.
The engineer's answer? Epoxy glue in the USB slots. Not the best choice.
So for places that have to deal with security, this is good for two reasons. First, it prevents people from taking data through alternate methods (USB/Firewire drives). Second, it lets people with those devices bring them into the lab.
Take the iPod example. If you're working in one of my secure labs, I might tell you "sorry - leave it outside". But with this technology, I can say "Sure - bring it in and listen to your tunes" with a reasonable level of surety that they're not going to copy data they shouldn't.
So from my mind, this is a Good Thing, and I'd like to see it on my OS X/Linux machines as well.
Re:This is a good thing for IT managers (Score:3, Informative)
This is easy for Linux (and I assume something similar would need to be done on OSX since it is unix based). Linux has been able to do this for many many years.
Put this in your /etc/fstab and it ought to do the trick:
dev/sda1
All users can mount and read the usb drive (ipods etc) but not write to it, nor can they execute anything from t
Re:This is a good thing for IT managers (Score:3, Informative)
USB isn't just for storage devices. Disabling the usbcore disables more than you want. You need to disable the usb storage module.
And this is bad because? (Score:5, Insightful)
Just because you give IT administrators the power to lock down the computer doesn't mean that Aunt Sallie isn't going to be able to use her iPod.
Imagine you administer a huge corporate network and you've standardized on Longhorn. Now imagine that the single biggest threats your network has seen in the past have originated from customer service reps bringing files from home on their iPods and Thumbdrives. If I were an administrator, I would have no problem locking down those machines to eliminate that threat.
What a tragedy! (Score:5, Funny)
Re:What a tragedy! (Score:3, Funny)
Here's your M$ bashing stick (we spell it M$ not MS because money makes things evil and we hate money and are not hypocritical about this at all). It works best when swung with both hands in an overhead fashion while yelling "In the name of Linus I smite thee!"
What is the big deal? (Score:5, Informative)
Microsoft since 2000 has always had Group Policy definitions to restrict CD burning and Floppy use on certain PCs, why is this such a big deal? Because it has the word "iPod" in the article?
It's not like every IT department is going to start locking down USB keys.. it takes one employee complaining to their manager they can't take their uber-important files home to work on at night to get things like this reversed anyway.
Nail biters don't bother.. it's just a slow news day for Slashdot
Windows XP already has this (Score:3, Informative)
Windows XP SP2 already has this [microsoft.com]. The referenced article describes a larger new feature that would include this as a subset, but "the future is today" regarding IT admins being able to lock out USB storage devices.
Useful (Score:2)
don't put in the word- iPod.. (Score:2, Insightful)
And the point is that MS is not the one who makes the decision about what devices to ban. It is the office manager. Who knows if the office manager himself might have an iPod?
Somewhat of a good idea (Score:5, Informative)
Re:Somewhat of a good idea (Score:3, Insightful)
The average user wouldn't know where to start. Sure, you or I could open the case and reset the CMOS but would you really consider doing that at work? My job is more important than listening to music or taking data home. Security, physical and electronic, are not foolproof. Any system has a weakness.
Re:Somewhat of a good idea (Score:5, Insightful)
Any company that needs to worry about file copying to the extent that they will lock out USB storage devices should already have mechanisms in place to prevent or restrict alternate O/S booting - and more importantly, the policies to fire your rogue ass should you choose to circumvent them.
Re:Somewhat of a good idea (Score:3, Insightful)
Sounds fine (Score:2)
If I were a network admin, I'd definitely want this power. There are situations where this type of inconvenience is definitely warranted. Take a look at what happened at Sandia labs, for example, they documented plenty of examples of various workers transferring data between secured
Shockingly? (Score:5, Insightful)
We've all been slagging off MS for years now for their attitude to security; no point in whining now when they get it right, just cos you can't play music through your desktop speakers.
BTW: cool link on that page. Well, not cool, but I like the headline: Allchin: Don't call it 'Shorthorn' [com.com]
Big deal for classified environments (Score:4, Insightful)
It will help windows make inroads into classified environments.
(some feel that store bought "music" media should be labeled to its security level, except cd burners can't burn store bought music cds.)
HIPAA (Score:5, Informative)
It's a good thing . . . (Score:4, Funny)
I feel much safer knowing MS is looking out for us, can't you just feel that invigorating "innovation" starting to pulsate through your O/S?
Excuse me - I'm getting woozy . . .
mount: only root can do that (Score:5, Insightful)
mount: only root can do that
Re:mount: only root can do that (Score:5, Informative)
I think that you may find the "user" and "noauto" options interesting.
Re:mount: only root can do that (Score:3, Insightful)
Re:mount: only root can do that (Score:3, Informative)
So what was your point?
Very Necessary (Score:5, Informative)
Boot virus? (Score:4, Interesting)
USB (Score:3)
Re:USB (Score:3, Insightful)
People act like they will no longer be able to use their iPod at work, but all you need to do is load it up with a few gigs of mp3 at home and plug it into the power connector under the desk or use the battery. Anyone listening to music through speakers at work will quickly be beaten to death by their co-workers anyway (Hell, you'll be beaten for just enabling system sounds 'round here...)
you can do it now with epoxy (Score:5, Insightful)
this isn't an offence to us but a feature (Score:5, Interesting)
I believe the /etc/fstab entry would be something like this :
/dev/sda1 /mnt/usb1 auto noauto,user,ro 0 0
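The read-only fstab approach discussed in the comments above (the `noauto,user,ro` entry here, and the earlier "read but not write or execute" one) can be audited as well as configured. The script below is an added example, not code from any of the posters; it assumes removable media are mounted under /mnt/ and uses a constructed sample fstab rather than a real system file.

```shell
#!/bin/sh
# Added example: audit /etc/fstab-style entries for removable media against a
# "user-mountable, on demand, read-only, no executables" policy.
# SAMPLE_FSTAB is constructed for the demo; it is not a real system file.

SAMPLE_FSTAB='# constructed sample fstab
/dev/hda1   /          ext3    defaults               1 1
/dev/sda1   /mnt/usb1  auto    noauto,user,ro         0 0
/dev/sdb1   /mnt/usb2  auto    noauto,user,rw         0 0
/dev/sdc1   /mnt/usb3  auto    noauto,users,ro,exec   0 0
/dev/cdrom  /mnt/cdrom iso9660 noauto,user,ro         0 0
'

# has_opt OPTLIST NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_entry MOUNTPOINT OPTS: print "MOUNTPOINT: ok" or "MOUNTPOINT: finding ...".
# mount(8) already implies noexec,nosuid,nodev for user/users entries unless the
# entry explicitly says exec/suid/dev, so an explicit "exec" is reported.
check_entry() {
    mp=$1; opts=$2; findings=""
    if ! has_opt "$opts" user && ! has_opt "$opts" users; then
        findings="$findings not-user-mountable"
    fi
    has_opt "$opts" noauto || findings="$findings auto-mounted-at-boot"
    has_opt "$opts" ro     || findings="$findings writable"
    has_opt "$opts" exec   && findings="$findings exec-allowed"
    if [ -z "$findings" ]; then echo "$mp: ok"; else echo "$mp:$findings"; fi
}

# audit_fstab: read fstab text on stdin, report every entry mounted under the
# assumed removable-media prefix /mnt/, one line each.
# Returns 1 if any such entry violates the policy, 0 otherwise.
audit_fstab() {
    rc=0
    while read -r dev mp fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$mp" in /mnt/*) ;; *) continue ;; esac
        line=$(check_entry "$mp" "$opts")
        echo "$line"
        case "$line" in *": ok") ;; *) rc=1 ;; esac
    done
    return $rc
}

# Demo on the constructed sample; run "sh audit_fstab.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_FSTAB" | audit_fstab
fi
```

On a real box, `audit_fstab < /etc/fstab` does the same check against the live file; the exit status makes it usable from a cron job or config-management run.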
Remember this is for corporate users ... (Score:3, Insightful)
I want a storage device BANNED! (Score:3, Funny)
Bootable USB (Score:5, Interesting)
So, not only do they have to prevent external storage, but they also have to turn off USB booting, and password the BIOS. I don't know if those are standard practices or not.
And, with this ability to turn off external drives, does that retain the ability to use other USB devices? Wouldn't there be some sort of 'spoofing' that could happen? (don't ask me what...I haven't figured that out yet.)
The real point is being missed. (Score:5, Insightful)
What this *is* about is just one more "feature" that M$ is putting into their offering that UNIX/Linux/et al. have had forever.
When you start diluting the issue talking about the conspiracy mumbo-jumbo, and fascist *admins, and what have you, you really are helping M$ along...
The only rational answer to an announcement like this is:
this is surprising how? (Score:3, Interesting)
Pretty soon MS will disable double clicking
Uhh this is already possible (Score:3, Informative)
You can even disable things such as floppy drives...
Could even do that with NT 4...
This isn't new (Score:3, Informative)
The idea that an IT admin is given tools necessary to prevent outside data from getting into the network and to prevent data from getting out of the network is neither new nor is it a bad idea.
Of course one can still just zip up a bunch of secret documents and mail them to an anonymous account like gmail. That does leave a pretty nasty paper trail though.
Really kind of pointless (Score:3, Insightful)
The Easiest Solution (Score:3, Insightful)
Alternatively:
1)Remove USB ports at the motherboard.
2)Do not install floppy or zip drives.
3)Do not install CDR/DVRs.
4)Remove all legacy serial and parallel ports.
Now just how you will get any work done is another matter.
Controversial? No. But Will It Work? (Score:5, Interesting)
Two things come to mind however:
1. Who will actually implement this feature? We're talking about something that really digs into the hardware/firmware/low-level-OS hooks of a system. For all practical purposes MS could simply shove most of the hard work off to the hardware makers saying that it provides a standard configuration panel in Windows and an API to unify the diverse hardware standards for features like this. Of course, it'd be up to the headaches of the hardware makers to make sure that things like firmware upgrades / hard resets / external booting are available but respect the settings of this API.
2. Is this something that software programmers will encourage? Before it became popular to mount USB cameras as FAT partitions on your desktop, digital cameras had to use a serial cable and follow elaborate, non-standard syncing APIs and mechanisms. The simplicity from the programmer perspective of having a simple data repository that acts like a file system device lets them spend their time on many other things rather than handshaking and querying acrobatics. Unless MS is also implementing an extensible sync architecture which will allow them to properly screen out the "true" hardware storage devices but allow things like cameras and PDAs to be read into the computer, then I foresee most users turning off this security feature as the first or second step in the instruction manuals of most devices (just as turning off the MS firewall appears to be the first step of many Internet enabled programs).
Might mitigate corporate reaction? (Score:4, Insightful)
at least 8 UNDETECTABLE ways to beat this (Score:3, Informative)
including sealing the serial / parallel
AND hard-wiring the mouse, keyboard, ethernet, and monitor connections -- at BOTH ends.
Leave ANY of those open, and I'll be able to write to magnetic media,
UNDETECTABLY to anyone who isn't standing next to me at the moment when I'm connecting my evil capture device.
And even after you do all that, I can STILL transmit data -- encoded (e.g., barcode) in high frame-rate video -- from one tiny innocent-looking window, to a button-hole video lens in my shirt.
Then there's EM emissions recording.
IOW, if you don't strip-search me, your data is "gone in 60 seconds".
Re:Stupid as usual (Score:3, Insightful)
If users didn't have rights to do "bad" things, then USB keys and iPods wouldn't be a concern.
Isn't this exactly what they are doing? Giving admins the ability to take away unnecessary rights from the user?
You miss the point (Score:5, Insightful)
Case in point. A company has proprietary and confidential information that you, as their employee, have access to (without having admin privs). The company wishes to restrict your ability to make copies and potentially misuse (i.e., steal) that information.
I fail to see what administrator privileges have to do with this.
Re:Stupid as usual (Score:5, Insightful)
You can train a horse to stay in the barn, but it's far more effective to close the doors as well.
Some companies work with "trade secrets."
Some companies work with YOUR "private information."
Some companies work with your country's "military profile."
I think it's perfectly appropriate to empower the IT department to set forth a flexible and strategic policy of which devices are interoperable, and which devices are not.
Re:Booo...Hissss... (Score:5, Insightful)
Whatever (Score:5, Informative)
Linux has had this since 1991.
Seriously, it's called fstab.
It's also a handy way of keeping confidential information from leaking.
Re:Whatever (Score:5, Informative)
Re:Whatever (Score:5, Informative)
Does it matter?
If it really matters to you that the drivers not be present, you can also turn off module autoloading and not put the USB mass storage drivers in your modules.conf
Re:Whatever (Score:3)
My guess is that you'll have to get a specific license from Microsoft to enable these devices to interact with the system, and even then, only with specific "approved" applications.
Take off the tinfoil hat man. Join the real world. There is no way in the world that any company who wants to make money would do something so foolish. If such a thing happened it would make frontpage news in every tech journal, and likely newspaper. How many people would buy such an OS? NONE.
Re:Booo...Hissss... (Score:3, Interesting)
If it were April 1, I'd think Michael was playing a joke on us, but as it stands, I think someone pulled a pretty good joke on Michael.
Re:Will it also ban Knoppix? (Score:2)
Re:You mean like (Score:3, Insightful)
Re:OMGWTFBBQ, you can't use your iPod at work! (Score:3, Funny)