Q: How can I prevent users from connecting USB devices (such as thumb drives, iPods, etc.) to their PC? How about CD burners and floppies? What about wireless network cards? I am concerned that these devices could introduce a virus or be used to transport financial institution data off premises.
A: You voice a valid concern, and I have reviewed a couple of software solutions. One is GFI Endpoint Security and another is DeviceWall. My main focus has been on the GFI software because it’s less expensive and provides the needed functionality. DeviceWall adds the ability to encrypt removable storage devices if they are used. At this time, I have not fully tested either software; however, we’ve used other GFI software for a number of years and find it to be very good overall.
GFI includes a management console that gives administrators the option to allow USB devices where needed and block them elsewhere. USB devices include media players like iPods, USB sticks, CompactFlash cards, and memory cards. The control also includes the ability to disable wireless cards, floppy drives, and CD burners. Visit the GFI Web site (http://www.gfi.com/endpointsecurity/) to view the details of this software.
A less powerful alternative can also disable USB devices and floppy/CD drives. In Windows Server 2003 Group Policy, a custom administrative template can be created to disable or enable these devices. Please see Microsoft Knowledge Base article 555324 (http://support.microsoft.com/kb/555324) for the details and contact our Helpdesk for assistance.
Note: Wireless cards present a security risk because the computer could connect to any available wireless access point within range of the financial institution. It could even be the business next door with an unsecured connection. The laptop would then have two connections at the financial institution, one cabled to the institution’s network and one connected to the wireless network. This presents a number of problems that include:
- A user could surf the Web over the wireless connection and bypass the financial institution’s Internet filtering and firewall protection.
- The institution’s network is at risk from the wireless network because the two connections create a path from the wireless network to the institution’s network. Malware of all kinds, including viruses, could attack the financial institution’s network.
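To confirm that the Group Policy approach mentioned above has actually taken effect on a workstation, the storage driver start types can be audited from the registry. The following is an added example, not part of the original answer or of the Microsoft article. It assumes the policy works by setting the `Start` value of the standard Windows storage driver services (`USBSTOR`, `cdrom`, `flpydisk`, `sfloppy`) to 4 (disabled); the page itself does not list these names, and the function name is hypothetical.

```powershell
# Added example (read-only audit). Assumption: the removable-media policy
# disables these standard Windows driver services by setting Start = 4.
$ExpectedDisabled = [ordered]@{
    'USBSTOR'  = 'USB mass storage (thumb drives, media players)'
    'cdrom'    = 'CD/DVD drives and burners'
    'flpydisk' = 'Floppy disk drives'
    'sfloppy'  = 'High-capacity floppy (LS-120) drives'
}

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-StorageDriverPolicy {
    param([System.Collections.IDictionary]$Drivers = $ExpectedDisabled)

    foreach ($name in $Drivers.Keys) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = $null
        if (Test-Path $key) {
            $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        }

        # A missing key or value means the driver is not registered on this machine.
        if ($null -eq $start)  { $state = 'NotInstalled'; $type = $null }
        elseif ($start -eq 4)  { $state = 'Blocked';      $type = $StartTypes[4] }
        else                   { $state = 'Allowed';      $type = $StartTypes[[int]$start] }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Driver    = $name
            Covers    = $Drivers[$name]
            Start     = $start
            StartType = $type
            State     = $state
        }
    }
}

$report = @(Get-StorageDriverPolicy)
$report | Format-Table Driver, Start, StartType, State, Covers -AutoSize

# Any driver still able to load is a gap in the policy on this machine.
$gaps = @($report | Where-Object { $_.State -eq 'Allowed' })
if ($gaps.Count -gt 0) {
    Write-Warning ("Policy not enforced for: " + (($gaps | ForEach-Object { $_.Driver }) -join ', '))
}
```

A driver reported as `Allowed` on a machine that should be locked down usually means the policy is not linked to that computer's organizational unit or has not refreshed yet.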