I'm becoming paranoid about infected USB sticks on my work machine - what can I use to protect it?

Disable the USB controller in the BIOS and add a BIOS password and lock the case. Only downside is you have to find a PS2 keyboard and mouse.

Holy shit is there no IT security policy at a city hall?!
Normally USB ports are disabled by default in a large company setting… especially when personal data is involved.

A PS2 adapter is like a dollar.

3 Likes

Nope, no security plan at all, the hall barely invested in tables for us two, we work in a 3x2m corridor with a 30U APC rack taking some of the space. We do have a split air-con, but just because it was the norm for the server rack.
They don’t really consider the I.T. department high priority, despite the fact our work makes the entire hall function, even Dell (our server supplier) has deemed the room very inadequate for the server…

Oh, and most of our network is based on 10/100 network switches and 15 year old CAT5 cables with low end keystones. The gigabit solution on my house is better than the one at the hall.

Couldn’t I leave just one port activated? I have a Lenovo keyboard with a USB passthrough that I can connect my mouse onto

Windows group policy link also in the comments:

2 Likes

Perfect! I’ll try it!

Check your work policies but introducing malicious software here would likely be gross misconduct and immediate dismissal so stick a nice sign up stating that :slight_smile:

1 Like

That’s nothing, not too long ago I went to a site where their entire network was mostly populated by 10mbps flat switches with no VLAN capability, it was just one giant collision domain. There wasn’t the money to upgrade and most of the cabling was 20 years old! Management was clueless and the one guy in charge was just a few years away from retirement…

1 Like

Pah, 10mbps flat switches! You don’t know you were born! I was working at one site where all they had was token ring (No, not a Tolkien Ring!) and for Christmas they thought they were lucky if the company director gave them a sixpence…

grampa simpson

6 Likes

Do you have access to group policy? Either local or domain is fine. If local:

start and search for gpedit.exe

Computer Configuration (or user) -> Administrative Templates -> System -> Removable Storage Access

Disable the ones you want to disable by enabling the policy.

1 Like
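Added example, not part of any post in this thread: a read-only PowerShell audit of the registry values that the Removable Storage Access policies write at machine scope, so you can confirm what is in effect after editing the policy. The registry path and class GUIDs are those used by the policy template as far as this example assumes; the function names are the example's own.

```powershell
# Added example: audit the machine-scope settings behind
# Administrative Templates -> System -> Removable Storage Access.
# Read-only: it changes nothing on the system.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs the policy template uses for each storage class.
$classes = [ordered]@{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy Drives'   = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    'Tape Drives'     = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-PolicyFlag {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is "Not Configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$Name -eq 1) { return 'Deny' }
    return 'Allow'
}

function Get-RemovableStoragePolicy {
    # "All Removable Storage classes: Deny all access" overrides per-class settings.
    $all = Get-PolicyFlag -Path $base -Name 'Deny_All'
    [pscustomobject]@{ Class = 'ALL CLASSES'; Read = $all; Write = $all; Execute = $all }

    foreach ($name in $classes.Keys) {
        $key = Join-Path $base $classes[$name]
        [pscustomobject]@{
            Class   = $name
            Read    = Get-PolicyFlag -Path $key -Name 'Deny_Read'
            Write   = Get-PolicyFlag -Path $key -Name 'Deny_Write'
            Execute = Get-PolicyFlag -Path $key -Name 'Deny_Execute'
        }
    }
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
```

A row showing `NotConfigured` everywhere means the corresponding policy was never enabled, or that it was set under User Configuration instead, which this script does not read.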

gpedit.msc

4 Likes

Jesus these forums… people nit pick on the smallest things.

I know it’s .msc else I wouldn’t recommend the group policy stuff. Windows is smart enough to pull it up now with .exe, no reason to worry about msc which may make someone go “wooo I don’t know what msc is I’m not touching that.”

image

For some reason the bottom part of the snippet got cut.

2 Likes

Today I learned win10 will run a Msc if I mistyped. I dislike/ hate on windows a little less now…

Not nitpicking, just didn’t know it would actually find and execute the .msc in the search. Because when you try to run it as .exe via Win+R it just throws an error in your face.

The run prompt is looking for specifics, the search bar is looking for keywords.

If you’re using Windows and still looking at solutions, and you don’t want to go so far as disabling usb devices or something, I’d say sandboxing is something worth exploring. Others have already brought it up by suggesting virtual machines + snapshots, but using a sandboxing application should give you the same benefits without all the overhead that comes from running a full VM.

I haven’t done much testing on sandbox applications myself, but there’s lots of info out there from people who have tested it. The only thing I’ve tested was wannacry on an un-updated version of Comodo and Sandboxie and both stopped it from doing any damage to my PC.

Comodo has an auto-sandbox feature that seems pretty on point. In the way a virus program has a blacklist (allow all files unless they match the malware in its database), Comodo’s sandbox uses the opposite approach and trusts nothing unless it has a verifiable signature from a trusted vendor. In this sense it should work on unknown threats as well (and seems to handle that well in testing). So it doesn’t directly address the USB situation, but if that USB has any kind of auto-executing malware on it, Comodo would sandbox it.

Another solution I use is Sandboxie. I think this feature may require the paid version, but I’ve set up a sandbox that forces every file/executable/etc in a certain drive to run in the sandbox. There’s tools out there you can use to force usb storage devices to mount at the same letter each time, like this, and then just have your sandbox set up to intercept anything coming from that drive letter. In my experience, this has worked quite well, even with scripts set to auto-run.

Just keep in mind that with this setup, if you plug in your own USB drive, open up a word document on it, edit the document and save it, that edited document will be saved in your sandbox, not on your (unsandboxed) PC or on the USB drive. So it’ll take a couple of extra mouse clicks to save the edited version onto your PC (outside of the sandbox) or onto the USB drive.

if it’s mostly just work related:
-install ubuntu
-install libreoffice
-install master pdf editor.

this will allow basic auto mount/unmount of usb sticks, file transfers, excel/word compatibility, and pdf compatibility on the machine, with no viruses.

if you need to print, also install cups
if you need network shares, install samba client

if you absolutely need windows for something, install virtualbox and create a small windows vm. Mine is set for 1 processor, 4gb ram, 50gb hard disk space. For example I need this for running stamps.com software, as the rest of the office uses this and i have no control over that.

I’ve been using this setup at work on my arch machine for the past 3 years. I work as an IT admin for a small law firm, and we quite often get regular spam virus phishing pdf emails

do NOT install wine if going this route. windows viruses will happily run under wine.

1 Like

@Yockanookany sorry man, I appreciate the post, but thought Microsoft remapped msc and exe commands… wasn’t nit picking or meaning any bad things, just genuinely was mistaken.

1 Like