I'm becoming paranoid about infected USB sticks on my work machine - what can I use to protect it?

Thought he said the workstation was in the server room.

If not, lock the office.

You guys are blowing the situation out of proportion lol.
I thank you guys for all of the solutions!
The issue was solved by printing a warning paper saying “do not use this computer without asking”, deactivating all of the USB ports other than the two USB 3.0 ports, and installing Debian.
That solved the problem so far.

What I really wanted to know was whether there was any sort of program I could install on the remaining Windows machines to remedy the situation, something like an antivirus.

Not that I know of. If you want to do it on a software level your best bet is really group policy on the network level. If you don’t have a Windows server to set up group policy you can use diskpart as described here: https://superuser.com/a/948527

If that really solves the problem though is a different question. I don’t know much about malware currently going around, but if the malware doesn’t need a mounted volume this won’t work either. And if it’s the IME exploit you’re boned either way.

Physical access is usually game over, but you could super glue plugs in all the USB ports you're not using. Unplugging the mouse or keyboard would break that, so super glue them in as well.
Then, outside of pulling off the case side panel to get to the USB ports on the MB, you're OK.

Until it's time to replace the kb or mouse … the lock idea along with group policy to disable mass storage is better. The problem is, if they can insert the USB drive, then they have physical access to the machine. With physical access, game over.

I don't know of any Windows software that would do as you ask and allow mass storage.
If you can find a way to set every USB mass storage device's permissions to allow read and write but deny execute, that would stop most people. You would also need to have Windows logged in as an unprivileged user (so they can't right-click and “run as admin”).

//edit
I don't think we are talking about anyone with our levels of expertise. I think Chevy_Monsenhor is talking about the average user.

A software solution is still full of holes the NSA or NSA leaks can exploit. Software is pretty flawed.

Hell, unplug the network and plug in a connection that hits Intel's MINIX platform and it's still game over.

Well then, the only safe computer is one with no network, no drives at all, and no means to power it up.

I don't think we are talking about anyone with our levels of expertise. I think Chevy_Monsenhor is talking about the average user.

Yup, pretty much that…

And no way for another human to get access to it physically

Even myself, I'm more of a hardware guy than I am software; I would have to research a lot of these more advanced solutions before implementing anything.
We do have a colleague with a full degree on computer engineering, but he’s not one bit interested in keeping these machines clean, as long as his own is, the rest can perish…

Check Point has a solution if you can afford it. It works, but we pay out the nose for it.

Or did; we moved away from Check Point because their firewall was 90% fixing problems, 10% doing its actual job.

Hmm, so my options are pretty scarce then.
Well, as long as I don’t bring any personal storage belongings into the job, I should be good…

Look, the thing is no one cares about you or me. We don't matter, so protect against scattershot malware and you're OK. If someone wants to target you and has the skills, you're fucked, outside of encryption when they did not get the key / password.

As I understand the diskpart thing I posted only disables automount, you could still mount manually I think. Not sure if a regular user can do that though or if that is an admin thing.

Why not try out the sandbox applications I suggested? If you’re looking for a software solution, akin to antivirus that stops USB drives from being able to do any kind of damage to your PC*, then what I suggested sounds like it’s right up your alley.

Edit: *While still giving you access to the USB drive and its contents. It just takes a few extra clicks to get those contents outside of the sandbox should you want to save it to your PC/elsewhere.

Physical access is key. Limiting physical access is the only way to secure your machine. It would be better if you had a ventilated locking cabinet to keep the computer in and that way, only the person with the key (You) can access the USB ports without damaging them with glue or making your life difficult by disabling all the USB functionality.

USB exploits are so bad that it's possible to take control of the Intel Management Engine via USB and run code on the ME out of reach of any software or OS. Reinstalling your OS will not clean out such an infection. Researchers just recently showed off this capability:

https://mobile.twitter.com/h0t_max/status/928269320064450560

First, stop using administrator accounts for daily use. Apart from being a security risk, they also screw about with the system due to their permissions; use a standard user account and only elevate when you expect it.

You can use BitLocker: using gpedit.msc, navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives > Deny write access to removable drives not protected by BitLocker.
The only issue is this will stop any unencrypted drive from working, but to be honest, if this is business use, drives should be encrypted by default.

Also, in the BitLocker Drive Encryption section, change Drive encryption method and cipher strength (1511+).

To add to the above, go into gpedit.msc again and go back to Windows Components, go into AutoPlay Policies, turn off AutoPlay, and set the default behaviour to ‘Do not execute any autorun commands’.

Features like AppLocker are available for Enterprise; software like Cisco FireAMP can help with this, and group policy software restrictions can help as well.

Use Sysinternals, and watch Malware Hunting with Sysinternals Tools.

Furthermore, anti-malware suites are useless now; proactive always beats reactive. This has been outlined by heads at companies like Intel (McAfee) and Norton (Symantec).
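
The gpedit.msc settings recommended in the thread (deny write to removable drives not protected by BitLocker, turn off AutoPlay, do not execute autorun commands) plus the earlier "allow read/write but deny execute on removable disks" idea are all backed by registry values under the local policy hives. The script below is an added example, not something posted in the thread: it audits those values on a standalone Windows machine and, with -Apply, sets them. The expected values are assumptions from the documented policy backing; on a domain-joined box a GPO will override whatever is set locally, so verify against your own baseline.

```powershell
# Added example (not from the thread): audit/apply the registry values behind the
# local policies discussed above. Run in an elevated PowerShell. Expected values are
# assumptions taken from the documented policy backing; verify against your GPO baseline.
[CmdletBinding()]
param([switch]$Apply)   # without -Apply the script only reports

# Device-class GUID that the "Removable Disks" storage policies are keyed under
$RemovableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

$Checks = @(
    @{ Name = 'BitLocker: deny write access to removable drives not protected by BitLocker'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
       Key  = 'RDVDenyWriteAccess'; Expected = 1 },
    @{ Name = 'AutoPlay: turn off AutoPlay on all drives (0xFF = every drive type)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Key  = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Name = 'AutoPlay: do not execute any autorun commands'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Key  = 'NoAutorun'; Expected = 1 },
    @{ Name = 'Removable disks: deny execute access (read/write remain allowed)'
       Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"
       Key  = 'Deny_Execute'; Expected = 1 }
)

$failures = 0
foreach ($c in $Checks) {
    # Missing key or value reads as $null, which counts as "policy not set"
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    if ($null -ne $current -and [int]$current -eq $c.Expected) {
        Write-Host "[OK]      $($c.Name)" -ForegroundColor Green
        continue
    }
    $failures++
    Write-Host "[MISSING] $($c.Name) (current: '$current', expected: $($c.Expected))" -ForegroundColor Yellow
    if ($Apply) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Expected -PropertyType DWord -Force | Out-Null
        Write-Host "          -> set $($c.Key) = $($c.Expected)"
    }
}

# Non-zero exit lets a scheduled task or login script flag drift on the remaining Windows machines
if ($failures -gt 0 -and -not $Apply) { exit 1 }
```

Explorer re-reads the AutoPlay values at next logon and BitLocker policy takes effect on the next removable-drive insertion, so re-run the audit after a logoff to confirm.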