USB Drives and Corporate IT policy

UberSwank

My company has recently had a fair amount of data stolen from internal servers - probably with a USB drive. Does anyone know of any software that will copy the contents of a USB drive to a folder on the hard drive upon insertion and silently? We're trying to determine who might have caused the leak, but since they are local admins it's a bit more of a pain. Any ideas?
 
There was something about this on one of the SecurityFocus mailing lists. Someone did put together a POC software that would do a USB grab of predefined folders. I do believe it's since become paid software only.

Edit:
Found it:
Vulnerability Development: reconsidering physical security: pod slurping
http://seclists.org/lists/vuln-dev/2005/Jun/0004.html
 
You can disable USB drives via a group policy if this is a Windows network. You might also want to look into enabling file access auditing.
 
I remember seeing that GFI has a product to lock down USB and other (FireWire) drives.


http://www.gfi.com/lanpsc/

From their website:

GFI LANguard P.S.C. allows you to define which users can use removable media centrally from Active Directory – simply by making them a member of three pre-defined groups.

Note: I have never used this product.
 
Boscoh said:
You can disable USB drives via a group policy if this is a Windows network. You might also want to look into enabling file access auditing.
I would enable auditing on your file servers. Then configure the directories to be audited for Full Control/Success and Failure.

Depending on how much access the shares get, you may need to up your security event log size.

I do all of this through group policy, so if a local administrator disables or reconfigures it, it will get re-enabled the next time the machine refreshes policy.

The other thing you should do is limit the number of administrators you have. We have several people who perform administrative functions on machines, but don't need full domain admin rights. For example: our SQL DBA has local admin rights to our SQL servers and nothing else.

I don't know how your environment is configured, but the fewer admins the better.
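
The auditing setup described in the post above, as an added example that is not part of the thread: a local PowerShell equivalent for trying the settings on one file server before deploying them through group policy. The share path and log size are assumptions, and it assumes an elevated session on Windows Server 2008 or later.

```powershell
# Added example, not from the thread. Run elevated on the file server.
$Path         = 'D:\Shares\Finance'   # assumption: hypothetical directory to audit
$LogSizeBytes = 1GB                   # assumption: enlarged Security log size

# 1. Enable object-access auditing for the file system, success and failure.
#    (The subcategory name is localized on non-English Windows.)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) to the directory: Everyone, Full Control,
#    Success and Failure, inherited by all subfolders and files.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Raise the Security log maximum size so busy shares do not roll the
#    log over before anyone reviews it.
wevtutil sl Security /ms:$LogSizeBytes

# 4. Verify what is actually in effect.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
wevtutil gl Security

# 5. Review recent file-access events (event ID 4663) for the audited path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Auditing Full Control for Everyone on a busy share generates a large volume of events, which is why the log size is raised in the same step.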
 