[unisog] Pen testers after my own heart...

Paul Asadoorian Paul_Asadoorian at brown.edu
Mon Jun 12 18:15:01 GMT 2006


So, it seems the best recommendation is two-fold:

- Disable autorun via GPO
- Disable usb-storage drivers via GPO

That works rather well (coupled with user education) and covers more than
just USB keys (as Gary points out in this thread as well).

Thanks for the input!

Paul

--
Paul Asadoorian, GCIA, GCIH
Brown University
3 Davol Square
Suite B 250, Campus Box 1885
Providence, RI 02903
Phone: 401.863.7553

IT Securty Blog
http://blogs.brown.edu/project/security




In a bank setting, you'd disable usb-storage drivers via GPO.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________

On 6/12/06 12:25 PM, "David McBride" <dwm at doc.ic.ac.uk> wrote:

> Paul Asadoorian wrote:
> 
>> I am curious as to what their recommendations were for this particular test,
>> "Tell employees not to put things in their computer" or  "fill the USB ports
>> with epoxy". Not so practical....
> 
> Turn off Autorun via a domain group policy?
> 
> At least part of the problem here is not that the users are deliberately
> running untrusted code found on a discarded USB key, but rather that
> their shell is doing it for them!
> 
> Cheers,
> David





More information about the unisog mailing list