The "solution" I suggested would only work for a situation, where you are
certain the USB device is only used in your controlled environment with your
controlled OS's... =)
As many others already pointed out, one can move the USB stick to an OS that
you do not control. This could be a stand alone NTFS system capable client
WinXP, Win2k or Win2k3 that's not on the domain or something as a Linux
'live filesystem' distribution like Knoppix or whatever...
If you're nervous of people taking the USB device with them in their pocket
and attempting to access it elsewhere you can't do anything else but use EFS
from a windows out-of-the-box kind of setup.
So I guess the conclusion would be, that if you have to be able to control
the access to the USB device when it's not in the controllable environment,
you need to encrypt the file system.
Regards,
r@smus
.
Rasmus Rønlev
Copenhagen Business School, ITSu
-----Original Message-----
From: Danny [mailto:nocmonkey (at) gmail (dot) com [email concealed]]
Sent: 13. januar 2005 01:29
To: Rasmus Rønlev
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: NTFS Security
On Wed, 12 Jan 2005 18:38:39 +0100, Rasmus Rønlev <rr.its (at) cbs (dot) dk [email concealed]> wrote:
> Hi Drew,
>
> How about changing the users away from being Local Administrators and say
> into the Power Users group and then putting NFTS permissions on the usb
> stick to allow only Domain Users? I guess if it was an option you'd have
> already considered this, from the perspective of giving users the least
> amount of rights/permissions needed, but just checking anyway :)
That works at work, but not at home or any other computer a user has
administrative access to.
The "solution" I suggested would only work for a situation, where you are
certain the USB device is only used in your controlled environment with your
controlled OS's... =)
As many others already pointed out, one can move the USB stick to an OS that
you do not control. This could be a stand alone NTFS system capable client
WinXP, Win2k or Win2k3 that's not on the domain or something as a Linux
'live filesystem' distribution like Knoppix or whatever...
If you're nervous of people taking the USB device with them in their pocket
and attempting to access it elsewhere you can't do anything else but use EFS
from a windows out-of-the-box kind of setup.
So I guess the conclusion would be, that if you have to be able to control
the access to the USB device when it's not in the controllable environment,
you need to encrypt the file system.
Regards,
r@smus
.
Rasmus Rønlev
Copenhagen Business School, ITSu
-----Original Message-----
From: Danny [mailto:nocmonkey (at) gmail (dot) com [email concealed]]
Sent: 13. januar 2005 01:29
To: Rasmus Rønlev
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: NTFS Security
On Wed, 12 Jan 2005 18:38:39 +0100, Rasmus Rønlev <rr.its (at) cbs (dot) dk [email concealed]> wrote:
> Hi Drew,
>
> How about changing the users away from being Local Administrators and say
> into the Power Users group and then putting NFTS permissions on the usb
> stick to allow only Domain Users? I guess if it was an option you'd have
> already considered this, from the perspective of giving users the least
> amount of rights/permissions needed, but just checking anyway :)
That works at work, but not at home or any other computer a user has
administrative access to.
...D
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]