Esther,

Thanks for the article. It sheds light on some of the sources of the problem and in some ways it helps us to develop effective solutions.

There are all kinds of solutions that can be implemented to disable USB ports but would they address the root cause of the problem? What about malicious websites, infected DVDs and even floppies for computers that still have them?

What we have done is remove admin rights from desktops (most laptops are exempt) but setup a system that’s flexible enough to allow for quick privileges escalation when needed. Taking away admin rights was not easy but there was a very significant drop in infected computers which gave us time to work on other important aspects of our jobs.

For what its worth, I am running my computer as a regular domain user and therefore if I were to plug in a device that’s infected, my computer would be protected (hopefully). I will also be protected if I landed on a compromised website by accident.

I am curious to find out what others do with new machines. Do you keep the installations from the factory or do you rebuild from your own in-house computer image?

Firmin Charlot, MCSE, A+, Information Systems Manager
Educational and Support Services 162 Student Services Building East Lansing, MI 48824
[log in to unmask] (517) 432-7541
Submit technical requests at http://help.ess.msu.edu/

From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Esther Reed
Sent: Friday, March 14, 2008 10:39 AM
To: [log in to unmask]
Subject: [MSUNAG] Personal devices and MSU PCs

Do you allow your users to attach their personal devices to the MSU PCs that they use (and you support)?

If yes, do you have any protection in place? What works and what doesn't?

If no, do you have a departmental policy or just rely on good-citizenship? Do you disable the USB ports on the front of PCs?

We've been wrestling with this issue over here. We do not have a policy in place; we do allow staff to attach their own USB keys, etc. but we ask our student staff to not use their devices. Today's CNN article emphasizes more dangers with allowing users to do this, so I am wondering how different departments are handling it.

http://www.cnn.com/2008/TECH/ptech/03/13/factory.installed.virus.ap/index.html

Thanks for any feedback and ideas!

~ Esther

Esther V. V. Reed

IT Systems Administrator

MSU Graduate School