-1

I am looking to beef up security on an office network. Aside from the obvious (physical security, limiting user privileges using Active Directory, running a firewall that does stateful packet inspection, and running anti-virus software), I would like to prevent users from copying a file to a USB flash drive and taking it home or cloning a hard disk or just removing the hard disk from a workstation.

I can block all email sites using the Dell SonicWall so that employees cannot email themselves sensitive corporate data, but what do I do about USB drives? The BIOS on the workstations does not allow them to be disabled.

I once had a client who used a computer at a bank that she was working on to transfer photos from her camera to a USB flash drive. She came to me complaining that she can’t open the photos on the USB drive on her home computer. It turns out that the computer encrypted the photos so that they can only be opened on the bank computer. How can I do something like this to prevent employees removing data?

I know that Intel offers hardware drive encryption on systems with vPro technology, but most of our workstations do not have this. Is there a way to do this via software? Would full disk encryption even prevent an employee from copying data to a flash drive? Please advise.

Also, is there a way to encrypt data in transit? For example, when the server is backing up to a NAS drive, is it possible to encrypt the data while it is going over the network, and is this level of security even necessary?

And is there a way to have Windows Server keep a transaction log of exactly who accesses and changes any file or system setting?

2 Answers

2

Your question should probably be broken up into multiple questions, so I'm not going to go into great detail.

"I would like to prevent users from copying a file to a USB flash drive and taking it home or cloning a hard disk or just removing the hard disk from a workstation."

You could lock the workstation cases to keep people from removing the hard drive. That won't stop people from tossing their computer into a trash can and walking out with it (an actual crime at a previous workplace).

As for the flash drives, you can block removable drives through group policy.


(Image from this article, which you might find useful.)

"Would full disk encryption even prevent an employee from copying data to a flash drive?"

No, you need to block flash drives for that.

"Also, is there a way to encrypt data in transit? For example, when the server is backing up to a NAS drive, is it possible to encrypt the data while it is going over the network, and is this level of security even necessary?"

Whether it's "worth it" depends on what you're protecting. You could implement IPsec, depending on your version of Windows.

"And is there a way to have Windows Server keep a transaction log of exactly who accesses and changes any file or system setting?"

Yes, you should investigate auditing policies.

Katherine Villyard
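The auditing suggestion in the answer above, worked through as an added example (not part of the original answer): file access auditing on Windows needs both the audit policy subcategory and an audit entry (SACL) on the folder, after which event 4663 in the Security log records who touched which file. The folder path and the choice of 'Everyone' as the audited principal are assumptions; run it elevated on the file server.

```powershell
# Added example. $Path is a hypothetical share folder; adjust to your environment.
$Path = 'D:\Shares\Finance'

# 1. Enable the "File System" object-access subcategory (name as shown on English systems).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit rule (SACL) to the folder. Without a SACL, the policy above
#    produces no events, which is the most common reason auditing "does nothing".
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Path -Audit      # -Audit is required to load the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back object-access events (ID 4663) and show who accessed what.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named data fields into a hashtable.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Object     = $data.ObjectName
            Process    = $data.ProcessName
            AccessMask = $data.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$Path*" } |   # keep only events under the audited folder
    Sort-Object Time |
    Format-Table -AutoSize
```

Auditing write and delete rights rather than every read keeps the Security log volume manageable; size the log and forward it off the server if it is meant to serve as a record.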
-1

I've used Trend Micro Antivirus at clients before. It has an option where you can disable USB drives (except KB and mouse, of course).

Jason