Force USB encryption Windows and Mac
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
Almost. But in this case the insurance company is asking him to enforce as well. But enforce doesn't mean 100%. Cops don't enforce the speed limit 100%, but that doesn't mean that they don't enforce it.
The cops don't enforce, they ticket people, as a means of getting that person in front of a judge who then validates and punishes.
Judges are enforcement, cops simply act as witnesses to an act.
No, they arrest. They physically remove people from vehicles. I've had friends had it done to them. They put rumble strips on the road, spikes, all kinds of enforcement items.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
Judges are enforcement, cops simply act as witnesses to an act.
Judges are punishment, not enforcement.
-
that's why "law enforcement" is a reference to police, not judges or juries.
-
@scottalanmiller said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
Almost. But in this case the insurance company is asking him to enforce as well. But enforce doesn't mean 100%. Cops don't enforce the speed limit 100%, but that doesn't mean that they don't enforce it.
The cops don't enforce, they ticket people, as a means of getting that person in front of a judge who then validates and punishes.
Judges are enforcement, cops simply act as witnesses to an act.
No, they arrest. They physically remove people from vehicles. I've had friends had it done to them. They put rumble strips on the road, spikes, all kinds of enforcement items.
Items to get the person in front of a judge and jury who actually punishes the person.
You can be detained for a while by a cop, that isn't punishment.
-
@scottalanmiller said in Force USB encryption Windows and Mac:
that's why "law enforcement" is a reference to police, not judges or juries.
Law enforcement generally, yes but the practical explanation is that the police are there to bring people they suspect of a crime to justice to be judged.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
Items to get the person in front of a judge and jury who actually punishes the person.
No amount of punishment is enforcement. No matter how severe. The law is already broken.
Enforcement only can exist if before the act happens or is completed.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
You can be detained for a while by a cop, that isn't punishment.
Correct. Detainment is stopping whatever from completing, hence enforcement. Anything with the term "punishment" in it can't be enforcement.
It is enforcement, not punishment, of concern to the insurnace company in this case.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
that's why "law enforcement" is a reference to police, not judges or juries.
Law enforcement generally, yes but the practical explanation is that the police are there to bring people they suspect of a crime to justice to be judged.
Correct. Cops enforce, judges punish. That's the universal explanation. One is to stop a transaction, one is to exact revenge.
-
This really doesn't seem hard. The insurance agency seems to just want some mechanisms to make breaking policy harder. From GPOs, to glue in the USB ports, to confiscating rogue devices.
The computer itself can't do the checking as Dustin pointed out, it has to mount and use the drive before it can know, so the computer has to be "after the fact". The computer can complain about what you've done, but it can't enforce. it's like a judge, not like a cop.
Any "cop enforcement" mechanism has to be before the USB goes into the computer or at least before the port is enabled.
-
@scottalanmiller that I can agree with.
This is all pre-device connection. There is no realistic way to prevent breaking the policy. Because users...
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@scottalanmiller that I can agree with.
This is all pre-device connection. There is no realistic way to prevent breaking the policy. Because users...
No way to absolutely stop them, no. But there are reasonable "technical solutions" to make it less likely. From confiscating rogue drives to disabling ports unless enabled on a use by use basis.
-
@Dashrender said in Force USB encryption Windows and Mac:
@dbeato said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@dbeato said in Force USB encryption Windows and Mac:
On the technical aspect of the request it should be easy to enforce in an Microsoft AD Enviroment as below:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11).
https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)#grouppolicydeviceinstall_topic3cThe challenge is on Mac with FireVault. I will look into what I have with Sophos as I use them for this. However you policy should be enough.
While i agree that a policy SHOULD be enough - they specifically said - technical.
FYI - No AD in this environment.
You can still enforce via local group policy for Windows.
yep... though I would/should use something like Salt or some other agent based solution to push out changes for this if for no other reason than consistency.
We did it with USB drives that are encrypted on the drive. So you could mix those two. I have one of these personally:
https://www.amazon.com/Corsair-CMFPLA3B-16GB-Padlock-Flash-Drive/dp/B06XNQH822/ref=dp_ob_title_ce
But there are a ton of options like that. The company bought FIPS 140-2 compliant ones, you can decide that or not.Keep in mind this was what I did for Linux, not sure what the Windows guys did. But what I did was leverage USBGuard and when we handed out an encrypted drive we added it to the drive list that was pushed out to all of the systems. Only those USB devices were able to be used on the systems.
However @dbeato pointed this out earlier and you could most likely do the same thing. I just don't know how to add the USB device serial number in Windows (if it was Fedora or RHEL I'd love to help you lol).
-
I do know they also used Kingston DataTravelers. So if you didn't want to have to type the pin on the USB drive, you could just plug that model in and there was a small piece of software that ran and you could type in the password. It worked on both Linux and Windows.
Here's the link to the Kingston site with the encrypted ones:
https://www.kingston.com/en/usb-flash-drives?use=data security -
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
No, An insurance company wants us to have a technical solution in place that when a USB drive is inserted into a computer, that the drive is only usable if the drive is encrypted.
You would have no way to do this.
You can setup encrypted volumes on USB drives you control, but there would be know way to do this for every USB drive.
You buy the drives with the encryption already built in and only allow those drives serial numbers. This is a commonly done thing in higher security departments. Whether it's actually needed here or not is different, but it's completely doable.
-
Late to the party here, but...
To me, it sounds like they don't want data going from the computer, into a portable storage device, that isn't encrypted... which could be stolen or data taken off by anyone somewhere else.
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted. It will be readonly. This seems exactly what they want, and super easily doable with group policy and bitlocker.
-
@Obsolesce said in Force USB encryption Windows and Mac:
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted.
No there are not.
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted with BitLocker. That is not the same thing.
But the matters not since this is a mixed environment of macOS & Windows.
-
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms...
-
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
-
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
Pay attention here...
If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.