    Force USB encryption Windows and Mac

      Dashrender @DustinB3403

      @DustinB3403 said in Force USB encryption Windows and Mac:

      @Dashrender said in Force USB encryption Windows and Mac:

      @DustinB3403 said in Force USB encryption Windows and Mac:

      @Dashrender said in Force USB encryption Windows and Mac:

      @scottalanmiller said in Force USB encryption Windows and Mac:

      @Dashrender said in Force USB encryption Windows and Mac:

      And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense

      Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.

      no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them in.

      So if you know this, then why did you say I was delusional for thinking that if you updated and enforced your policy you would be good?

      because a policy is not a technical solution.. a policy doesn't stop the crazy person from plugging a drive. only a technical solution prevents the computer from accessing a non-authorized drive.

      A policy is enforceable through any solution you implement. I.e., whenever we purchase a USB device, its volume is encrypted before it's used. Anyone who is found to be using a non-company USB storage or unencrypted storage device is reprimanded.

      Did you see what you just wrote? WHEN I PURCHASE... what about when crazy person purchases? and brings from home?

      Sure I can fire them... AFTER they plug the drive into our computers - but that's too late.

        DustinB3403 @Dashrender

        @Dashrender said in Force USB encryption Windows and Mac:

        what about when crazy person purchases? and brings from home?

        YOU TERMINATE THEM. That's HR's policy to follow, not your problem to fix FFS.

          DustinB3403 @Dashrender

          @Dashrender said in Force USB encryption Windows and Mac:

          Sure I can fire them... AFTER they plug the drive into our computers - but that's too late.

          No it's not, because they've broken the policy not once but twice.

          By using a non-company storage device and two, a non-encrypted one at that!

            DustinB3403

            @Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.

            It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.

            Edited in bold.

              DustinB3403

              Just like cops don't actually Enforce the law, they simply report law breakers to the Court, and a Jury and Judge then validate the claim and punish the law breaker.

              You're the cop, you see and report, you don't enforce.

              Arresting someone doesn't mean you're enforcing the law, it means you're taking someone in to be judged by those whose job it is to enforce the law and pass punishment.

                dbeato

                On the technical aspect of the request it should be easy to enforce in a Microsoft AD Environment as below:
                https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11).
                https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)#grouppolicydeviceinstall_topic3c

                The challenge is on Mac with FileVault. I will look into what I have with Sophos as I use them for this. However your policy should be enough.

                  dbeato

                  I also would think they want your devices in the office to be Encrypted at a minimum as well.

                    Dashrender @DustinB3403

                    @DustinB3403 said in Force USB encryption Windows and Mac:

                    @Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.

                    It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.

                    Edited in bold.

                    You're assuming that a policy is simply good enough for the insurance company... if they come back with Product X satisfies the technical requirements, then clearly, policy alone does not solve the problem to their requirements.

                      dbeato @Dashrender

                      @Dashrender said in Force USB encryption Windows and Mac:

                      @DustinB3403 said in Force USB encryption Windows and Mac:

                      @Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.

                      It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.

                      Edited in bold.

                      You're assuming that a policy is simply good enough for the insurance company... if they come back with Product X satisfies the technical requirements, then clearly, policy alone does not solve the problem to their requirements.

                      So I am thinking they have a technical requirement hence why you are asking right?

                        Dashrender @DustinB3403

                        @DustinB3403 said in Force USB encryption Windows and Mac:

                        Just like cops don't actually Enforce the law, they simply report law breakers to the Court, and a Jury and Judge then validate the claim and punish the law breaker.

                        You're the cop, you see and report, you don't enforce.

                        Arresting someone doesn't mean you're enforcing the law, it means you're taking someone in to be judged by those whose job it is to enforce the law and pass punishment.

                        In this case I'm being asked to install the vault door on the vault - i.e. the technical implementation. Not simply the security guard.

                          Dashrender @dbeato

                          @dbeato said in Force USB encryption Windows and Mac:

                          On the technical aspect of the request it should be easy to enforce in a Microsoft AD Environment as below:
                          https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11).
                          https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)#grouppolicydeviceinstall_topic3c

                          The challenge is on Mac with FileVault. I will look into what I have with Sophos as I use them for this. However your policy should be enough.

                          While I agree that a policy SHOULD be enough - they specifically said - technical.

                          FYI - No AD in this environment.

                            Dashrender @dbeato

                            @dbeato said in Force USB encryption Windows and Mac:

                            I also would think they want your devices in the office to be Encrypted at a minimum as well.

                            You know - you would think, but they haven't breathed a word on that...

                              DustinB3403 @Dashrender

                              @Dashrender said in Force USB encryption Windows and Mac:

                              You know - you would think, but they haven't breathed a word on that...

                              Because they don't know about it, so just keep quiet on it.

                                Dashrender @dbeato

                                @dbeato said in Force USB encryption Windows and Mac:

                                @Dashrender said in Force USB encryption Windows and Mac:

                                @DustinB3403 said in Force USB encryption Windows and Mac:

                                @Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.

                                It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.

                                Edited in bold.

                                You're assuming that a policy is simply good enough for the insurance company... if they come back with Product X satisfies the technical requirements, then clearly, policy alone does not solve the problem to their requirements.

                                So I am thinking they have a technical requirement hence why you are asking right?

                                yeah - I quoted it above... they basically said - policy is not good enough - we want to see a technical solution.

                                  Dashrender @DustinB3403

                                  @DustinB3403 said in Force USB encryption Windows and Mac:

                                  @Dashrender said in Force USB encryption Windows and Mac:

                                  You know - you would think, but they haven't breathed a word on that...

                                  Because they don't know about it, so just keep quiet on it.

                                  That is my current plan.

                                    dbeato @Dashrender

                                    @Dashrender said in Force USB encryption Windows and Mac:

                                    @dbeato said in Force USB encryption Windows and Mac:

                                    @Dashrender said in Force USB encryption Windows and Mac:

                                    @DustinB3403 said in Force USB encryption Windows and Mac:

                                    @Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.

                                    It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.

                                    Edited in bold.

                                    You're assuming that a policy is simply good enough for the insurance company... if they come back with Product X satisfies the technical requirements, then clearly, policy alone does not solve the problem to their requirements.

                                    So I am thinking they have a technical requirement hence why you are asking right?

                                    yeah - I quoted it above... they basically said - policy is not good enough - we want to see a technical solution.

                                    My bad.

                                      dbeato @Dashrender

                                      @Dashrender said in Force USB encryption Windows and Mac:

                                      @dbeato said in Force USB encryption Windows and Mac:

                                      On the technical aspect of the request it should be easy to enforce in a Microsoft AD Environment as below:
                                      https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11).
                                      https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)#grouppolicydeviceinstall_topic3c

                                      The challenge is on Mac with FileVault. I will look into what I have with Sophos as I use them for this. However your policy should be enough.

                                      While I agree that a policy SHOULD be enough - they specifically said - technical.

                                      FYI - No AD in this environment.

                                      You can still enforce via local group policy for Windows.

                                        DustinB3403 @Dashrender

                                        @Dashrender said in Force USB encryption Windows and Mac:

                                        we want to see a technical solution.

                                        I also want to see Unicorns and Flying Dragons in the world, doesn't mean such a tool exists or works in a way that would be good for your business.

                                        Just like Unicorns and Flying Dragons may exist in one form, but certainly aren't what many people think about when you say this is my unicorn or see the flying dragon.

                                          Dashrender @dbeato

                                          @dbeato said in Force USB encryption Windows and Mac:

                                          @Dashrender said in Force USB encryption Windows and Mac:

                                          @dbeato said in Force USB encryption Windows and Mac:

                                          On the technical aspect of the request it should be easy to enforce in a Microsoft AD Environment as below:
                                          https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11).
                                          https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)#grouppolicydeviceinstall_topic3c

                                          The challenge is on Mac with FileVault. I will look into what I have with Sophos as I use them for this. However your policy should be enough.

                                          While I agree that a policy SHOULD be enough - they specifically said - technical.

                                          FYI - No AD in this environment.

                                          You can still enforce via local group policy for Windows.

                                          yep... though I would/should use something like Salt or some other agent based solution to push out changes for this if for no other reason than consistency.

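The Windows side of the exchange above (no AD, machine-local policy, pushed by an agent), sketched as an added example that is not from any poster in this thread. It assumes the setting meant is "Deny write access to removable drives not protected by BitLocker" and that its backing registry value is `RDVDenyWriteAccess`; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. The key and value name below are
# assumed to be the ones behind the BitLocker policy "Deny write access to
# removable drives not protected by BitLocker"; check them against the
# BitLocker Group Policy reference linked earlier in the thread before rollout.

$FveKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Set-RemovableWriteProtection {
    # Idempotent, so a configuration agent can re-apply it on every run.
    if (-not (Test-Path $FveKey)) { New-Item -Path $FveKey -Force | Out-Null }
    New-ItemProperty -Path $FveKey -Name 'RDVDenyWriteAccess' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Test-RemovableWriteProtection {
    # True only when the value exists and is set to 1.
    $v = Get-ItemProperty -Path $FveKey -Name 'RDVDenyWriteAccess' `
        -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RDVDenyWriteAccess -eq 1)
}

function Get-RemovableVolumeReport {
    # One row per removable volume that has a drive letter, with its
    # BitLocker state, so the result can be collected as audit evidence.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            # A locked BitLocker drive reports ProtectionStatus 'Unknown',
            # so treat Locked as protected as well.
            $protected = [bool]($bl -and ($bl.ProtectionStatus -eq 'On' -or
                                          $bl.LockStatus -eq 'Locked'))
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Drive      = $mount
                FileSystem = $_.FileSystem
                Protection = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Unknown' }
                Locked     = if ($bl) { "$($bl.LockStatus)" } else { 'Unknown' }
                Compliant  = $protected
            }
        }
}

Set-RemovableWriteProtection
if (-not (Test-RemovableWriteProtection)) { throw 'RDVDenyWriteAccess was not set' }
Get-RemovableVolumeReport | Format-Table -AutoSize
```

This setting mounts unprotected removable drives read-only; it does not stop files being read from them, and it has no effect on the Macs.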
                                            DustinB3403 @scottalanmiller

                                            @scottalanmiller said in Force USB encryption Windows and Mac:

                                            @DustinB3403 said in Force USB encryption Windows and Mac:

                                            @Dashrender said in Force USB encryption Windows and Mac:

                                            @DustinB3403 said in Force USB encryption Windows and Mac:

                                            You would have no way to do this.

                                            You can set up encrypted volumes on USB drives you control, but there would be no way to do this for every USB drive.

                                            This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

                                            I'm wondering if there is some type of MDM/end user device management (something like Intune).

                                            How would it encrypt the drive? That would mean it would realistically ransomware people's devices if they mistakenly plug a personal USB into a work computer.

                                            I think the only option is blocking unencrypted drives. But it wouldn't be encrypted versus not, it would be encrypted by a certain tool or not. That's about the only possible solution.

                                            So the issue here is with the Apple computers, that unless you are granting the user administrative rights, they wouldn't be able to mount the drive, and thus the encrypted data would remain encrypted.

                                            So how would the computer (Windows or otherwise) know "what tool was used"? This is a Schrödinger's cat scenario. You can't know that the data is encrypted, without first opening it up and checking. Which if the computer can just open everything up then it knows how to decrypt every disk and volume that may come in contact with said system.

                                            Which essentially means a backdoor so your users can't go dark.
