Controls & restrictions at the workplace

All offices have numerous controls & restrictions in place to avoid or reduce the obvious misuse of the facilities offered for work. Restricting access to hardware devices (like CD/DVD drives and USB ports), restricting internet access, blocking or limiting uploads & downloads, and allowing only approved software to be installed are all very common. Deploying & administering such controls & restrictions is also relatively easy today, especially with the system-administrator-friendly tools & utilities now available.

However, my primary thought was that no such controlling software utility can be robust enough; and I proved myself right when I was able to (rather easily) break through 2 such strong products (Eureka moment! ;-)). One of the products is a resource-hogging anti-virus software (forced onto my computer by my office policy!) and the other is an endpoint device blocking system. Me, a tiny petty hacker compared to the grandmasters of the underground, being able to do this meant such product developers have *work* to do! 😉

Almost all these utilities do the following to block the unwanted devices and secure their own files/services:

  • The device blocking utilities hook themselves into the OS and intercept any calls to the devices they are programmed to block. They detect & allow valid calls to the devices, while blocking the unwanted ones. So, if a USB blocking utility intercepts a new USB device being connected, it checks whether it's an allowed device (like a USB mouse or a USB keyboard) or one of the devices to be restricted (like a USB stick, an iPod or an external USB Hard Disk Drive (HDD)) and behaves accordingly. The utility passes the allowed device calls through to the OS’s handler and discards the other calls to achieve its purpose.
  • These utilities are typically developed as Windows services that run at Windows startup. These services cannot be started or stopped by the user.
  • For better security, these utilities also have a separate process, thread or service that polls to check whether the primary service is running. If it finds the service stopped, it restarts the service immediately.
  • These utilities also block access to their installation folders/directories, so that there’s no way one can venture into the directory and delete/rename/tamper with the files. The block is typically in place even in safe mode or command prompt mode. Probably, if the HDD is connected to another computer as a secondary drive, the folder restrictions would not apply. (Haven’t tried it myself.)

I’ll talk about the endpoint device blocking product, GFI EndPoint Security (to block iPods, USB Sticks & other such endpoint devices). You can review the $25 per computer product’s features here.

NOTE/DISCLAIMER: I strongly advise you against doing the following on your office computer, to avoid breaching your office’s security policy & inviting serious trouble for yourself. Well, we can argue about this; however, I didn’t disable the GFI product to forcibly breach my office policies. I had received an external USB HDD from our Las Vegas office and wanted to access it from my machine. Me disliking any controls and/or restrictions, and me being anxious/desperate to break out of the virtual chains, are ‘tangential’ here, if I may plead so. 😉  I was testing the ‘strength’ of the security products, as well as my skills. 😛

All I needed was one free & powerful utility, Process Explorer, from Windows Sysinternals (erstwhile SysInternals.com by Mark Russinovich & Bryce Cogswell).

  • I launched Process Explorer and suspended GFI’s monitoring service (I am not going to name the service here).
  • Next I launched the Windows Services Manager & changed the “Startup Type” to “Disabled” for the GFI service. The service was left running, untouched. Alternatively, you can also use the AutoRuns utility, again from Windows Sysinternals, to disable the service.
  • Finally, I just restarted the computer, and it came up with GFI’s monitoring service successfully disabled.
  • I then renamed the folder, to ensure the service wouldn’t start again *if* the office’s network policy re-enabled it when it was redeployed afresh to my computer.

That was all! FREEDOM for my computer’s 4 USB ports! 😀
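Seen from the administrator's side, two of the steps listed above leave records in the Windows System event log: the start-type change (Service Control Manager event 7040) and the next boot (event 6005) on which the agent never reports the running state (event 7036). The following is an added example, not part of the original post or of any GFI tooling; the service name `Example Endpoint Agent` is a placeholder and the log records are constructed for illustration.

```python
import re

# Placeholder display name; the post deliberately does not name the real service.
WATCHED = {"Example Endpoint Agent"}

# Constructed sample records: (timestamp, event ID, message) as they would
# appear in the System log. 6005 marks a boot; 7036/7040 come from the
# Service Control Manager.
SAMPLE_EVENTS = [
    ("2009-03-02T09:00:05", 6005, "The Event log service was started."),
    ("2009-03-02T09:00:40", 7036,
     "The Example Endpoint Agent service entered the running state."),
    ("2009-03-02T14:12:10", 7040,
     "The start type of the Example Endpoint Agent service was changed "
     "from auto start to disabled."),
    ("2009-03-02T14:15:00", 6005, "The Event log service was started."),
    ("2009-03-02T14:15:30", 7036,
     "The Print Spooler service entered the running state."),
]

START_TYPE = re.compile(
    r"The start type of the (.+) service was changed from (.+) to (.+)\.")
STATE = re.compile(r"The (.+) service entered the (.+) state\.")

def find_tampering(events, watched=WATCHED):
    """Return (timestamp, service, reason) alerts for watched services."""
    alerts, boot_time, running = [], None, set()
    # A trailing sentinel boot record closes the final boot session.
    for ts, event_id, msg in list(events) + [(None, 6005, "")]:
        if event_id == 6005:
            if boot_time is not None:
                # Boot session ended: which watched services never started?
                for name in sorted(watched - running):
                    alerts.append((boot_time, name,
                                   "never reached running state after boot"))
            boot_time, running = ts, set()
        elif event_id == 7040 and (m := START_TYPE.match(msg)):
            name, old, new = m.groups()
            if name in watched and new == "disabled":
                alerts.append(
                    (ts, name, f"start type changed from {old} to disabled"))
        elif event_id == 7036 and (m := STATE.match(msg)):
            if m.group(2) == "running":
                running.add(m.group(1))
    return alerts
```

The check only means something if the logs are forwarded off the workstation, since a user with local administrator rights can also alter what is stored locally.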

Similarly (not the exact same method), I was also able to disable the McAfee VirusScan which used to hog my CPU (90-95%) & RAM (upwards of 180 MB) whenever I used Microsoft Outlook or opened/extracted any ZIP/RAR files. There probably is a leak in their real-time scanning module, in the version we have at the office, or the problem occurs only on Windows Vista (which I use); because the hogging is comparatively low on my colleagues’ Windows XP Pro computers.

Nevertheless, instead of implementing such controls & restrictions, if companies undertook regular education of their employees on workplace ethics, I think it would go a long way. This is just like the traffic policemen standing *after* the traffic signal posts or in the *middle* of the one-ways, to catch the violators & “extort” fines/bribes. Instead (& I always crib about this), why can’t the traffic policemen stand *at* the traffic signal and STOP the potential violators from breaking the law in the first place? Similarly, they should stop any drivers from entering a one-way in the first place. This topic is for another blog; however, I couldn’t avoid blurting it out.

5 thoughts on “Controls & restrictions at the workplace”

  1. A decent operating system should be able to restrict resource access, especially I/O systems, in an integrated OS security layer. This way the administrator can restrict who can have what. It is always safer to use built-in security because it can be very robust.

    Adding another layer of security is like putting a 9 lever lock on a house with glass door. It is easier to break the door than breaking the lock.

    I am not sure whether it is by mistake or on purpose, but the Windows clients used in software and other companies are configured in a way that the user is an administrator for the machine. This is where the problem starts. I was told that most of the development applications require administrative access to run. If that is the case, there is not much one can do about it.

    On the other hand if it is done for convenience (who is going to take care of the 100+ machines for trivial issues ?), then the sysadmins of the companies should educate themselves better.

    I am not a system administrator. I use the Ubuntu distribution at home. I do ‘experiments’ with Java at home. It is possible for the developer user to install IDEs, Tomcat servers and other tools locally to the user. The other user will not have any access to such things. Both users are not root. In fact I could even prevent one of the users from accessing CD drives, pen drives, internet etc. if I need to.

    I am not sure how it works in Windows. Maybe your company should invest some time to figure out ways to do this than installing costly third party applications.

    Or can switch to Ubuntu 🙂

  2. I’ve been fortunate enough not to work in companies that put down all such restrictions. I always make bindaas use of USB drives, DVD / CD Burners bindaas of my office Macs and Mac books 🙂

    Teaching folks workplace ethics is an excellent idea. Adding to that, teaching workplace etiquette is also necessary. I’m stressing on etiquette coz I used to have bad experiences with a lady in my team in my previous company. So manner-less that she would put both her arms behind her head, while wearing a sleeveless top. You wouldn’t know where to look while talking to her. It’s as if she is asking: look at my armpits and guess when I last shaved? Man !! that was gross…

  3. Hi,

    I can say that your skills were better than the strength of your security products [in the above scenario], but could have been difficult if there was strong Windows Domain security implemented via group policy.

    1. We’re a software development company and for a majority of the tasks we do, we need administrative rights.

      And the purpose of the article was NOT to highlight Windows’ weaknesses.
