Tag Archives: Endpoint

Controls & restrictions at the workplace

All offices have numerous controls & restrictions in place, to avoid/reduce the obvious misuse of the facilities offered for work. Access restrictions to hardware device(s) (like CD/DVD Drives, USB ports), restrictions accessing the internet, blocking/limiting uploads & downloads, to only allow restricted software to be installed, and likewise; are very common. Deploying & administering such controls & restrictions are also relative easy today, especially with the system administrator-friendly tools & utilities available today.

However, my primary thought was, no such controlling software utility can be robust enough; And I proved myself right when I was able to (rather easily) break through 2 such strong products (Eureka moment! ;-)). One of the products is a resource hogging anti-virus software (forced onto my computer by my office policy!) and another is an endpoint device blocking system. Me; a tiny petty hacker as compared to the grandmasters of the underground; being able to do this – meant such product developers have *work* to do! ūüėČ

Almost all these utilities do the following to block the unwanted devices and secure their own files/services:

  • The device blocking utilities hook-up themselves to the OS and intercept any calls to the devices they are programmed to block. They detect & allow valid calls to the devices, while blocking the unwanted ones. So – if a USB blocking utility intercepts a new USB device being connected; it checks if its an allowed device – like a USB mouse or a USB keyboard; or if its one of the devices to be restricted – like a USB Stick or an iPod or an external USB Hard Disk Drive (HDD) – and behaves accordingly. The utility passes the allowed device calls¬†through to the OS’s handler, and discards the other calls – to achieve its purpose.
  • These utilities are typically developed as a Windows service which run at the Windows startup. These services cannot be started or stopped by the user.
  • To employ better security these utilities also have a seperate process or a thread or another service running/polling to monitor if the primary service is running. If it finds the service stopped – it restarts the service immediately.
  • These utilities also block the access to its installed folders/directories – such that there’s no way one can venture into the directory and delete/rename/tamper with its files. The blockage is typically in place even in safe-mode or command prompt mode.¬†Probably if the HDD is connected to another computer, as a secondary drive there – the folder restrictions would not apply. (Haven’t tried it myself.)

I’ll talk about the endpoint device blocking product,¬†GFI EndPoint Security (to block iPods, USB Sticks & other such endpoint devices). You can review the $25 per computer product’s features here.

NOTE/DISCLAIMER: I strongly suggest you against doing the following on your office computer – to avoid breach of your office’s security policy¬†&¬†inviting serious trouble for yourself. Well, we can argue about this – however I didn’t disable the GFI product to forcibly breach my office policies, but¬†I had received an external USB HDD from our Las Vegas office, and¬†wanted to access it from my machine.¬†Me; disliking any controls and/or restrictions, and me; being¬†anxious/desperate to break out of the virtual chains – are¬†‘tangential’ here; if I may plead so. ūüėȬ† I was testing the ‘strength’ of the security products, as well as¬†my skills. ūüėõ

All I needed was one free & powerful utility Process Explorer, from Windows Sysinternals (erstwhile SysInternals.com by Mark Russinovich & Bryce Cogswell).

  • I launched the ProcessExplorer and suspended the GFI’s monitoring service (I am not going to name the service here)
  • Next I launched the Windows Services Manager & changed the “Startup Type” to “Disabled”, for the GFI service. The service was left running, untouched. Alternatively, you can also use the AutoRuns utililty from Windows SysInternals again, to disable the service.
  • Finally – just restarted the computer to start to a successfully disabled GFI’s monitoring service.
  • I then renamed the folder name – to ensure it wouldn’t start again – *if*¬†the office’s network policy re-enabled the service when it was redeployed afresh to my computer.

That was all! FREEDOM for my computer’s 4 USB ports! ūüėÄ

Similarly (not the exact same method), I was also able to disable the McAfee Viruscan which used to hog my CPU (90-95%) & RAM (upwards of 180 MB) whenever I used Microsoft Outlook or opened/extracted any ZIP/RAR files. There probably is a leak in their real-time scanning module, in the version we have at the office, or the problem occurs only on Windows Vista (which I use); because the hogging is comparitively low on my colleagues’ Windows XP Pro computers.

Nevertheless, instead of implementing such controls & restrictions, if the companies undertake imparting regular education to their employees on workplace ethics, I think it would go a long way.¬†This is just like the traffic policemen standing *after* the traffic signal posts or in the *middle* of the one-ways,¬†to catch the violaters & “extort” fine/bribes. Instead (& I always crib about this), why can’t the traffic policemen stand *at* the traffic signal and STOP the potential violaters from breaking the law in the first place? Similarly they should stop any drivers from entering into a one-way, in the first place. This topic is for another blog, however couldn’t avoid blurting it out.