I hope this is not out of topic (if it is, is there a good forum where these questions could be answered?)
I would like to be able to manage USB flash drives, detect their insertion and removal, and automatically encrypt data sent to the USB device.
I would also like to be able to verify the MAC address of the PC and log events in some PC file (hour of insertion, removal, encryption, etc.).
What is the best technological solutions for this given that I would prefer to use C# (but could use C/C++ if nothing else is available) and an encryption library like System.Security.Cryptography for AES 256?
Do I have to write a driver? Or could a service [a daemon in Unix parlance] intercept all the calls needed to do this?
If it is a driver should/could it be a user-mode client driver? A kernel-mode client driver? Is WDK the framework one should use?
>What is the best technological solutions for this given that I would prefer to use C# (but could use
C/C++ if nothing else is available)
Do I have to write a driver? Or could a service [a daemon in Unix parlance] intercept all the calls needed
to do this? If it is a driver should/could it be a user-mode client driver? A kernel-mode client driver?
Is WDK the framework one should use?
Sorry, but judging from the way you have presented your questions " the best technological solution" here is just to hire someone to do this job if you want it to be accomplished within a reasonable timeframe…
Can the whole solution mentioned above be done using User mode drivers?
What if the application needed to block all ports except those where an appropriate USB key has been inserted? Appropriate meaning for instance a USB key with a valid serial number.
wrote in message news:xxxxx@ntdev… > Can the whole solution mentioned above be done using User mode drivers? > > What if the application needed to block all ports except those where an appropriate USB key has been inserted? Appropriate meaning for instance a USB key with a valid serial number. > > >
wrote in message news:xxxxx@ntdev… > Can the whole solution mentioned above be done using User mode drivers? > > What if the application needed to block all ports except those where an > appropriate USB key has been inserted? Appropriate meaning for instance a > USB key with a valid serial number. >
Maybe the simplest solution is patching the INF file of USB storage so that the devices will be not detected by their class, but only by hardware IDs. If your USB drives have “serial numbers”, IT even can preinstall the driver for end users.
However, keep in mind that hardware IDs and “serial numbers” can be forged, and it is not too hard (-_-). For a more serious solution, you possibly want a hardened computer platform that has BIOS and hardware support.
That doesn’t work. UsbStor is inbox and you just made it unsigned.
Bitlocker is already available as a disk level encryption service. I’d go
with the zero development option.
Mark Roddy
On Fri, Sep 24, 2010 at 7:17 AM, Pavel A. wrote:
> wrote in message news:xxxxx@ntdev… > >> Can the whole solution mentioned above be done using User mode drivers? >> >> What if the application needed to block all ports except those where an >> appropriate USB key has been inserted? Appropriate meaning for instance a >> USB key with a valid serial number. >> >> > Maybe the simplest solution is patching the INF file of USB storage > so that the devices will be not detected by their class, but only by > hardware IDs. If your USB drives have “serial numbers”, IT even can > preinstall the driver for end users. > > However, keep in mind that hardware IDs and “serial numbers” can be > forged, and it is not too hard (-_-). For a more serious solution, you > possibly want > a hardened computer platform that has BIOS and hardware support. > > Regards, > --pa > > > > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
“Maxim S. Shatskih” wrote in message news:xxxxx@ntdev… >> Maybe the simplest solution is patching the INF file of USB storage > > Is it not signed by come .cat?
Of course it is signed and a change will break the signature. But on XP system, the IT (administrator) can still install what the end user needs, and on later systems IT may be able to re-sign with their own certificate or temporary restore the original inf & cat. This is not a serious security anyway, just a quick hack to avoid writing kernel code.
I have no idea of what you’re trying to do or what your contractual
obligations are, but if that’s the only reason you’re not willing to use
BitLocker, there are other options. PGP Whole Disk Encryption, for example,
works on all versions of Windows (or close to that) from W2KSP4 forward, as
well as Mac OS X and some strains of Linux (recent builds of Ubuntu and
Fedora, probably among others).
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hapax.qc.ca
Sent: Friday, September 24, 2010 3:04 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Best technical solution, advice?
"Bitlocker is already available as a disk level encryption service. I’d go
with the zero development option. "
I believe Bitlocker is not supported by Windows XP, and I have thousands of
machine on XP that need to be supported.
“If such a mechanism is too unflexible - then writing a filter is the only chance.”
May I ask why? What does a filter offer in this case that a User mode driver would not?
* any necessary functionality?
* easier debugging?
* easier development?
* more security against crashing?
Let me be even more heretical, why not build on top on WinUSB? (I want to be the only application/driver speaking to all USB flash drives or at least everything has to go through that driver.)
You can’t write a user mode driver for the storage stack. You can write user
mode drivers for some usb devices, but that set of devices does not include
storage.
Mark Roddy
On Fri, Sep 24, 2010 at 3:52 PM, wrote:
> Maxim wrote : > > “If such a mechanism is too unflexible - then writing a filter is the only > chance.” > > May I ask why? What does a filter offer in this case that a User mode > driver would not? > > * any necessary functionality? > * easier debugging? > * easier development? > * more security against crashing? > > Let me be even more heretical, why not build on top on WinUSB? (I want to > be the only application/driver speaking to all USB flash drives or at least > everything has to go through that driver.) > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
If such a mechanism is too unflexible - then writing a filter is the only chance.
Did you mean a minifilter? Or a KMDF driver like Toaster Filter?
Why the one and not the other?
At the stage the only thing I really need to do, if disable USB ports with unauthorized USB flash drives. Encryption could be done in an application (in user mode) as a first step.
> Did you mean a minifilter? Or a KMDF driver like Toaster Filter? Why the one and not the other?
Because everything depends on what stack you are about to filter. For example, minifilter applies only to FSD stack - if you want to filter the storage one you need a storage filter…
At the stage the only thing I really need to do, if disable USB ports with unauthorized USB flash drives.
I guess this is NOT what one normally wants in your situation…
Please read the advice that I gave you earlier on this thread once again. If this advice is unacceptable to you for some reason…well, then get ready to do A LOT of studies and don’t expect to produce a workable driver anytime soon …
If you want to allow a certain flash drive, an administrator can install the instance. Other drives won’t be installed automatically. Non-administrator won’t be able to install and use a random drive.
Yes well suppose you want to allow the automatic installation of
‘some’ usb flash drives without administrator intervention? I believe
that is a reasonable use case and is more or less what the OP is
trying to do.
Mark Roddy
On Wed, Sep 29, 2010 at 12:59 PM, wrote: >>Of all USB flash drives, as far as I know. > > If you want to allow a certain flash drive, an administrator can install the instance. Other drives won’t be installed automatically. Non-administrator won’t be able to install and use a random drive. > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer >