What's so bad about USB flash drives? Isn't it great that, for less than $50, I can buy device the size of my thumb that holds 16Gb of emails, product designs, and drafts of confidential memos? In a word, NO.
From an e-discovery perspective, tracking and managing all these potential sources of responsive information is a nightmare. Brad Carlson of Fios, Inc. outlines a helpful process in his article, "Collecting Personal Data for E-Discovery" in Computer Technology Review (you can read it here:
But the sheer scope of the problem is overwhelming. Here at Microsoft, USB flash drives are a frequent promotional giveaway: I've seen flash drive key chains, flash drive Swiss army knives, flash drive flashlights, even a flash drive wristwatch. How can attorneys possibly have any confidence that they've identified all the sources of data they might use in their claim or defense?
I once knew a sys admin who was so concerned about the potential damage those tiny USB drives could cause his organization that he put epoxy into the USB ports of all new laptops that came into his organization!
Needless to say, there's a better way to manage USB devices in Windows Vista and Windows Server 2008.
There's a new set of Group Policy Objects (GPOs) specifically for managing USB devices. If you're not familiar with Group Policy, here's a one sentence description: it lets administrators turn off certain features of Windows in a way that users can't turn them back on. You can learn more at the Group Policy center here:
TechNet Magazine has an article that explains how to use Group Policy to control which USB devices (if any) can connect to the USB ports of Vista machines. The article was written from a security perspective, but it's easy to see how it applies to e-discovery. " Security: Managing Hardware Restrictions via Group Policy"
The controls are quite granular. In a more in-depth article on MSDN, you can learn how to "authorize" USB connections down to the individual device manufacturer's make and model. The article is "Step by Step Guide to Controlling Device Installation Using Group Policy:"
Here are some of the highlights:
- Prevent users from installing any device.
- Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
- Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.
- Deny read or write access to users for devices that are themselves removable, or that use removable media, such as CD and DVD burners, floppy disk drives, external hard drives, and portable devices such as media players, smart phones, or Pocket PC devices.
This gives administrators much more flexibility around using and deploying USB devices in a responsible manner. For instance, you could provide your users with a large "authorized" USB drive that they can use for their local backups. Meanwhile, all other USB drives won't be able to connect to the computer, because of your policy. It's the best of both worlds: you don't have to worry about all those USB thumb drives scattered about, and end users can still enjoy some of the benefits of USB.
No epoxy required!