9

How can I prevent network administrators from accessing, mapping to etc. a USB drive that's in a PC on their network?

I'm mainly concerned about files being edited or deleted.

Rose
  • 405
  • 1
  • 4
  • 9
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/21855/discussion-on-question-by-rose-how-to-prevent-network-administrators-from-access). – Rory Alsop Mar 11 '15 at 13:38

4 Answers4

28

You effectively can't. If you're on somebody else's machine and they have administrative rights to it, then that's the game.

The quite fancy answer be mandatory access control systems like SELinux which hold a concept higher than root that would at least require a reboot and direct system access to change the settings.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
  • 9
    But you wouldn't be able to definitively tell whether such a system was enabled. (they might have patched the kernel to lie) – user253751 Mar 09 '15 at 23:17
  • @immibis if you are worried that your workers have patched/rooted your servers... you have bigger issues. Like why you haven't fired someone you distrust that much? – WernerCD Mar 10 '15 at 04:24
  • 8
    @WernerCD You have this the wrong way around... the *system administrator* might have patched the kernel to lie, so that the kernel tells workers that the system administrator is unable to access their files, when actually he is. – user253751 Mar 10 '15 at 04:27
  • 4
    The question you should really be asking is why does the system admin feel the need to patch the kernel to lie in the first place. – Virusboy Mar 10 '15 at 14:39
  • 4
    @Virusboy: and the question the system admin should really be asking is why the questioner feels the need to restrict admin access to stuff on the network ;-) Fortunately this is really about how, not why. – Steve Jessop Mar 11 '15 at 01:07
11

Seems pretty obvious that you could just disconnect the network cable. Plug in the USB, Dump/Upload files, eject the USB, then reconnect to the network.

This should prevent them from having any kind of access to the drive (read or write)

Unless they own the computers AND have some mechanism to download everything on any connected usb device (which is highly unlikely), there isn't much they can do on a machine that's not connected to their net...

Not exactly high tech, but it will certainly do the trick.

Jay Holister
  • 317
  • 3
  • 8
  • 2
    It's not as unlikely as you think. There's at least a few reasons I can think of why you might want to check what's on devices being attached to your network. – Sobrique Mar 10 '15 at 19:39
  • @Sobrique Checking/Recording what type of devices are connected is quite common, however downloading or modifying the contents of said devices isn't. – Jay Holister Mar 11 '15 at 00:12
  • 1
    Isn't _common_ but isn't _unlikely_ either. Consider anywhere concerned about IP theft, or just a policy that all storage attached to systems must be virus scanned. – Sobrique Mar 11 '15 at 09:14
  • It's quite silly to argue semantics here. But when something is uncommon it's also statistically unlikely to be implemented. As for places concerned with Intellectual Property Theft or Malware, it's more likely that they would have a policy to selectively disable USB storage outright, in which case this would be a non-issue to begin with. – Jay Holister Mar 11 '15 at 23:30
10

A combination of two USB drives and a hub might be a good solution

enter image description here

enter image description here

Use the write-protected USB drive for any data that you dont want to get sabotaged and the other USB drive for anything you want to save and take with you home.

Ulkoma
  • 8,793
  • 16
  • 66
  • 95
5

If you are only concerned about write operations, you could buy a cheap SD card and a USB reader. SD cards have a physical "Write protect" switch on the side. You may be able to find physically write-protectable USB drives too. If all fails, use a good ol' DVD.

Azsgy
  • 151
  • 3
  • 4
    most cheap usb sd readers (every one I have used) ignores the write protect. – hildred Mar 10 '15 at 00:12
  • 3
    Please note that the switch is physical but the write protection is done by software. All this little switch does is say "please don't write on this device". It's not connected to anything, it's just a flag, so it can't enforce write protection. – mimipc Mar 10 '15 at 14:33
  • 3
    @mimipc: To be precise, the SD specifications say that the host MUST detect the switch position and MAY NOT write to a read-only SD card. That does not bar the SD card from being paranoid and having a true read-only switch. No standard-compliant host would be affected by this. Most SD cards of course are cheap and do not have such a physical switch. – MSalters Mar 10 '15 at 15:26
  • 1
    Use a floppy disk. Or a ZIP drive. Yes, those are old, but they are mechanically blocked in a way that no software override will allow to write into the media. Another solution is a tape recorder. But if you want to use recent technology, format it with NTFS and set the permissions to only let a specific user to write on it. – Ismael Miguel Mar 10 '15 at 16:34