"usb ports with glue"
Keyboards, Mice, Joysticks for these systems were probably designed with the idea that a USB bus would be available.
It will take a while to replace all of these systems with their non-USB configurations.
Given that Bluetooth is probably a no-no as well, how would one build a system these days that needs to support Mice, Joysticks, and Keyboards without using USB?
A literal chicken-wire-style cage that encloses the PC case, with openings too small to pass the head of a USB device.
The cage would be locked to prevent removal of the machine and have a locked back panel which allows certified staff to install the various USB devices -- with some sort of cage mount inside to loop the cables around, so that a tug from the user wouldn't pull the USB connector from the machine and cause an obnoxious number of calls to 'the guy with the key' to plug a mouse back in.
The cage would neatly deny access to any and every port or drive that may or may not be present in one fell swoop, which would likely simplify OEM contracts and final installation as well as increase security.
You could build the cage physically larger than the general range of whichever flavor(s) of ATX cases are being used, so that the cages could be manufactured in bulk without too much worry about a switch between PC OEMs causing problems.
You could even add a screw-style bracket or two to hold the PC case firm within the cage and put some acoustic foam pads here and there to cut down on any extra noise.
People do this for kiosks (unattended, public use) all the time. It's a good solution for some things.
It's easier to enforce a security policy on well-managed PCs which turn off various ports in software (AND DISABLE AUTORUN!), vs. trying to physically disable them, but DoD also had people go around and epoxy USB ports, or at the very least put foil seals on them. There are problems with this, like the USB CD-ROM token things, and the attack mouse.
One of the few areas of IT security the DoD gets right is physical protection of infrastructure (relatively). Unfortunately, it's usually basically a strong shell with a gooey inside of software/networks, and with big pipes bringing lots of stuff in and out of the shell constantly. Once something bad gets in, it's kind of too late.
There's a lot of awesome new Intel stuff to make PC hardware potentially more secure -- secure boot, CPU features, memory protection, etc. Combined with the right OS, you could go a long way. Unfortunately a lot of people are also against this technology because it has been used for Digital Rights Management (DRM) anti-piracy, other privacy violations, etc. I was really against it for those reasons, but have come to think it would on the whole be a net win for society to have more secure IT, even if not being able to break it so easily means some people can use computers for bad things.
On the topic of disabling autorun, there was a patch earlier this year to disable autorun on non-shiny media by default in XP and Vista (it's already turned off in 7).
Lenovo on their business machines still includes PS/2 ports, and USB can be completely disabled by setting a jumper on the motherboard, or changing a setting in the BIOS.
When asked why, they were told that it was for government contracts, and for businesses that wanted to make sure that USB devices could not just be used at random.
> "usb ports with glue" Keyboards, Mice, Joysticks for these systems were probably designed with the idea that a USB bus would be available.
It's not particularly hard to modify/remove the drivers which make only the USB disks work on Linux. I can't imagine it being much harder on Windows either.
All other USB devices could work, but not external storage.
Even better, the USB drivers could contain a whitelist of device classes for which drivers can be loaded.
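The device-class whitelist idea from the comment above, as an added example that is not code from the thread: it reads the `bInterfaceClass` values Linux exposes under sysfs and flags every device that has any interface outside the allowlist, which also catches a composite device presenting a HID interface alongside storage. The allowlist contents, the function names and the sample tree are assumptions made for illustration; the script only audits and does not block anything.

```python
import os
import tempfile

# Assumed policy: allow HID (0x03) and hubs (0x09); mass storage (0x08) is not listed.
ALLOWED_CLASSES = {0x03, 0x09}

def audit_usb_interfaces(sysfs_root="/sys/bus/usb/devices"):
    """Return (allowed, denied) lists of (interface_name, class) read from sysfs."""
    allowed, denied = [], []
    for entry in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, entry, "bInterfaceClass")
        if not os.path.isfile(path):  # device nodes (e.g. usb1) carry no interface class
            continue
        with open(path) as fh:
            cls = int(fh.read().strip(), 16)  # sysfs stores two hex digits, e.g. "08"
        (allowed if cls in ALLOWED_CLASSES else denied).append((entry, cls))
    return allowed, denied

def devices_to_block(denied):
    """Map denied interfaces to their parent device: '1-2:1.1' -> '1-2'.

    One denied interface condemns the whole device, so a composite
    keyboard-plus-storage gadget does not pass on its HID interface alone.
    """
    return sorted({iface.split(":")[0] for iface, _ in denied})

def build_sample_tree():
    """Constructed sample data: keyboard, composite HID+storage device, flash drive."""
    root = tempfile.mkdtemp()
    sample = {
        "usb1": None,       # root hub device node, no bInterfaceClass file
        "1-1:1.0": "03",    # plain keyboard
        "1-2:1.0": "03",    # composite device: HID interface...
        "1-2:1.1": "08",    # ...plus a mass-storage interface
        "1-3:1.0": "08",    # flash drive
    }
    for name, cls in sample.items():
        os.makedirs(os.path.join(root, name))
        if cls is not None:
            with open(os.path.join(root, name, "bInterfaceClass"), "w") as fh:
                fh.write(cls + "\n")
    return root

if __name__ == "__main__":
    allowed, denied = audit_usb_interfaces(build_sample_tree())
    print("allowed interfaces:", allowed)
    print("devices outside policy:", devices_to_block(denied))
```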