Portable USB flash drives have become an integral part of the workspace for many people. Ease of use, form factor, capacity and simplicity have made USB storage a disruptive and pervasive technology over the last few years. USB-attached devices come in many forms, including small external hard drives, card readers, cameras and mobile phones, to mention a few. With these benefits have come significant challenges from a security perspective, most notably the ability of USB-based devices to circumvent an organization's existing security controls.
In this tip, we'll review how to use Group Policy to secure and restrict USB devices in your organization.
USB data security threats
The security threats posed to companies by USB flash drives have been known for some time. They range from spreading viruses and other malicious software to data theft and data loss. In my experience, most malicious code is introduced by accident and without the end user's knowledge: a USB-based device contains a malicious program that copies itself onto a laptop or PC, searches the computer for confidential information and transfers it to an unauthorized third party. Short of physically disabling every USB port in your environment, these risks are very hard to defend against unless device use is controlled centrally.
Restricting USB devices in your environment is a challenge. To establish a minimum level of security, it is absolutely necessary to control which users can connect USB memory sticks to a computer and what type of USB-based devices can connect.
How to use Group Policy to restrict USB devices
While there are many commercial products that can disable USB storage, a simple solution is to extend Group Policy with a custom template that disables USB storage on Windows machines. Group Policy is the de facto tool for managing the configuration of machines on Windows-based networks (i.e., networks that have Active Directory deployed).
To use Group Policy, create a new administrative template (.adm file) that defines a policy setting for disabling the usbstor.sys driver on Windows machines (the setting writes the Start value of the USBSTOR service, which Microsoft's guidance sets to 4 to disable the driver), then import the .adm file into a Group Policy Object (GPO). As administrator you can then disable USB storage on any domain or organizational unit to which the GPO is linked. That setting covers machines where a USB drive has already been installed. To deny installation of USB drives on machines where none has ever been installed, you also need to modify the security on the driver's setup files, Usbstor.inf and Usbstor.pnf in %SystemRoot%\Inf. Right-click each file and select "Properties." In the "Properties" window, choose the "Security" tab, select the group containing the users you want to block from installing USB drives, and tick the "Deny" box for the "Full Control" permission. Apply the deny to the user group only, never to SYSTEM or Administrators, or Windows itself can no longer read the files.
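The administrative template described above, as an added example that is not the author's file: a PowerShell script that writes a minimal .adm template for the usbstor.sys setting. The category and policy names are my own labels; the registry key and the Start values (4 = disabled, 3 = manual, the Windows default for USBSTOR) follow Microsoft's published guidance. The output path is an assumption.

```powershell
# Added example, not from the original article. Generates the custom .adm
# template that disables the usbstor.sys driver through the USBSTOR service's
# Start value. Category/policy names are placeholders; the key and values are
# Microsoft's documented ones (Start = 4 disabled, Start = 3 manual/default).

$AdmPath = Join-Path $env:TEMP 'DisableUsbStorage.adm'   # assumed output location

# Single-quoted here-string so nothing inside is interpolated by PowerShell.
$AdmTemplate = @'
CLASS MACHINE

CATEGORY !!CatName
  POLICY !!PolName
    ; KEYNAME is relative to HKEY_LOCAL_MACHINE for CLASS MACHINE
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    EXPLAIN !!PolExplain
    VALUENAME "Start"
    VALUEON  NUMERIC 4
    VALUEOFF NUMERIC 3
  END POLICY
END CATEGORY

[strings]
CatName="Custom Device Restrictions"
PolName="Disable USB storage driver (usbstor.sys)"
PolExplain="Enabled sets the USBSTOR service Start value to 4 (Disabled), so the driver no longer loads for USB disks. Disabled restores the default of 3 (Manual). Only affects machines on which a USB drive has already been installed; deny access to Usbstor.inf and Usbstor.pnf to block first-time installation."
'@

# The Group Policy editor reads legacy .adm files as ANSI text.
Set-Content -Path $AdmPath -Value $AdmTemplate -Encoding Ascii

Write-Host "Template written to $AdmPath"
Write-Host 'Import it in the GPO editor: right-click Administrative Templates -> Add/Remove Templates.'
```

Two caveats a practitioner will hit. Because the key is not under a Policies branch, the editor classes this setting as a "preference": it is hidden until you clear "Only show policy settings that can be fully managed" under View > Filtering, and the value tattoos the registry, so unlinking the GPO does not restore Start = 3; set the policy to Disabled first. The change takes effect for drives plugged in after the next policy refresh, not for a drive that is already mounted.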
With Windows Vista, Microsoft implemented a much more granular method for controlling USB disks via GPO: the Device Installation Restrictions settings under Computer Configuration > Administrative Templates > System > Device Installation. If you have Windows Vista computers in your organization, edit the GPO from one of the Vista machines (so the Vista templates are available) to control users' ability to install and use USB disks. In addition, you can control exactly which devices can or cannot be used on their machines, creating your own allow and deny lists of USB devices on a case-by-case basis, which provides far greater flexibility than previously available.
With this method you need to discover the hardware ID for the device, which is then used in the policy to allow or deny it. The catch is that Windows only shows the ID once the device has been installed, so you need a test computer on which you can install it. Follow these steps to discover the hardware ID of an installed device:
- Open Device Manager from the Control Panel.
- Find the device in the list. A USB flash drive appears under "Disk drives" (the disk that usbstor.sys exposes) and also under "Universal Serial Bus controllers" as "USB Mass Storage Device"; either entry carries IDs you can use.
- Right-click the USB device and select "Properties," which will open up the device property sheet.
- Select the "Details" tab from the USB Properties sheet.
- Click the dropdown list labeled "Property."
- Select the "Hardware Ids" option.
The hardware ID is what you enter in the GPO. For a USB flash drive it is a string such as USB\VID_xxxx&PID_xxxx (the USB device, where the vendor and product IDs identify the model) or a USBSTOR\Disk-prefixed ID (the disk it exposes); a shorter, less specific ID matches more devices. Like any Group Policy setting this requires a domain-joined machine, and the Device Installation Restrictions settings themselves apply only to Windows Vista and later.
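The discovery procedure above, as an added example that is not part of the original article: a PowerShell script, run on the test computer, that lists the same hardware IDs Device Manager shows and then stages a deny list in the local registry location that the Vista Device Installation Restrictions policy writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions), so a rule can be tried on one machine before it goes into a domain GPO. The function names are mine; it assumes an elevated Windows PowerShell session with WMI available.

```powershell
# Added example, not from the original article. Enumerates USB storage hardware
# IDs on a test computer and writes them to the local equivalent of the
# "Prevent installation of devices that match any of these device IDs" policy.
# Assumptions: elevated Windows PowerShell; registry paths are the ones the
# DeviceInstallation policy template uses.

function Get-UsbStorageHardwareId {
    # Win32_PnPEntity.HardwareID is the same list Device Manager shows under
    # Details -> Hardware Ids. A USB flash drive appears twice: the USB device
    # (instance path USB\VID_xxxx&PID_xxxx\serial) and the disk usbstor.sys
    # exposes (instance path starting with USBSTOR\DISK&VEN_).
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USB\VID_*' -or $_.DeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            $entity = $_
            foreach ($id in $entity.HardwareID) {
                New-Object PSObject -Property @{ Name = $entity.Name; HardwareId = $id }
            }
        }
}

function Set-LocalDeviceDenyList {
    param(
        [Parameter(Mandatory=$true)][string[]]$HardwareIds,
        [switch]$ApplyToInstalled   # "Also apply to matching devices that are already installed"
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $list = Join-Path $base 'DenyDeviceIDs'
    New-Item -Path $list -Force | Out-Null

    # DenyDeviceIDs = 1 enables the setting; the IDs live in the subkey of the
    # same name as string values named "1", "2", ... in list order.
    Set-ItemProperty -Path $base -Name 'DenyDeviceIDs' -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name 'DenyDeviceIDsRetroactive' `
        -Value ([int]$ApplyToInstalled.IsPresent) -Type DWord

    $i = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path $list -Name ([string]$i) -Value $id -Type String
        $i++
    }
}

# Usage on the test computer: list the IDs, then choose how broad the rule is.
# USB\VID_xxxx&PID_xxxx&REV_xxxx matches one firmware revision of one model,
# USB\VID_xxxx&PID_xxxx matches the model, and the compatible ID USBSTOR\Disk
# matches every USB mass-storage disk regardless of vendor.
Get-UsbStorageHardwareId | Format-Table -AutoSize

# Example rule: block all USB mass-storage disks, including ones already
# installed, which Windows then refuses to start on next plug-in.
Set-LocalDeviceDenyList -HardwareIds @('USBSTOR\Disk') -ApplyToInstalled
```

When the same IDs are entered in the domain GPO, pair the deny rule with "Allow administrators to override Device Installation Restriction policies" so support staff can still attach an approved drive, and refresh policy (gpupdate /force) on the test computer before plugging the device in again to confirm Device Manager reports it as blocked by policy.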
Windows 2000 and XP restrict USB device installation differently from Vista. If the device is already installed, you have two options. One is to uninstall the USB drive, which returns the computer to the state of never having had the drive installed. (This is not a desirable option: it is difficult to manage and impossible to implement in a large organization.) The other is to modify the registry so the driver no longer loads, by setting the Start value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR to 4 (Disabled). This can be done manually, via a script, or by using Group Policy, either with the "Registry" item in Group Policy Preferences or by customizing an ADM template and importing it into a GPO, as Microsoft details.
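The scripted form of the Windows 2000/XP method, covering both the INF-file deny described under "How to use Group Policy to restrict USB devices" and the registry change described just above, as an added example that is not the author's script. It disables the usbstor.sys service for drives that are already installed, denies a user group access to the USBSTOR setup files so new drives cannot be installed, and then verifies both. It assumes a local administrator session; 'CORP\USB-Restricted' is a placeholder group name.

```powershell
# Added example, not from the original article. Applies and verifies the
# registry and file-permission restrictions for USB storage on Windows 2000/XP.
# Assumptions: run as local administrator; 'CORP\USB-Restricted' is a
# placeholder for the group that must not use USB drives.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$InfFiles   = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf")

function Disable-UsbStorageDriver {
    # Start = 4 is SERVICE_DISABLED; the Windows default for USBSTOR is 3
    # (loaded on demand when a USB disk is plugged in). The key only exists
    # once a USB drive has been installed at least once.
    if (-not (Test-Path $UsbStorKey)) {
        Write-Warning 'USBSTOR has never been installed here; the INF deny below is what blocks it.'
        return
    }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Deny-UsbStorageInstall {
    param([Parameter(Mandatory=$true)][string]$Group)
    foreach ($file in $InfFiles) {
        # usbstor.pnf is only present once Windows has precompiled the INF.
        if (-not (Test-Path $file)) { continue }
        $acl  = Get-Acl -Path $file
        # Deny Full Control to the user group only. Never deny SYSTEM or
        # Administrators: Windows itself must still be able to read the files.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $Group, 'FullControl', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $file -AclObject $acl
    }
}

function Test-UsbStorageRestricted {
    param([Parameter(Mandatory=$true)][string]$Group)
    $start = $null
    if (Test-Path $UsbStorKey) {
        $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    }
    $denied = @{}
    foreach ($file in $InfFiles) {
        if (-not (Test-Path $file)) { continue }
        $acl = Get-Acl -Path $file
        $denied[$file] = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $Group -and
            $_.FileSystemRights -eq 'FullControl'
        })
    }
    New-Object PSObject -Property @{
        UsbStorStart = $start     # 4 means the driver is disabled
        InfDenied    = $denied    # one entry per INF file found
    }
}

Disable-UsbStorageDriver
Deny-UsbStorageInstall -Group 'CORP\USB-Restricted'
Test-UsbStorageRestricted -Group 'CORP\USB-Restricted'
```

The Start value only prevents the driver from loading for drives plugged in afterwards; a drive that is already mounted stays accessible until it is removed, so reboot or eject it as part of the rollout. Both changes tattoo the machine: if you later relax the restriction, restore Start to 3 and remove the deny entry explicitly, because unlinking a GPO or deleting the script does not undo them.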
Policy before technology
The first place any organization should start, however, is to determine whether a formal policy is in place regarding portable USB flash drives. If not, create one; if one already exists, ask yourself whether it is appropriate. Does it address misuse and give employees clear guidance on what they can and cannot use portable USB flash drives for? Does it outline the consequences of misuse? The misuse of technology like USB drives is generally not solved through more technology; it is fundamentally a management issue and needs to be addressed at the policies and procedures level first, before deploying technology-based solutions.
If you need additional information on the step-by-step process for implementing Windows GPO in your environment, visit Microsoft support and search under Windows GPOs to access installation and configuration guides for various types of Microsoft environments and configurations in addition to useful FAQs.
About the author:
Robbie Higgins is vice president of security services at GlassHouse Technologies. Higgins has spent his entire professional career in the technology arena, focusing predominantly on the alignment of information technology and information security with business requirements. For more than 16 years, he has been a significant contributor to major global corporations, most notably Motorola and Intel. He has held a wide range of positions, including product engineer, information technology business development and director of information security. In his most recent role as managing director of the Security Services division within Motorola, he was responsible for the development and delivery of professional services, managed services and security solutions across all business units serving telecom, enterprise and government markets.
This was first published in July 2010