Nowadays, you can connect almost anything to a computer via a USB port. Portable storage devices allow you to keep gigabytes of data on your keychain. Cell phones, cameras and GPS units all use USB ports to charge their batteries, receive updates and transfer data. From the user's perspective, the option is very convenient: it reduces the number of cables you need on your desk and allows the easy transfer of information. From a security perspective, however, it can be a nightmare. Consider the following scenarios:
- A user unfamiliar with proper security controls copies sensitive information to a USB drive without using encryption and then loses the drive on the subway.
- An employee brings a USB drive from home containing information and software related to a child's soccer league, runs it, and unknowingly introduces malware onto the corporate network.
- A member of the cleaning staff with nighttime access to the building uses a USB drive to steal large volumes of development plans, seeking to sell them to a competitor.
In this tip, we take a look at three
Block USB access
Perhaps the most brute-force approach is to block the use of USB drives completely. Certainly, you could do this by physically blocking access to the USB port or disabling the USB adapters through the operating system. However, this is not likely a workable solution, as many keyboards, mice, printers and other peripherals require access to the USB port.
Fortunately, within Microsoft Windows you can prevent users from connecting USB storage devices to a system by changing access permissions to the USBSTOR.PNF and USBSTOR.INF files. This will prevent users from installing new USB storage devices on affected systems. To automate the process, you can deploy the policy through a Windows GPO.
Two important notes for this process:
- This policy should be put in place as you build a new system. If a USB storage device is already configured on the system when the policy is deployed, users will still be able to use that device without policy restrictions.
- If you use GPO, you will need to apply the GPO to computers, rather than users, for it to work properly.
Again, this is the quick-and-dirty (and also free!) approach to the problem. If it doesn't suit your needs, consider the other methods described below.
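The permission change described above, as an added example (not from the original tip): a PowerShell script that denies the Users group read/execute access to Usbstor.inf and Usbstor.pnf so Windows can no longer install the USB mass-storage driver for a device it has not seen before. It assumes the files sit in %SystemRoot%\Inf, that it is run elevated on a freshly built system, and that BUILTIN\Users is the group you want to restrict; it also goes one step past the tip by showing the USBSTOR service Start value, which covers the already-installed devices that the first note above warns the file ACL does not.

```powershell
# Added example; assumes Windows keeps the driver INF files in %SystemRoot%\Inf
# and that this runs in an elevated session.
$infDir = Join-Path $env:SystemRoot 'Inf'
$files  = @('usbstor.inf', 'usbstor.pnf') | ForEach-Object { Join-Path $infDir $_ }
$group  = 'BUILTIN\Users'   # assumption: the group to keep away from USB storage

foreach ($f in $files) {
    # usbstor.pnf is not present on every Windows version; skip rather than fail
    if (-not (Test-Path $f)) { Write-Warning "$f not found, skipping"; continue }

    $acl  = Get-Acl -Path $f
    # Deny read+execute: without it, the driver install for a *new* device fails
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group, 'ReadAndExecute', 'Deny')
    $acl.SetAccessRule($rule)          # replaces any existing rule for this identity
    Set-Acl -Path $f -AclObject $acl
}

# Check: confirm the deny entries actually landed on each file
foreach ($f in $files) {
    if (-not (Test-Path $f)) { continue }
    (Get-Acl -Path $f).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{n = 'File'; e = { Split-Path $f -Leaf }},
                      IdentityReference, FileSystemRights
}

# Caveat from the note above: the ACL only blocks devices that are new to the
# system. A USB storage device already installed keeps working because its
# driver is in place. To stop those too, disable the USBSTOR service itself
# (Start = 4 is disabled; 3 restores the default). This companion control
# comes from Microsoft's USB-storage guidance, not from the tip itself.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
Get-ItemProperty -Path $usbstorKey -Name Start | Select-Object Start
```

When the same change is deployed through a GPO, as the second note above recommends, the equivalent file-system security settings go in a policy linked to computer objects; this script is the hand-applied version for a single system.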
Encrypt USB devices
If your primary concern is protecting the confidentiality of data on your network from disclosure due to accidental loss of a USB device, consider using encryption technology to protect sensitive information stored on portable devices. There are three main strategies to achieve this goal:
- The easiest, most effective and most expensive option is to purchase devices with built-in, strong encryption.
- If you're looking for a less expensive solution, encrypting the filesystem on each device before providing it to users is also easy using the free TrueCrypt Traveler software.
- Finally, if all else fails, you can encrypt individual files before copying them to a USB device.
For more information on these three options, see the tip: Three Portable Data Storage Encryption Methods.
Comprehensive USB port management
If the two USB port management options described above sound like difficult, incomplete options, you've been paying attention! Unfortunately, current operating systems simply don't offer great flexibility in USB management. If you need to go beyond a brute-force block of all USB devices or don't want to rely upon users to use encrypted USB drives properly, you'll need to go to the third-party market and purchase a USB management tool. There are several products on the market in this category, including DataLock, GFI Endpoint Security and DeviceLock.
These packages offer a variety of flexible USB management options, including:
- Limited USB access to particular users/groups
- Integration with Microsoft Active Directory
- Limited USB access to approved devices
- Required encryption on data transfers to USB devices
- Shadow copies of files transferred to USB devices for review
- Logging of all use of USB storage devices
In addition, these products offer control over non-USB peripherals, such as Bluetooth and Firewire connections. While they can be pricey, device management products are the only flexible way currently available to limit use of USB and other peripherals within your environment.
USB devices pose a tricky challenge to the midsized business seeking to control the spread of confidential information and reduce the risk of malware in its computing environments. In this tip, we looked at three possible USB port management solutions: two which require some elbow grease and rely upon administrators and users for much of the heavy lifting, and a third that relieves some of that administrative burden but requires a financial investment to purchase. The choice is
About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in June 2010