Using Windows Vista group policy to prevent unauthorized USB device use


Brien M. Posey
11.20.2007
One of the largest internal threats to network security, and a major source of worry for network administrators, is the use of USB storage devices. USB storage devices can be used to steal large quantities of data from your network. Anything a user has access to can be copied to a USB storage device.

In a previous tip, "USB storage devices: Two ways to stop the threat to network security," I discussed some of the advantages and shortcomings of disabling USB ports, either physically or through the system's BIOS. In this article, I will continue the discussion by showing you how you can use group policies to prevent the use of USB storage devices.

Group policies

One relatively new option for preventing users from using USB storage devices on Windows Vista systems is to create a group policy setting that prevents USB storage devices from being used. Before I show you how to do this, there are a few things you need to know.

First, the technique I am about to show you is valid only for Windows Vista. This means that for the time being, you will be able to implement these types of group policy settings only as part of a workstation's local security policy. This will change when Windows Server 2008 (previously known as Longhorn Server) is released, because Windows Server 2008 domain controllers will support these group policy settings -- thus allowing you to implement them at the domain level in Active Directory.

Another important thing you need to know is that these group policy settings do not actually prevent USB storage devices from being used. Instead, they prevent users from installing the device drivers that are needed in order for a USB storage device to work.

This is an extremely important distinction, for two reasons. First, whether or not a user can use a particular storage device depends on whether or not its device driver is installed. If a user has already installed a device driver before you implement the group policy, then the user will be able to continue to use the storage device, regardless of any group policy settings.

Another reason why this is such an important distinction is that there is a group policy setting that allows an administrator to override the various settings that prohibit device driver installation. Suppose for a moment that an administrator needs to use a USB storage device on a workstation for maintenance purposes. When the administrator connects the device, Windows will install the device driver. Unless the administrator manually removes the device driver when he or she is finished, the driver will remain on the PC. This means that the driver is available to the end user, who will now be able to use a USB storage device (assuming that the end user has one of the same type that the administrator used).

The group policy settings that control device installation are located in the Group Policy Object Editor at: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. As you can see in Figure A, there are several device installation restriction settings available to you.

Figure A: The Group Policy Object Editor includes several device installation restriction settings.

Unfortunately, you can't just tell Windows to block the use of USB devices. Instead, you can only block devices based on a device ID or device setup class (although there is an option to prevent the installation of removable devices). Device IDs and Device Setup Classes are unique to each device. For example, if you had two different USB flash drives, they would probably use different device IDs and Device Setup Classes, even though the flash drives do basically the same thing, because device IDs and Setup Classes are unique to device models. That being the case, it is impractical to try to block every USB device a user may attempt to use. There are simply too many different devices on the market, and new ones come out all the time.

If you really want to use device IDs and device setup classes, then my advice would be to provide Windows with a list of authorized devices and block all others, rather than trying to block devices individually.
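To build such an authorized-device list you first need the identifiers of the devices you intend to approve. The following PowerShell script is an added example and is not part of the original tip; it inventories the USB storage devices currently attached to a workstation and prints their hardware IDs and setup-class GUIDs so an administrator can paste approved values into the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices using drivers that match these device setup classes" settings. It uses the Win32_PnPEntity WMI class; the assumption that USB mass-storage instances are enumerated with a DeviceID beginning with USBSTOR is mine, not the article's.

```powershell
# Added example (not from the original tip): list the identifiers of attached
# USB storage devices for use in a Device Installation Restrictions allow-list.
# Assumes Windows Vista or later with WMI available, and assumes USB
# mass-storage instances carry a DeviceID starting with USBSTOR\.

$usbStorage = Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.DeviceID -like 'USBSTOR\*' }

if (-not $usbStorage) {
    Write-Output 'No USB storage devices are currently attached.'
    return
}

foreach ($dev in $usbStorage) {
    Write-Output "Device      : $($dev.Name)"
    Write-Output "Instance ID : $($dev.DeviceID)"
    # ClassGuid is the device setup class this driver was installed under;
    # it is the value the setup-class allow/deny settings compare against.
    Write-Output "Setup class : $($dev.ClassGuid)"
    # HardwareID is an array ordered from most to least specific. The device-ID
    # allow/deny settings match against these strings (and CompatibleID), so
    # the first entry is the tightest match for a specific vendor/product.
    foreach ($hwid in $dev.HardwareID) {
        Write-Output "Hardware ID : $hwid"
    }
    Write-Output ''
}
```

Run the script on a workstation with only the approved devices plugged in, then copy the most specific hardware ID of each device into the allow-list setting. Because the allow settings are evaluated alongside the prevent settings, confirm the effective behaviour by plugging in an unlisted device after the policy is applied and checking that its driver installation is refused.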

A better solution, though, is to install all the necessary device drivers, then create a policy that will prevent end users from installing any additional device drivers. To do so, I recommend beginning by enabling the "Allow Administrators to Override Device Installation Restriction Policies" setting. That way, administrative staff will still have the ability to install new device drivers if necessary.

Next, I recommend enabling the "Display a Custom Message When Installation Is Prevented by a Policy" (Balloon Title) and the "Display a Custom Message When Installation Is Prevented by a Policy" (Balloon Text) settings. These settings allow you to configure Windows to display a message when a user attempts to install a device driver. Typically, you would set the balloon title to say something like: Installation Error. You could then configure the balloon text to explain that installing unauthorized hardware devices is a violation of the corporate security policy.

The next setting I recommend enabling is "Prevent Installation of Removable Devices." This is the setting that will prevent users from being able to install device drivers for USB storage devices. As an added precaution, I also recommend enabling the "Prevent Installation of Devices Not Described by Other Policy Settings" setting. This is a sort of catch-all policy which will ensure that users are not allowed to install any device drivers themselves.

Device installation restriction-related group policies are certainly not a perfect solution for preventing users from using USB storage devices. Even so, device installation restriction policies can be effective so long as the users' workstations do not already contain device drivers for USB storage devices.
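Because the policy only blocks driver installation, a practitioner needs two checks on each workstation: that the recommended settings are actually in effect, and whether USB storage drivers were installed before the policy arrived. The following PowerShell audit script is an added example, not code from the original tip. It reads the local-policy registry values that, to the best of my knowledge, the DeviceInstallation.admx template writes for the settings recommended above (AllowAdminInstall, DenyRemovableDevices, DenyUnspecified, and the DeniedPolicy\SimpleText and DetailText balloon strings), and it lists the USB storage device instances already recorded under the USBSTOR enumeration key. Those registry value names come from the template, not from the article, and are labelled as assumptions in the code.

```powershell
# Added example (not from the original tip): audit a workstation for (1) the
# Device Installation Restrictions settings the article recommends and (2)
# USB storage driver instances that already exist, which the policy cannot
# block. Registry value names are assumed from the DeviceInstallation.admx
# template; verify them against your own template version.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$expected = @{
    AllowAdminInstall    = 1   # "Allow Administrators to Override Device Installation Restriction Policies"
    DenyRemovableDevices = 1   # "Prevent Installation of Removable Devices"
    DenyUnspecified      = 1   # "Prevent Installation of Devices Not Described by Other Policy Settings"
}

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns the named registry value, or $null if the key or value is absent.
    if (Test-Path $Key) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return $item.$Name }
    }
    return $null
}

Write-Output '== Device Installation Restrictions (local policy) =='
foreach ($name in $expected.Keys) {
    $actual = Get-PolicyValue $policyKey $name
    $state  = if ($actual -eq $expected[$name]) { 'OK     ' } else { 'MISSING' }
    Write-Output ('{0} {1,-22} expected={2} actual={3}' -f $state, $name, $expected[$name], $actual)
}

# The custom balloon title and text live in a DeniedPolicy subkey (assumed).
$msgKey = Join-Path $policyKey 'DeniedPolicy'
Write-Output ('Balloon title : {0}' -f (Get-PolicyValue $msgKey 'SimpleText'))
Write-Output ('Balloon text  : {0}' -f (Get-PolicyValue $msgKey 'DetailText'))

Write-Output ''
Write-Output '== USB storage driver instances already on this workstation =='
# Each device model that has ever had a driver installed gets a key under
# USBSTOR, with one subkey per physical unit (serial number or generated ID).
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$instances = @()
if (Test-Path $usbstor) {
    $instances = Get-ChildItem $usbstor | ForEach-Object { Get-ChildItem $_.PSPath }
}
if ($instances) {
    foreach ($inst in $instances) {
        $props = Get-ItemProperty $inst.PSPath
        $model = $inst.PSParentPath.Split('\')[-1]
        Write-Output ('{0}\{1}  {2}' -f $model, $inst.PSChildName, $props.FriendlyName)
    }
    Write-Output 'These devices will keep working regardless of the policy until their drivers are removed.'
} else {
    Write-Output 'None found.'
}
```

Run it as an administrator before rolling the policy out and again afterwards; any device listed in the second section is exactly the case the article warns about, where a driver left behind by earlier use (including an administrator's maintenance visit) still allows that device to be used.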

In Part 3, I will continue the discussion by showing you how software restriction policies can be used to combat the use of USB storage devices. I will also talk about some third-party applications that can be used to gain tighter control over USB storage devices in your organization.

About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.

