One of the largest internal threats to network security, and a major source of worry for network administrators,...
is the use of USB storage devices. USB storage devices can be used to steal large quantities of data from your network. Anything a user has access to can be copied to a USB storage device.
In a previous tip titled USB storage devices: Two ways to stop the threat to network security, I discussed some of the advantages and shortcomings of disabling USB ports, either physically or through the system's BIOS. In this article, I will continue the discussion by showing you how you can use group policies to prevent the use of USB storage devices.
One relatively new option for preventing users from using USB storage devices on Windows Vista systems is to create a group policy setting that prevents USB storage devices from being used. Before I show you how to do this, there are a few things you need to know.
First, the technique I am about to show you is valid only for Windows Vista. This means that for the time being, you will be able to implement these types of group policy settings only as a part of a workstation's local security policy. This will change when Windows Server 2008 (previously known as Longhorn Server) is released because Windows Server 2008 domain controllers will support these group policy settings -- thus allowing you to implement these settings at the domain level of the Active Directory.
Another important thing you need to know is that these group policy settings do not actually prevent USB storage devices from being used. Instead, they prevent users from installing the device drivers that are needed in order for a USB storage device to work.
This is an extremely important distinction, for two reasons. First, whether or not a user can use a particular storage device depends on whether or not a device driver is installed. If a user has already installed a device driver prior to your implementing the group policy, then the user will be able to continue to use the storage device, regardless of any group policy settings.
Another reason why this is such an important distinction is that there is a group policy setting that allows an administrator to override the various settings that prohibit device driver installation. Suppose for a moment that an administrator needs to use a USB storage device on a workstation for maintenance purposes. When the administrator connects the device, Windows will install the device driver. Unless the administrator manually removes the device driver when he or she is finished, the driver will remain on the PC. This means that the driver is available to the end user, who will now be able to use a USB storage device (assuming that the end user has one of the same type that the administrator used).
The group policy settings that control device installation are located in the Group Policy Object Editor at: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. As you can see in Figure A, there are several device installation restriction settings available to you.
Unfortunately, you can't just tell Windows to block the use of USB devices. Instead, you can only block devices based on a device ID or device setup class (although there is an option to prevent the installation of removable devices). Device IDs and Device Setup Classes are unique to each device. For example, if you had two different USB flash drives, they would probably use different device IDs and Device Setup Classes, even though the flash drives do basically the same thing, because device IDs and Setup Classes are unique to device models. That being the case, it is impractical to try to block every USB device a user may attempt to use. There are simply too many different devices on the market, and new ones come out all the time.
If you really want to use device IDs and Class Setup IDs, then my advice would be to provide Windows with a list of authorized devices and block all others, rather than trying to block devices individually.
A better solution, though, is to install all the necessary device drivers, then create a policy that will prevent end users from installing any additional device drivers. To do so, I recommend beginning by enabling the "Allow Administrators to Override Device Installation Restriction Policies" setting. That way, administrative staff will still have the ability to install new device drivers if necessary.
Next, I recommend enabling the "Display a Custom Message When Installation Is Prevented by a Policy" (Balloon Title) and the "Display a Custom Message When Installation Is Prevented by a Policy" (Balloon Text) settings. These settings allow you to configure Windows to display a message when a user attempts to install a device driver. Typically, you would set the balloon title to say something like: Installation Error. You could then configure the balloon text to explain that installing unauthorized hardware devices is a violation of the corporate security policy.
The next setting I recommend enabling is "Prevent Installation of Removable Devices." This is the setting that will prevent users from being able to install device drivers for USB storage devices. As an added precaution, I also recommend enabling the "Prevent Installation of Devices Not Described by Other Policy Settings" setting. This is a sort of catch-all policy which will ensure that users are not allowed to install any device drivers themselves.
Device installation restriction-related group policies are certainly not a perfect solution to preventing users from using USB storage devices. Even so, device installation restriction policies can be effective so long as the user's workstations do not already contain device drivers for USB storage devices.
In Part 3, I will continue the discussion by showing you how software restriction policies can be used to combat the use of USB storage devices. I will also talk about some third-party applications that can be used to gain tighter control over USB storage devices in your organization.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.