How do I use group policy to improve security of USB thumb drives in my organization?


A customer wanted to know how they could improve the security of USB thumb drives in their organization. Specifically, they wanted to block access to removable media devices (primarily USB thumb drives), but provide a list of exceptions for specific thumb drives. Fortunately, there's a whitepaper that covers exactly this topic and explains how to set up your policies to accomplish this.

Step-By-Step Guide to Controlling Device Installation Using Group Policy
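To check that a block-with-exceptions policy actually landed on an endpoint, here is a read-only audit sketch, added as an example and not taken from the whitepaper or the original post. It assumes the registry value names that the Device Installation Restrictions settings write (`DenyUnspecified`, `DenyRemovableDevices`, `AllowAdminInstall`, `AllowDeviceIDs`) and the `PnpDevice` cmdlets found on current Windows versions.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyFlag([string]$Name) {
    # A missing key or value means the setting is Not Configured.
    $item = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Get-PolicyList([string]$Name) {
    # List settings keep their entries as numbered string values in a subkey.
    $key = Get-Item -Path (Join-Path $base $Name) -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

$policy = [pscustomobject]@{
    DenyUnspecified      = Get-PolicyFlag 'DenyUnspecified'
    DenyRemovableDevices = Get-PolicyFlag 'DenyRemovableDevices'
    AllowAdminInstall    = Get-PolicyFlag 'AllowAdminInstall'
    AllowListEnabled     = Get-PolicyFlag 'AllowDeviceIDs'
    AllowedIds           = @(Get-PolicyList 'AllowDeviceIDs')
}
$policy | Format-List

if (-not ($policy.DenyUnspecified -or $policy.DenyRemovableDevices)) {
    Write-Warning 'No blocking setting applied: new removable devices will install.'
}
if ($policy.DenyRemovableDevices -and $policy.AllowListEnabled) {
    # Under the default evaluation order, prevent settings win over allow
    # settings, so this combination blocks the listed thumb drives as well.
    Write-Warning 'DenyRemovableDevices overrides the allow list.'
}

# The policy governs installation, not use: drives installed before it applied
# keep working. List present USB storage whose hardware IDs are not allowed
# (simplification: compatible IDs are not checked here).
Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    ForEach-Object {
        $dev = $_
        $ids = @((Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                  -KeyName 'DEVPKEY_Device_HardwareIds').Data)
        if (-not ($ids | Where-Object { $policy.AllowedIds -contains $_ })) {
            [pscustomobject]@{ Name = $dev.FriendlyName; HardwareIds = $ids -join '; ' }
        }
    }
```

The hardware IDs printed in the last step are the same strings that go into the allow list for drives that should be exempted.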

Comments (15)
  1. I was at a talk at TVP in the run up to the EVO launch, and the MS guy that was talking about security said that the strongest defence you have against unauthorised pen drives on the computer is epoxy resin.

  2. Joshua says:

    @Lockwood: Indeed. There was this attack not too long ago that involved scattering what looked like USB thumb drives. They turned out to be USB keyboards with a preset key sequence that boiled down to download and install this virus from the internet.

  3. Jeffrey Bosboom says:

    Speaking of USB "keyboards" that type in something evil, Raymond's almost-experience with an external USB hard drive: blogs.msdn.com/…/9919504.aspx

  4. Christian says:

    You can really buy usb drives that simulate keyboards? Does this really exist?

  5. Jake says:

    Christian, I think the implication is that these were custom-made and placed into thumb drive shells.

  6. pcooper says:

    Not only can you have a USB drive act as a keyboard, you can have a mouse that installs malware from an embedded USB drive:

    http://www.theregister.co.uk/…/mission_impossible_mouse_attack

    pentest.snosoft.com/…/netragards-hacker-interface-device-hid

  7. David Walker says:

    Yep, it's scary that a piece of hardware that looks like a mouse can actually act like a keyboard/mouse combination, or a flash drive, and something that looks like a flash drive can act like a mouse and/or keyboard.

    If a company disallows use of USB flash drives by policy, that doesn't stop something that looks like a flash drive (or a mouse) but acts like a mouse/keyboard, from doing whatever it wants.  It's as if the user's brain was taken over and forced to enter some evil commands.

  8. Eric says:

    Generally this is a waste of time and effort. The driver is to stop company data from leaving the organisation, but what about the DVD burner that they have in the laptop or desktop, or the access to webmail, or ftp sites. My personal experience with companies that tried to do this meant that all of their shiny new 3g USB devices they tried to plug in didn't work because as well as the 3g capabilities it also advertised itself as a virtual drive where the drivers were stored.

  9. David Walker says:

    @Eric: "The driver is to stop company data from leaving the organisation" … That's not the only reason companies disable flash drives; another important reason is to stop executables or viruses from being carried in on flash drives.  The policy of disabling USB flash drives can be very effective for this.

  10. Engywuck says:

    @Christian: This year EMC distributed some magnets with EMC logo and USB connector. When used in a USB port it opened the EMC website in default browser.

    So yes, these exist. Even as advertising.

  11. @Engywuck

    Was that just an autorun to the URL, making it shell out in the default browser? Rather than a clever fake keyboard/mouse?

  12. Asher says:

    I can imagine a company doing a promotion where they give out USB keys at a county fair.  The USB keys have their logo on them.  But the person giving out the keys doesn't represent the company and the USB keys do bad things to your computer.  Ugh.

  13. Rick C says:

    Also, if you glue up the USB ports, you have to either make sure people aren't using USB peripherals such as real keyboards and mice, or else glue THOSE into the ports so nobody can remove them.  Of course, if your glued-in USB keyboard dies you have a whole new problem.

  14. SimonRev says:

    @Rick C:  The simple solution to that is instead of gluing the keyboard in you just glue in a USB extension cable instead and plug the keyboard into that. . . (Actually, I bet someone somewhere has blindly followed corporate policy in that way before).

    As far as data theft goes, the game of walls and ladders eventually gets ridiculous.  Why not dump the data out your serial port.  Or even encode the data as sound and shoot it out the line out (hello old school modems anyone?).  

    Heck, if I am patient enough, I could install a keyboard wedge between the PS/2 keyboard and the PC.  The wedge can monitor the caps lock state.  I can write a program that then programmatically toggles the caps lock to covertly copy the data. (As a bonus it can serve as a nearly undetectable keylogger and I can harvest passwords as well).

  15. ender says:

    @SimonRev: and what prevents the user from unplugging the keyboard from the extension cable and plugging in a USB hub then?
