Restricting and Securing USB Storage Devices

Thanks to: http://blogs.catapultsystems.com

Consider the following situation:  you work in a secure organization, such as a bank, and need to limit the types of USB storage devices that can be used in the company.  Furthermore, if the storage device is approved, then it must be encrypted.  And if it is not an approved USB storage device, then you need to prevent access to it.  Makes sense, right? 
This is a common situation that many IT folks face in secure environments.  As manufacturers of USB storage continue to fit more memory into smaller form factors, the risk of someone walking out of your organization with a hefty amount of sensitive data becomes a more pressing concern that IT needs to address.
This concern is a tough one to address.  From IT’s point of view, data theft is simply not acceptable, period.  But from the end user’s perspective, USB storage devices improve workflow, productivity, and flexibility.
In an ideal world, both sides would have what they need.  But for the majority of secure environments today, IT departments win this argument by preventing their end-users from installing USB storage devices on their computers. 
But the times are changing (albeit faster than I’d prefer). And with the introduction of new technology in Windows 7 comes a more accommodating side of the argument: allowing end users access to USB storage devices in secure environments.
Let’s take a step back in time to today…
Most secure organizations have not yet upgraded to Windows 7, have skipped the move to Windows Vista, and are still using Windows XP.  The problem with Windows XP is that there is no way of ensuring the security of USB storage devices, so IT departments generally prevent their installation per KB823732.
Now let’s take a step forward in time to today… 
I want to show you why the investment in Windows 7 is worth its weight in gold in terms of giving end users the ability to use USB storage devices while at the same time allowing IT to remain confident that the data on these devices remains secure from theft. 
There are two key technologies in Windows 7 that make this solution feasible:  BitLocker Drive Encryption and Device Installation Restrictions.
BitLocker Drive Encryption for USB Storage Devices
BitLocker Drive Encryption protects the data on your computer from theft by encrypting the volume (C: drive, D: drive, etc.) on which your data resides.  This makes it difficult for any unauthorized person to access the encrypted contents.
In terms of USB storage devices, Windows 7 offers several mechanisms for securing data on them.  But it is important to understand that the end user will ultimately be responsible for initiating the encryption process, as there are no group policy settings built into Windows 7 that automatically encrypt USB devices when inserted.  You can get clever with the manage-bde.exe (manage BitLocker Drive Encryption) command to script this scenario, but I’ll save this topic for another discussion. 
However, there are group policy settings that can restrict which actions a user may perform after inserting a USB device.  For instance, IT can prevent write access to all USB storage devices until the end user encrypts the device.  Here is an example of a window that pops up when a user inserts a USB storage device when the group policy “Deny write access to removable drives not protected by BitLocker” is enforced:
[Screenshot: the BitLocker write-access prompt shown when the policy is enforced]
The default policy settings in Windows 7 allow a user to provide a password for accessing the contents of the USB storage device.  IT can further enforce that this password adheres to the minimum password requirements of the organization.  IT can also disallow the use of a password and opt for the end user to provide authentication via Smart card.  Smart card authentication and/or an end-user password are the only two ways of encrypting a USB storage device in Windows 7 (that I know of).
[Screenshot: the BitLocker To Go password / smart card prompt]
The fact that encrypted USB devices can be sealed with user-generated passwords leaves some cause for concern, as it may be relatively easy for a hacker to run a dictionary-based attack for cracking the password.  In this scenario, IT should either (1) mandate that the encryption process for the USB device adhere to the password policy restrictions of the organization or (2) enforce the usage of Smart cards. 
Tightening BitLocker Security for USB Storage Drives
IT can tighten the wrench a bit more and restrict write access to only those devices that have been encrypted within the organization.  This prevents users from bringing in USB drives that were encrypted outside of the company.  To enforce this policy, there is a setting called “Allowed BitLocker identification field” found in the “Provide the unique identifiers for your organization” policy.  Before you allow encryption of any devices in your company, you will need to define this field.  This marks the USB flash drive with an identification tag stating that the encryption took place from within the network.  The last step is to check the setting called “Do not allow write access to devices configured in another organization” in the group policy “Deny write access to removable drives not protected by BitLocker”.  This setting limits write access to only those drives which have been encrypted within the organization.
[Screenshot: the organization identifier and cross-organization write-access policy settings]
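The two policies just described (deny write access to unprotected drives, and deny it to drives configured in another organization) together with the password-complexity concern from the previous section can be audited from the endpoint itself. The following PowerShell script is an added example, not code from the original post or from the blog it is reposted from. It assumes that the Group Policy settings write the registry values named below under HKLM\SOFTWARE\Policies\Microsoft\FVE (RDVDenyWriteAccess, RDVDenyCrossOrg, IdentificationFieldString, RDVPassphrase, RDVPassphraseComplexity, RDVPassphraseLength, RDVEnforceUserCert), and that manage-bde.exe -status prints “Protection Status:” and “Identification Field:” lines for the drive; the function names are my own.

```powershell
# Added example (not from the original post): audit the Windows 7 removable-drive
# BitLocker policy described above, then check one drive with manage-bde.exe.
# Assumption: the value names below are what the Group Policy settings write under
# HKLM\SOFTWARE\Policies\Microsoft\FVE; absent values mean "Not Configured".

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the policy key or value is absent.
    $item = Get-ItemProperty -Path $FvePolicy -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-RemovableDriveBitLockerPolicy {
    # One object summarising the settings the post relies on.
    $props = @{
        DenyWriteUnprotected = (Get-FvePolicyValue 'RDVDenyWriteAccess') -eq 1    # "Deny write access to removable drives not protected by BitLocker"
        DenyCrossOrg         = (Get-FvePolicyValue 'RDVDenyCrossOrg') -eq 1       # "Do not allow write access to devices configured in another organization"
        IdentificationField  = Get-FvePolicyValue 'IdentificationFieldString'      # "Provide the unique identifiers for your organization"
        PasswordsAllowed     = (Get-FvePolicyValue 'RDVPassphrase') -eq 1          # "Configure use of passwords for removable data drives"
        PasswordComplexity   = Get-FvePolicyValue 'RDVPassphraseComplexity'        # assumed encoding: 1 = complexity required
        PasswordMinLength    = Get-FvePolicyValue 'RDVPassphraseLength'
        SmartCardRequired    = (Get-FvePolicyValue 'RDVEnforceUserCert') -eq 1     # "Configure use of smart cards on removable data drives"
    }
    return New-Object PSObject -Property $props
}

function Test-RemovableDrivePolicy {
    # Flags the gaps the post warns about: cross-organization write access without an
    # identification field, and dictionary-attackable passwords (no complexity or length rule).
    $p = Get-RemovableDriveBitLockerPolicy
    $findings = @()
    if (-not $p.DenyWriteUnprotected) { $findings += 'Write access to unprotected removable drives is not denied.' }
    if ($p.DenyCrossOrg -and [string]::IsNullOrEmpty($p.IdentificationField)) {
        $findings += 'Cross-organization writes are denied but no identification field is defined, so no drive can ever match it.'
    }
    if ($p.PasswordsAllowed -and -not $p.SmartCardRequired) {
        if ($p.PasswordComplexity -ne 1) { $findings += 'Passwords are allowed without required complexity.' }
        if (-not $p.PasswordMinLength -or $p.PasswordMinLength -lt 8) { $findings += 'Minimum password length is not enforced (or is below 8).' }
    }
    return $findings
}

function Get-DriveBitLockerStatus {
    param([string]$DriveLetter)
    # Runs manage-bde -status and extracts the two fields the write-access policy keys on.
    $lines = & manage-bde.exe -status "$DriveLetter" 2>&1
    $status = @{ Drive = $DriveLetter; ProtectionStatus = $null; IdentificationField = $null }
    foreach ($line in $lines) {
        if ($line -match '^\s*Protection Status:\s*(.+)$')    { $status.ProtectionStatus    = $Matches[1].Trim() }
        if ($line -match '^\s*Identification Field:\s*(.+)$') { $status.IdentificationField = $Matches[1].Trim() }
    }
    return New-Object PSObject -Property $status
}

# Usage: run from an elevated PowerShell prompt on the Windows 7 machine under test,
# with the removable drive mounted as E: (adjust the letter).
Get-RemovableDriveBitLockerPolicy | Format-List
Test-RemovableDrivePolicy
Get-DriveBitLockerStatus -DriveLetter 'E:' | Format-List
```

An empty result from Test-RemovableDrivePolicy means the four conditions the post describes are all in place; each finding names the policy that still needs to be set. The script only reads the policy registry and the drive status, so it is safe to run on a domain-joined machine where Group Policy, not the local registry, is the source of truth.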
Okay, so if you’ve stuck with me thus far, then you know we’re on the topic of restricting USB devices in the organization.  The next section explains how to restrict USB storage devices based on vendor-specific hardware information. 
Device Installation Restrictions for USB Storage Devices
Windows Vista/7 and Server 2008/R2 bring in new group policy settings called Device Installation Restrictions (Computer Configuration\Administrative Templates\System\Device Installation), that allow you to dictate which specific USB devices can be brought into the organization.  I don’t have any experience using these settings in our organization, but my understanding is as follows:
1. You configure a group policy setting to prevent installation of all devices not described by other policy settings.  All other system components will work fine.  This setting just applies to new devices, including video cards, printers, and such.
2. You configure a group policy setting to allow general devices based on their Device Class properties (e.g. Processor, Net, SCSIAdapter, DiskDrive, Display).  You don’t want to specify the DiskDrive option here, because USB removable drives fall under this category.  Basically, when someone needs to add a new piece of hardware, you need to account for the category of the hardware and not the specifics of it. 
3. You configure a group policy setting to allow particular devices based on their Hardware ID.  This is the setting that differentiates whether you can insert vendor-specific USB drives. 
Steps 2 and 3 take precedence over step 1.  You can also specify that Administrators have the right to override device installation restriction policies. 
As an example, here’s what I did on my Win7 laptop at home.  If you’re interested, then follow along with your machine.  You’ll need two different USB flash drives to test. 
Keep in mind that these steps should be performed in a test environment only, as the following settings are not completely sufficient for supporting Device Installation Restrictions in a corporate environment.
1. Enabled “Prevent installation of devices not described by other policy settings”. 
[Screenshot: “Prevent installation of devices not described by other policy settings” enabled]
2. Ran gpupdate /force.  Inserted flash drive and received message that installation was prevented by policy.
[Screenshot: the installation-prevented-by-policy message]
3.  Inserted the drive on another computer and pulled the Hardware ID from the properties of the device in Device Manager.
[Screenshot: the Hardware ID shown in Device Manager]
4.  Copied the Hardware ID and pasted into the group policy setting for allowing specific Device IDs.
[Screenshot: the Hardware ID entered in the allow-list policy setting]
5. Ran gpupdate /force and re-inserted my U3 Cruzer Micro USB drive.  Installation successful. 
[Screenshot: successful installation of the allowed drive]
6.  Tried to insert a USB flash drive from a different vendor and installation could not take place:
[Screenshot: installation blocked for the other vendor’s drive]
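Steps 3 and 4 above are the manual way of collecting Hardware IDs and checking them against the allow list. The following PowerShell script is an added example, not code from the original post or from the blog it is reposted from: it enumerates the Hardware IDs and Compatible IDs of the attached USB storage devices (the same values step 3 reads out of Device Manager) and predicts whether the Device Installation Restrictions policy on the machine would allow each one. It assumes the policy registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (a DenyUnspecified value, and AllowDeviceIDs / AllowDeviceClasses subkeys holding one string per entry named “1”, “2”, …) and uses the simplified three-step precedence the post describes, in which an ID or class allow entry wins over “prevent installation of devices not described by other policy settings”; the function names are my own.

```powershell
# Added example (not from the original post): list attached USB storage devices with
# their Hardware IDs and evaluate them against the local Device Installation
# Restrictions policy. Assumption: the registry layout below is what the Group Policy
# settings write; the precedence is the post's simplified three-step model.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyList {
    param([string]$SubKey)
    # The allow-list subkeys store one REG_SZ per entry, named "1", "2", ...
    $path = Join-Path $RestrictionsKey $SubKey
    if (-not (Test-Path $path)) { return @() }
    $item = Get-ItemProperty -Path $path
    return @($item.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { [string]$_.Value })
}

function Get-DeviceInstallRestrictions {
    $deny = 0
    if (Test-Path $RestrictionsKey) {
        $deny = (Get-ItemProperty -Path $RestrictionsKey -Name DenyUnspecified -ErrorAction SilentlyContinue).DenyUnspecified
    }
    return New-Object PSObject -Property @{
        DenyUnspecified  = ($deny -eq 1)                         # step 1 in the post
        AllowedClasses   = Get-PolicyList 'AllowDeviceClasses'   # step 2: device class GUIDs
        AllowedDeviceIds = Get-PolicyList 'AllowDeviceIDs'       # step 3: hardware / compatible IDs
    }
}

function Get-UsbStorageDevices {
    # A flash drive shows up as two plug-and-play devices, the USB function device
    # (USB\VID_xxxx&PID_xxxx...) and the USBSTOR disk device; the policy sees both.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like 'USBSTOR\*' -or $_.PNPDeviceID -like 'USB\VID_*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                InstanceId    = $_.PNPDeviceID
                ClassGuid     = $_.ClassGuid
                HardwareIds   = @($_.HardwareID)
                CompatibleIds = @($_.CompatibleID)
            }
        }
}

function Test-DeviceAllowed {
    param($Device, $Policy)
    # Simplified precedence: an explicit ID match allows, then a class match, then the
    # "prevent installation of devices not described by other policy settings" default.
    $ids = @($Device.HardwareIds) + @($Device.CompatibleIds)
    foreach ($id in $ids) {
        foreach ($allowed in $Policy.AllowedDeviceIds) {
            if ($id -and ($id -ieq $allowed)) { return "Allowed (ID match: $allowed)" }
        }
    }
    foreach ($class in $Policy.AllowedClasses) {
        if ($Device.ClassGuid -and ($Device.ClassGuid -ieq $class)) { return "Allowed (class match: $class)" }
    }
    if ($Policy.DenyUnspecified) { return 'Denied (not described by any allow policy)' }
    return 'Allowed (no restriction policy configured)'
}

# Usage: run from an elevated PowerShell prompt on the test machine with the drives inserted.
$policy = Get-DeviceInstallRestrictions
Get-UsbStorageDevices | ForEach-Object {
    $verdict = Test-DeviceAllowed -Device $_ -Policy $policy
    "{0}`n  Instance: {1}`n  Hardware IDs: {2}`n  Verdict: {3}" -f $_.Name, $_.InstanceId, ($_.HardwareIds -join ', '), $verdict
}
```

Running this before and after step 4 shows why the author's allow-list entry works: the string pasted into the policy must match one of the Hardware IDs (or Compatible IDs) the device reports, not the instance path shown in the Instance line, which also carries the device serial number. The real policy engine also honours the deny lists and the administrator override mentioned earlier, which this simplified model leaves out.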
So we now see how Device Installation Restrictions operate.  The next step here is to gather your list of Device Class properties and Hardware IDs and determine which ones you want to allow on your network. 
Hopefully after reading this article, you’ve gathered an understanding for how Windows 7 introduces security and restrictions with USB storage devices.  Good luck with it all, and thanks for reading! 
