Restricting and Securing USB Storage Devices
Thanks to: http://blogs.catapultsystems.com
Consider the following situation: you work in a secure organization, such as a bank, and need to limit the types of USB storage devices that can be used in the company. Furthermore, if the storage device is approved, then it must be encrypted. And if it is not an approved USB storage device, then you need to prevent access to it. Makes sense, right?
Consider the following situation: you work in a secure organization, such as a bank, and need to limit the types of USB storage devices that can be used in the company. Furthermore, if the storage device is approved, then it must be encrypted. And if it is not an approved USB storage device, then you need to prevent access to it. Makes sense, right?
This is a common situation that many IT folks face in secure environments. As manufacturers of USB storage continue to fit more memory into smaller form factors, the risk of someone walking out of your organization with a hefty amount of sensitive data becomes more of a vital concern that IT needs to prevent.
This concern is a tough one to address. From IT’s point of view, data theft is simply not acceptable, period. But from the end user’s perspective, USB storage devices improve workflow, productivity, and flexibility.
In an ideal world, both sides would have what they need. But for the majority of secure environments today, IT departments win this argument by preventing their end-users from installing USB storage devices on their computers.
But the time is still changing (albeit faster than I’d prefer). And with the introduction of new technology in Windows 7 comes a more embracing side of the argument for allowing end user access to USB storage devices in secure environments.
Let’s take a step back in time to today…
Most secure organizations have not yet upgraded to Windows 7, have skipped the move to Windows Vista, and are still using Windows XP. The problem with Windows XP is that there is no way of ensuring the security of USB storage devices, so IT departments generally prevent their installation per KB823732.
Now let’s take a step forward in time to today…
I want to show you why the investment in Windows 7 is worth its weight in gold in terms of giving end users the ability to use USB storage devices while at the same time allowing IT to remain confident that the data on these devices remains secure from theft.
There are two key technologies in Windows 7 that make this solution feasible: BitLocker Drive Encryption and Device Installation Restrictions.
BitLocker Drive Encryption for USB Storage Devices
BitLocker Drive Encryption protects the data on your computer from theft by encrypting the volume (C: drive, D: drive, etc.) on which your data resides. This makes it difficult for any unauthorized person to access the encrypted contents.
In terms of USB storage devices, Windows 7 offers several mechanisms for securing data on them. But it is important to understand that the end user will ultimately be responsible for initiating the encryption process, as there are no group policy settings built into Windows 7 that automatically encrypt USB devices when inserted. You can get clever with the manage-bde.exe (manage BitLocker Drive Encryption) command to script this scenario, but I’ll save this topic for another discussion.
However, there are group policy settings that can restrict which actions a user may perform after inserting a USB device. For instance, IT can prevent write access to all USB storage devices until the end user encrypts the device. Here is an example of a window that pops up when a user inserts a USB storage device when the group policy “Deny write access to removable drives not protected by BitLocker” is enforced:
The default policy settings in Windows 7 allow a user to provide a password for accessing the contents of the USB storage device. IT can further enforce that this password adheres to the minimum password requirements of the organization. IT can also disallow the use of a password and opt for the end user to provide authentication via Smart card. Smart card authentication and/or an end-user password are the only two ways of encrypting a USB storage device in Windows 7 (that I know of).
The fact that encrypted USB devices can be sealed with user-generated passwords leaves some cause for concern, as it may be relatively easy for a hacker to run a dictionary-based attack for cracking the password. In this scenario, IT should either (1) mandate that the encryption process for the USB device adhere to the password policy restrictions of the organization or (2) enforce the usage of Smart cards.
Tightening BitLocker Security for USB Storage Drives
IT can tighten the wrench a bit more to restrict write access to only devices that have been encrypted within the organization. This eliminates users from bringing in encrypted USB drives from outside of the company. To enforce this policy, there is a setting called “Allowed BitLocker identification field” found in the “Provide the unique identifiers for your organization” policy. Before you allow encryption of any devices in your company, you will need to define this field. This will mark the USB flash drive with an identification tag which states that the encryption took place from within the network. The last step you will take is to check the setting called “Do not allow write access to devices configured in another organization” in the group policy “Deny write access to removable drives not protected by BitLocker”. This setting enforces write access to only those drives which have been encrypted within the organization.
Okay, so if you’ve stuck with me thus far, then you know we’re on the topic of restricting USB devices in the organization. The next section explains how to restrict USB storage devices based on a vendor-specific hardware information.
Device Installation Restrictions for USB Storage Devices
Windows Vista/7 and Server 2008/R2 bring in new group policy settings called Device Installation Restrictions (CC\Administrative Templates\System\Device Installation), that allow you to dictate which specific USB devices can be brought into the organization. I don’t have any experience using these settings in our organization, but my understanding is as follows:
1. You configure a group policy setting to prevent installation of all devices not described by other policy settings. All other system components will work fine. This setting just applies to new devices, including video cards, printers, and such.
2. You configure a group policy setting to allow general devices based on their Device Class properties (i.e. Processor, Net, SCSIAdapter, DiskDrive, Display). You don’t want to specify the DiskDrive option here, because USB removable drives fall under this category. Basically when someone needs to add a new piece of hardware, you need to account for the category of the hardware and not the specifics of it.
3. You configure a group policy setting to allow particular devices based on their Hardware ID. This is the setting that differentiates whether you can insert vendor-specific USB drives.
Steps 2 and 3 take precedence over step 1. You can also specify that Administrators have the right to override device installation restriction policies.
As an example, here’s what I did on my Win7 laptop at home. If you’re interested, then follow along with your machine. You’ll need two different USB flash drives to test.
Keep in mind that these steps should be performed in a test environment only, as the following settings are not completely sufficient for supporting Device Installation Restrictions in a corporate environment.
1. Enabled “Prevent installation of devices not described by other policy settings”.
2. Ran gpupdate /force. Inserted flash drive and received message that installation was prevented by policy.
3. Inserted driver on another computer and pulled the Hardware ID from the properties of the device in Device Manager.
4. Copied the Hardware ID and pasted into the group policy setting for allowing specific Device IDs.
5. Ran gpupdate /force and re-inserted my U3 Cruzer Micro USB drive. Installation successful.
6. Tried to insert a USB flash drive from a different vendor and installation could not take place:
So we now see how Device Installation Restrictions operate. The next step here is to gather your list of Device Class properties and Hardware ID’s and determine which ones you want to allow on your network.
Hopefully after reading this article, you’ve gathered an understanding for how Windows 7 introduces security and restrictions with USB storage devices. Good luck with it all, and thanks for reading!
Comentarios
Publicar un comentario
Dime si la información de este blog te sirvio.