USB storage - a possible security risk?
IT administrators secure their networks behind firewalls. They install mail filters on their SMTP servers and deploy anti-virus software on all client workstations. But securing the network perimeter is not sufficient: what happens if users bring their own USB memory sticks and connect them to the computers at their office? A 1 GB USB stick can hold an entire company's vital data. Within minutes or even seconds an employee has all the files they need to start their own business and take the customers with them. Alternatively, what happens if a careless user accidentally compromises the network with an infected USB stick?
What does Microsoft have to say about it?
If you, the administrator, want to establish a minimum level of security, you have to control which users can connect USB memory sticks to a computer. Unfortunately, a default Windows XP or Windows 2000 installation places no limitation on who is able to install and use USB storage media. Microsoft knowledge base article 823732 contains instructions on how to disable USB storage access for a certain group of users; however, the article only distinguishes between whether or not a USB storage device has already been installed on a particular computer, and its instructions are limited to a stand-alone computer. According to the general rule of thumb "if it's tedious, there is a better way", I try to avoid techniques that force me to repeat the same task on each computer I manage. That is what group policy objects (GPOs) are for.
Suggestions?
Mark Heitbrink describes how to disable USB storage devices entirely on all or some computers in the network. He employs an ADM template in a group policy object that disables the USB storage driver (USBSTOR). The ADM template simply sets the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 4 (Disabled). But his technique has a serious drawback: it only works if the USB storage driver is already installed. If it has not been installed yet, Windows' plug & play subsystem creates the UsbStor key with a Start value of 3 (Manual) when it installs USBSTOR the first time a USB storage device is plugged in. From that moment USBSTOR remains enabled until the GPO is re-applied, usually at the next reboot. And if the storage device is still plugged in during that reboot, it will be available anyway, because the USBSTOR driver is started before any GPOs are processed.
The Howto!
If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being installed unless the currently logged on user is allowed to use USB storage. We do that by restricting access to USBSTOR.INF and USBSTOR.PNF in a GPO such that PNP cannot automatically install the driver. This is possible because when PNP installs a driver, the installation is performed with the privileges of the currently logged on user, so a user who cannot read the INF cannot install the driver. Secondly, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.
1. In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects.
2. In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually %SystemRoot%\Inf\USBSTOR.INF).
3. Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike the default security settings of USBSTOR.INF, you should not grant any privileges to Everyone. You do not need to explicitly deny access; just omit the entry for Everyone. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.
4. Repeat the above two steps for USBSTOR.PNF.
5. Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog.
6. You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only: the template writes to the Services key, which lies outside the Policies branch of the registry, so the editor treats the setting as a preference and hides it by default. (For the same reason the setting is not removed when the GPO stops applying to a computer; the value stays in the registry until something overwrites it.) Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double-click it, select Enabled and pick Disabled from the Startup Type drop-down. Again, the policy must be Enabled whereas Startup Type must be Disabled.
7. Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB storage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also OK if the UsbStor key doesn't exist at all.
8. On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick.
9. Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it is probably because this is the first time a memory stick is plugged into the workstation, in which case USBSTOR is not yet installed. The memory stick should nevertheless be initialized and mapped correctly, but you need to reboot in order to reapply the administrative template so that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double-clicking USBSTOR.REG and then executing net stop usbstor.
10. Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device.
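The manual checks of the verification step (Start value, INF/PNF permissions) and the manual re-disable after a first plug-in can be scripted. The following is an added example, not code from the original post and not part of Mark Heitbrink's template or the attached REG file. It assumes PowerShell 2.0 or later on the workstation, an elevated prompt, and the key and file paths named in the article; the check for BUILTIN\Users and Authenticated Users is an addition beyond the Everyone entry the article talks about.

```powershell
# Added verification script for the USBSTOR lockdown described above (not from
# the original post). Assumptions: PowerShell 2.0+, elevated prompt, default
# locations of the INF/PNF files and the UsbStor service key.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$InfFiles   = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf")

# Verification step: Start must be 4 (Disabled). A missing key is also fine; it
# means the driver was never installed, which is what the INF/PNF ACL preserves.
function Get-UsbStorStartType {
    if (-not (Test-Path $UsbStorKey)) { return 'NotInstalled' }
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    switch ($start) {
        3       { 'Manual' }
        4       { 'Disabled' }
        default { "Unexpected($start)" }
    }
}

# Verification step: neither INF nor PNF may carry an allow ACE for Everyone or
# for the broad built-in groups (the groups beyond Everyone are an assumption
# added here). If one is present, plug-and-play can install the driver in the
# context of any logged-on user and Start comes back as 3.
function Test-UsbStorInfPermissions {
    $problems = @()
    foreach ($f in $InfFiles) {
        if (-not (Test-Path $f)) { continue }          # an absent PNF is harmless
        foreach ($ace in (Get-Acl -Path $f).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                $id -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$') {
                $problems += "$f grants $($ace.FileSystemRights) to $id"
            }
        }
    }
    return ,$problems
}

# Manual re-disable: the same effect as importing USBSTOR.REG and running
# `net stop usbstor`, for the case where the driver was just installed for the
# first time and you do not want to wait for the next reboot.
function Disable-UsbStor {
    if (-not (Test-Path $UsbStorKey)) { return }       # never installed, nothing to do
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    # sc.exe is used because Get-Service does not enumerate kernel-mode drivers
    $state = (& sc.exe query usbstor 2>&1) -join "`n"
    if ($state -match 'RUNNING') { & net stop usbstor | Out-Null }
}

"USBSTOR start type  : $(Get-UsbStorStartType)"
$issues = Test-UsbStorInfPermissions
if ($issues.Count -eq 0) { 'INF/PNF permissions : OK (no Everyone/Users allow ACE)' }
else { $issues | ForEach-Object { "INF/PNF permissions : $_" } }
```

Run the script on the test workstation before the first stick is plugged in, again after a permitted user has plugged one in (the start type should then read Manual until the next GPO refresh), and once more after Disable-UsbStor or a reboot. One check worth doing before rollout: the Service Control Manager refuses to start a service whose Start value is 4 (system error 1058), so confirm on your own build that a permitted user's net start usbstor actually succeeds once the driver is installed; if it does not, the Startup Type in the policy has to be Manual, and the INF/PNF permissions alone carry the lockdown for users who have not yet installed the driver.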
Attachments (sizes): 530 bytes, 258 bytes.
Source : http://diaryproducts.net/
Courtesy : http://rms sa.blogspot.in/