blocking USB drives in company

hello, i've been trying to find either a product or through GPO that will allow me to achieve the following:

1. block flash drives that are not encrypted and only allow the ones that are.

Any idea would be greatly apreciated.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

RobertKaucher

Disable USB Disks with GPO

colemic

Technical restrictions can be applied through Domain Security Policy, HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.

Also check out gfi.com/endpointsecurity, and Symantec Endpoint protection.

Everyone

colemic wrote: »

Technical restrictions can be applied through Domain Security Policy, HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.

Also check out gfi.com/endpointsecurity, and Symantec Endpoint protection.

McAfee has a product for this too. Pick your poison.

shaqazoolu

LanDesk and Desktop Authority from ScriptLogic are other options I believe.

colemic

Everyone wrote: »

McAfee has a product for this too. Pick your poison.

Hey, I'm just throwing out suggestions... he didn't say they had to be good ones.

waltdee

thanks guys!, this will really help me get started.

jtoast

I looked at doing this a few months ago and found the below thread helpful. Yes its old but most of the info is still valid.
How to disable USB Drives (jump/flash/external/etc.) - Petri.co.il forums by Daniel Petri

We decided against putting a block in place though because its all or nothing. If you block flash drives, you also block smartphones, external HD's, and all other USB storage devices. This can be an issue as external HD's especially often have a valid business purpose.

3rd party applications such as McAfee mentioned above will give you a little more flexibility but you then have to create a whitelist with manufacturer ID's which could become a nightmare to manage if you are in a large company (we have over 50,000 machines worldwide in our environment.)

MickQ

You can also place restrictions via GPOs based on hardware identity. Maybe you'd clear one particular batch of USB sticks which are encrypted. The only problem would be that the same model would be allowed to operate, even if unencrypted.

Asif Dasl

Use Bitlocker To Go and GPOs if you have Windows 7. You might need to install the Bitlocker To Go Reader on Vista & XP.

ChooseLife

To those who did/tried to implement USB device blocking at work - care to share your non-technological part of the experience? Did it actually last as a solution, does everyone hate you with passion now, do you still get little cards on a Sysadmin day?...

jtoast

We discussed it and decided that it just wouldn't be feasable but our problem wasn't really our local users. They could transfer files via VPN when needed. The problem was our local support guys. We discovered that it was standard procedure for our techs to carry around troubleshooting/malware/virus remediation tools on flash drives. Denying access would have required a change in process world wide.

We are also in the process of converting our ZTI build from CD to Flash drive for windows 7 with the goal being faster buildtimes.

After about 2 months of discussion and basic testing, we came to the conclusion that disabling autorun combined with user education and an effective AV solution (we use McAfee ePO and its associated client security suite) was our best option.

colemic

Finally found the email, this will turn off just the mass storage part of USBs. It works, (at least for us) and is very effective. We had this built into our images, as opposed to pushing via GPO.

Here are the Regkeys that are modified to turn off USB Mass Storage devices.

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start", "00000004"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Type", "00000001"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\ErrorControl", "00000001"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\ImagePath", "system32\DRIVERS\USBSTOR.SYS"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\DisplayName", "USB Mass Storage Driver"

Set Start to 1.

waltdee

so i came across this application which will do exactly what i'm looking for, is called eUSB by cryptzone. What it does is forces any unincrtypted flash drive to be encrypted, or else it only allows read and not write access to it.

I just wish there was a free way to achieve this

or at least much cheaper. its $31/license and we have 300 machines

colemic

Test out the registry hacks above. It worked absolutely perfectly for us. You may have to go to each machine, but at least it's free.

Forsaken_GA

ChooseLife wrote: »

To those who did/tried to implement USB device blocking at work - care to share your non-technological part of the experience? Did it actually last as a solution, does everyone hate you with passion now, do you still get little cards on a Sysadmin day?...

Well, I can't speak as an implementor, but I can speak as someone who's forced to live with it.

It's annoying, but I've adapted. I've just been forced to implement network storage repositories to replace the portability of USB devices.

If your company ever starts using the term "Data Loss Prevention", you can be sure this is coming to an enterprise near you!

There was alot more pushback generated from migrating our squid proxies to IronPort's (which I am responsible for) than there was about the USB lockout.

QHalo

Screw you DLP! That is all.

mikedisd2

My experience with the technology is about 3x years old but here are the issues we found with it.

There's a heap of apps out there that can be applied and all claim to block a raft of removable storage and it can be configured as complex as you want. They all did the job in blocking USB, CD burning, firewire etc and could be applied through GPO.

There was also the feature of whitelisting serial numbers of USB keys to allow a controlled set to be used.

The problem was that all the tested solutions failed in reporting. None gave a comprehensive report on what data was being blocked, when/where it was blocked, what was trying to copy data and what was being accessed.

If you are trying to curb data leakage you need to know who is trying download files from the company and what those files are. Simply blocking isn't enough.

We let the vendors know this and maybe the technology has improved since then.

mikedisd2

waltdee wrote: »

I just wish there was a free way to achieve this or at least much cheaper. its $31/license and we have 300 machines

Don't be cheap, you get what you pay for.

If you want an enterprise solution, expect to pay for it.

Fugazi1000

Consider user education.

People will ALWAYS find ways around technical controls if they prevent them getting work done.

With 300 machines, it sounds a small firm. They are likely to be more engaged and 'happy to help', so tell them why encrypting flash devices prevents data loss should the flash drive be lost. Make it easy for them to get/use encrypted devices. i.e. don't just tell them to use encrypted devices, actually supply them configured with your chosen encryption method. Make password/key management part of that education process.

Forsaken_GA

Fugazi1000 wrote: »

Consider user education.

People will ALWAYS find ways around technical controls if they prevent them getting work done.

With 300 machines, it sounds a small firm. They are likely to be more engaged and 'happy to help', so tell them why encrypting flash devices prevents data loss should the flash drive be lost. Make it easy for them to get/use encrypted devices. i.e. don't just tell them to use encrypted devices, actually supply them configured with your chosen encryption method. Make password/key management part of that education process.

It all depends on the business. For companies that are following some kind of best practices for DLP, allowing access to removable media may be non-negotiable, and may very well be a compliance issue (this is the case with my employer). In that case, no matter how well reasoned your argument, it may not fly.

Finding ways around the DLP policy is certainly possible (I'm a big fan of reverse ssh tunnels), but with us, doing so is an offense that will very likely lead to termination.