blocking USB drives in company

waltdee Member Posts: 122
Hello, I've been trying to find either a product or a GPO that will allow me to achieve the following:

1. block flash drives that are not encrypted and only allow the ones that are.

Any idea would be greatly appreciated.
when one is the, the one will be the being of willing to be the one.

Comments

  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Technical restrictions can be applied through Domain Security Policy, HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.

    Also check out gfi.com/endpointsecurity, and Symantec Endpoint protection.
    Working on: staying alive and staying employed
  • Everyone Member Posts: 1,661
    colemic wrote: »
    Technical restrictions can be applied through Domain Security Policy, HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.

    Also check out gfi.com/endpointsecurity, and Symantec Endpoint protection.

    McAfee has a product for this too. Pick your poison. ;)
  • shaqazoolu Member Posts: 259 ■■■■□□□□□□
    LanDesk and Desktop Authority from ScriptLogic are other options I believe.
    :study:
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Everyone wrote: »
    McAfee has a product for this too. Pick your poison. ;)

    Hey, I'm just throwing out suggestions... he didn't say they had to be good ones. ;)
    Working on: staying alive and staying employed
  • waltdee Member Posts: 122
    Thanks guys! This will really help me get started.
    when one is the, the one will be the being of willing to be the one.
  • jtoast Member Posts: 226
    I looked at doing this a few months ago and found the below thread helpful. Yes, it's old, but most of the info is still valid.
    How to disable USB Drives (jump/flash/external/etc.) - Petri.co.il forums by Daniel Petri


    We decided against putting a block in place though because it's all or nothing. If you block flash drives, you also block smartphones, external HDs, and all other USB storage devices. This can be an issue as external HDs especially often have a valid business purpose.

    3rd party applications such as McAfee mentioned above will give you a little more flexibility, but you then have to create a whitelist with manufacturer IDs, which could become a nightmare to manage if you are in a large company (we have over 50,000 machines worldwide in our environment).
  • MickQ Member Posts: 628 ■■■■□□□□□□
    You can also place restrictions via GPOs based on hardware identity. Maybe you'd clear one particular batch of USB sticks which are encrypted. The only problem would be that the same model would be allowed to operate, even if unencrypted.
  • ChooseLife Member Posts: 941 ■■■■■■■□□□
    To those who did/tried to implement USB device blocking at work - care to share your non-technological part of the experience? Did it actually last as a solution, does everyone hate you with passion now, do you still get little cards on a Sysadmin day?...
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • jtoast Member Posts: 226
    We discussed it and decided that it just wouldn't be feasible, but our problem wasn't really our local users. They could transfer files via VPN when needed. The problem was our local support guys. We discovered that it was standard procedure for our techs to carry around troubleshooting/malware/virus remediation tools on flash drives. Denying access would have required a change in process worldwide.

    We are also in the process of converting our ZTI build from CD to Flash drive for windows 7 with the goal being faster buildtimes.

    After about 2 months of discussion and basic testing, we came to the conclusion that disabling autorun combined with user education and an effective AV solution (we use McAfee ePO and its associated client security suite) was our best option.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Finally found the email; this will turn off just the mass storage part of USBs. It works (at least for us) and is very effective. We had this built into our images, as opposed to pushing via GPO.

    Here are the Regkeys that are modified to turn off USB Mass Storage devices.

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start", "00000004"
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Type", "00000001"
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\ErrorControl", "00000001"
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\ImagePath", "system32\DRIVERS\USBSTOR.SYS"
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\DisplayName", "USB Mass Storage Driver"

    Set Start to 1.
    Working on: staying alive and staying employed
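    As an added example (not from the thread or any vendor), the PowerShell below audits and enforces the USBSTOR Start value colemic's registry list sets, and it enumerates the USB storage devices a machine has already seen so their IDs can feed the hardware-identity allow list MickQ describes. It assumes an elevated prompt; the paths and the Start values (4 = disabled, 3 = the default demand-start) are the standard Windows ones, and the function names are my own.

```powershell
# Added example, not from the thread: audit/enforce the USBSTOR driver start
# value and list seen USB storage devices for a GPO allow list.
# Assumes an elevated PowerShell session on a domain-joined Windows client.

$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$enumKey    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorState {
    # Start = 4 means the mass-storage driver is disabled (the thread's setting);
    # 3 is the Windows default (demand start), which re-enables it.
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
    [pscustomobject]@{ Start = $start; Disabled = ($start -eq 4) }
}

function Set-UsbStorDisabled {
    param([bool]$Disabled = $true)
    $value  = if ($Disabled) { 4 } else { 3 }
    $before = (Get-ItemProperty -Path $usbstorKey -Name Start).Start   # keep for rollback
    Set-ItemProperty -Path $usbstorKey -Name Start -Value $value -Type DWord
    Write-Host "USBSTOR Start: $before -> $value (applies to devices plugged in from now on)"
}

function Get-SeenUsbStorDevices {
    # Each subkey of Enum\USBSTOR is a device ID (vendor/product/revision) shared by
    # every stick of that model, which is why a model-level allow list also admits an
    # unencrypted stick of the same model. Each child key is the per-device instance
    # path that embeds the serial number, the value to prefer where policy supports it.
    Get-ChildItem -Path $enumKey -ErrorAction SilentlyContinue | ForEach-Object {
        $deviceId = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                DeviceId     = "USBSTOR\$deviceId"
                InstanceId   = "USBSTOR\$deviceId\$($_.PSChildName)"
                FriendlyName = (Get-ItemProperty -Path $_.PSPath).FriendlyName
            }
        }
    }
}

Get-UsbStorState
Get-SeenUsbStorDevices | Format-Table -AutoSize
# To apply the thread's setting on this machine:  Set-UsbStorDisabled -Disabled $true
```

    Run the audit part first across a sample of machines; the InstanceId column is what you would collect from the approved encrypted sticks before turning on any device-installation restriction.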
  • waltdee Member Posts: 122
    So I came across this application which will do exactly what I'm looking for; it's called eUSB by Cryptzone. What it does is force any unencrypted flash drive to be encrypted, or else it only allows read and not write access to it.

    I just wish there was a free way to achieve this, or at least a much cheaper one. It's $31/license and we have 300 machines.
    when one is the, the one will be the being of willing to be the one.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Test out the registry hacks above. It worked absolutely perfectly for us. You may have to go to each machine, but at least it's free. :)
    Working on: staying alive and staying employed
  • Forsaken_GA Member Posts: 4,024
    ChooseLife wrote: »
    To those who did/tried to implement USB device blocking at work - care to share your non-technological part of the experience? Did it actually last as a solution, does everyone hate you with passion now, do you still get little cards on a Sysadmin day?...

    Well, I can't speak as an implementor, but I can speak as someone who's forced to live with it.

    It's annoying, but I've adapted. I've just been forced to implement network storage repositories to replace the portability of USB devices.

    If your company ever starts using the term "Data Loss Prevention", you can be sure this is coming to an enterprise near you!

    There was a lot more pushback generated from migrating our squid proxies to IronPorts (which I am responsible for) than there was about the USB lockout.
  • mikedisd2 Member Posts: 1,096 ■■■■■□□□□□
    My experience with the technology is about 3x years old but here are the issues we found with it.

    There's a heap of apps out there that can be applied and all claim to block a raft of removable storage and it can be configured as complex as you want. They all did the job in blocking USB, CD burning, firewire etc and could be applied through GPO.

    There was also the feature of whitelisting serial numbers of USB keys to allow a controlled set to be used.

    The problem was that all the tested solutions failed in reporting. None gave a comprehensive report on what data was being blocked, when/where it was blocked, what was trying to copy data and what was being accessed.

    If you are trying to curb data leakage you need to know who is trying to download files from the company and what those files are. Simply blocking isn't enough.

    We let the vendors know this and maybe the technology has improved since then.
  • mikedisd2 Member Posts: 1,096 ■■■■■□□□□□
    waltdee wrote: »
    I just wish there was a free way to achieve this, or at least a much cheaper one. It's $31/license and we have 300 machines.

    Don't be cheap, you get what you pay for. If you want an enterprise solution, expect to pay for it.
  • Fugazi1000 Member Posts: 145
    Consider user education.

    People will ALWAYS find ways around technical controls if they prevent them getting work done.

    With 300 machines, it sounds a small firm. They are likely to be more engaged and 'happy to help', so tell them why encrypting flash devices prevents data loss should the flash drive be lost. Make it easy for them to get/use encrypted devices. i.e. don't just tell them to use encrypted devices, actually supply them configured with your chosen encryption method. Make password/key management part of that education process.
  • Forsaken_GA Member Posts: 4,024
    Fugazi1000 wrote: »
    Consider user education.

    People will ALWAYS find ways around technical controls if they prevent them getting work done.

    With 300 machines, it sounds a small firm. They are likely to be more engaged and 'happy to help', so tell them why encrypting flash devices prevents data loss should the flash drive be lost. Make it easy for them to get/use encrypted devices. i.e. don't just tell them to use encrypted devices, actually supply them configured with your chosen encryption method. Make password/key management part of that education process.

    It all depends on the business. For companies that are following some kind of best practices for DLP, allowing access to removable media may be non-negotiable, and may very well be a compliance issue (this is the case with my employer). In that case, no matter how well reasoned your argument, it may not fly.

    Finding ways around the DLP policy is certainly possible (I'm a big fan of reverse ssh tunnels), but with us, doing so is an offense that will very likely lead to termination.