Written by Mark Farrugia, Senior Microsoft Premier Field Engineer
You stop in at your local coffee shop that offers free Wi-Fi access. Sure enough you have someone hanging around with their laptop. They step away and leave their machine unattended; they may have locked the screen, but they left the laptop powered up and unattended while they grab another beverage. Have you seen this situation? Because I know I have, and I think to myself how easy it is for someone to plug something into that laptop, and how little time would that person would need to install a malicious piece of code.
Recently I came across this article titled “25% of new worms are designed to spread through USB devices”. Immediately I thought, what am I going to do to protect myself? As a Microsoft representative standing before my customers, the last thing I would want is for my machine to be compromised. As well, I don’t want to be in a situation where I am not practicing what I preach.
What Can You Do To Protect Yourself from Malicious Removable Devices?
Fortunately for me and Microsoft’s customers, since the launch of Windows Vista many years ago, Microsoft has enabled users the ability to lock out removable devices from their machines and whitelist a trusted number of devices. This functionality works great across both the client and server operating systems: Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
Microsoft Windows has the ability to control what gets plugged into the USB ports of a machine through the local group policy. But what about a large enterprise organization? Same rules apply; centralized group policy through Active Directory can be used to control what devices are whitelisted and blacklisted within your organization. For the purpose of this article, I am going to concentrate on our friend in the coffee shop.
Where Do You Find This Magical Control?
Control of USB removable media is built right into your operating system. You will need to have elevated privileges on your local machine to implement the policy, but you can make it so it applies to all users of your machine.
Once the local group policy editor opens, you will be presented with two panes, and on the left pane will be your navigation tree. This is broken into two sections, Computer Configuration and User Configuration. The policy we are going to be interested in working with is within the Computer Configuration context. Navigate to the following location:
Computer Configuration –> Administrative Templates –> System –>Device Installation –> Device Installation Restrictions
How Do You Configure Device Restrictions?
You are now presented with a screen that has the following options available to you:
Instead of me explaining all of these settings, I will run through a couple of situations.
Situation #1 - Lockout All Devices
If I wanted to lockout all devices connecting to my system I can configure the one policy titled “Prevent installation of removable devices”. This is a catch all policy that will prevent all removable devices attached to the machine from being configured and accessible.
You can even create a nice custom message that describes the lockout policy by configuring the “Display a custom message when installation if prevented by a policy setting”.
Situation #2 – Allow Only Trusted Devices
More realistically, you will probably want to only allow your USB keys to be connected to your machine to transfer data at any time. Therefore you would have to configure two policies.
From within Windows 7, you will want to go to “Device Manager” (Windows Pearl –>Search Box –> devmgmt.msc –> Disk Drives) to find out the USB keys Hardware IDs. You will want to find a string like the following:
Enter this information into the Group Policy Setting “Allow installation of devices that match any of these device IDs”
Within this policy you will want to set it to ENABLED, and then click on the “Show” button to enter all of your USB keys hardware IDs that you gathered earlier.
The other policy you will want to invoke will be the “Prevent installation of devices not described by other policy settings” set to be ENABLED.
One thing to note here, if you had enabled “Prevent installation of removable devices”, this policy setting will take precedence over all other policies configured, hence why it is important to configure the right policy for the right task.
Run a gpupdate /force from an elevated command prompt and test out the USB lockout functionality.
For further reading you can check out the following link also: Step-By-Step Guide to Controlling Device Installation Using Group Policy
Can This Apply To The Enterprise?
Absolutely. You can control groups of machines and/or all machines connected to a Microsoft Active Directory domain through group policy. This is a topic I hope to expand on in a future post to discuss the operational guidance and some group policy design suggestions to help you effectively manage your machines.
What About Windows XP Users?
Microsoft has not forgotten about our friends running Windows XP. Unfortunately for XP users, much of the automation present within Windows 7 is not present within Windows XP. A series of manual steps will be necessary to lockout removable devices, and the control over it is not as flexible as it is with Windows 7.
If you’re interested in learning about locking out removable devices with Windows XP refer to the following two articles:
- How can I prevent users from connecting to a USB storage device?
- HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
I hope you have found this helpful.