When you consider security, protection of the network, protection of corporate data, or similar issues on your corporate network, you must think about how to control USB thumb drives and hard drives. If a user can take a USB drive out of the office in their pocket, copy nearly any file to it, then plug it into their production desktop to copy or execute the files from the USB drive, the exposure to an attack or the introduction of a virus is rather extreme. Until now the control of USB drives has been limited and clumsy, and in most cases it affects all USB devices rather than just the drives you want to control. However, Microsoft has come to the rescue by adding Device Installation Restrictions to control USB devices on Windows Vista. These settings are easy to configure and control, and they are very powerful because they are deployed using Group Policy.
You Must Consider Two Scenarios for Controlling USB Drives
Before we can investigate the options and steps needed to restrict USB drives, we must break down USB drives into two different scenarios. The first scenario is quite simple, as it deals with a computer that has never seen a USB drive before. In this case the computer does not have any USB drives installed. A similar scenario is that you have a USB drive that you want to restrict which has not been installed on the computer before, even though a different USB drive has been installed. In both cases, the USB drive that you want to control has never been installed, so you can still control the installation of the USB drive and its driver.
The second scenario is when the USB drive has already been installed. In this scenario the USB drive has been configured in the registry and the associated driver has been copied to the computer.
Controlling the Installation of USB Drives on pre-Windows Vista
For those that do not have Windows Vista yet, or want to verify the process of controlling the installation of USB devices on Windows 2000 or Windows XP, I wanted to throw in the capabilities that you do have for these operating systems. This process allows you to control USB devices, but it is not nearly as easy to deploy or control as the new option of controlling USB drives using Group Policy.
For Windows 2000 and XP you will need to modify the permissions of two existing files to restrict the installation of USB drives. The two files are USBSTOR.PNF and USBSTOR.INF, which are located under the %systemroot%\inf folder. To deny the installation of USB devices, you need to modify the security on each file. To do so, right-click on the file, then select Properties. In the Properties window, select the Security tab. Then select the group name that the user(s) belong to (the users you want to deny installation of USB drives) and select the Deny Full Control permission, as shown in Figure 1.
Figure 1: Configure the groupname to have Deny permissions of Full Control for both files
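The same file-permission change, applied from a script so it can be pushed to many XP or 2000 computers at once. This is an added example, not part of the original article; it assumes PowerShell is installed on those systems (it is an add-on there, not built in), that the script runs as a local administrator, and that the group name passed in is one you choose (BUILTIN\Users is only a placeholder). Pick a group that does not include your administrators, or you will lock yourself out of the files as well.

```powershell
# Added example (not from the original article): deny the chosen group Full Control
# on usbstor.inf and usbstor.pnf, which stops Plug and Play from completing the
# USB storage driver install for members of that group. Like the manual method,
# this blocks ALL USB storage devices, not a single hardware ID.
param(
    [string]$GroupName = 'BUILTIN\Users'   # assumed placeholder group; use your own
)

$infFolder = Join-Path $env:SystemRoot 'inf'
$targets = @('usbstor.inf', 'usbstor.pnf') | ForEach-Object { Join-Path $infFolder $_ }

foreach ($file in $targets) {
    if (-not (Test-Path $file)) {
        Write-Warning "$file not found; skipping"
        continue
    }
    $acl = Get-Acl -Path $file
    # A Deny ACE is evaluated before Allow ACEs, so it wins even if the same
    # group also has an Allow entry inherited from the folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $GroupName, 'FullControl', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
    Write-Host "Deny Full Control for $GroupName applied to $file"
}

# Verification: list the Deny entries now present on each file
foreach ($file in $targets) {
    if (Test-Path $file) {
        (Get-Acl -Path $file).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            Select-Object @{ n = 'File'; e = { $file } }, IdentityReference, FileSystemRights
    }
}
```

Run it as `.\Deny-UsbStorInstall.ps1 -GroupName 'DOMAIN\Restricted Users'` (the file name is yours to choose). Because the deny is on the driver's INF files rather than on a device ID, a drive that was installed before the change keeps working; that is the second scenario described later in the article.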
Controlling the Installation of USB Drives on Windows Vista
For Windows Vista computers you can use a Group Policy object setting to deny the installation of USB drives. This method provides a very granular way of controlling individual USB devices; it is not an "all or nothing" situation like so many other options are. With this method you will need to discover the USB ID for the device. The ID is then used in the policy to control the USB device. Another benefit of deploying the policy via Group Policy is that you can either deny the USB device or allow the USB device, so you can craft your own USB device matrix of what is allowed and what is denied.
The catch is that to discover the USB ID you must install the device. For this you just need a test computer where you can install it.
Below are the steps you need to follow to discover the USB ID for an installed device.
- Open Device Manager from the Control Panel.
- Find the device in the list of devices. USB drives will typically be located under the Disk drives section.
- Right-click the USB device and select Properties, which will open up the device property sheet, as shown in Figure 2.
Figure 2: Select the Properties of your USB storage device from Device Manager
- Select the Details tab from the USB Properties sheet.
- Click the dropdown list labeled Property.
- Select the Hardware Ids option, as shown in Figure 3.
Figure 3: The Device class GUID is what you will use for the hardware ID for the policy
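If you would rather collect the Hardware IDs from your test computer without clicking through Device Manager for every drive, the following script reads the same information from the registry. It is an added example, not part of the original article, and it assumes the standard Windows layout: every USB storage device that has ever been installed has a key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, and each device instance key carries a REG_MULTI_SZ value named HardwareID that matches what the Details tab shows. It needs PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example (not from the original article): list the Hardware IDs recorded
# for every USB storage device that has been installed on this computer.
# The HardwareID column is the string to paste into the
# "Prevent installation of devices that match any of these hardware IDs" policy.
function Get-UsbStorageHardwareId {
    $enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'   # assumed standard location
    if (-not (Test-Path $enumRoot)) {
        Write-Warning 'No USB storage device has been enumerated on this computer yet.'
        return
    }
    # First level: one key per device model, e.g. Disk&Ven_...&Prod_...&Rev_...
    foreach ($model in Get-ChildItem -Path $enumRoot) {
        # Second level: one key per physical instance (usually the device serial number)
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            if (-not $props.HardwareID) { continue }   # some instances carry no IDs
            # HardwareID is a multi-string; the first entry is the most specific match
            foreach ($id in @($props.HardwareID)) {
                New-Object PSObject -Property @{
                    Model        = $model.PSChildName
                    Instance     = $instance.PSChildName
                    FriendlyName = $props.FriendlyName
                    HardwareID   = $id
                }
            }
        }
    }
}

# One line per distinct Hardware ID, ready for the policy's Show Contents dialog
Get-UsbStorageHardwareId |
    Sort-Object -Property HardwareID -Unique |
    Format-Table -Property Model, HardwareID -AutoSize
```

Use the most specific ID (the first one listed for a device) when you want to deny one model of drive, and a more generic entry from the list when you want the policy to match a whole family of devices.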
With this USB ID you can create and configure a GPO. To configure a GPO to include the USB ID and restrict the installation of the device, follow these steps on a computer where the USB device has not been installed.
- Click the Start button, select Run, then type gpedit.msc, then click the OK button. (If you have UAC enabled you will need to agree to allow the Group Policy editor to run. For more information on UAC refer to Understanding UAC in Vista.)
- Expand Computer Configuration|Administrative Templates|System|Device Installation|Device Installation Restrictions, as shown in Figure 4.
Figure 4: You will configure policies under the Device Installation Restrictions node to control USB devices
- Double-click on the Prevent installation of devices that match any of these hardware IDs policy.
- Select the Enabled radio button.
- Click on the Show button to open the Show Contents dialog box.
- Click the Add button on the Show Contents dialog box.
- Type in the ID for the USB drive using the syntax shown in Figure 5.
Figure 5: Hardware restriction policy input uses the Hardware ID from the device
- Save all of your settings from within the policy and exit the editor.
Now that you have your policy set up, you can test the installation of the USB drive. After you plug in the USB drive on the computer where you configured the GPO, you should get an error message similar to the one shown in Figure 6. You only need to click on the icon in the tray to see this dialog box.
Figure 6: If the policy denies the installation of the device, a message can be displayed
If you want to go the extra mile, you can also configure a custom message display. There are two policies (Display a custom message when installation is prevented by policy (balloon text and balloon title)) above the prevention of the USB IDs, which can be seen in Figure 4.
If the device is already installed, the policy will not stop it from running. You will need to uninstall the device driver for this policy to work, or you can use the pre-Vista file-permission option listed above for post-driver installation denials. However, if you use that post-driver installation denial option, it will deny ALL USB storage devices.
Controlling USB Devices That Have Already Been Installed
For the second scenario, you will need to consider controlling USB devices that are already installed. For this scenario, you have two options. One option is to uninstall the USB drive, which will put the computer in the state of not having the USB drive installed - since this can be difficult to manage and impossible to implement in a large corporation, you need to look at an alternative.
The second option will force you to hack the registry. Have no fear of the registry; you will be able to hack it without causing a blue screen! With registry hacks you can make the change manually, with a script, or even use Group Policy to deploy the setting. In this case, I would suggest that you use Group Policy. You can use the new Registry Preference or you can customize an ADM template. I show you what the ADM template would look like below. Configuring a Registry Preference policy from the information in the ADM template would be super simple! To create an ADM template, just copy the text below to Notepad and save the file with an ADM extension, making sure you do not append the .txt extension to the file. Next, just import the ADM template into a GPO using the Group Policy Management Editor. The steps to import an ADM template into a GPO can be found at http://technet.microsoft.com/en-us/magazine/cc162497.aspx as well as in the Group Policy Resource Kit.
CATEGORY "Braincore.net USB Storage Drive Restriction"
POLICY "How do you want USB Drives to Behave?"
#if version >= 3
EXPLAIN "Policy to disable USB removable storage"
VALUEON NUMERIC 3
VALUEOFF NUMERIC 4
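For computers you manage with a script rather than an ADM template, here is the same registry control for already-installed drives done from PowerShell, together with a check of which of the two mechanisms is currently in force on the machine. This is an added example, not part of the original article. The template above sets a numeric value to 3 (on) or 4 (off); since the template is cut off on the page, the script assumes that value is the Start value of the USBSTOR service under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, where 3 is manual start (drives work) and 4 is disabled (the driver never loads, so no USB disk appears). It also assumes the Vista Device Installation Restrictions policy is stored under the standard DeviceInstall\Restrictions policy key with a DenyDeviceIDs flag and a DenyDeviceIDs subkey listing the blocked IDs. Run it elevated; note that the USBSTOR setting affects every USB storage device, not a single ID.

```powershell
# Added example (not from the original article): read and set the USBSTOR service
# Start value (assumed to be the value the article's ADM template controls), and
# report whether a Device Installation Restrictions policy is also applied.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'   # assumed standard key

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled (Start=3, manual start)' }
        4       { 'Disabled (Start=4)' }
        default { "Unexpected Start value $start" }
    }
}

function Set-UsbStorageState {
    param([ValidateSet('Enabled', 'Disabled')][string]$State)
    $value = if ($State -eq 'Enabled') { 3 } else { 4 }
    Set-ItemProperty -Path $usbstorKey -Name Start -Value $value -Type DWord
    # A drive that is plugged in right now keeps working until it is removed or
    # the machine restarts; the new value applies at the next device enumeration.
    Get-UsbStorageState
}

# Audit helper: show whether the per-ID Vista policy is also in force, so you can
# tell which mechanism is blocking a drive when a user reports a problem.
function Get-DeviceInstallRestriction {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'  # assumed
    if (-not (Test-Path $policyKey)) {
        return 'No Device Installation Restrictions policy applied'
    }
    $flags = Get-ItemProperty -Path $policyKey
    $ids = @()
    if (Test-Path "$policyKey\DenyDeviceIDs") {
        # The deny list is stored as values named 1, 2, 3, ... holding the hardware IDs
        $ids = (Get-ItemProperty -Path "$policyKey\DenyDeviceIDs").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    New-Object PSObject -Property @{
        DenyEnabled = [bool]$flags.DenyDeviceIDs
        DeniedIds   = $ids
    }
}

Write-Host ('USBSTOR service: ' + (Get-UsbStorageState))
Get-DeviceInstallRestriction
# To block all already-installed USB drives on this computer:
#   Set-UsbStorageState -State Disabled
# To restore them:
#   Set-UsbStorageState -State Enabled
```

Deploying the Start value through a Registry Preference item or the ADM template is preferable to running this on each machine, because Group Policy reapplies the value if a local administrator flips it back; the script is most useful for verifying what a given computer actually has in effect.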