
Block Removable USB storage except listed by serial


mchipser


I am attempting to block all removable USB storage devices, which is complete, but I am trying to allow certain devices to be installed.

I was hoping I could do this by Hardware ID, but it appears if I have two thumb drives of the same brand both items will work since they share the same Hardware ID. It would be nice to allow items based on serial since that is different per flash drive or any removable media.




The USB specs do impose a serial on any USB mass storage device (controller) and actually I would say 99.99% of sticks I have ever seen do sport - from factory - such a serial number.

The Vid and Pid on the contrary, besides the same "brand", have often been and still are misused: some brands will have their own Vid, some will use the generic Vid of the maker of the controller.

A number of "brands" will additionally use the same Pid for very different models.

HOW exactly have you (currently) blocked *all* "removable" USB storage devices?

What exactly do you mean by "Removable" devices (most if not all USB stick controllers are set in factory as Removable, but the bit can be "flipped" and you can have, for a very large number of models/brands/controllers, a USB stick set as "Fixed" - just like a USB hard disk normally is).

jaclaz

Edited by jaclaz
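The identifiers discussed above (the per-stick serial the USB spec requires, versus the per-model Vid/Pid) can be read straight off an attached disk. The following is an added example, not code from this thread: it lists every USB disk with its USBSTOR instance ID, the serial part of that ID, the Vid/Pid taken from the parent USB node, and whether Windows had to generate the serial because the controller reported none. It assumes the built-in PnpDevice module (Windows 8 / Server 2012 and later); on older hosts the Vid/Pid columns simply stay empty.

```powershell
# Added example (not from the thread): enumerate the identifiers Windows exposes
# for USB disks so an allow list can be keyed on a per-stick serial rather than
# a per-model Hardware ID. Assumes Get-PnpDeviceProperty is available.

function Get-UsbStorageIdentity {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            # Shape: USBSTOR\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\<serial>&0
            $instanceId = $_.PNPDeviceID
            $leaf = $instanceId.Split('\')[-1]

            # A controller that reports no serial gets a Windows-generated ID;
            # those have '&' as the second character (e.g. 7&1a2b3c4d&0&...).
            $generated = ($leaf.Length -gt 1 -and $leaf[1] -eq '&')
            $serial = if ($generated) { $null } else { $leaf -replace '&\d+$', '' }

            # Vid/Pid live on the parent USB device node: USB\VID_xxxx&PID_yyyy\...
            $vidHex = $null; $pidHex = $null
            try {
                $parent = (Get-PnpDeviceProperty -InstanceId $instanceId -KeyName 'DEVPKEY_Device_Parent' -ErrorAction Stop).Data
                if ($parent -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                    $vidHex = $Matches[1]; $pidHex = $Matches[2]
                }
            } catch {
                # Hosts without the PnpDevice module: leave Vid/Pid empty.
            }

            [pscustomobject]@{
                Model             = $_.Model
                MediaType         = $_.MediaType   # 'Removable Media' or 'Fixed hard disk media' (the flippable bit)
                VID               = $vidHex
                PID               = $pidHex
                Serial            = $serial
                SerialIsGenerated = $generated
                InstanceId        = $instanceId    # the value an instance-ID allow list would carry
            }
        }
}

# Usage: show every attached USB disk. A row with SerialIsGenerated = True is a
# stick that cannot be told apart from its siblings by serial at all.
Get-UsbStorageIdentity | Format-Table -AutoSize
```

Two sticks of the same model show identical Vid/Pid and, usually, an identical Hardware ID; only the serial segment of the instance ID differs, which is why keying an allow list on the Hardware ID lets both through. The generated-serial check matters because a stick whose controller ships without a serial can never be allowed individually, whatever mechanism is used.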


We are currently blocking via local GP via the Removable Storage Access. These systems are not part of a domain. Is there a better way to do this, and allow certain removable storage drives?

EDIT: The GP we are using blocks, from what I can tell, all USB drives fixed or removable.

Edited by mchipser

EDIT: The GP we are using blocks, from what I can tell, all USB drives fixed or removable.

Yep, that was with the intent of disambiguating, as often happens the MS guys are using the same term for completely different concepts.

Additionally I presume you are not blocking "USB Removable", you are blocking ALL Mass Storage devices belonging to the "Removable class" (i.e. also Firewire).

http://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx

And by "exactly" I meant something like:

http://gps.cloudapp.net/Default.aspx?PolicyID=2282#2281

IF the thing is done for some "serious" security reason, you might want/need to also look in the WPD classes.

I don't think that you can get a "by serial" limitation through GPO or Registry, see this:

http://www.itexpertmag.com/security/danger-usb

(AND relevant links in it)

The "common" solution is a service running in the background, AFAIK, BUT you can use another approach, preventing installation of drivers:

http://community.spiceworks.com/how_to/show/1488-lockdown-usb-to-specific-removable-usb-drives

Basically you install all "authorized" devices, then you "lock" the install of any further device. (I have NO idea how secure this approach is).

Personally, I would TRY getting the Mass Production Tool for the "authorized" sticks and combine the solutions based on several ways:

With the appropriate MPT you can customize Vid, Pid, Device ID and serial, so that you create a "unique" set of "authorized" sticks.

This way the "intruder" would probably need to bypass a couple of "layers" instead of just one.

jaclaz

Edited by jaclaz
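The "install the authorized sticks, then lock further installs" approach from the linked how-to is a Device Installation Restrictions policy, and on a standalone machine the same effect can be had by writing the registry values that policy uses, which sidesteps the no-domain problem. The script below is an added example, not code from this thread or from the linked how-to. The key path and the DenyUnspecified, AllowAdminInstall and AllowDeviceIDs names are the documented ones for Windows 7 and later; the AllowInstanceIDs list (allow one specific stick by its full instance ID, serial included) is an assumption that only applies to Windows 10 1809 and later and should be checked against the ADMX in use. Every device ID in the script is a constructed placeholder.

```powershell
# Added example (not from the thread): lock device installation on a standalone
# host to an allow list, using the registry values behind the Device Installation
# Restrictions policies. Run as administrator. AllowInstanceIDs is an assumption
# (Windows 10 1809+ only); all device IDs below are constructed placeholders.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Set-DeviceIdList {
    # Policy stores each list as a DWORD switch named after the list plus a
    # subkey of the same name holding REG_SZ values named 1, 2, 3, ...
    param([string]$ListName, [string[]]$Ids)
    Set-ItemProperty -Path $Restrictions -Name $ListName -Type DWord -Value 1
    $sub = Join-Path $Restrictions $ListName
    Remove-Item -Path $sub -Recurse -ErrorAction SilentlyContinue
    New-Item -Path $sub -Force | Out-Null
    $n = 1
    foreach ($id in $Ids) {
        Set-ItemProperty -Path $sub -Name ([string]$n) -Type String -Value $id
        $n++
    }
}

function Get-DeviceIdList {
    # Reads a list back in the order policy evaluates it; used to audit a host.
    param([string]$ListName)
    $key = Get-Item -Path (Join-Path $Restrictions $ListName) -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    @($key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) })
}

function Lock-DeviceInstall {
    param([string[]]$AllowedHardwareIds, [string[]]$AllowedInstanceIds)

    New-Item -Path $Restrictions -Force | Out-Null

    # "Prevent installation of devices not described by other policy settings".
    # Devices already installed keep working, which is what the
    # install-then-lock approach relies on; new, unlisted devices get no driver.
    Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Type DWord -Value 1
    # Let local administrators still install; remove to lock admins out as well.
    Set-ItemProperty -Path $Restrictions -Name AllowAdminInstall -Type DWord -Value 1

    if ($AllowedHardwareIds) { Set-DeviceIdList -ListName 'AllowDeviceIDs'   -Ids $AllowedHardwareIds }
    if ($AllowedInstanceIds) { Set-DeviceIdList -ListName 'AllowInstanceIDs' -Ids $AllowedInstanceIds }  # assumption: 1809+
}

# Constructed placeholders: a Hardware ID matches every stick of one model,
# an instance ID (serial included) matches exactly one stick.
Lock-DeviceInstall `
    -AllowedHardwareIds @('USBSTOR\DiskVendorX_ProductY_____1.00') `
    -AllowedInstanceIds @('USBSTOR\DISK&VEN_VENDORX&PROD_PRODUCTY&REV_1.00\0123456789ABCDEF&0')

# Audit what is now in force.
Get-ItemProperty -Path $Restrictions | Select-Object DenyUnspecified, AllowAdminInstall
Get-DeviceIdList -ListName 'AllowDeviceIDs'
Get-DeviceIdList -ListName 'AllowInstanceIDs'
```

Two limits worth knowing before relying on this as the only layer. It governs driver installation, not access: a stick installed before the lock keeps working until its device node is removed, so the "install the authorized ones first" step is also the step that decides what stays usable. And it says nothing about devices that enumerate as something other than a disk (the WPD/MTP classes mentioned above), which need their own deny entry if the goal is to keep file transfer off the box.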


The main problem with that approach, for me at least, is our systems are not local and sometimes on the other side of the world. I would need a way to allow certain Removable devices, but block all others. These removable devices need to be approved by management in order to get allowed onto the system. Again these systems are not on a domain, which make this much more difficult.

Edited by mchipser

The main problem with that approach, for me at least, is our systems are not local and sometimes on the other side of the world.

WHICH approach?

(THREE of them were listed)

I would need a way to allow certain Removable devices, but block all others. These removable devices need to be approved by management in order to get allowed onto the system.

Yes, you already stated this, and still you fail to describe the kind of "security level" needed/required and the amount of money you (or your company) value this at; as said, there are Commercial solutions that use a running service to prevent access to USB thingies not "approved".

Again these systems are not on a domain, which make this much more difficult.

I cannot see why.

Having them in a domain may be an easier way to deploy/re-deploy or update a given solution, but right now you are missing this solution outright, and as said it seems like GPS (and consequently GPO as well) by itself is not "enough".

jaclaz
