You have probably heard about the "Whoops! I dropped my USB stick in the parking lot" penetration test that was performed years ago. If not, here is the short version: pen testers configured a batch of USB memory sticks so that as soon as one was plugged into a computer it would run code that the user was completely unaware of. Anybody who used one of these sticks would see what looked like a blank volume, waiting for them to store documents, pictures, whatever they needed. In the background, however, the stick would "phone home" and record when it had been plugged in, proving that code can be executed simply by plugging in an untrusted USB drive.
Then... the pen testers dropped a bunch of these USB sticks in a company's parking lot. This is recalled strictly from my own memory, but the numbers were pretty staggering. I want to say that 80-something percent of users who found USB sticks walked right inside the office, and plugged them into their corporate, domain-joined computer to see what was on them. "What's the big deal?" you ask, "How bad could a little USB stick really be?"
I remember sitting in a Microsoft TechEd session once where our presenters convinced an attendee to bring their brand new Microsoft Surface to the front of the room, and to plug their USB stick into it. After reassuring him that they would remove the malware when the demonstration was finished, he reluctantly (this was an IT professional, after all) went ahead and plugged in the memory stick. Within seconds, I mean like three seconds, we were staring at a live video stream of him up on the big screen in front of the room. That USB stick had installed itself, established a connection with a server out on the internet, taken over his camera and was live-streaming his face to the web. Oh, and the software also made sure to disable the little light next to his camera, so other than seeing himself larger-than-life on the screen, he would have absolutely zero idea of what was happening to his computer. They could have done so much more, that little tablet was completely owned and theirs for the taking at that point.
Do not plug in USB drives unless you know for sure what is on them!
It is "cool" these days for businesses to hand out memory sticks full of marketing materials, rather than dumping business cards and paper product sheets in your lap. You should take those free USB sticks and throw them straight in the trash. Do not plug them in, do not think that you can be fast enough to format them before they do anything bad to your computer. It's not worth the risk.
Unfortunately, many IT folks don't know this, let alone end users, so we need to protect our computers from it proactively. The easiest way is to disable removable storage wholesale, with a single policy setting inside Group Policy:
User Configuration | Policies | Administrative Templates | System | Removable Storage Access:
You can see that there are many different options here, should you want to selectively disable only floppy drives or CD/DVD drives. Even tape drives are listed! But seriously, who uses those things any more? Even CD/DVD drives don't ship in many computers these days; we simply don't need them most of the time. So let's take the most secure approach and configure just a single setting: All Removable Storage classes: Deny all access. This blocks every device class Windows treats as removable storage (removable disks, CD/DVD, floppy, tape, and WPD devices such as phones and cameras) and gives us the best chance of stopping those rogue USB drives, while our USB ports keep working for keyboards and mice. The same Removable Storage Access folder also exists under Computer Configuration; that version applies to the machine no matter who logs on, which is usually what you want for a blanket block. One caveat: the setting governs storage classes only. A USB device that presents itself to Windows as a keyboard is outside its scope and can still type commands into the logged-on session, so if that is a concern in your environment, look at Device Installation Restrictions (Computer Configuration | Policies | Administrative Templates | System | Device Installation | Device Installation Restrictions) as well.
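Applying and then checking that setting from PowerShell, as an added example that is not part of the original post. It writes the registry value behind "All Removable Storage classes: Deny all access" into a GPO and then, on a client, reports whether the value has arrived and whether mounted removable volumes can actually be read. The GPO name is a placeholder, and the script assumes the RSAT GroupPolicy module for the first part and an elevated prompt on a domain-joined client (after `gpupdate /force`) for the second.

```powershell
# Added example, not from the original post. Applies the
# "All Removable Storage classes: Deny all access" setting from PowerShell
# and then checks what is actually in force on a client.
#
# Assumptions: the GroupPolicy module (RSAT) is available where Part 1 runs,
# the GPO name below is a placeholder you replace with your own, and Part 2
# runs elevated on a domain-joined client after "gpupdate /force".

$GpoName   = 'Block Removable Storage'   # placeholder, not a real GPO name
$PolicyKey = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# --- Part 1: put the policy value into the GPO --------------------------
# Deny_All = 1 under this key is the registry value the ADMX setting writes.
# HKCU matches the User Configuration path given in the text; HKLM is the
# Computer Configuration twin, which applies no matter who logs on.
Set-GPRegistryValue -Name $GpoName -Key "HKCU\$PolicyKey" `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Read it back from the GPO so a typo in the key or value name shows up now
# rather than after the next policy refresh.
Get-GPRegistryValue -Name $GpoName -Key "HKCU\$PolicyKey" -ValueName 'Deny_All' |
    Select-Object KeyPath, ValueName, Type, Value

# --- Part 2: verify on the client ----------------------------------------
function Test-RemovableStorageDenied {
    # Returns $true if Deny_All = 1 is present in either policy hive,
    # i.e. the setting has reached this machine (HKLM) or this user (HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$PolicyKey"
        $value = Get-ItemProperty -Path $path -Name 'Deny_All' -ErrorAction SilentlyContinue
        if ($value -and $value.Deny_All -eq 1) { return $true }
    }
    return $false
}

function Test-RemovableVolumesBlocked {
    # Tries to list the root of every removable volume that has a drive
    # letter. With the policy in force the volume either never mounts or the
    # read is refused; without it the listing succeeds.
    $results = @()
    $removable = Get-Volume | Where-Object {
        $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Z]$'
    }
    foreach ($vol in $removable) {
        $root = "$($vol.DriveLetter):\"
        try {
            Get-ChildItem -LiteralPath $root -ErrorAction Stop | Out-Null
            $results += [pscustomobject]@{ Drive = $root; Blocked = $false; Error = '' }
        } catch {
            $results += [pscustomobject]@{ Drive = $root; Blocked = $true; Error = $_.Exception.Message }
        }
    }
    return $results
}

"Deny_All policy present on this machine/user: $(Test-RemovableStorageDenied)"
Test-RemovableVolumesBlocked | Format-Table -AutoSize

# Caveat: Deny_All governs storage classes only. A USB device that enumerates
# as a keyboard (HID) is untouched by this value and can still type commands;
# that case is handled by Device Installation Restrictions, not this policy.
```

Run Part 1 on a machine with the GroupPolicy module and Part 2 on a client with a known-good USB stick inserted; a `Blocked = True` row for the stick's drive letter, or no row at all because the volume never mounted, is the result you want.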