24 January 2012

Control Removable Storage Access for Improved Security

Personal drives are an increasing problem for corporate networks.  These drives are not only a major source of malware but also represent a data leakage problem.

For years I have looked at malware infection attempts against corporate machines.  One thing that always shows up right at the top of the list is removable storage.  High capacity, high speed, highly portable drives are everywhere and they go everywhere.  People also shove them in everywhere, and they catch just about everything out there.

With Windows Vista and even more so with Windows 7 there are policies to assist with curbing or allowing administrators the desired access levels for removable media.

What you can Set
There are three permission options

  • Deny execute access
  • Deny read access
  • Deny write access

These apply over the following Removable Media Types

  • CD & DVD
  • Floppy Drives
  • Removable Disks
  • Tape Drives
  • Custom Classes 
  • WPD Devices ( media players, cell phones, CE devices)

There are also a few other settings here:

  • All Removable Storage classes : Deny all access  -- The good old fashioned kill switch
  • All removable Storage:  Allow direct access in remote sessions -- This related to Remote Desktop sessions
  • Time (in seconds) to force reboot -- I found that forcing a gpupdate worked fine in Windows 7

The amount of settings available in the policies now makes it possible to not only give the on or off options, but to have the granular control that is required.

What the user will see
Here is a scenario where read and write is allowed to a USB drive but execute is denied


The drives show up normally and we can read and write files to it all we want.  However if you try and execute an executable in the drive you will get the following error.



Here is a scenario where read and rite and execute has been denied.


The drive hardware is installed but no I/O to the disk is allowed.  Any attempt to access the disk returns this error 


How to setup the policy
Open MMC add the Local Computer Policy
Expand the tree to:
\Computer Configuration\Administrative Templates\System\Removable Storage Access\


Selectively choose which options to enable.
Using the the principle of the minimum required, you would normally only deny execute, but allow read and write.

Conclusion
For years it has been considered essential to disable auto-run for removable media.  With Windows 7 you can extend that to any executable content on removable media.  Unless you are a person routinely installing software from USB drives or a malicious bit of code, you will most likely never miss the ability to execute files directly on the USB drive.

Enforcing the control at the operating system level ensure you target all the current removable storage classes.  This is a far better approach than the old school thinking of "disable all the USB ports..."


For more reading on this check out http://msdn.microsoft.com/en-us/library/bb530324.aspx

No comments:

Post a Comment