USB has given us fast, easy access to devices and files – but it’s also a security nightmare. How can you lock it down for clients?
USB technology can be both a blessing and a curse. The tiny ports transfer data at extremely high speeds and, thanks to plug and play technology, make it very easy for users to attach devices to a computer without handling the headache of device drivers. The use of USB-based memory sticks has eliminated the need for floppy drives and drastically increased the amount of information that can be transferred from a device to removable media.
With those benefits, however, come serious security concerns. One of the biggest worries is the loss of data from a company. Making it easy to transfer information to a tiny device that can be slipped into someone’s pocket invites people to copy large amounts of data to be taken out of the organisation. This can be done for legitimate reasons, by those who need to work from home, for example, or it can be done maliciously, with the intent of passing that information on to a third party, such as a new employer. And losing a USB stick with customer data on it doesn’t have to be malicious to make your customer liable.
The other danger is that USB devices can be used to introduce unwanted data into an organisation, particularly in the form of executable files. The Conficker worm, which swept the world in 2008, was distributed via a number of mechanisms, one of which was its ability to run itself from a USB stick inserted into a host, via Windows’ AutoRun facility.
Broadly speaking, there are two ways to implement USB security in a client’s workplace: lock down the USB port to varying degrees, or encrypt any data that will be copied to whatever device they’re putting into it. Over the last three generations, Windows has evolved to the point where you can do both.
Workarounds in XP
Originally, Windows XP required an inelegant workaround for USB lockdowns. There was no group policy setting to stop the port being used; instead you had to deny access to the system files used to reach the device, by configuring an administrative template group policy file that blocked system access to the USBSTOR.SYS and USBSTOR.INF driver files. That stopped USB ports from reading or writing any device inserted into them.
Vista introduced more granular controls at the Group Policy level. Administrators could use a group policy setting called Remote Storage Access, which would stop reading and/or writing to a whole device type (such as USB sticks or CD-ROM burners).
A second setting, Device Installation Restrictions, lets you prevent the installation of removable storage driver files in the first place. You can configure settings that, for example, prevent only removable USB devices from connecting to a laptop while allowing other devices to be used, so that users can plug in their USB mice but not a joystick or USB stick.
This feature can be used to grant access only to specific vendors’ devices. A USB device’s vendor and model information are found in a hardware ID stored on the device, which can be accessed via the device properties information in the Device Manager. To grant access to specific devices you need to either have those devices handy, so you can plug them in and retrieve their hardware ID from the device properties information, or look up the ID online.
It is also possible to use the Compatible ID, also stored on the device, which covers hardware that is similar to the device in question. This is useful for blacklisting whole groups of hardware, rather than whitelisting only very specific devices.
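The hardware IDs and compatible IDs described above can be read without opening Device Manager for every stick. The PowerShell script below is an added example, not code from the article: it lists the IDs of every USB mass-storage device currently attached, with the most specific hardware ID (the one to put in an allow-list) and the generic compatible IDs (the ones to put in a block-list) separated out. It uses the WMI class Win32_PnPEntity rather than the later Get-PnpDevice cmdlet so that it also runs on Vista and Windows 7 with PowerShell 2.0; the USBSTOR\ prefix it filters on is the bus under which Windows enumerates USB disks.

```powershell
# Added example (not from the article): list the Plug and Play hardware IDs and
# compatible IDs of the USB mass-storage devices currently attached, so the most
# specific hardware ID can be pasted into 'Allow installation of devices that
# match any of these device IDs', or a compatible ID into a block policy.
# Uses WMI (Win32_PnPEntity) so it also runs on Windows Vista/7 with PowerShell 2.0.
# Run in an elevated prompt with the device plugged in.

function Get-UsbStorageDeviceIds {
    param(
        # Device instance path prefix to match. USBSTOR\ is the bus under which
        # Windows enumerates USB disks; pass 'USB\' to see the parent USB devices.
        [string]$DeviceIdPrefix = 'USBSTOR\'
    )

    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like ($DeviceIdPrefix + '*') } |
        ForEach-Object {
            $hardwareIds   = @($_.HardwareID)    # most specific first, as Device Manager lists them
            $compatibleIds = @($_.CompatibleID)  # generic class identifiers such as USBSTOR\Disk
            New-Object PSObject -Property @{
                Name           = $_.Name
                InstancePath   = $_.DeviceID       # ends with the device's serial number
                AllowListId    = $hardwareIds[0]   # identifies one vendor/model, not one stick
                AllHardwareIds = ($hardwareIds -join '; ')
                CompatibleIds  = ($compatibleIds -join '; ')
            }
        }
}

# Print in a form that is easy to copy into the policy's 'Show...' dialog.
Get-UsbStorageDeviceIds |
    Select-Object Name, AllowListId, CompatibleIds, InstancePath |
    Format-Table -AutoSize -Wrap
```

The output makes the limitation discussed later in the article visible: the instance path carries the stick’s serial number, but none of the hardware IDs do, so a Device Installation Restrictions allow-list built from them admits every stick of that vendor and model, not the particular ones you issued.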
Bitlocker to Go
Windows 7 gives you simpler options. BitLocker To Go, an extension of the BitLocker fixed-drive encryption technology in Windows Vista, can encrypt USB memory sticks. Via group policy, you can force users to encrypt any USB memory stick when it is inserted into a USB port, if it hasn’t been already. Group policy also lets you dictate what encryption is used, including the cipher strength, which is important for compliance management in certain jurisdictions and vertical sectors.
USB memory sticks encrypted via BitLocker To Go can be accessed via a password, a certificate contained on the laptop, or a passcard carried by the user, providing two-factor authentication capabilities; on Vista and Windows XP you get read-only access to BitLocker-encrypted USB drives.
Although native USB security in Windows has come a long way, there are still limitations. For example, while group policy can be used to block access to a USB key that has not been encrypted, it cannot automatically encrypt the drive. That is still a manual process that must be carried out by the computer user. If the user chooses not to encrypt the drive, then the group policy grants only read access, preventing the user from writing to the drive.
Another limitation lies in the types of device that users can be forced to encrypt. While you can force encryption of USB memory sticks, you can’t force users to encrypt data copied to a USB-connected CD-ROM drive, for example.
Finally, while Windows 7 supports vendor and model information, it does not yet allow devices to be programmed with a completely unique ID. This prevents you from buying and issuing a specific set of USB keys to users and whitelisting them using an entirely unique GUID. It is possible to buy, say, a hundred 8GB Veritas USB memory sticks, issue them to users, and set a group policy saying that only that vendor and model can be used in USB ports at the endpoint. However, an intruder who has identified the type of USB memory stick in use could bring in their own 8GB Veritas USB stick and still gain access to a port.
To deal with that you need third-party security tools, which fall into two related areas: encrypted USB keys (from suppliers like Blockmaster, Ironkey and McAfee as well as more familiar USB suppliers like Lexar, Verbatim and Kingston), and port lockdown. Taken together, they are part of a broader category of data loss prevention systems, which brings many additional features to the party, such as content analysis.
Various companies offer port lock-down options. SafeEnd Protector installs an agent on the endpoint operating at the kernel level. It can be set to block not only USB memory sticks, but also other removable storage devices such as external hard drives and CDs or DVDs that might also be connected via USB ports. DeviceLock, another USB security solution, enables administrators to set rules that only allow USB ports to be used at certain times of the day. It can also be set to authorise access only to specific DVD and CD-ROM discs, which can be uniquely identified by date and signature, even when DeviceLock has blocked the DVD/CD-ROM drive from general use. And DeviceLock includes an optional data shadowing capability that can capture full copies of any files copied to an authorised removable device (including Windows Mobile, iPhone, and Palm OS-based PDAs and smart phones).
Symantec’s Endpoint Protection system also blocks the use of USB devices selectively according to the administrator preferences, while encrypting data that is transferred to such devices. When a user needs to share content securely using a USB stick, it can be copied to the USB drive, where it is subject to a data loss prevention check by a software agent installed on the client device. The Endpoint Encryption product secures the file by encrypting it automatically.
When the USB key is plugged into another computer that doesn’t have the Symantec agent installed, an access utility auto runs from the USB stick, enabling the files stored there to be decrypted after a shared password is entered. Any changes made by the user are automatically re-encrypted when saved onto the USB stick, to maintain its security.
The Endpoint Protection suite also includes data loss prevention technology that scans the content being copied to a device. The content engine can spot data formats such as credit card or social security numbers in Word documents and spreadsheet files, for example. The DLP technology, which looks at the binary format of a file to ascertain its real type (to stop the use of false file extensions), can also be used to prevent the transfer of zipped files. Those files can also be automatically unpacked and scanned.
These security tools cost extra and they mean more work in terms of installation and maintenance but you get security options that go well beyond the expanded but still relatively limited native features that Windows offers. In particular, being able to force encryption on all types of removable device, including DVD burners, is particularly important if an organisation really wants to protect its data. If you have a customer with multiple versions of Windows you’re already looking at different options for protecting data on each of them, so a third-party tool may simplify things as well as improving security – but at the very least you should be enabling the USB security Windows already has before any more data walks out of the door.
Managing hardware restrictions via group policy
A description of group policy settings for USB security in Windows Vista:
Using Windows Vista group policy to prevent unauthorised USB device use
A guide to locking down USB ports in Vista:
USB in Windows 7
A guide to USB features in Windows 7:
Preventing Windows XP users from writing to USB drives
An alternative client-side method to stopping USB drive copying in XP SP2:
Volume 1, Edition 1
Specifying and supporting disk encryption
feature finder code 1154a
Volume 3, Edition 1
Protecting networks; securing new boundaries
feature finder code 3142a
Volume 2, Edition 4
Dealing with a data breach
feature finder code 2441a
Step by Step
Setting up security on an IronKey USB drive
IronKey’s USB security management system combines highly secure USB memory sticks with an enterprise management console. Instead of locking down USB ports, IronKey concentrates on making its keys logically and physically secure, with a combination of 256-bit data encryption and shielded metal chips protected by an epoxy resin coating. Here’s how you set up a device from the management console.
Each IronKey can be configured with a range of different software applications, which can be run directly from the key when it is inserted into a drive. These can be defined centrally so that users setting up their IronKeys via the network receive a standard installation. Other options that can be configured from the central console include frequency of backups, and a ‘silver bullet’ option that forces the key to phone home to a central server operated by the customer whenever it is plugged in.
Once the policies for software installation, password protection, and other security mechanisms have been set up, you can bind each device that you’re distributing to an administrative account, so that it can be controlled centrally by an administrator. Once this process is complete, users are enrolled by sending them an email that they can use to activate their key. At this point no further administrative input is required. You can concentrate on monitoring device use in the field via a central console that reports all key activity.
Setting group policy to allow only approved USB devices in Windows
To restrict access to approved USB devices in Windows, you must first clear the installed USB device driver from Device Manager: right-click the USB device and choose Uninstall. Then open the Group Policy Management Console and edit the appropriate Group Policy under Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.
Set ‘Allow installation of devices that match any of these device IDs’ to Enabled, click Show, and then enter the Plug and Play hardware ID (for example USBSTOR\DiskGeneral_USB_Flash_Disk__1100).
You can now open a Command Prompt and run GPUPDATE /FORCE, which will refresh group policies. The policy setting is now complete. When an approved USB device is inserted, it gets access to the machine.
Forcing BitLocker To Go encryption on all inserted USB memory sticks
To force BitLocker To Go encryption on approved drives, open the Group Policy Management Console, and edit the appropriate Group Policy – and remember to keep track of the encryption passwords.
Navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives, and enable ‘Deny write access to removable drives not protected by BitLocker’, and then set ‘Configure use of passwords for removable data drives’ to Enabled. Enable ‘Require password for removable data drive’, and set ‘Configure password complexity for removable data drives’ to ‘Require password complexity’. Set ‘Minimum password length for removable data drive’ to 12, and click OK. Finally, enable ‘Choose how BitLocker-protected removable drives can be recovered’.
Open a Command Prompt and run GPUPDATE /FORCE to refresh group policies, before inserting an approved USB device. When you see the prompt indicating the drive needs to be encrypted before use, click ‘Encrypt this drive using BitLocker Drive Encryption’. Then type a password in the ‘Choose how you want to unlock this drive’ prompt.
Click Next, and then select ‘Save the recovery key to a file’ or ‘Print the recovery key’. Click Next, and then when asked whether you are ready to encrypt the drive, click ‘Start Encrypting’. The USB device will now begin the encryption process. Users will get this prompt for any unencrypted USB stick they try to use.
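Once the two procedures above have been applied, a client will want proof that the settings actually reached each endpoint. The PowerShell script below is an added example, not code from the article or from Microsoft: it reads the registry keys that Group Policy writes for Device Installation Restrictions (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions) and for BitLocker (HKLM\SOFTWARE\Policies\Microsoft\FVE) and reports pass or fail for each setting in the walkthrough. The registry value names are assumed to match the Windows 7 ADMX templates, including the assumption that 1 means ‘Require password complexity’ in the complexity setting; check them against the template version you deploy. It also checks for ‘Prevent installation of devices not described by other policy settings’ (DenyUnspecified), which the first procedure does not mention but which the allow-list depends on: an allow-list on its own only adds exceptions to a deny policy, and with no deny policy in force every device still installs.

```powershell
# Added example (not from the article): audit whether the Device Installation
# Restrictions and BitLocker To Go settings from the walkthrough are in effect on
# this machine, by reading the policy registry keys Group Policy writes.
# Run in an elevated prompt after GPUPDATE /FORCE. Registry value names are
# assumed to match the Windows 7 ADMX templates; verify against your version.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$FveKey          = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy never applied.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null
}

function Get-AllowedDeviceIdCount {
    # Approved IDs are stored as numbered string values under a subkey of the same name.
    $subKey = Join-Path $RestrictionsKey 'AllowDeviceIDs'
    if (-not (Test-Path $subKey)) { return 0 }
    return @((Get-Item $subKey).GetValueNames()).Count
}

function Test-UsbLockdownPolicy {
    param([int]$MinimumPasswordLength = 12)   # the value the walkthrough sets

    # One entry per setting: where it lives and what value counts as compliant.
    $checks = @(
        @{ Name = 'Device ID allow-list enabled';             Key = $RestrictionsKey; Value = 'AllowDeviceIDs';          Expect = { param($v) $v -eq 1 } },
        @{ Name = 'Unlisted devices denied (needed for allow-list)'; Key = $RestrictionsKey; Value = 'DenyUnspecified';  Expect = { param($v) $v -eq 1 } },
        @{ Name = 'Deny write to unencrypted removable drives'; Key = $FveKey; Value = 'RDVDenyWriteAccess';             Expect = { param($v) $v -eq 1 } },
        @{ Name = 'Password use configured';                  Key = $FveKey; Value = 'RDVPassphrase';                   Expect = { param($v) $v -eq 1 } },
        @{ Name = 'Password required';                        Key = $FveKey; Value = 'RDVEnforcePassphrase';            Expect = { param($v) $v -eq 1 } },
        @{ Name = 'Password complexity required';             Key = $FveKey; Value = 'RDVPassphraseComplexity';         Expect = { param($v) $v -eq 1 } },  # 1 = Require (assumed ADMX enum)
        @{ Name = "Minimum password length >= $MinimumPasswordLength"; Key = $FveKey; Value = 'RDVPassphraseLength';   Expect = { param($v) $v -ge $MinimumPasswordLength } },
        @{ Name = 'Recovery options configured';              Key = $FveKey; Value = 'RDVRecovery';                     Expect = { param($v) $v -eq 1 } }
    )

    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Key $c.Key -Name $c.Value
        New-Object PSObject -Property @{
            Check  = $c.Name
            Value  = $c.Value
            Actual = $actual
            Pass   = ($actual -ne $null) -and (& $c.Expect $actual)
        }
    }

    # The allow-list policy is meaningless with nothing listed under it.
    $count = Get-AllowedDeviceIdCount
    New-Object PSObject -Property @{
        Check  = 'At least one approved device ID listed'
        Value  = 'AllowDeviceIDs\*'
        Actual = $count
        Pass   = ($count -gt 0)
    }
}

$results = Test-UsbLockdownPolicy
$results | Select-Object Check, Value, Actual, Pass | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more USB lockdown settings are not in effect on this machine.'
}
```

Because it reads the policy keys rather than the user interface, the same script can be pushed out as a logon or scheduled script and its output collected centrally, which turns the walkthrough from a one-off configuration into something you can show a client is still holding months later.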