
Monday, December 03, 2007

Using group policy to control removable devices and media

Removable media, USB drives and other removable devices are on the hot list of security issues. Here are some quick tips on how to leverage Windows Vista’s built-in features for device control, plus information about a third-party solution that addresses pre-Vista computers and provides significant advantages over Vista’s built-in controls.

Windows Vista has a number of new features configurable via group policy for controlling access to such devices. Below is a quick overview of these new policies and my thoughts on where they are lacking. 

Computer Configuration\Administrative Templates\System\Device Installation

The policies in this section allow you to prevent installation of devices based on the device’s “setup class” or “device ID”. For instance, let’s say you want to prevent users from installing anything on their computers except for stuff like keyboards and mice (Human Interface Devices – “human” is a stretch for some of my users!). To do this you enable “Prevent installation of devices not described by other policy settings” and configure “Allow installation of devices that match these device setup classes” with any device classes you wish end-users to be able to install. In this case you’d add {745a17a0-74d3-11d0-b6fe-00a0c90f57da}, which is the GUID for HIDClass. For a list of device classes see http://msdn2.microsoft.com/en-us/library/ms791130.aspx.

If you just want to restrict users from messing around with “removable” (i.e. USB) devices of any type at all, enable “Prevent installation of removable devices”, but you are liable to tick off some users with that one.
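Finding the setup class GUIDs and device IDs the two policies above need is the tedious part. The script below is an added example (not from the original post) that reads them out of the Enum registry for every USB device the machine has enumerated and flags which devices new installs would be refused for under “Prevent installation of devices not described by other policy settings” with only HIDClass allowed; it assumes PowerShell 2.0 or later and read access to HKLM.

```powershell
# Added example (not from the post): list setup class GUIDs and hardware IDs for the USB
# devices this machine has enumerated, taken from the Enum registry rather than devcon.
$roots = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB',
         'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Setup classes you intend to leave installable; the HIDClass GUID is the one from the post.
$allowedClasses = @('{745a17a0-74d3-11d0-b6fe-00a0c90f57da}')

function Get-UsbDeviceIds {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Layout is Enum\<bus>\<device id>\<instance id>; the properties sit on the instance key
        $instances = Get-ChildItem $root -ErrorAction SilentlyContinue | Get-ChildItem -ErrorAction SilentlyContinue
        foreach ($inst in $instances) {
            $p = Get-ItemProperty $inst.PSPath
            if (-not $p.ClassGUID) { continue }   # entries never fully installed carry no class
            $guid = $p.ClassGUID.ToLower()
            New-Object PSObject -Property @{
                Class          = $p.Class
                ClassGuid      = $guid
                # DeviceDesc may be an indirect string "@file.inf,%id%;Friendly name"; keep the name
                Description    = ($p.DeviceDesc -replace '^@.*;', '')
                HardwareIds    = ($p.HardwareID -join ' | ')
                Instance       = ($inst.PSPath -replace '^.*\\Enum\\', '')
                # New installs of this device would be refused under "Prevent installation of
                # devices not described by other policy settings" with only $allowedClasses allowed
                WouldBeBlocked = ($allowedClasses -notcontains $guid)
            }
        }
    }
}

Get-UsbDeviceIds | Sort-Object ClassGuid, Description |
    Format-Table Class, ClassGuid, Description, WouldBeBlocked, HardwareIds -AutoSize -Wrap
```

WouldBeBlocked only considers the setup class allow list; it ignores any device ID allow entries and the administrator exemption, and devices already installed keep working until they are removed.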

“Computer Configuration\Administrative Templates\System\Removable Storage Access” and “User Configuration\Administrative Templates\System\Removable Storage Access”

These two folders in group policy allow you to implement restrictions on removable storage devices and media. Below is a list of the classes available. For each class you can deny read and/or write access.

- CDs
- DVDs
- Floppies
- Removable Disks (USB drives, flash disks, SD cards, etc.)
- Tape drives
- WPD (Windows Portable Devices: Windows smart phones, Pocket PCs, media players, etc.)
- Custom Classes (apparently non-Windows PDAs, phones and the like)
 
While it’s crucial to have these controls over removable devices to prevent information leakage, malware introduction and support calls, there’s a lot missing from Vista’s built-in controls:

- Laborious to implement: you have to do a lot of hunting around to figure out the right device IDs and class IDs
  - Hint: use Device Manager or the devcon tool to find these IDs for a given device
- Not flexible: once you start controlling these devices you are going to need to make all kinds of exceptions, and Vista just doesn’t have the flexibility to easily implement temporary or case-by-case exceptions
- No reporting
- No monitoring of information uploaded to or downloaded from devices that are allowed
- No support for XP or Windows 2000

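Vista gives you no report of what these policies are doing, but both the Device Installation and the Removable Storage Access settings above land in well-known registry keys, so the minimum you can do is read them back per machine. The script below is an added example (not from the original post) that does that; the value names follow the policy templates, the class-name labels for the GUIDs are my reading of those templates and should be checked against your own copy, and it assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the post): dump what the policies above wrote to the registry.
# GUID labels are my reading of the policy templates; verify against your own ADMX.
$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$classNames = @{
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape Drives'
    '{6ac27878-a6fa-4155-ba85-f98f491d4f33}' = 'WPD Devices'
    '{f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}' = 'WPD Devices (second GUID)'
}

function Get-DeviceInstallRestrictions {
    if (-not (Test-Path $restrict)) { return 'Device Installation restrictions: not configured' }
    $p = Get-ItemProperty $restrict
    "Prevent installation of devices not described by other policy settings: $($p.DenyUnspecified -eq 1)"
    "Prevent installation of removable devices: $($p.DenyRemovableDevices -eq 1)"
    foreach ($list in 'AllowDeviceClasses', 'DenyDeviceClasses', 'AllowDeviceIDs', 'DenyDeviceIDs') {
        $key = Join-Path $restrict $list
        if (-not (Test-Path $key)) { continue }
        # Each entry is a value named 1, 2, 3 ... whose data is the GUID or device ID
        $entries = (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
        "${list}: $($entries -join ', ')"
    }
}

function Get-RemovableStorageRestrictions {
    # Computer Configuration and User Configuration write the same layout under HKLM and HKCU
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $base = "$hive\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
        if (-not (Test-Path $base)) { continue }
        if ((Get-ItemProperty $base).Deny_All -eq 1) { "$hive all removable storage classes: deny all access" }
        foreach ($sub in Get-ChildItem $base) {
            $guid = $sub.PSChildName.ToLower()
            $name = if ($classNames.ContainsKey($guid)) { $classNames[$guid] } else { "custom class $guid" }
            $p = Get-ItemProperty $sub.PSPath
            $denied = @()
            if ($p.Deny_Read -eq 1)  { $denied += 'read' }
            if ($p.Deny_Write -eq 1) { $denied += 'write' }
            if ($denied) { "$hive $name : denied $($denied -join '/')" }
        }
    }
}

Get-DeviceInstallRestrictions
Get-RemovableStorageRestrictions
```

Run it under the user whose User Configuration you want to see, since the HKCU branch reflects only the logged-on user.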
In looking for solutions to these problems, I have been impressed with GFI’s EndPointSecurity solution which is like Vista’s removable device and storage controls on steroids. These devices aren’t going away. You can try to mandate a No Device! policy but it won’t succeed and in a time when IT departments are increasingly being seen (right or wrong) as an impediment to progress you can’t afford to put your head in the sand. Instead I recommend an “embrace and control” approach to end point security. 

To learn more about implementing an “embrace and control” strategy and how EndPointSecurity helps, register for my next webinar. Remember, registering is the only way to get the webinar, even if you miss the live event and want to watch the recorded version, so register now.

To make this webinar possible your registration data will be shared with our sponsor.

Don’t miss this valuable training. Even if you can’t make the live event register now.
Registering now is the only way to watch the recorded version.

Space is limited.
Reserve your Webinar seat now at:
https://www1.gotomeeting.com/register/474283872
 
Title:   End Point Security for the Real World
Date:  Thursday, December 6, 2007
Time:  12:00 PM - 1:00 PM EDT

Thanks as always for reading and best wishes on security,

Randy Franklin Smith

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2007 Monterey Technology Group, All rights reserved.