
Locking Down USB Drives with Windows Server 2008 R2 and Windows Vista/7

Author: David Gullett
Published: May 25, 2010
Version: 1.00
Copyright 2010, Symmetrix Technologies
http://www.symmetrixtech.com

Table of Contents
A. Introduction
   1. Equipment Assumptions
   2. Knowledge Assumptions
   3. End Result
B. Procedure
   1. Operating Systems
      a. Windows Server 2008 R2
      b. Windows Vista and Windows 7
   2. Windows 2008 Group Policies
      Modifying the Server 2008 Group Policies
   3. Results After the Group Policy
C. Other Considerations

A. Introduction
It's certainly no surprise that, with the proliferation of portable devices such as USB flash drives, USB hard drives, mobile phones and even cameras, extra care must now be taken to prevent data theft. The purpose of this document is to provide a method of preventing users in a Windows Server 2008 and Windows Vista/7 corporate environment from plugging a removable USB device into a workstation and copying data to it.

1. Equipment Assumptions
- A Windows 2008 R2 domain with group policies enabled
- Client workstations running Windows Vista or Windows 7. This will not work with Windows XP.

2. Knowledge Assumptions
Basic Windows server management skills including group policies. This document outlines exact steps to prevent USB drives from being connected to workstations, but you need to have a full understanding of group policies and your forest/domain structure, as there can easily be adverse effects in complex environments. You've been warned!

3. End Result
The goal is to prevent the copying of any data to removable USB drives, including thumb, jump, flash and portable hard drives. Even while testing the procedures in this document the results weren't always consistent, so it's really important that you test the method in your environment. At the very least it will give you a good starting place. As always, feedback is highly appreciated and we would like to update this document with your experiences.

B. Procedure
1. Operating Systems
We tested with the operating systems outlined below. If you're reading this you will likely be able to install these on your own.

a. Windows Server 2008 R2 - This document was tested with Windows Server 2008 R2 installed as a domain controller. Earlier versions may work similarly, but because of time considerations we just used the newest release.

b. Windows Vista and Windows 7 - We also used only Windows Vista and Windows 7 on the client machines for testing, for reasons that you'll see in the screenshots below. There are third party utilities that will enable this functionality in Windows XP, but that is beyond the scope of this document.

2. Windows 2008 Group Policies


The first step is to modify the domain's group policies. Log on to a domain controller as a domain administrator equivalent account. Click on Start, then Administrative Tools, then finally open Group Policy Management as pictured below. Note this can also be done from a workstation if you have the proper tools installed on it.

Drill down through the group policy management pane until you reach the Default Domain Policy. Right-click on it and select Edit.

PLEASE NOTE: When you make this change it will affect every machine on your network including all workstations, servers and domain controllers. In order to apply this only to your workstations or groups of workstations you will need to create custom group policies and organizational units, which is far beyond the scope of this document. It has been exhaustively documented elsewhere.

Drill down through the policy settings on the left to Computer Configuration/Policies/Administrative Templates/System/Device Installation/Device Installation Restrictions. In the right pane double click on the "Prevent Installation of Removable Devices" line.

In the next box, click the Enabled radio button and click OK. As you can see in the image below, this modification will only work with Windows Vista or newer. There are third party utilities that can help you lock down Windows XP workstations.

3. Results
Once the policy takes effect you will get a "Device installation was prevented by policy" error in Windows 7 when a USB drive is inserted into the target machine (shown below).

When you click on the balloon error you get a standard dialog box also reading "Device installation was prevented by policy" in the center of the screen.

C. Other Considerations
As with any document relating to security, don't take this guide as absolute gospel. You need to perform thorough testing in your environment. We also highly recommend reviewing Microsoft's documentation regarding group policies. Pay particular attention to controlling the policy scope through linking to organizational units. Another excellent tool provided by Microsoft is the Group Policy Results Wizard (this used to be called the Resultant Set of Policy, or "RSoP", tool in earlier versions of Windows). It generates reports that show you exactly how policies are applied to specific users or computers.
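One way to confirm on a client that the "Prevent Installation of Removable Devices" setting actually arrived, and to produce a Resultant Set of Policy report when it did not. This is an added example, not part of the original guide; it assumes the setting is stored as the DenyRemovableDevices value under the DeviceInstall\Restrictions policy key, and the report path is a constructed placeholder.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell
# prompt on a Windows Vista/7 client once the GPO has had time to apply.

# Assumption: registry location backing the
# "Prevent installation of removable devices" administrative template setting.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$PolicyName = 'DenyRemovableDevices'

function Get-RemovableDevicePolicyState {
    param([string]$Key = $PolicyKey, [string]$Name = $PolicyName)

    # Key absent: no device installation restriction has reached this machine.
    if (-not (Test-Path $Key)) { return 'NotConfigured' }

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return 'NotConfigured' }

    # 1 = Enabled in the GPO editor, 0 = explicitly Disabled.
    if ($props.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Export-ComputerPolicyReport {
    # Constructed output path; change it to suit your environment.
    param([string]$Path = (Join-Path $env:TEMP 'usb-policy-rsop.html'))

    # gpresult will not overwrite an existing report, so clear any old one.
    if (Test-Path $Path) { Remove-Item $Path }
    & gpresult.exe /scope computer /h $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }
    return $Path
}

$state = Get-RemovableDevicePolicyState
Write-Output ("{0}: Prevent installation of removable devices = {1}" -f $env:COMPUTERNAME, $state)

if ($state -ne 'Enabled') {
    # Show which GPOs were applied or filtered out for this computer.
    $report = Export-ComputerPolicyReport
    Write-Output "Policy not in effect. Review applied GPOs in: $report"
}
```

The setting governs device installation, so a drive whose driver was already installed on the workstation before the policy applied should be included in your testing as a separate case.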

-------
Comments, feedback and contributions are welcome and encouraged at articles@symmetrixtech.com. Visit us on the web at http://www.symmetrixtech.com for the latest news on Snort Report and to download the newest version.

Revision History
2010-05-25 - 1.0 - Initial release
