Powered by Blogger.

Making USB Storage Read-Only Through Group Policy

Compliance and data security require steps be taken to prevent unauthorized users from copying data. Here's one method to prevent data theft via USB drives (and writable optical media).

Many businesses have a need or desire to protect their data. Perhaps your organization has compliance requirements in your industry, such as HIPAA or PCI. Or perhaps your concerned about employee data theft of trade secrets, client lists, or other information. Whatever your reason, you can prevent users from taking data out of company offices through the use of USB flash drives, media cards, or other external hard drives as well as optical media by using group policy.
Creating the following group policy can help enforce data security, even when administrators are logged on.

The Steps
Open Group Policy Editor and create a new Group Policy Object. I've named mine "Removable Device Write Restriction".

Navigate to and click on Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access or to User Configuration > Policies > Administrative Templates > System > Removable Storage Access.  Applying to the Computer Configuration means that it will apply to the computer, regardless of who is logged on. Applying to the User Configuration means it will apply to the user regardless of the computer they log on to.

Decide which media you want to control and what level of access to grant. It's important to read the Supported on and Help sections of each of the policy options you want to implement. For example, you can deny write access to CD and DVD for Vista and above, but the deny execute option is only available for Windows 7 and above.

Which you apply to - User or Computer - depends on the organizational requirements and how they are to be handled. By applying to the computer, based on the OU you place the computer in, you can make sure that only very specific computers can write to external media. Or, as I did with one client, only the partners of the firm can copy data off the servers, everyone else can access, create, and modify, but had no ability (via USB drives) to remove data from the company network. 

Each type in more detail:
Most of the details provided below are covered in the Help section of each policy. I've provided a slightly re-ordered and re-organized listing here with commentary and suggestions in some places. If you don't need to know this stuff, make sure you read my closing comments for important considerations on data security.

Set time (in seconds) to force reboot
Most of the changes made in this section cannot take effect until a reboot occurs. This policy setting can force a reboot to subsequently enforce these settings. Or you can leave this unset and wait until the next time each of the computers you apply the policy to is restarted.

All Removable Storage classes: Deny all access
Consider this a global disable. It takes priority over all the other individual type settings and will simply deny access to them all. While this may seem like a good idea - and it may be for some users - others may have legitimate needs to access files stored on USB or optical media given them by customers or vendors. For this reason, I usually prefer setting deny write access and deny execute and leaving read available.

All Removable Storage: Allow direct access in remote sessions
Windows can connect remote systems with local drives, including removable storage drives. For example, if you connect to an RDS Server from a home computer, it's possible to access a flash drive on the home computer. This setting, when disabled, should prevent such access.

...: Deny execute access:
Prevents applications on the specified drive type from being run. The user could still copy the content to the computer and then run the executable, however, this may be at least slightly helpful in preventing any "autorun" programs (good or malicious) from running.

...: Deny read access:
Prevents users from reading any files on the removable media. The user should still be able to copy/send files to the media (assuming deny write was not also implemented), but then would be unable to see the content placed there.

...: Deny write access:
Prevents users from writing any files to the removable media. The user should still be able to read/copy files from the media (assuming deny read was not also implemented).

CD and DVD: ...
Probably should be named "optical disks" instead, this section should cover Bluray as well. Always test.

Custom Classes: ...
For storage devices not included in the pre-defined classes, you can create a list of custom classes and apply access controls to them here. (if you don't use any "special" storage devices, you likely don't need to worry about these). This policy will allow you to enter the class GUID(s) you want to restrict.

Floppy Drives: ...
A rare find today, includes USB attachable floppy drives.

Removable Disks: ...
Your more common used USB and flash media. (See also BitLocker Protected Media below).

Tape Drives: ...
Though not widely used, especially on workstations, you can restrict access to tape devices.

WPD Devices: ...
These include media players, cellular phones, tablets, and other devices that don't normally get a drive letter but may have accessible storage when connected to a computer.

Bitlocker Protected Media
A separate policy exists that can enforce BitLocker encryption on external media. It does not enable BitLocker on the media, but does prevent writes to external media UNLESS BitLocker is enabled on that media. Reference the policy setting Deny write access to removable drives not protected by BitLocker found in Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives

At this time, this article will not elaborate on the settings for BitLocker and removable drives, but consider reviewing and testing them for your organization.

In Closing...
ALWAYS create a test OU and test the group policy before applying to any production machines. Make sure you understand all the changes it will make and how they may impact your end user work flow. 

NEVER make changes to the default domain policy (except on rare occasions where clearly instructed by Microsoft)

These policies should work for all removable media you enable them for, whether directly attached through a computer's USB port or connected via a USB hub. Even non-USB connected devices that are considered removable should be protected.

When implementing security policies like this, you need to spend some time thinking about how you might get around them to ensure they can be as effective as you want them to be. Think outside the box!

While this article discusses one common way of obtaining data, there are many, MANY others. Before pronouncing your information secure, you need to review your other security measures, including how users may be able to use file sharing services (such as OneDrive or DropBox), instant messaging services, FTP and similar protocols, web sites that allow file uploads, email (sending of attachments), and even printing and using cameras to take pictures of screens. If the data is that valuable, people will try hard to find a way, even if that way is less than ideal!
    Blogger Comment
    Facebook Comment