Block Removable USB storage except listed by serial


5 replies to this topic

#1
mchipser
I am attempting to block all removable USB storage devices, which is complete, but I am trying to allow certain devices to be installed.

I was hoping I could do this by Hardware ID, but it appears that if I have two thumb drives of the same brand both items will work, since they share the same Hardware ID. It would be nice to allow items based on serial, since that is different per flash drive or any removable media.



#2
jaclaz
The USB specs do impose a serial on any USB mass storage device (controller), and actually I would say 99.99% of the sticks I have ever seen do sport - from the factory - such a serial number.
The Vid and Pid, on the contrary, besides the same "brand" issue, have often been and still are misused: some brands will have their own Vid, some will use the generic Vid of the maker of the controller.
A number of "brands" will additionally use the same Pid for very different models.

HOW exactly have you (currently) blocked *all* "removable" USB storage devices?
What exactly do you mean by "Removable" devices? (Most if not all USB stick controllers are set in the factory as Removable, but the bit can be "flipped", and for a very large number of models/brands/controllers you can have a USB stick set as "Fixed" - just like a USB hard disk normally is.)

jaclaz

Edited by jaclaz, 17 January 2013 - 09:52 AM.


#3
mchipser

We are currently blocking via local GP, via Removable Storage Access. These systems are not part of a domain. Is there a better way to do this and allow certain removable storage drives?

EDIT: The GP we are using blocks, from what I can tell, all USB drives, fixed or removable.

Edited by mchipser, 17 January 2013 - 10:23 AM.


#4
jaclaz
EDIT: The GP we are using blocks, from what I can tell, all USB drives, fixed or removable.

Yep, that was with the intent of disambiguating; as often happens, the MS guys are using the same term for completely different concepts.
Additionally I presume you are not blocking "USB Removable": you are blocking ALL Mass Storage devices belonging to the "Removable class" (i.e. also Firewire).
http://technet.micro...c772540(v=ws.10).aspx

And by "exactly" I meant something like:
http://gps.cloudapp....icyID=2282#2281

IF the thing is done for some "serious" security reason, you might want/need to also look in the WPD classes.

I don't think that you can get a "by serial" limitation through GPO or Registry, see this:
http://www.itexpertm...rity/danger-usb
(AND relevant links in it)

The "common" solution is a service running in the background, AFAIK, BUT you can use another approach, preventing installation of drivers:
http://community.spi...able-usb-drives
Basically you install all "authorized" devices, then you "lock" the install of any further device. (I have NO idea how secure this approach is.)
Personally, I would TRY getting the Mass Production Tool for the "authorized" sticks and combine the solutions based on several ways:
  • by Vid/Pid <- this is the one that you reported as working, but without the needed details
  • by DeviceID <- with the DeviceID changed by the MPT, this is the approach with "Device ID" seen here: http://www.itexpertm...ep 2/Shot 2.jpg
  • by serial <- IF one of the above allows for specification of the serial :unsure:
  • by serial once the authorized ones are installed <- this is the approach seen here: http://community.spi...able-usb-drives

With the appropriate MPT you can customize Vid, Pid, Device ID and serial, so that you create a "unique" set of "authorized" sticks.

This way the "intruder" would probably need to bypass a couple of "layers" instead of just one.

jaclaz

Edited by jaclaz, 17 January 2013 - 11:46 AM.
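An added example, not from the thread or any of its posters, of the "allow only listed serials" check done as a script rather than through GPO: it parses the serial out of each USBSTOR device instance ID (where Windows places the USB iSerialNumber) and disables any USB disk whose serial is not on a management-approved list. It assumes Windows 8.1 or later with the PnpDevice module (Get-PnpDevice / Disable-PnpDevice) in an elevated session; the approved serials are constructed placeholders.

```powershell
# Approved serials: constructed placeholders, replace with the serials of the
# sticks management has signed off on.
$ApprovedSerials = @(
    'EXAMPLE0001SERIAL',
    'EXAMPLE0002SERIAL'
)

function Get-UsbStorSerial {
    # A USBSTOR instance ID looks like:
    #   USBSTOR\DISK&VEN_xxx&PROD_yyy&REV_zzz\<serial>&0
    # The last path component carries the serial reported by the controller.
    # If the device reports no serial, Windows synthesises that component
    # itself and marks it with '&' as its second character (e.g. 7&1a2b3c4d&0&..),
    # so such a device cannot be matched by serial and is treated as unapproved.
    param([Parameter(Mandatory)][string]$InstanceId)
    $tail = $InstanceId.Split('\')[-1]
    if ($tail.Length -ge 2 -and $tail[1] -eq '&') { return $null }
    return ($tail -split '&')[0]
}

function Test-ApprovedUsbStor {
    # True only when a real (non-synthesised) serial is present and listed.
    # A serial is an allowlist key, not an authentication: as jaclaz notes,
    # a Mass Production Tool can reprogram it, so keep the other layers too.
    param([string]$InstanceId, [string[]]$Approved)
    $serial = Get-UsbStorSerial $InstanceId
    return ($null -ne $serial) -and ($Approved -contains $serial)
}

# Enumerate the USB mass-storage disks currently present on the machine.
$devices = Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' }

foreach ($dev in $devices) {
    if (Test-ApprovedUsbStor $dev.InstanceId $ApprovedSerials) {
        Write-Host "ALLOW $($dev.FriendlyName) serial=$(Get-UsbStorSerial $dev.InstanceId)"
    } else {
        Write-Warning "BLOCK $($dev.FriendlyName) instance=$($dev.InstanceId)"
        # Disable the device node; Windows records the disabled state against
        # this device instance, so it stays disabled until explicitly re-enabled.
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
    }
}
```

Because this is a polling script rather than a filter driver or background service, a stick is usable between its arrival and the next run; it complements the device installation restrictions discussed above rather than replacing them.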


#5
mchipser

The main problem with that approach, for me at least, is that our systems are not local and are sometimes on the other side of the world. I would need a way to allow certain Removable devices, but block all others. These removable devices need to be approved by management in order to get allowed onto the system. Again, these systems are not on a domain, which makes this much more difficult.

Edited by mchipser, 17 January 2013 - 02:40 PM.


#6
jaclaz
The main problem with that approach, for me at least, is that our systems are not local and are sometimes on the other side of the world.

WHICH approach?
(THREE of them were listed)

I would need a way to allow certain Removable devices, but block all others. These removable devices need to be approved by management in order to get allowed onto the system.

Yes, you already stated this, and still you fail to describe the kind of "security level" needed/required and the amount of money you (or your company) value this at; as said, there are Commercial solutions that use a running service to prevent access to USB thingies not "approved".

Again, these systems are not on a domain, which makes this much more difficult.

I cannot see why.
Having them in a domain may be an easier way to deploy/re-deploy or update a given solution, but right now you are missing this solution outright, and as said it seems like GPS (and consequently GPO as well) by itself is not "enough".

jaclaz



