Block Removable USB storage except listed by serial
#1
Posted 17 January 2013 - 09:33 AM
I was hoping I could do this by Hardware ID, but it appears if I have two thumb drives of the same brand both items will work since they share the same Hardware ID. It would be nice to allow items based on serial since that is different per flash drive or any removable media.
#2
Posted 17 January 2013 - 09:51 AM
mchipser, on 17 January 2013 - 09:33 AM, said:
The USB specs do impose a serial on any USB mass storage device (controller), and actually I would say 99.99% of the sticks I have ever seen do sport - from factory - such a serial number.
The Vid and Pid, on the contrary, besides being the same per "brand", have often been and still are misused: some brands will have their own Vid, some will use the generic Vid of the maker of the controller.
A number of "brands" will additionally use the same Pid for very different models.
HOW exactly have you (currently) blocked *all* "removable" USB storage devices?
What exactly do you mean by "Removable" devices? (Most if not all USB stick controllers are set in the factory as Removable, but the bit can be "flipped", and for a very large number of models/brands/controllers you can have a USB stick set as "Fixed" - just like a USB hard disk normally is.)
jaclaz
This post has been edited by jaclaz: 17 January 2013 - 09:52 AM
#3
Posted 17 January 2013 - 10:00 AM
jaclaz, on 17 January 2013 - 09:51 AM, said:
We are currently blocking via localGP via the Removable Storage Access. These systems are not part of a domain. Is there a better way to do this, and allow certain removable storage drives?
EDIT: The GP we are using blocks, from what I can tell, all USB drives, fixed or removable.
This post has been edited by mchipser: 17 January 2013 - 10:23 AM
#4
Posted 17 January 2013 - 11:44 AM
mchipser, on 17 January 2013 - 10:00 AM, said:
Yep, that was with the intent of disambiguating, as often happens the MS guys are using the same term for completely different concepts.
Additionally I presume you are not blocking "USB Removable", you are blocking ALL Mass Storage devices belonging to the "Removable class" (i.e. also Firewire).
http://technet.micro...c772540(v=ws.10).aspx
And by "exactly" I meant something like:
http://gps.cloudapp....icyID=2282#2281
IF the thing is done for some "serious" security reason, you might want/need to also look in the WPD classes.
I don't think that you can get a "by serial" limitation through GPO or Registry, see this:
http://www.itexpertm...rity/danger-usb
(AND relevant links in it)
The "common" solution is a service running in the background, AFAIK, BUT you can use another approach, preventing installation of drivers:
http://community.spi...able-usb-drives
Basically you install all "authorized" devices, then you "lock" the install of any further device. (I have NO idea how secure this approach is.)
Personally, I would TRY getting the Mass Production Tool for the "authorized" sticks and combine the solutions based on several ways:
- by Vid/Pid <- this is the one that you reported as working but without the needed details
- by DeviceID <- with DeviceID changed by the MPT, this is the approach with "Device ID" seen here: http://www.itexpertm...02/Shot%202.jpg
- by serial <- IF one of the above allows for specification of the serial
- by serial once installed the authorized ones <- this is the approach seen here: http://community.spi...able-usb-drives
With the appropriate MPT you can customize Vid, Pid, Device ID and serial, so that you create a "unique" set of "authorized" sticks.
This way the "intruder" would probably need to bypass a couple of "layers" instead of just one.
jaclaz
This post has been edited by jaclaz: 17 January 2013 - 11:46 AM
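As an added illustration of the "by serial" idea discussed above (example code, not from the thread or from any of the linked tools), the following PowerShell inventories the USB mass-storage devices currently connected, pulls the controller serial out of each USBSTOR instance ID, and reports any stick not on a management-approved list. The approved serials are constructed sample values; it assumes WMI is available (Windows 7 / PowerShell 2 or later).

```powershell
# Added example: inventory connected USB mass-storage devices and compare the serial
# embedded in each USBSTOR instance ID against a management-approved allow list.
$ApprovedSerials = @('AA04012700007648', '07B30C0D1F4B2E11')   # constructed sample values

function Get-UsbStorageInventory {
    # A USBSTOR instance ID looks like (constructed sample):
    #   USBSTOR\DISK&VEN_BRAND&PROD_MODEL&REV_1.00\AA04012700007648&0
    # The middle segment is the hardware ID shared by every stick of that model;
    # the last segment is the serial reported by the stick's controller plus "&<LUN>".
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            $parts    = $_.DeviceID -split '\\'
            $instance = $parts[-1]
            $serial   = ($instance -split '&')[0]
            # When a device reports no serial, Windows synthesizes an instance ID whose
            # second character is '&' (e.g. "7&2a3b4c5d&0"). Such IDs depend on the port
            # and host, so they must never be treated as the stick's identity.
            $synthetic = ($instance.Length -gt 1 -and $instance[1] -eq '&')
            New-Object PSObject -Property @{
                Name       = $_.Name
                HardwareID = $parts[1]
                Serial     = $serial
                HasSerial  = -not $synthetic
                Approved   = (-not $synthetic) -and ($ApprovedSerials -contains $serial)
            }
        }
}

# Report anything present that management has not approved (or that has no real serial).
Get-UsbStorageInventory | Where-Object { -not $_.Approved } |
    Format-Table Name, HardwareID, Serial, HasSerial -AutoSize
```

Run as a scheduled task on the non-domain machines, the unapproved rows give the "which stick showed up where" record that a Vid/Pid-only policy cannot provide.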
#5
Posted 17 January 2013 - 02:39 PM
jaclaz, on 17 January 2013 - 11:44 AM, said:
The main problem with that approach, for me at least, is our systems are not local and sometimes on the other side of the world. I would need a way to allow certain Removable devices, but block all others. These removable devices need to be approved by management in order to get allowed onto the system. Again, these systems are not on a domain, which makes this much more difficult.
This post has been edited by mchipser: 17 January 2013 - 02:40 PM
#6
Posted 18 January 2013 - 09:01 AM
mchipser, on 17 January 2013 - 02:39 PM, said:
WHICH approach?
(THREE of them were listed)
mchipser, on 17 January 2013 - 02:39 PM, said:
Yes, you already stated this, and still you fail to describe the kind of "security level" needed/required and how much money you (or your company) value this at; as said, there are Commercial solutions that use a running service to prevent access to USB thingies not "approved".
mchipser, on 17 January 2013 - 02:39 PM, said:
I cannot see why.
Having them in a domain may be an easier way to deploy/re-deploy or update a given solution, but right now you are missing this solution outright, and as said it seems like GPS (and consequently GPO as well) by itself is not "enough".
jaclaz