Sep 20 2007

Define Acceptable Use of USBs in Your Company

Control their use and protect the data stored on them.

Organizations have spent years and invested huge sums of money to secure and protect network resources within their environment. Antimalware applications on the perimeter and at the desktop protect computers from viruses, worms and other malware threats. Network and personal firewalls secure computers against unauthorized network traffic.

The basic, essential layers of security are fairly universal and relatively effective at guarding the network against outside threats and malware attacks. However, a newer threat to network security bypasses the traditional network defenses. Portable media, specifically USB flash drives, are capable of transporting malware and infecting devices on the internal network. They also pose a significant risk of information leakage or data loss.

With capacities up to 8 gigabytes for USB flash drives smaller than a person’s thumb, and even higher capacities available for USB storage devices that fit easily into a pocket, users can store huge amounts of sensitive or confidential data. In addition, the drives’ small size puts them at risk of being stolen, lost or misplaced, which puts the data at even greater risk than if it were on a notebook computer.

Organizations need to take proactive steps to define the acceptable use of portable storage devices such as USB flash drives within the environment, and then put the tools and technology in place to help monitor and enforce the policy and protect the network and data from the risk posed by USB flash drives.

Define Acceptable Use

The first step in restricting or controlling the use of USB flash drives within your environment is to develop a written policy. The policy should outline what, if any, are the acceptable uses for portable storage devices. You should also spell out specific actions that are banned or include a blanket statement that any action not specifically allowed is, by default, banned.

Most organizations already have an acceptable use policy defined, which users must agree to and sign. The acceptable use policy (AUP) essentially defines how users are allowed to use the Internet, e-mail, telephones, and other communications and network resources. Users must read and agree to abide by the AUP. The AUP is an official document that should have the approval and support of both the legal department and the human resources department.

Defining the acceptable use of USB flash drives and other portable storage media, and ensuring that users have read the policy and agree to abide by the policy help educate users about the risks of using portable storage devices and give the organization more solid grounds for taking action against users who abuse or ignore the policy.

Restricting USB Flash Drives

Group Policy is an effective tool for managing computers on your network and enforcing security policies. Unfortunately, there are no default Group Policy settings for restricting or denying the ability to use USB flash drives and other portable storage devices. The good news is that you can extend Group Policy to add that functionality yourself.

Microsoft Knowledge Base article KB 555324 (http://support.microsoft.com/kb/555324) provides detailed instructions to create an administrative template (.adm) file that you can add to Group Policy to block the use of USB flash drives, CD-ROM drives and floppy drives. If you copy the text from the Knowledge Base article (reproduced below) into Notepad and save it as an .adm file, you can add the template to Group Policy.

; CLASS MACHINE places the settings under Computer Configuration (HKEY_LOCAL_MACHINE)
CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname
    ; Each policy sets the Start value of a driver service to 4 (SERVICE_DISABLED)
    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

; Every !!name above must be defined in the [strings] section
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computer's USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computer's CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computer's Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computer's High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"

The default directory for storing templates is %windir%\inf. After you have saved the .adm file, you need to import it into Group Policy so that you can apply the settings. Keep in mind what the template actually does: it sets the Start value of each driver's service to 4 (disabled). The USB setting therefore affects only the USB mass storage driver, not USB keyboards, mice or other device classes, and the value can be reset when Windows installs the driver on a computer that has never had a USB storage device connected. Verify the value on the managed computers after the policy applies rather than assuming it took effect. Follow the steps below to import the template:

  1. Using Group Policy Editor, open your GPO (Group Policy Object).
  2. Under Computer Configuration, right-click on Administrative Templates.
  3. Select Add/Remove Templates.
  4. Click Add and browse to the directory where you saved your .adm file.
  5. Select your new template and click Open.
  6. Click Close to exit the Add/Remove Templates console.

The new settings from your .adm template should now be visible and available for you to use in your GPO. The .adm templates are imported and applied at the GPO level, so you will need to import the .adm template to the GPOs that the computers or users you are trying to manage are linked to.
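Because the template works by writing a registry value, the simplest way to confirm that the GPO actually reached a computer is to read that value back. The following PowerShell script is an added example, not part of the original article or of the Knowledge Base template: it reads the Start value of the four driver services named in the template from the remote registry of each computer in a list and reports whether the "disabled" value is in place. It assumes the Remote Registry service is running on the targets and that the account running it has administrative rights there; the computer names are constructed placeholders.

```powershell
# Added example (not from the article or KB 555324): audit whether the
# "Restrict Drives" settings have taken effect by reading each driver
# service's Start value over the remote registry.
# Assumes: Remote Registry service running on the targets, caller is a
# local administrator there. Computer names below are constructed.

$computers = @('WORKSTATION01', 'WORKSTATION02')

# Service keys written by the template, with the label used in the report.
$services = @{
    'USBSTOR'  = 'USB mass storage'
    'Cdrom'    = 'CD-ROM'
    'Flpydisk' = 'Floppy'
    'Sfloppy'  = 'High capacity floppy'
}
$disabled = 4   # Start = 4 is SERVICE_DISABLED, the value the template sets

foreach ($computer in $computers) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
    } catch {
        Write-Warning ("{0}: cannot open remote registry ({1})" -f $computer, $_.Exception.Message)
        continue
    }

    foreach ($svc in $services.Keys) {
        $key = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\$svc")
        if ($key -eq $null) {
            # No service key: the driver has never been installed on this
            # computer, so there is nothing for the policy to disable yet.
            $state = 'driver not installed'
        } else {
            $start = $key.GetValue('Start')
            $key.Close()
            if ($start -eq $disabled) {
                $state = 'disabled (policy in effect)'
            } else {
                $state = "Start=$start (policy NOT in effect)"
            }
        }
        # Emit one record per computer and driver so the output can be
        # piped to Format-Table or Export-Csv.
        New-Object PSObject -Property @{
            Computer = $computer
            Device   = $services[$svc]
            Service  = $svc
            State    = $state
        }
    }
    $hklm.Close()
}
```

Run it from an administrative workstation and pipe the output to Format-Table -AutoSize for a quick look, or to Export-Csv to keep a record. A "driver not installed" result is worth a second look: the policy has nothing to act on until a USB storage device is first connected, so re-check such computers after the driver appears.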

Encrypt Portable Data

Even if you restrict access to USB flash drives or other portable storage devices through Group Policy, the fact is that these devices are inexpensive, simple to use, and can increase productivity and efficiency if used properly. Rather than creating a blanket policy that such devices are simply not allowed, or implementing a GPO that denies access to portable storage for all users and groups, you will probably want to allow their use under certain circumstances and by certain users.

One solution is to issue company-sanctioned USB devices to those users who are authorized to use them. Some devices, such as the Lexar JumpDrive Secure II (http://www.cdw.com/shop/products/default.aspx?EDC=852700), provide password protection and 256-bit AES encryption to protect the data in the event that the device is lost or stolen. Another device, the SanDisk Cruzer Profile (http://www.cdw.com/shop/products/default.aspx?EDC=824282), provides biometric security for your portable data. It comes complete with a fingerprint scanner and requires biometric authentication before providing access to the data it contains.

Alternatively, you can use normal, unencrypted USB flash drives but provide software that will ensure the data stored on them is secure. Pointsec Protector (http://www.cdw.com/shop/products/default.aspx?EDC=1221712) helps you lock down USB ports and can be configured to ensure that any data written to removable storage is properly encrypted. It also provides some flexibility and control over how the data is accessed once it is on the USB flash drive.

Control Access to Data

A broader solution for protecting data and guarding against information leakage or theft is to use Windows Rights Management Services. WRMS will not work for every organization, but it will for organizations that are running Windows Server 2003 networks and rely primarily on Microsoft for their desktop operating systems and office productivity applications.

WRMS allows you to implement security that is persistent and continues to protect the data no matter where the data goes. With WRMS, you can mark an e-mail or a Word attachment as confidential and apply security to control how the information is accessed. You can designate that only certain users can view the information and restrict them from editing, copying, printing, saving or forwarding the information.

If a user does not usually have rights to certain data but needs access to sensitive information for a specific project or deliverable, that access can be provided on a short-term basis with a pre-defined expiration date. Once the expiration passes, the user will no longer be able to access the data even if they have copied it and taken it home to their personal computer.

Diving into all of the functions and benefits of WRMS is beyond the scope of this article. Suffice it to say that WRMS can be a powerful tool in your arsenal for securing data and protecting against information leakage. For more information about WRMS, visit Microsoft’s Windows Rights Management Services Web site: http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx.

Embracing Portable Storage Securely

It might seem simpler to just issue a draconian mandate that portable storage devices are not allowed. Sticking your head in the sand and pretending that USB flash drives don’t exist doesn’t make the risk go away, though. Users still own them and can easily bring them into the office and connect them to computers on your network without your knowledge.

It is much better to embrace the technology. Learn about the advantages of using such devices and understand the risks. Determine how they improve efficiency and increase productivity for your users, and define a policy that restricts and controls their use to specified users or tasks. Most important, for those who ignore the policy and bring in USB flash drives from home, and for authorized users whose USB flash drives are lost or stolen, implement security controls and technology that restrict the ability to use the devices and that secure and protect the data stored on them.

Tony Bradley, a Microsoft Most Valuable Professional in Windows security, is a computer security consultant with BT INS in Houston and author of Essential Computer Security.