Need to limit USB storage access to specific devices

briangoldstein1246 · 2019-10-10T17:34:13.000Z

For the past several years, we have wanted to block use of USB storage devices. We know how to do it through AD group policy, but there is a problem. We have numerous scenarios where we need to allow specific users to access specific external storage devices. This includes company-owned digital cameras, as well as company-owned flash drives used to transfer data from offline equipment (i.e. devices not capable of network access). Blanket exceptions for specific users or computers are not sufficient, as in some cases users who need access to external storage devices have also exhibited high-risk behavior, and other employees see them and think that high-risk behavior is supposed to be the norm.

We have been trying to use the device control component of Vipre Endpoint Security for a while, but we find that it doesn’t properly identify a lot of devices, and often it doesn’t even report a blocked device back to the server. Both problems mean we can’t create exceptions for the equipment we want to allow. This leaves us with the same flaws as we would have if we used group policy.

Just to provide one example: We have a specialized digital camera. When connected to a computer, the Vipre device control logs identify it as device name “USB Device, Disk drive, (Standard disk drives)”, model ID “USBSTOR\Disk____________________________”, and it has no serial number. Despite the obvious flaw, I tried creating an exception for these values, and it didn’t work.

Is there another, reliable, hopefully not too expensive, solution out there that we can use specifically to regulate USB storage device access? Alternatively, is there some standalone application that we can use to probe devices and acquire the information Vipre needs to accurately identify them?

big-green-man · 2019-10-10T18:02:18.000Z

Do the devices report their hardware IDs correctly in Device Manager? If so, you could still use GPO to only allow certain devices.

learn.microsoft.com

Group Policy Allowing certain USB stick but Deny ALL other USB devices?

You can use loopback processing to lock it down further.

learn.microsoft.com

Loopback processing of Group Policy - Windows Server

This article describes why you need to enable loopback processing for Group Policy.

briangoldstein1246 · 2019-10-10T18:14:13.000Z

That’s a start, but if I understand correctly, the device IDs only narrow it down to a device model, not a specific unit, and only prevent driver installation, not mounting a device for which the system already has drivers. Is there something I missed in the description that would allow one device and block another, even if they are the same model hardware?

It also sounds like this policy would affect all devices, not just those that store data. This means we would need to create allowances for things like keyboards, mice, and numerous other non-storage peripherals. And we have a lot of specialized equipment around here, so that’s a can of worms.

We started using the Vipre device control utility because it allows restriction by individual devices. Unfortunately that is only helpful if the software can identify all the devices we need to allow.

big-green-man · 2019-10-10T18:26:44.000Z

SunShade:

That’s a start, but if I understand correctly, the device IDs only narrow it down to a device model, not a specific unit, and only prevent driver installation, not mounting a device for which the system already has drivers. Is there something I missed in the description that would allow one device and block another, even if they are the same model hardware?

It also sounds like this policy would affect all devices, not just those that store data. This means we would need to create allowances for things like keyboards, mice, and numerous other non-storage peripherals. And we have a lot of specialized equipment around here, so that’s a can of worms.

I think you would also need to combine it with the GPOs to block based on storage class.

gpsearch.azurewebsites.net

Group Policy Search

The GPS is a group policy search tool for Microsoft Active Directory Group Policy Settings.

But that still would allow them to use different devices of the same model, which sounds like a non-starter for you.

The first policy I linked would stop new device from getting drivers installed, so anything existing (keyboards, mice, etc.) should be fine.

Still, though. Needing to lock down by serial number is a requirement GPO won’t fulfill.

briangoldstein1246 · 2019-10-10T18:34:39.000Z

Thanks for trying, BGM. We may be able to use a GPO to block specific device groups, like cell phones, but unfortunately group policy just doesn’t have the level of control we need. That’s why we’re looking for a third-party utility.

Since we are already using a solution from @VIPRE , it would be nice if someone from there could offer a suggestion to make their product work better.

big-green-man · 2019-10-10T18:47:14.000Z

No problem. Nirsoft has a utility that could pull the info you’re looking for, which you could pass on to Vipre. But if Vipre is having issues identifying the device itself, it might still block it even if you have the correct info entered.

NirSoft

View any installed/connected USB device on your system

USBDeview is a software that lists all USB devices that connected to your computer, and allows you disable, enable or uninstall them.

Have you opened a ticket with Vipre support at all? Looks like their GGs aren’t active, so I wouldn’t count on a response from them here.

gary-m-g · 2019-10-12T01:26:20.000Z

Ivanti’s product—was Lumension—does the job exactly as required.

markharburn0580 · 2019-10-13T08:03:05.000Z

Since you can already do it via AD all you need to do is assign a group to an allow GPO that uses a filter to override the deny gpo and teach the user to do a gpupdate /force It just means you will have to put everyone else in the deny group. Worst case is a reboot for the user.

Phones etc can be blocked by using WPD block.