Tuesday, March 1, 2011

Locking down Windows Vista and Windows 7 against Malicious USB devices


A fair amount has already been written about locking down a Microsoft Windows box to protect it against undesired USB flash drive usage. If system owners want to keep data from leaving their network via removable storage, there's a simple registry entry that can be tweaked:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
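As an added example (not the author's tool, which is referenced below), the following PowerShell inspects and sets the WriteProtect value described above. It assumes nothing beyond the registry path on the page and an elevated prompt; on a default Vista/7 install the StorageDevicePolicies key does not exist until you create it, which the script handles.

```powershell
# Added example: read and set the USB write-protect policy value.
# Run from an elevated PowerShell prompt. The setting applies to drives
# plugged in after the value is changed; already-mounted drives keep
# the state they were mounted with.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # The StorageDevicePolicies key is absent on a default install, and
    # an absent key simply means "not write-protected".
    if (-not (Test-Path $policyKey)) { return $false }
    $v = Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue
    return (($null -ne $v) -and ($v.WriteProtect -eq 1))
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $value = 0
    if ($Enabled) { $value = 1 }
    Set-ItemProperty -Path $policyKey -Name WriteProtect -Value $value -Type DWord
}

# Usage: record the state before changing it so it can be put back later.
$before = Get-UsbWriteProtect
Write-Host "WriteProtect before: $before"
Set-UsbWriteProtect -Enabled $true
Write-Host "WriteProtect now:    $(Get-UsbWriteProtect)"
```

Because the value is a plain DWORD that any local administrator can flip back, treat it as a convenience control rather than a boundary; on a domain the same value is normally pushed (and re-applied) by Group Policy so that a local change does not stick.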
Or a simple tool I wrote a while back can be used to manipulate this registry key:
It should be noted that my tool above was meant more for forensics use (though I make no guarantee that it is forensically sound). A security professional may be worried about more than just data leaking out of their systems on removable storage; they may also worry about U3 thumb drives carrying undesired Autorun payloads. For Autorun/Autoplay concerns, the following Microsoft article has a great deal of detail on disabling Autorun for selected device types:
What the article you are reading will concentrate on is stopping other classes of possibly malicious USB devices, especially the PHUKD (Programmable HID USB Keyboard/Mouse Dongle) from my upcoming Defcon presentation:
One of the advantages of the PHUKD is that human interface devices (HIDs) like mice and keyboards don't require administrative privileges to install and function, at least by default. Another advantage the PHUKD has is that many organizations are beginning to lock down Autorun on their systems to prevent malware like Conficker from spreading via that particular vector, and to keep tools like the Hak5 U3 Hacksaw from functioning. However, since a PHUKD is a USB HID, turning off Autorun has no effect on it. There are, however, other Windows 7/Vista settings that can be tweaked to disable arbitrary USB devices.
While I did most of my testing of the following Windows Vista/7 security options using a PHUKD device, they should also prove useful in blocking U3 thumb drives, WiFi dongles (think inadvertent rogue access points), non-passive keyloggers and other devices that could be attached to a system. Also, these security options can be applied to restrict other types of hardware, not just USB, though USB peripherals are what I will concentrate on in this article.
Shortly I will be covering Windows 7/Vista Group Policy/Registry tweaks that you can apply to block the automatic install of USB devices, but first there is a tool you may want to download to ease your experimentation. Nirsoft's USBDeview was of great use to me during this research.
USBDeview is quite useful, especially as compared to Device Manager. A few of the more useful features of USBDeview include:
1.    View Vendor ID, Product ID, Device Class, Serial Number, etc., all from one line of output.
2.    Uninstall devices, even if they are not currently connected to the system.
3.    Jump straight to the registry keys related to the USB devices.
4.    Export list of installed USB devices to a text file.
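The same information USBDeview shows comes from the registry, so here is an added PowerShell example (not USBDeview and not the author's code) that walks HKLM\SYSTEM\CurrentControlSet\Enum\USB and produces the Vendor ID, Product ID, serial number, class and driver service for every USB device Windows has recorded. It assumes an elevated prompt and the standard layout of that key (VID_xxxx&PID_xxxx subkeys with one instance key per device); the CSV path is a constructed example.

```powershell
# Added example: USBDeview-style inventory of USB devices from the registry.
# Devices remain under Enum\USB after they are unplugged, so this also
# reveals a HID or storage device that was attached while nobody was watching.
$enumUsb = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'

function Get-UsbDeviceHistory {
    foreach ($devKey in (Get-ChildItem -Path $enumUsb -ErrorAction SilentlyContinue)) {
        # Key names look like VID_0781&PID_5567, plus &MI_00 for each interface
        # of a composite device (a keyboard/mouse dongle typically shows two).
        $vid = ''; $prodId = ''; $mi = ''
        if ($devKey.PSChildName -match 'VID_([0-9A-Fa-f]{4})') { $vid    = $matches[1] }
        if ($devKey.PSChildName -match 'PID_([0-9A-Fa-f]{4})') { $prodId = $matches[1] }
        if ($devKey.PSChildName -match 'MI_([0-9A-Fa-f]{2})')  { $mi     = $matches[1] }

        foreach ($instKey in (Get-ChildItem -Path $devKey.PSPath -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -Path $instKey.PSPath -ErrorAction SilentlyContinue
            # The instance name is the device's serial number unless it contains
            # '&', in which case Windows generated it because the device has none.
            $instance = $instKey.PSChildName
            $serial = ''
            if ($instance -notmatch '&') { $serial = $instance }
            # DeviceDesc is often an indirect string such as
            # "@usb.inf,%usb.hub%;Generic USB Hub"; keep the readable part after ';'.
            $desc = $p.DeviceDesc
            if ($p.FriendlyName) { $desc = $p.FriendlyName }
            if ($desc -and $desc.StartsWith('@') -and $desc.Contains(';')) {
                $desc = $desc.Substring($desc.LastIndexOf(';') + 1)
            }
            New-Object PSObject -Property @{
                VendorID    = $vid
                ProductID   = $prodId
                Interface   = $mi
                Serial      = $serial
                InstanceID  = $instance
                Class       = $p.Class      # e.g. HIDClass, USB, DiskDrive, WPD
                Service     = $p.Service    # driver service bound to the device
                Description = $desc
            }
        }
    }
}

# Usage: show HID-class devices (keyboards, mice, PHUKD-style dongles) first,
# then export the whole list to a file, like USBDeview's feature 4 above.
$all = Get-UsbDeviceHistory
$all | Where-Object { $_.Class -eq 'HIDClass' } |
    Format-Table VendorID, ProductID, Serial, Description -AutoSize
$all | Export-Csv -Path "$env:USERPROFILE\Desktop\usb-devices.csv" -NoTypeInformation
```

An unexpected HIDClass entry with a vendor/product pair nobody in the organization owns is exactly the kind of finding this list is good for, and the Serial column is what the Device Installation Restriction policies later in this article key on when you allow or deny a specific device.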
Along with USBDeview it may be useful for you to be able to go straight to the MMC plugins we will be using in this article: Device Manager and Local Group Policy Editor. To jump directly to these MMC plugins, enter the command "devmgmt.msc" to bring up the Device Manager, or "gpedit.msc" to bring up the Local Group Policy Editor. These commands may be entered via the "Search programs and files" bar, the Run bar or via the command console (cmd.exe / powershell.exe). Putting shortcuts to them on your Desktop is also an option, of course.
Now that we have the needed tools, I'll cover the Device Installation Restriction options available in Windows 7/Vista. For each entry the following information will be given:
1.    The setting's name.
2.    A quote of Microsoft's description of the setting as seen in the Group Policy Editor.
3.    My notes from testing where I will try to clarify the use of the settings and certain "gotchas" you may encounter while using them.
4.    The registry keys and values that are changed when the option is enabled. This should make it easy for administrators to create their own scripts and interfaces for manipulating these security options.
Now let's take a look at some of the GPO options Windows 7/Vista provides for restricting hardware installation. To bring up the list of Device Installation Restriction options, use the command "gpedit.msc" as covered earlier, and navigate to:
Computer Configuration->Administrative Templates->System->Device Installation->Device Installation Restrictions

If at any point you have problems getting hardware to work because of changing these settings, set all of these GPO options to "Not Configured", then go into Device Manager and do an "Action->Scan for Hardware Changes" from the menu bar.
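For administrators who script these restrictions into the registry directly rather than through gpedit.msc (the approach the registry-key notes later in this article are meant to support), here is an added PowerShell example (not the author's code) that records the current Device Installation Restrictions policy and then clears it. The policy key path is a standard Windows location, not one shown on this page; the backup file path is a constructed example.

```powershell
# Added example: back up, display and clear the Device Installation
# Restrictions policy key so every restriction returns to "Not Configured".
# Run from an elevated prompt.
$restrictions    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$restrictionsReg = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$backup          = "$env:USERPROFILE\Desktop\DeviceInstallRestrictions-backup.reg"

function Show-DeviceInstallRestrictions {
    # DWORD switches sit directly on the key; allow/deny lists of device IDs
    # and setup classes sit in subkeys, one numbered value per entry.
    if (-not (Test-Path $restrictions)) { Write-Host 'No restriction policy is set.'; return }
    Get-ItemProperty -Path $restrictions | Format-List *
    Get-ChildItem -Path $restrictions | ForEach-Object {
        Write-Host "-- $($_.PSChildName)"
        Get-ItemProperty -Path $_.PSPath | Format-List *
    }
}

function Reset-DeviceInstallRestrictions {
    if (-not (Test-Path $restrictions)) { return }
    # reg.exe export keeps a copy that "reg import" can restore later.
    & reg.exe export $restrictionsReg $backup /y | Out-Null
    Remove-Item -Path $restrictions -Recurse -Force
    Write-Host "Policy cleared; backup written to $backup"
}

Show-DeviceInstallRestrictions
Reset-DeviceInstallRestrictions
# Afterwards open devmgmt.msc and choose Action -> Scan for hardware changes
# so devices that were blocked are detected and installed again.
```

One caveat: settings made in the Local Group Policy Editor are stored in the local Registry.pol, and the policy engine rewrites them into this key at the next refresh, so a setting that came from gpedit.msc must be put back to "Not Configured" there, as the paragraph above says; deleting the key only helps for values that were written straight into the registry.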

