USB drives, thumb drives, flash drives, pen drives, memory sticks -- whatever you call them -- pose a unique security challenge for network admins. They’re small, easily portable, and work in any computer. While this makes them great for quickly and easily moving files from computer to computer, these same features make them a serious threat to network and data security.
Malware can spread from computer to computer via USB drive. Attackers have been known to plant "lost" flash drives in the parking lots and lobbies of targeted businesses, counting on a curious employee to plug one in and launch the backdoor it carries. And data copied onto a flash drive can easily wind up in the wrong hands -- whether the drive is lost accidentally or walked out the door on purpose.
So administrators need to weigh the convenience of portable storage against the risks that come with allowing it. We'll consider three policy options that can increase security on your network, from most to least restrictive.
The Nuclear Option: Block All Removable Media via GPO
If you're supporting a high-security environment where any data breach could be detrimental, the most secure option is to completely prevent your users from using any sort of removable media, period. Be aware that "all removable storage classes" means exactly that: CD/DVD drives, tape, floppy and phone or camera (WPD) storage are blocked along with USB disks.
To disable removable media access with Group Policy, first create a new Group Policy Object and link it to an OU containing the computers you want to secure (this is a Computer Configuration setting, so linking it to a users OU has no effect). Then edit the policy and navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access, and set All Removable Storage classes: Deny all access to Enabled. Test it on a pilot OU first: once it applies, nothing short of editing the GPO will get a drive recognised on those machines.
The Moderate Approach: Force BitLocker on USB Drives
If your users still need to be able to move data around on removable storage within your company, you can let them -- provided the drive has been secured with BitLocker drive encryption (BitLocker To Go). This way, even if the USB drive gets lost, the data on it will be unreadable to third parties. Be clear about what this does and does not buy you: it protects the confidentiality of a drive that goes missing, but it does nothing against an authorised user who can unlock the drive and simply carries the data out, and unencrypted drives remain readable, so malware can still arrive on one. If either of those is your concern, you need to block removable storage entirely.
To enable this setting, create a new Group Policy Object and configure Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives > Deny write access to removable drives not protected by BitLocker. This allows unencrypted USB drives to be read, but not written to, until they are encrypted with BitLocker. For even more control, tick the option Do not allow write access to devices configured in another organization within that same setting. For this check to work you must also configure Provide the unique identifiers for your organization (under BitLocker Drive Encryption) with your organisation's identification field; Windows compares the identifier stored on the drive against that value, and without it the cross-organisation check has nothing to match. The result is that only drives encrypted under your own organisation's identifier can be written to on your computers.
The Common-Sense Approach: Disable Autorun/Autoplay
AutoRun and AutoPlay can be used to spread malicious software quite easily: AutoRun executes whatever program the author of the drive's autorun.inf file asks it to, and AutoPlay pops up a prompt that a user can be tricked into clicking. Current versions of Windows already ignore autorun.inf on USB disks (only optical media still honour it), but the AutoPlay prompt remains, and it is still the easiest way to get a user to open an attacker's file. Disabling both is a common-sense security measure that all admins should implement, unless you have a very good reason not to.
To disable them, again create a Group Policy Object and configure Computer Configuration > Policies > Administrative Templates > Windows Components > AutoPlay Policies > Turn off AutoPlay, selecting All drives. In the same folder, set Set the default behavior for AutoRun to Do not execute any autorun commands, which covers the optical-media case as well.
This prevents Windows from offering to run, or running, files from USB drives inserted into the system. Even if you've enabled the BitLocker policy, you'll want this policy as well, since an unencrypted USB drive is still mounted (read-only), which is all AutoPlay needs to offer up a malicious file.
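The three options above can be built from PowerShell instead of clicking through the Group Policy Management Console. The script below is an added example and is not code from the original post or from E-N Computers; it uses the GroupPolicy module that ships with RSAT and writes the same registry-backed policies the GUI settings write. The GPO name, the target OU, and the organisation identifier "Contoso" are placeholders you would replace.

```powershell
# Added example (not from the original post): the three removable-media
# policies above, created with the GroupPolicy module (RSAT) rather than
# the GPMC GUI. Run on a domain-joined admin workstation.
# Assumptions, not from the article: the GPO name, the target OU and the
# organisation identifier 'Contoso' are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Removable Media Policy'                 # assumed GPO name
$TargetOu = 'OU=Workstations,DC=corp,DC=example'     # assumed OU

# Create the GPO if it does not exist and link it to the computer OU.
# All three settings are Computer Configuration policies, so the link
# target must contain computer objects, not users.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOu | Out-Null
}

# Option 1 - the nuclear option: "All Removable Storage classes: Deny all access".
function Set-RemovableStorageDenyAll {
    param([string]$Gpo)
    Set-GPRegistryValue -Name $Gpo `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
}

# Option 2 - BitLocker To Go: deny writes to drives not protected by BitLocker,
# and optionally to drives encrypted by another organisation. The cross-org
# check only works when the organisation identification field is also set,
# so the function writes both together.
function Set-BitLockerRemovableWriteRestriction {
    param([string]$Gpo, [string]$OrgId, [switch]$DenyCrossOrg)
    $fve = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
    Set-GPRegistryValue -Name $Gpo -Key $fve -ValueName 'RDVDenyWriteAccess' -Type DWord -Value 1 | Out-Null
    if ($DenyCrossOrg) {
        Set-GPRegistryValue -Name $Gpo -Key $fve -ValueName 'IdentificationField' -Type DWord -Value 1 | Out-Null
        Set-GPRegistryValue -Name $Gpo -Key $fve -ValueName 'IdentificationFieldString' -Type String -Value $OrgId | Out-Null
        Set-GPRegistryValue -Name $Gpo -Key $fve -ValueName 'SecondaryIdentificationField' -Type String -Value $OrgId | Out-Null
        Set-GPRegistryValue -Name $Gpo -Key $fve -ValueName 'RDVDenyCrossOrg' -Type DWord -Value 1 | Out-Null
    }
}

# Option 3 - "Turn off AutoPlay" on all drives (0xFF = every drive type) plus
# "Set the default behavior for AutoRun" = do not execute any autorun commands.
function Set-AutoPlayOff {
    param([string]$Gpo)
    $explorer = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    Set-GPRegistryValue -Name $Gpo -Key $explorer -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $explorer -ValueName 'NoAutorun' -Type DWord -Value 1 | Out-Null
}

# Client-side check: run on a workstation after 'gpupdate /force' to confirm
# which of the three controls actually took effect. Returns a hashtable of
# booleans, which is easier to act on than eyeballing gpresult output.
function Test-UsbPolicyApplied {
    $get = { param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }
    @{
        RemovableStorageDenied = ((& $get 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All') -eq 1)
        BitLockerWriteOnly     = ((& $get 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'RDVDenyWriteAccess') -eq 1)
        AutoPlayOff            = ((& $get 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun') -eq 0xFF)
    }
}

# Options 1 and 2 are alternatives; enable one of them, plus option 3.
# Set-RemovableStorageDenyAll -Gpo $GpoName
Set-BitLockerRemovableWriteRestriction -Gpo $GpoName -OrgId 'Contoso' -DenyCrossOrg
Set-AutoPlayOff -Gpo $GpoName
```

Because these are registry-backed Administrative Template settings, the values land in the same keys the GUI writes, so the GPMC report for the GPO will show them under their familiar names. Test-UsbPolicyApplied is the piece worth keeping around: run it on a pilot machine after the policy refreshes, and again after any change to the GPO, before you rely on the control.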
E-N Computers is a leading cybersecurity-focused IT service provider, serving businesses in Virginia, Washington, D.C., and Maryland. Contact us today to find out how we can offer you peace-of-mind even in the face of the latest security threats facing your business.