Locking down USB flash drives in Windows 7

Archive for February, 2010

There are two ways that USB storage drives are commonly misused. The first is people transferring confidential data on their personal drives. These drives are then lost, stolen, or damaged. Second, the USB storage drive becomes a way to transmit malware. People then end up bringing infected drives into clean networks, which then spreads the malware. (See the end of this post for one such example.)

We read about this all the time in information security magazines. Some pentest company or another is always loading up USB sticks and leaving them in parking lots. Creating such drives is trivial with Metasploit and Meterpreter. USB drives are clearly a weak link.

Windows 7 has a couple of new system policies to address these threats. Start with an administrative control mandating corporate-approved USB storage drives. (IronKey drives are my favorite here due to encryption, high quality, and near-indestructible design.) Turn off autorun, which, just by itself, will thwart most malware. Turn on Device Installation Restrictions and limit driver installation to just the corporate-approved drives. Push out the group policy and, bingo, USB just became that much safer.

Open Group Policy Management and edit the applicable GPO in your Active Directory.

Disable autorun
Computer Configuration \ Administrative Templates \ Windows Components \ AutoPlay Policies
Turn off Autoplay: Enabled

Limit to approved devices
Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restrictions
Allow installation of devices that match any of these device IDs: (add the corporate-approved drive's device ID)
Prevent installation of devices not described by other policy settings: Enabled
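To confirm that the two policies above actually landed on a client (run gpupdate /force first) and to collect the hardware IDs the allow list needs, here is an added PowerShell 2.0 script of my own; it is not part of the original post or any Microsoft tooling. It reads the registry values those two policies write and assumes the WMI Win32_PnPEntity HardwareID property is populated for the attached USB disks.

```powershell
# Added audit script (not from the original post). Reads the registry
# values written by "Turn off Autoplay" and "Device Installation
# Restrictions", then lists the hardware IDs of attached USB disks so the
# right value can be pasted into the device-ID allow list.

function Test-UsbLockdownPolicy {
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

    # "Turn off Autoplay: Enabled" sets NoDriveTypeAutoRun
    # (0xFF = all drives, 0xB5 = CD-ROM and removable media only).
    $autorun = (Get-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    # "Prevent installation of devices not described by other policy
    # settings: Enabled" sets DenyUnspecified = 1.
    $deny = (Get-ItemProperty -Path $restrict -Name DenyUnspecified `
             -ErrorAction SilentlyContinue).DenyUnspecified

    # The allow list is a subkey holding one string value per device ID.
    $allowed = @()
    if (Test-Path "$restrict\AllowDeviceIDs") {
        $key     = Get-Item "$restrict\AllowDeviceIDs"
        $allowed = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    }

    New-Object PSObject -Property @{
        AutoplayDisabled = ($autorun -eq 0xFF -or $autorun -eq 0xB5)
        DenyUnspecified  = ($deny -eq 1)
        AllowedDeviceIDs = $allowed
    }
}

function Get-AttachedUsbStorageIds {
    # USB disks enumerate under USBSTOR. Each exposes several hardware IDs
    # (the same list Device Manager shows under "Hardware Ids"); any one of
    # them can be used in the allow-list policy.
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name        = $_.Name
                HardwareIDs = $_.HardwareID
            }
        }
}

Test-UsbLockdownPolicy   | Format-List
Get-AttachedUsbStorageIds | Format-List
```

A drive that was already installed before the policy arrived keeps its existing driver, so check the allow list against the IDs this prints rather than assuming the deny policy alone covers it.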

Example threat vector:

Google Case in China Reveals Growing Holes in Security

Often, malware infections are a result of high-tech twists on old-fashioned cons. One scam, for example, involves small USB flash drives, left in a company parking lot, adorned with the company logo. Curious employees pick them up, put them in their computers and open what looks like an innocuous document.

In fact, once run, it is software that collects passwords and other confidential information on a user’s computer and sends it to the attackers. More advanced malware can allow an outsider to completely take over the PC.