Thursday, May 10, 2007

Blocking U3 USB devices


I get this question a lot: how can we block U3 devices on the network?

Well, one approach that some companies take is to physically block the USB ports (with glue, for example) - no USB device can be connected, so we have a "secure" system... Hmmm, this also means we cannot use any other USB devices - maybe not the best solution for all of us then...

If you have Windows Vista deployed, you can use the new Device Control functionality, but most companies have Windows XP and Windows Server 2003 in production (and probably wait for Vista Service Pack 1 before they go ahead with the Vista deployment)... So, what could they do then?

Third party software like GFI EndPointSecurity is capable of blocking USB devices etc. - and it does a very good job too, but there is also a free way to do it (and if you ask me, it's the best way): implement Software Restriction Policies (SRP)!

I've been writing about the "Default Deny All Applications" approach, and this is (of course) also capable of blocking U3 devices - out of the box, with built-in Windows functionality.

When the Default Security Level is set to Disallowed, nothing is able to launch except what the administrator defines as Unrestricted (and some default rules and limitations on top of this). When a user plugs in the U3 USB device NOTHING happens - no weird hacker tools, utilities, applications and whatever those 'wonderful' devices normally introduce.

Behind the scenes SRP restricts access to the U3 LaunchPad and leaves only an event in the Windows Event log:

Source: Software Restriction Policy
Event ID: 865
Type: Warning

"Access to C:\...\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level"
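Because the block leaves exactly this event behind, the Application log doubles as an inventory of U3 sticks being plugged in. The script below is an added example (not code from the post) that parses constructed records in an assumed "Key: value; ..." text layout, keeps the SRP block events (865 plus the 866-868 rule variants), and counts U3 LaunchPad blocks per user and drive letter; the users, paths and layout are invented for the example.

```python
import re
from collections import Counter

# SRP "access restricted" event IDs (Application log, Windows XP / Server 2003):
# 865 is the event shown in the post; 866-868 are the path, certificate and
# zone rule equivalents.
SRP_BLOCK_EVENTS = {865: "default level", 866: "path rule",
                    867: "certificate rule", 868: "zone rule"}

# Constructed sample records. The "Key: value; ..." layout is an assumption
# for this example, not a real Event Viewer export; users and paths are made
# up (the post elides the real U3 LaunchPad path).
SAMPLE_LOG = """\
Source: Software Restriction Policy; Event ID: 865; Type: Warning; User: ACME\\jdoe; Message: Access to E:\\SAMPLE-U3\\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level
Source: Software Restriction Policy; Event ID: 865; Type: Warning; User: ACME\\jdoe; Message: Access to E:\\SAMPLE-U3\\System\\Apps\\tool.exe has been restricted by your Administrator by the default software restriction policy level
Source: Software Restriction Policy; Event ID: 866; Type: Warning; User: ACME\\asmith; Message: Access to C:\\Temp\\setup.exe has been restricted by your Administrator by location with policy rule {CONSTRUCTED-RULE-GUID}
Source: Print; Event ID: 10; Type: Information; User: ACME\\asmith; Message: Document printed
Source: Software Restriction Policy; Event ID: 865; Type: Warning; User: ACME\\asmith; Message: Access to F:\\SAMPLE-U3\\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level
"""

RECORD_RE = re.compile(r"Source: (?P<source>[^;]+); Event ID: (?P<id>\d+); "
                       r"Type: [^;]+; User: (?P<user>[^;]+); Message: (?P<msg>.*)$")
PATH_RE = re.compile(r"Access to (?P<path>.+?) has been restricted")

def parse_srp_block(line):
    """Return a dict for an SRP block event, or None for any other record."""
    m = RECORD_RE.match(line)
    if not m or m.group("source") != "Software Restriction Policy":
        return None
    event_id = int(m.group("id"))
    if event_id not in SRP_BLOCK_EVENTS:
        return None
    p = PATH_RE.search(m.group("msg"))
    path = p.group("path") if p else ""
    return {"id": event_id, "reason": SRP_BLOCK_EVENTS[event_id],
            "user": m.group("user"), "path": path,
            # U3 sticks start their menu through LaunchPad.exe, so a block on
            # that file is the signature of a U3 device being plugged in.
            "u3_launchpad": path.lower().endswith("\\launchpad.exe")}

def summarize(log_text):
    """Count blocks by reason, and U3 LaunchPad blocks per user and drive."""
    events = [e for e in map(parse_srp_block, log_text.splitlines()) if e]
    u3 = [e for e in events if e["u3_launchpad"]]
    return {"blocked": len(events),
            "by_reason": Counter(e["reason"] for e in events),
            "u3_by_user": Counter(e["user"] for e in u3),
            "u3_drives": sorted({e["path"][:2] for e in u3})}
```

Calling `summarize(SAMPLE_LOG)` on the constructed records reports 4 blocks, two of them U3 LaunchPad launches (one per user, on drives E: and F:).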

This limitation can be set on user and/or computer level.

After introducing SRP on your Windows computers (Windows XP and above), you can consider your network "U3 free".