Protect a business from rogue external drives/usb's

Tanspotty

Can't find an answer on Google for my question as it's being cr*p, but here it goes.

 

A company wants the ability to allow workers to use USBs and external hard drives for outside work, but doesn't want an employee to accidentally have their drive injected with malware which can then compromise the company's network and inject itself into it. I'm aware drives can inject code upon being plugged into a PC, which is a potential risk for such a company. Even with PowerShell and Command Prompt locked out, they can still get access to such an infected device.

 

I'd like to know this as I want to help a company increase security on its network.

How would you get Windows 10 to temporarily prevent a USB drive from being read and injecting code into a PC so it can be scanned for malware/viruses, or to restrict the ability of any unknown, not pre-approved software from being read/launched for possible malicious use?

Like, you don't want to restrict workers from being able to bring their own USBs or external hard drives at all, because they could have files important for work. Just safety protection to stop a rogue employee or outsider being able to inject a USB into any PC, gaining access through a backdoor and in turn causing malicious harm.

 

I do appreciate the help with getting an answer and, if you can, please simplify it so it's not too difficult to follow and understand the instructions/guidance.

5 minutes ago, Tanspotty said: (quoting the original post above in full)

Are we talking about a Microsoft domain-type company network, or is this company network very basic?

 

I don't see how allowing external media at home for a company device is any different than while plugged into the corporate network. A compromised computer can infect the company network regardless once it's plugged into that network.

 

I'd suggest blocking external media entirely for the user group branch through Group Policy enforced by the domain. For users who actually need to be able to use external media, like sysadmins, have separate accounts outside the part of the domain where external media is blocked.

Ryzen 7950x3D Direct Die NH-D15, CCD1 disabled

RTX 4090 @133%/+230/+500

Builder/Enthusiast/Overclocker since 2012  //  Professional IT since 2017

I don't think that's possible in Windows as far as my knowledge goes; Windows Defender already has that feature and does its job, but that's also getting exploited.

 

One way is to disable the USB connectors in the BIOS, usually, but that's not what people need.

 

There are more expert-level options, but that's too janky for a company.

 

Like running Linux headless and running a VM as the front end, with an automated script that scans any new USB device; once it's clean, it passes it through to the VM.

 

That requires quite some skill and time.

 

Good luck.

I'm a jank tinkerer; if it works then it works.

Regardless of compatibility 🐧🖖

1 hour ago, BoomerDutch said:

I don't think that's possible in Windows as far as my knowledge goes; Windows Defender already has that feature and does its job, but that's also getting exploited.

 

Why are you using Windows Defender to do this? Use GPO. There is absolutely an option to block removable storage via Group Policy.

A quick Google tells me it's under Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

ask me about my homelab

on a personal quest convincing the general public to return to the glory that is 12" laptops.

cheap and easy cable management is my fetish.
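Added example, not code from anyone in this thread: the Removable Storage Access policies Skipple points to are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, one subkey per device-setup-class GUID, with DWORD values Deny_Read, Deny_Write and Deny_Execute; the "deny all classes" setting is a Deny_All value on the parent key. On a domain you set them from the GPO editor, but the registry form is useful on a standalone Windows 10 machine and for checking what a GPO actually landed. The script below shows both the "restrict" variant the OP asked about (deny execute, optionally deny write, still allow read) and the "disable entirely" variant Skipple and BoomerDutch recommend. The GUID is Microsoft's fixed class GUID for Removable Disks; the function names are mine.

```powershell
# Added example: Removable Storage Access policy on Windows 10, set and read back
# through its registry backing store. Run from an elevated PowerShell.
# Mirrors: Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup class GUID for "Removable Disks" (USB sticks, external HDD/SSD).
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskPolicy {
    <#
      Restrict rather than disable: default denies execute only, so files can still
      be read and scanned, but nothing launches straight off the drive.
    #>
    param(
        [bool]$DenyExecute = $true,   # block launching executables/scripts from the drive
        [bool]$DenyWrite   = $false,  # also stop company data being copied onto it
        [bool]$DenyRead    = $false   # setting this is effectively "disable the drive"
    )
    $key = Join-Path $PolicyRoot $RemovableDisksClass
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Deny_Execute' -PropertyType DWord -Value ([int]$DenyExecute) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Deny_Write'   -PropertyType DWord -Value ([int]$DenyWrite)   -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Deny_Read'    -PropertyType DWord -Value ([int]$DenyRead)    -Force | Out-Null
}

function Block-AllRemovableStorage {
    # "All Removable Storage classes: Deny all access" - the disable-entirely option.
    if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }
    New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RemovableStoragePolicy {
    # Read back what is actually configured (useful after gpupdate to confirm a GPO applied).
    $denyAll = $false
    if (Test-Path $PolicyRoot) {
        $denyAll = [bool](Get-ItemProperty -Path $PolicyRoot).Deny_All
    }
    $key = Join-Path $PolicyRoot $RemovableDisksClass
    $disk = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    [pscustomobject]@{
        DenyAllClasses          = $denyAll
        RemovableDisk_DenyRead    = [bool]$disk.Deny_Read     # $null -> $false when unset
        RemovableDisk_DenyWrite   = [bool]$disk.Deny_Write
        RemovableDisk_DenyExecute = [bool]$disk.Deny_Execute
    }
}

# Usage: restrict (allow read, block execute), then confirm.
Set-RemovableDiskPolicy -DenyExecute $true -DenyWrite $false
Get-RemovableStoragePolicy | Format-List
# Or, for the full block: Block-AllRemovableStorage
```

The policy is enforced when the device is next enumerated, so re-plug the drive after changing it (the same GPO folder has a "Time (in seconds) to force reboot" setting if immediate enforcement matters). Two limits worth knowing before relying on "deny execute": it stops a binary running directly from the drive, but a user can still copy it to the local disk and run it there, so it is a speed bump rather than application control; and it applies only to storage classes, so a device that presents itself as a keyboard (the "injects code when plugged in" case the OP worries about) is untouched by it. Users who are local admins can also simply edit this key, which is why the domain-enforced GPO form is the one to use in practice.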

5 minutes ago, Skipple said:

Why are you using Windows Defender to do this? Use GPO. There is absolutely an option to block removable storage via Group Policy.

Yes, that's one way to do it; however, it's not exactly what OP wants.

1 hour ago, Tanspotty said:

How would you get Windows 10 to temporarily prevent a USB drive from being read and injecting code into a PC so it can be scanned for malware/viruses, or to restrict the ability of any unknown, not pre-approved software from being read/launched for possible malicious use?

Not asking us to disable it, but to restrict it.

1 hour ago, Tanspotty said: (quoting the original post above in full)

If you do this, the company should consider the worst-case scenario and then have a plan for that eventuality (data stolen, or your core servers and data locked). By trading security for convenience, they are inviting a serious problem.

Before you look at hardware or software solutions, it's important to consider the humans, and the training and policy they follow.

Why would they do this, given the risks?  Consider the pros and cons. 

6 minutes ago, BoomerDutch said:

Not asking us to disable it, but to restrict it.

Honestly, for a company at any scale, this isn't best practice. All external removable media should be disabled. There isn't a reason for it, especially when your company is dealing with any type of NPI, which almost every company does at some level. Develop a different solution for transferring work files that isn't removable media. End of story.

As you can see, OP, it's not possible.

So disable it like @Skipple said, or disable USB through the BIOS setting if available.

 

It's best practice.

20 hours ago, ToboRobot said:

If you do this, the company should consider the worst-case scenario and then have a plan for that eventuality (data stolen, or your core servers and data locked). By trading security for convenience, they are inviting a serious problem.

Before you look at hardware or software solutions, it's important to consider the humans, and the training and policy they follow.

Why would they do this, given the risks?  Consider the pros and cons. 

YES! The humans working there are definitely your worst enemy when it comes to security. Humans are lazy, routine-oriented and often in their own worlds, not paying attention to anything. Disable the USB sockets and close them off physically. Set it up like the '80s dumb terminals: server and goods locked away, and everyone gets a tablet to access the info. The IT guy, or guys, are the only ones allowed in the locked vault room and can manipulate anything from there.
