Wednesday, July 19, 2017

windows 10 - Block USB access, but allow only specific ones (in particular, one USB mass storage device)



In Windows 10 Pro, is there a way to block all USB devices, but allow specific ones?



In particular, I want to allow only one specific USB mass storage device - i.e. one specific vendor model, with a unique serial number.



This article claims that it's possible: https://community.spiceworks.com/how_to/1488-lockdown-usb-to-specific-removable-usb-drives. However, it was written in 2010 and the instructions don't seem to work on Windows 10: I couldn't change the permissions of the usbstor.inf file and the machine still mounts previously unseen models of USB sticks.


Answer



Following @Ramhound's suggestion, I got it working using group policy.




The general direction is documented here: https://technet.microsoft.com/en-us/library/2007.06.grouppolicy.aspx



In particular, the "Prevent installation of removable devices" rule is what I need.



So here's a summary of what I ended up doing:




  1. In Device Manager, uninstall all USB devices that I don't want, including the ones that are currently not connected - there's an environment variable called DEVMGR_SHOW_NONPRESENT_DEVICES that enables the display of installed, but currently disconnected devices; just search the web for "DEVMGR_SHOW_NONPRESENT_DEVICES";

  2. Install the USB device that I want; in this case, a USB mass storage device;

  3. Enable the "Prevent installation of removable devices" rule in Group Policy.




Caveat emptor:




  1. Group policy probably can't effectively block some devices that don't expose a unique serial ID. E.g. if a certain vendor model of USB mass storage device doesn't expose a unique serial ID, and you have installed one, then group policy might allow any other instances of the same vendor model to be mounted. I don't have such a model of USB mass storage device with me, so I can't really verify.

  2. As far as I understand, USB device IDs are not signed and thus cannot be verified - i.e. if a USB device claims to be a certain device, with a particular serial ID, there is no way for the computer to tell whether that's true. A bad guy could build a USB device with forged USB device ID and forged serial ID, in order to get it accepted by your computer, though even then.



With all that said, this solution works if you assume that all your devices expose unique serial IDs and that nobody tries to forge a USB device to get it accepted by your computer.
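The three steps in the answer, scripted in PowerShell as an added example (this is not part of the original answer). It assumes: the instance ID of the device you want to keep is substituted for the placeholder `$AllowedInstanceId`; `pnputil /remove-device` is available (Windows 10 1903 or later); and the "Prevent installation of removable devices" policy is backed by the `DenyRemovableDevices` DWORD under the `DeviceInstall\Restrictions` policy key, which is what the local Group Policy editor writes. Run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original answer's code. Placeholder instance ID below;
# list your own with:
#   Get-PnpDevice | Where-Object InstanceId -like 'USBSTOR\*' | Format-List InstanceId, FriendlyName
$AllowedInstanceId = 'USBSTOR\DISK&VEN_EXAMPLE&PROD_STICK&REV_1.00\0123456789ABCDEF&0'  # assumed placeholder

# Registry location behind "Prevent installation of removable devices" (assumption: value name DenyRemovableDevices).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbStorageDevices {
    # Without -PresentOnly, Get-PnpDevice also returns devices that are installed but
    # currently unplugged, i.e. the same view DEVMGR_SHOW_NONPRESENT_DEVICES gives Device Manager.
    Get-PnpDevice | Where-Object { $_.InstanceId -like 'USBSTOR\*' }
}

function Remove-UnwantedUsbStorageDevices {
    param([Parameter(Mandatory)][string]$Keep)
    # Step 1: uninstall every USB mass storage device except the one we want to keep.
    foreach ($dev in Get-UsbStorageDevices) {
        if ($dev.InstanceId -eq $Keep) {
            Write-Host "Keeping  $($dev.InstanceId)"
            continue
        }
        Write-Host "Removing $($dev.InstanceId) ($($dev.FriendlyName))"
        # Same as "Uninstall device" in Device Manager; works for non-present devices too.
        & pnputil.exe /remove-device $dev.InstanceId | Out-Null
    }
}

function Confirm-AllowedDeviceInstalled {
    param([Parameter(Mandatory)][string]$Keep)
    # Step 2: the allowed device must be installed *before* the block is enabled.
    while (-not (Get-UsbStorageDevices | Where-Object { $_.InstanceId -eq $Keep })) {
        Read-Host 'Allowed device not installed yet. Plug it in, wait for Windows to install it, then press Enter'
    }
    # Caveat 1 from the answer: if the serial part (after the last backslash) looks Windows-generated
    # (typically "<digit>&<hex>&0&..."), the device exposes no serial and same-model devices may get through.
    $serial = ($Keep -split '\\')[-1]
    if ($serial -match '^\d+&[0-9a-f]+&0&') {
        Write-Warning "Instance ID serial '$serial' looks generated by Windows, not by the device."
    }
}

function Enable-RemovableDeviceInstallBlock {
    # Step 3: enable "Prevent installation of removable devices".
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'DenyRemovableDevices' -Value 1 -Type DWord
}

function Test-Configuration {
    param([Parameter(Mandatory)][string]$Keep)
    # Summarise the end state: policy on, only the allowed device left in the device store.
    $all  = @(Get-UsbStorageDevices)
    $deny = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).DenyRemovableDevices
    [pscustomobject]@{
        PolicyEnabled     = ($deny -eq 1)
        AllowedInstalled  = [bool]($all | Where-Object { $_.InstanceId -eq $Keep })
        UnwantedRemaining = @($all | Where-Object { $_.InstanceId -ne $Keep }).Count
    }
}

Remove-UnwantedUsbStorageDevices -Keep $AllowedInstanceId
Confirm-AllowedDeviceInstalled    -Keep $AllowedInstanceId
Enable-RemovableDeviceInstallBlock
Test-Configuration                -Keep $AllowedInstanceId
```

The policy is evaluated when Windows tries to install a driver for a newly seen device, so the already-installed stick keeps working while any new removable device is refused at installation time. Re-run `Test-Configuration` after plugging in an unknown stick: `UnwantedRemaining` should stay at 0 and the new device should appear in Device Manager with an error rather than as a mounted drive. The script only filters the USBSTOR enumerator; devices that present themselves under other enumerators are subject to the same policy but are not touched by step 1 here.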


