It's Vista vs Sushi: USB lockdown

Paul Schnackenburg
18 September 2006, 5:20 AM


Just as they were gaining traction in the corporate cubicle, Sushi USB keys are being foiled by a new feature in Longhorn Server and Vista: the ability for IT admins to lock out removable storage.


Companies running Longhorn Servers and Vista desktops will get the ability to do something that users will hate: lock down access to all forms of removable storage.
The new feature will infuriate end-users who already have to contend with locked-down internet proxies and the inability to install iTunes on the corporate desktop. But now, it's being taken to a new level: employees will no longer be able to plug in a USB Sushi key bought from home... (or an iPod for that matter).
Despite the end-user annoyance, it's not actually a bad feature. The increasingly common trick of scattering USB memory keys in a company's car park pre-loaded with auto-loading custom trojans targeted at the company's network will also be stymied.

Data thieves whose tool of trade is a 5GB USB hard drive will now be blocked by a major obstacle to local copying.

Companies can still allow employees to use USB devices, of course, but they might allow only IT-approved encrypted memory keys, so that if one is dropped in an airport gate lounge, its contents are meaningless to anyone who finds it.

Microsoft is winding up the hype cycle on this feature, which indicates that data theft and virus/trojan infection from removable media are key concerns for corporate customers.

And yes, before you say it, there are many third-party tools offering USB device blocking but as usual, having it built into the OS makes for a tastier treat -- it is implemented as an extension of the existing Windows Group Policy system, making it easy to manage on a network-wide level.

How it works

You can set limits in the following ways:

  • Only allow users to install devices that you have approved
  • Prevent users from installing devices on a prohibited list
  • Control read and/or write access to removable devices

And since all this is Group Policy based you can filter this approach based on group membership.

Windows has two ways of identifying devices for installation and configuration: device ID strings and device setup classes.

If you plug a device into a Windows PC that has never seen it before, the device reports its ID strings to Windows. The same strings are in the .inf file that's used for the installation of the drivers, and Windows matches one to the other (Plug and Play). There are two types of ID strings: Hardware IDs and Compatible IDs.

Be aware that some devices create multiple logical devices when they're installed -- multifunction printers will often appear as printers, scanners and faxes, while mobile phones often have 10-15 virtual devices for different purposes.

For each possible driver Windows assigns a ranking, zero being the best possible match. Exactly matching hardware IDs get zero, other hardware IDs get a higher number and compatible IDs get the highest numbers.

Device setup classes are identified by a globally unique identifier (GUID), for instance all CD drives belong to the CDROM class. Once again make sure you include all GUIDs for multifunction devices.

The group policy settings that control device installation in Vista and Longhorn server are:

  • Prevent installation of devices not described by other policy settings
  • Allow administrators to override device installation policy
  • Prevent installation of devices that match these device IDs
  • Prevent installation of drivers matching these device setup classes
  • Allow installation of devices that match any of these device IDs
  • Allow installation of devices using drivers for these device classes

List of Group Policy settings in Longhorn and Vista for devices

As you can see, it's easy to build up a list of allowed devices or, conversely, a list of banned gadgets. Local administrators can be allowed to install all devices, and you can also block installation of all devices not specifically allowed. Deny takes precedence if an item is on both the allow and the deny list.
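How the six settings above combine, as an added example that is not code from the article or from Microsoft: a PowerShell model of the decision, with the deny lists winning over the allow lists as stated above. The function name, the sample ID strings and the policy lists are assumptions; the setup class GUID for disk drives is the real one.

```powershell
# Added example, not code from the article or from Microsoft: a model of how the
# six device-installation policies combine, in the order the article describes
# (administrator override, then the prohibited lists, then the approved lists,
# then "prevent installation of devices not described by other policy settings").
# The ID strings and policy lists below are constructed sample values.
function Test-DeviceInstallAllowed {
    param(
        [string[]] $HardwareIds,            # Device Manager: Hardware Ids
        [string[]] $CompatibleIds,          # Device Manager: Compatible Ids
        [string]   $SetupClassGuid,         # Device Manager: Device class guid
        [string[]] $DenyIds      = @(),     # Prevent ... match these device IDs
        [string[]] $DenyClasses  = @(),     # Prevent ... these device setup classes
        [string[]] $AllowIds     = @(),     # Allow ... match any of these device IDs
        [string[]] $AllowClasses = @(),     # Allow ... drivers for these device classes
        [switch]   $PreventUnlisted,        # Prevent ... not described by other policy settings
        [switch]   $AdminOverride,          # Allow administrators to override ...
        [switch]   $IsAdmin                 # is the installing user a local administrator?
    )
    # Hardware IDs rank above compatible IDs for driver selection, but for a
    # block/allow decision a match on either kind counts.
    $ids = @($HardwareIds) + @($CompatibleIds)
    if ($AdminOverride -and $IsAdmin) { return 'Allowed: administrator override' }
    # Deny lists are checked before allow lists, so an entry on both is blocked.
    foreach ($id in $ids) {
        if ($DenyIds -contains $id) { return "Blocked: ID '$id' is prohibited" }
    }
    if ($DenyClasses -contains $SetupClassGuid) {
        return "Blocked: setup class $SetupClassGuid is prohibited"
    }
    foreach ($id in $ids) {
        if ($AllowIds -contains $id) { return "Allowed: ID '$id' is approved" }
    }
    if ($AllowClasses -contains $SetupClassGuid) {
        return "Allowed: setup class $SetupClassGuid is approved"
    }
    if ($PreventUnlisted) { return 'Blocked: not described by any other policy setting' }
    return 'Allowed: no restriction applies'
}
# Constructed sample: a USB flash drive. The DiskDrive setup class GUID is the real one.
$hw        = @('USBSTOR\DiskSanDisk_Cruzer_____1.00', 'USBSTOR\DiskSanDisk_Cruzer_____')
$cid       = @('USBSTOR\Disk', 'USBSTOR\RAW')
$diskClass = '{4d36e967-e325-11ce-bfc1-08002be10318}'
# Whitelist mode: only the approved stick may install; anything unlisted is blocked.
Test-DeviceInstallAllowed -HardwareIds $hw -CompatibleIds $cid -SetupClassGuid $diskClass `
    -AllowIds @('USBSTOR\DiskSanDisk_Cruzer_____1.00') -PreventUnlisted
# Same stick with its setup class also on the prohibited list: deny takes precedence.
Test-DeviceInstallAllowed -HardwareIds $hw -CompatibleIds $cid -SetupClassGuid $diskClass `
    -AllowIds @('USBSTOR\DiskSanDisk_Cruzer_____1.00') -DenyClasses @($diskClass)
```

On a real PC the same strings can be read from WMI (`Get-WmiObject Win32_PnPEntity`, properties `HardwareID`, `CompatibleID` and `ClassGuid`) rather than copied out of Device Manager by hand.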

There's also a new policy for Removable Storage Access, divided into categories:

  • CD/DVD
  • Floppy Drives (not my first choice when stealing company secrets really)
  • Removable Disks (includes flash memory keys)
  • Tape Drives
  • Windows Portable Devices (mobile phones and Windows PDAs etc)
  • PAP devices (media players)
  • Custom Classes (based on GUID)
  • All removable storage classes (your users really will hate you but your security rating will go through the roof)

Removable Storage group policy settings in Longhorn and Vista

So does all this work as expected? I tested on a Windows Longhorn Server beta 2, but if you have access to a Vista PC you can use local group policy to test the same setup.

First I determined both the Hardware and Compatible ID strings for my SanDisk Cruzer U3. This is done under Properties > Details in Device Manager. Since there are a lot of underscores I copied all the strings to a txt file. I then uninstalled the USB key.

The only reason I need those IDs is if I want to block or allow access to this particular device; blocking all removable drives doesn't rely on individual IDs.

Hardware IDs for a 2GB SanDisk Cruzer U3 USB key in Device Manager

Compatible IDs for the same USB key

Logged on as an ordinary user, I have no access to Device Manager, and when I plug the USB key back in, the system asks me for the driver. As I'm not an Administrator I get asked for administrative privileges and the installation fails. This certainly achieves the desired result, but what the user sees is less than intuitive.

Next I tested the policy settings for Removable Storage Access by denying write access to removable disks. Plugging my USB key in worked fine, but when I tried to create a folder I got an error message. No more stealing the company's client database this way! Notice that I also turned this policy on for CD/DVD drives, in effect turning a burner into a reader.

Attempting to save to a write protected USB key in Vista






Comments


David Flynn:

Forget about corporate security - where on earth do I get one of those cool sushi USB keys? :>

29 February 2008, 8:29 PM

steve allan:

Arhh, that's chicken feed ... soon billy boy will have a device that corporate employees will have to plug onto their pecker as to monitor if they really need to pee or are slacking off

29 February 2008, 8:29 PM

Tin:

Egads! The inability to mount removable media without permissions? What will they think of next?!?!

29 February 2008, 8:29 PM

michelle:

Great collection of weird and cool flashdrives is in this article:

29 February 2008, 8:29 PM

Stuart Mathers:

I work in IT security and am not that paranoid to need this feature. It's only an issue if you don't trust your staff (in which case don't worry about their USB key - why are they still working there?...)

If you trust your staff with using the system, desk phones, mobile, keys, photocopiers, etc. you can show them you trust them to obey policy and not take data off company PCs. Crude Microsoft solution to a people (rather than technology) problem...

29 February 2008, 8:29 PM

Paul Schnackenburg:

Thanks Stuart for your comment. I see your point, but to me it's a matter of volume and ease of access. If I have access to papers of a sensitive nature I can photocopy them. 10, 20, perhaps 50? With a 2 GB USB stick I can steal literally millions of pages in one go with much less chance of being discovered.
But I agree, in many ways this is a people problem.

29 February 2008, 8:29 PM
