Raven is a Miniature Schnauzer that doesn’t like small critters in the yard unless they can fly. This gives Raven an insurmountable challenge, since my wife is such an avid gardener. We live on the side of a hill and at the top of the backyard is a manmade bog which feeds a downhill river to a to a pond with trees and flowers everywhere. Along with this are bird feeders and some birds love to scatter the feed from the feeders to the ground. So, our back yard is a perfect setting to get a lot of squirrels', chipmunks, etc… When we go out the back door to the yard, Raven races out trying to catch up with the critters, but she just isn’t fast enough, and all the animals disperse quickly.
This chaos makes me think about some enterprise admins who are concerned about having to control the dispersion of enterprise data being stored on unapproved USB devices. The expectation that users are to only use USB data storage devices that are approved by corporate guidelines, without built-in security controls, is a task admins will never be able to achieve. This expectation is similar to the position of Raven ever catching a squirrel out back, it just won't happen. Someone will forget a device, or they just don't appreciate the governance definition and will plug in any storage device they have access to. Even though there are many stories on the internet that talk about attackers loading USB storage devices with malware and intentionally placing them into a location that a target victim will find. The victim then connects the USB device into their workstations and unknowingly gets compromised.
Fortunately, Microsoft has built in security controls in our modern o/s’s to assist our customers in controlling the use of defined USB devices. The explanation below covers USB storage, but it really pertains to ALL USB devices that can be controlled. So, lets walk through the device management and control of devices.
Once a USB device has been inserted within the windows ecosystem, the device driver(s) have been installed and the ability to prevent use is no longer available, until the driver(s) have been removed/uninstalled. The steps for uninstall/removal are defined later in this document, Revoke previously used USB storage.
NOTE Always test and refine these settings with a pilot group of users and devices first, before widely distributing to your organization!
Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access:
The Group Policy controls are located at:
Computer Configuration > Policies > Administrative Templates > System > Device Installation > Device Installation Restrictions
Example highlighted in yellow for keyboard and mouse classes.
To manage USB control from Intune, a “Configuration Profile” will need to be created.
https://endpoint.microsoft.com
There are 5 configuration settings that will allow you to control the use of USB devices.
To define unique classes of devices
Example highlighted in yellow for keyboard and mouse classes.
USB devices that have already been used have had the device driver installed, therefore the control of these devices won’t work until the drivers have first been uninstalled. Looking at the Device Manager console image below, there are two USB storage devices in use. An approved SanDisk and an unapproved Generic USB drive.
Right clicking on the device will provide the admin with the ability to select, “Uninstall”. Once the device has been uninstalled the device will no longer be able to be used on this host. Since the policy controls the installation of the driver for the USB device.
Uninstall device driver(s) via Devcon
In a large enterprise visiting individual workstations isn’t a reasonable situation, therefore processing from a command line will be necessary.
Devcon is a part of the Windows Driver Kit (WDK) so in order to gain access an instance of WDK will be required to be installed. Installing by itself won’t make the WDK fully usable since it requires Visual Studio. Since you are looking to gain access to Devcon, there is no need to install Visual Studio (VS). It would probably be best that this install be completed on a lab device to not pollute a desktop with unnecessary binaries and just copy the files needed.
Downloads:
https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
Steps required to install WDK to gain access to Devcon
Next
Next
Next
Accept
Close
Once completed find the binaries that will be needed. Generally, it will be x64 and possibly x86 but x64, x86, arm and arm64 will all be available. Copy the files to desired host.
Note: Be extremely careful! ALL devices for the host are exposed with this utility. You could damage the host irreparably if the wrong drivers are removed.
Change directory to the Devcon binary that will be used for the process
Example: cd C:\Program Files (x86)\Windows Kits\10\Tools\x64
This isn't just USB drives shown in this command
devcon hwids =diskDrive
If a drive was added prior to the policy, then the driver already exists and will allow the user to continue to use an unapproved device
devcon /r remove <HdwId>
Example: devcon /r remove USBSTOR\Disk________________________0.00
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon-examples
Find USB Storage in use with Microsoft Defender ATP
With Microsoft Defender ATP you can use the “Advanced Hunting” portal to search for USB devices that have been mounted on your users devices that are being managed by MD ATP.
https://securitycenter.windows.com/
The query below will list ALL Defender clients that have mounted a USB storage device in the past day. This can extend backwards further by adjusting the Timestamp variable.
// Find all "Mounted" storage activity within the past day
DeviceEvents
| where ActionType == "UsbDriveMount" and Timestamp > ago(1d)
| extend DriveLetter = parse_json(AdditionalFields).DriveLetter
| extend BusType = parse_json(AdditionalFields).BusType
| extend ProductName = parse_json(AdditionalFields).ProductName
| extend ProductRevision = parse_json(AdditionalFields).ProductRevision
| extend SerialNumber = parse_json(AdditionalFields).SerialNumber
| extend Manufacturer = parse_json(AdditionalFields).Manufacturer
| extend Volume = parse_json(AdditionalFields).Volume
| project DeviceName, DeviceId, Timestamp, DriveLetter, Manufacturer, ProductName, BusType, ProductRevision, SerialNumber, Volume
The query below will list ALL Defender clients that have mounted a USB storage device in the past day but aren’t a part of a defined set of approved Manufacturer and Product Name. This can extend backwards further by adjusting the Timestamp variable.
// Find all "Mounted" storage activity that isn't approved via "Manufacturer" and "ProductName" within the past day
DeviceEvents
| where ActionType == "UsbDriveMount" and Timestamp > ago(1d)
| extend DriveLetter = parse_json(AdditionalFields).DriveLetter
| extend BusType = parse_json(AdditionalFields).BusType
| extend ProductName = parse_json(AdditionalFields).ProductName
| extend ProductRevision = parse_json(AdditionalFields).ProductRevision
| extend SerialNumber = parse_json(AdditionalFields).SerialNumber
| extend Manufacturer = parse_json(AdditionalFields).Manufacturer
| extend Volume = parse_json(AdditionalFields).Volume
| extend ClassName = parse_json(AdditionalFields).ClassName
| where Manufacturer !startswith "SanDisk" and ProductName !startswith "Extreme Pro"
| project ClassName, DeviceName, DeviceId, Timestamp, DriveLetter, Manufacturer, ProductName, BusType, ProductRevision, SerialNumber, Volume
Query for storage connectivity attempts
The query below will list ALL Defender clients that have attempted to mount a USB storage device. This includes both successful and unsuccessful attempts This can extend backwards further by adjusting the Timestamp variable.
// Find all storage device connection activity in the past day
DeviceEvents
| where ActionType == "PnpDeviceConnected" and Timestamp > ago(1d)
| extend ClassName = parse_json(AdditionalFields).ClassName
| extend DeviceId = parse_json(AdditionalFields).DeviceId
| extend VendorIds = parse_json(AdditionalFields).VendorIds
| extend DeviceDescription = parse_json(AdditionalFields).DeviceDescription
| project ClassName, DeviceDescription, Timestamp, DeviceId, VendorIds, DeviceName
| where ClassName contains "drive" or ClassName contains "usb"
Query for storage connectivity attempts or mounts
The query below will list ALL Defender clients that have attempted to connect or mount a USB storage device. This includes both successful and unsuccessful attempts This can extend backwards further by adjusting the Timestamp variable.
// List all Disk storage connection or mount activities in the past day
DeviceEvents
| where (ActionType == "UsbDriveMount" or ActionType == "PnpDeviceConnected") and Timestamp > ago(1d)
| extend DriveLetter = parse_json(AdditionalFields).DriveLetter
| extend BusType = parse_json(AdditionalFields).BusType
| extend ProductName = parse_json(AdditionalFields).ProductName
| extend ProductRevision = parse_json(AdditionalFields).ProductRevision
| extend SerialNumber = parse_json(AdditionalFields).SerialNumber
| extend Manufacturer = parse_json(AdditionalFields).Manufacturer
| extend ClassName = parse_json(AdditionalFields).ClassName
| extend Volume = parse_json(AdditionalFields).Volume
| extend DeviceDescription = parse_json(AdditionalFields).DeviceDescription
| project Timestamp, DeviceName, DriveLetter, Manufacturer, ProductName, BusType, ProductRevision, SerialNumber, Volume, ClassName, DeviceDescription, DeviceId
| where ClassName contains "drive" or ClassName contains "usb" or DriveLetter contains ":"
Well that covers it for this edition of USB management control. So unfortunately for Raven, there is no way for her to define “Critters allowed in the yard” but there are built-in control features available for Windows desktop and server admins to control what USB devices can be plugged into managed devices.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.