Protect your removable storage and printers with Microsoft Defender for Endpoint

Published Jul 19 2021 11:07 AM 15.5K Views
Microsoft

UPDATE: The Printer protection is now General Availability. We have backported the feature, so now it supports Windows 1809, 1909, 2004 or later.

 

External devices such as USB and home printers are commonplace tools needed to complete daily business operations. These devices help employee productivity, but also pose a threat to enterprise data and serve as a potential entry point for malware and viruses. The move to remote work due to COVID-19 over the last year has raised the risk to another level.

 

End user activities represent one of the most common threat vectors and Microsoft Defender for Endpoint brings a compelling story for organizations looking to reduce their security exposure associated with removable media and printing.

 

We are excited to announce new device control capabilities in Microsoft Defender for Endpoint to secure removable storage scenarios on Windows and macOS platforms and offer an additional layer of protection for printing scenarios. These new device control capabilities further reduce the potential attack surface on user’s machines and safeguard organizations against malware and data loss in removable storage media scenarios.

 

Overview

 

Feature Availability Documentation

Removable storage access control on Windows

General Availability (Defender version 4.18.2106 or later)

Removable storage access control

Removable storage protection on Mac

General Availability (Defender (Mac) version 101.34.20 or later)

Device control for macOS

Printer protection

General Availability (Windows 1809, 1909, 2004 or later)

Printer protection on Windows

 

What’s new

 

Removable storage access control on Windows

We are bringing removable storage access control capabilities on Windows to complement our existing device control protection in scenarios such as Device Installation, removable storage Endpoint DLP, and removable storage BitLocker.

 

The new feature allows to Audit/Allow/Prevent Read, Write, or Execute access to removable storage based on various device properties, e.g., Vendor ID, Serial Number, Friendly Name, with or without an exclusion.

 

Removable storage protection on Mac

We also recently introduced removable storage protection capabilities on Mac. USB storage device control for Mac is designed to regulate the level of access given to external USB storage devices (including SD cards). The access level is controlled through custom policies. You can find more details in our Mac USB storage device control blog.

 

  • The capability supports Audit and Block enforcement levels.
  • USB device access can be set to Read, Write, Execute, No access.
  • To achieve a high degree of granularity, USB access level can be specified for Product ID, Vendor ID, and Serial Number.
  • The custom policy allows customization of the URL where user is redirected to when interacting with an end user facing “device restricted” notification.

 

Printer protection on Windows

The new printer protection feature allows you to block users from printing via a non-corporate network printer or non-approved USB printer. This adds an additional layer of security and data protection for work from home and remote work scenarios.

 

Getting started

The next few sections will go over how to get started deploying and using the new device control capabilities.

 

How to deploy removable storage access control on Windows

Removable storage access control policies can be applied for a user or machine via GPO (group policy object). The feature includes group configuration policy and access control policy.

 

For example, here is the most common scenario: Prevent Write and Execute access to all but allow specific approved USBs.

Step 1: Create groups

  • Group 1: Any removable storage and CD/DVD. An example of a removable storage and CD/DVD is: Group 9b28fae8-72f7-4267-a1a5-685f747a7146 in the sample Any Removable Storage and CD-DVD Group.xml file.
  • Group 2: Approved USBs based on device properties. An example for this use case is: Instance ID – Group 65fa649a-a111-4912-9294-fb6337a25038 in the sample Approved USBs Group.xml file.

Step 2: Create policy

 

 

Deploy policy via Group Policy

  1. Combine all groups within <Groups> </Groups> into one xml file.

The following image illustrates the example of Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs.

Tewang_Chen_0-1626453194255.png

 

 

  1. Combine all rules within <PolicyRules> </PolicyRules> into one xml file.

If you want to restrict a specific user, then use SID property into the Entry. If there is no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.

 

The following image illustrates the usage of SID property, and an example of Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs.

Tewang_Chen_1-1626453287080.png

 

 

  1. Save both rule and group XML files on network share folder and put network share folder path into the Group Policy setting: Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Device Control: ‘Define device control policy groups’ and ‘Define device control policy rules’. If you cannot find the policy configuration UX in the Group Policy, you can download the WindowsDefender.adml and WindowsDefender.admx file by clicking 'Raw' and 'Save as'.

The target machine must be able to access the network share to have the policy. However, once the policy is read, the network share connection is no longer required, even after machine reboot.

 

Here is an example of configuring policy on Group Policy:

Tewang_Chen_2-1626453320757.png

 

 

View device control data in Microsoft Defender for Endpoint

The policy events can be viewed in Microsoft 365 Defender and the Microsoft Defender Security Center via advanced hunting.

Here is an advanced hunting query example:

 

Tewang_Chen_3-1626453367501.png

 

 

For more information, see Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs.

 

 

How to protect removable storage on Mac

To learn more about Mac USB storage device control, refer to our recent Mac USB storage device control blog. For a more in-depth overview of this capability and step by step guidance on configuring USB device control policies on macOS, refer to our Mac USB device control public documentation.

 

View Mac device control data in Microsoft Defender for Endpoint

USB device mount/unmount events on Mac devices can be viewed in Microsoft 365 Defender and in the Microsoft Defender Security Center via advanced hunting and in the device timeline.

 

Here is an advanced hunting query example:

 

DeviceEvents

    | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"

    | where DeviceId == "<device ID>"

 

And that is how the above advanced hunting query looks like in the security center:

Tewang_Chen_4-1626453401628.png

 

Here is an example of Mac USB device control event in the device timeline page:

Tewang_Chen_5-1626453427502.png

 

 

How to deploy printer protection on Windows

To deploy printer protection on Windows, you can apply the policy for users or machines via GPO or Intune/OMA-URI.

 

Deploy policy via Intune OMA-URI

For Intune, currently printer protection supports Open Mobile Alliance Uniform Resource Identifier (OMA-URI) setting (Microsoft Endpoint Manager admin center: Devices -> Configuration profiles -> Create profile -> Platform: Windows 10 and later; Profile type: Templates -> Custom) only.

 

Block people from printing via any non-corporate printer

  • Apply policy over machine:
    • ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl
  • Apply policy over user:
    • ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser

The CSP support string Data type with Value: 

Tewang_Chen_6-1626453462676.png

 

 

Allow specific approved USB printers

  • Apply policy over machine:
    • ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices
  • Apply policy over user:
    • ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser

The CSP support string Data type with approved USB printer VID/PID via ‘ApprovedUsbPrintDevices’ property and the property supports multiple VID/PIDs via comma. Currently does not support wildcard.

 

The following is a policy allowing printing if the USB printer VID/PID is either 03F0/0853 or 0351/0872 - <enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>:

Tewang_Chen_7-1626453565826.png

 

 

Deploy policy via Group Policy

Block people from printing via any non-corporate printer

  • Apply policy over machine:
    • Computer Configuration > Administrative Templates > Printer: Enable Device control Printing Restrictions
  • Apply policy over user:
    • User Configuration > Administrative Templates > Control Panel > Printers: Enable Device control Printing Restrictions

Following is an example of configuring the policy in Group Policy:

Tewang_Chen_8-1626453596023.png

 

 

Allow specific approved USB printers

  • Apply policy over machine:
    • Computer Configuration > Administrative Templates > Printer: List of Approved USB-connected print devices
  • Apply policy over user:
    • User Configuration > Administrative Templates > Control Panel > Printers: List of Approved USB-connected print devices

Following is an example allowing printing if the USB printer VID/PID is either 03F0/0853 or 0351/0872:

Tewang_Chen_9-1626453625977.png

 

 

View device control data in Microsoft Defender for Endpoint

The policy events can be viewed in Microsoft 365 Defender and the Microsoft Defender Security Center via advanced hunting.

Here is an advanced hunting query example:

Tewang_Chen_10-1626453655550.png

 

 

For more information, see our documentation: Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs

 

 

We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.  

 

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today. 

 

Microsoft Defender for Endpoint team

36 Comments
Version history
Last update:
‎Aug 26 2021 09:10 AM
Updated by: