S 4.200 Handling of USB storage media
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
A number of peripheral devices can be connected to a PC via the USB interface, for example hard disks, CD/DVD burners and memory sticks. A USB memory stick consists of little more than a USB connector and a memory chip. Despite their large storage capacity, sticks are so small that they are sold as key rings, for example, and fit in any trouser pocket. Their price has fallen so sharply that they have rendered diskettes obsolete even in private use. Drivers for USB mass storage devices are already integrated in modern operating systems, so no additional software has to be installed before such a device can be used.

This safeguard does not only apply to USB storage media in the narrow sense, but to every type of USB device that can store data. USB printers and USB cameras, among others, can also be "misused" to store data. This applies in particular to "intelligent" USB devices such as PDAs, which can assume any USB identity if they are equipped with the appropriate software.
As with diskettes, USB storage media allow information and programs to be copied in or out without any control. USB storage media should therefore generally be handled in the same way as conventional removable media. Access to removable-media drives is relatively easy to prevent (see S 4.4 Correct handling of drives for removable media and external data storage). Preventing the use of USB storage media, by contrast, is difficult whenever the USB interface is also needed for other devices; on some notebooks, for example, the mouse can only be connected via USB. A USB lock or some other mechanical means of disabling the interface is therefore generally impractical.

The use of the interface should instead be controlled by granting the appropriate permissions at operating system level or by means of additional utility programs. Alternatively, the addition of devices can be monitored. When a storage device is connected to an external interface, the operating system usually loads a driver or kernel module, or creates entries in configuration files (for example in the Windows registry), and these changes can be detected. Once a change has been detected, a log entry can be written or an administrator can be notified, for example. This requires additional software, which must either be developed in-house or purchased from a third-party vendor.
The technical details for Windows 2000 and XP are described in the following.
Disabling device drivers
- Windows 2000
In Windows 2000, the start-up of the device driver for USB storage media can be disabled. This completely prevents a standard user from adding a USB mass storage device, since the user cannot change the start mode of the device driver. It also puts an additional obstacle in the way of a standard user who has obtained an administrator password without authorisation and wants to copy data out.
In Windows 2000, USB sticks are registered as USB mass storage devices. The device driver is started as a service to operate the device.
The registry specifies how the service is started (manually, automatically or disabled). The driver for USB mass storage devices is registered as the USBStor service under HKLM\System\CurrentControlSet\Services; its start mode is set in the Start value of that service key. If the USBStor driver is disabled (Start = 0x00000004), mass storage devices can no longer be installed or added to the system.
- Windows XP
Windows XP behaves differently from Windows 2000. If a mass storage device that is already known to the computer is connected, the device is recognised but cannot be used as long as the start mode in the registry is set to disabled. As soon as an unknown USB mass storage device is connected, however, new drivers are installed and the settings of the USBStor service in the registry are overwritten; the start mode is reset in the process. The use of USB mass storage devices therefore cannot be prevented globally in Windows XP by this setting alone, and the setting must be checked again after every driver installation.
With Service Pack 2, Windows XP at least offers the ability to prevent write access to USB block storage devices. USB storage media are then handled like CD-ROM drives, i.e. data can only be read from such a medium, not written to it. Write access is disabled by creating the registry key HKLM\System\CurrentControlSet\Control\StorageDevicePolicies (it does not exist by default) and setting the DWORD value WriteProtect in that key to 1.
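The following script is an added example and not part of the original safeguard text; it applies the two settings described above (USBStor start mode, WriteProtect) and reads them back so that the state can be verified, which matters on Windows XP, where the installation of an unknown device resets the start mode. The function names are arbitrary; the registry paths are those given in the text. It must be run from an administrator PowerShell prompt.

```powershell
# Added example (not part of S 4.200): apply and verify the two registry
# settings described in the text. Run from an administrator PowerShell prompt.
$UsbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Policies = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Disable-UsbStor {
    # Start = 4 is SERVICE_DISABLED: the USBStor driver is not started, so
    # USB mass storage devices cannot be installed or added (Windows 2000).
    Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord
}

function Enable-UsbWriteProtect {
    # Windows XP SP2 and later: USB block devices become read-only, like CD-ROMs.
    # The StorageDevicePolicies key does not exist by default and is created here.
    if (-not (Test-Path $Policies)) { New-Item -Path $Policies -Force | Out-Null }
    Set-ItemProperty -Path $Policies -Name WriteProtect -Value 1 -Type DWord
}

function Get-UsbLockdownState {
    # Re-read both values. On Windows XP the Start value is reset when an unknown
    # device is installed, so this check belongs in a regular review.
    $start = (Get-ItemProperty -Path $UsbStor -Name Start -ErrorAction SilentlyContinue).Start
    $wp    = (Get-ItemProperty -Path $Policies -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    New-Object PSObject -Property @{
        UsbStorStart   = $start
        UsbStorBlocked = ($start -eq 4)
        WriteProtect   = $wp
        ReadOnlyUsb    = ($wp -eq 1)
    }
}

Disable-UsbStor
Enable-UsbWriteProtect
Get-UsbLockdownState | Format-List
```

Get-UsbLockdownState can be scheduled on its own to answer the review question below for USBStor: if UsbStorBlocked reports False on a Windows XP machine that was locked down earlier, a new mass storage device has been installed in the meantime and the start mode has been reset.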
Monitoring the computer
- Windows 2000/XP
Under both operating systems, monitoring the registry, and thus responding only when new hardware is actually added, is a promising approach: any attempt to add a device is detected at once.
Once the addition of new devices is monitored, a response can be triggered. Every USB device that has ever been connected is listed in the registry under HKLM\System\CurrentControlSet\Enum\USB. A script or program can watch this key and detect a device being added without permission. A positive list (allow list) of the devices that may be added can be built into the program so that devices which are actually required, such as a USB mouse, do not trigger a response. If the unauthorised addition of a device is detected, an appropriate response can be initiated, for example shutting down the system or notifying the administrator via net send or e-mail. Monitoring the registry requires special software, which must either be purchased from a third-party vendor or developed in-house.
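The following monitor is an added example and not part of the original safeguard text or of any vendor product. It polls the Enum\USB key, compares the hardware IDs found there against a positive list and raises an alert for every ID that is not on the list. The positive list, log file path, event source name, event ID and polling interval are assumptions chosen for illustration; the registry key is the one named in the text. It has to run with administrative rights (for example as a scheduled task at system start-up) so that it can create its event log source.

```powershell
# Added example (not part of S 4.200): poll the Enum\USB key and report hardware
# IDs that are not on the positive list. The list, log path, event source,
# event ID and interval are assumptions for illustration.
$EnumUsb  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
$LogFile  = 'C:\Logs\usb-monitor.log'     # assumed location
$EventSrc = 'UsbMonitor'                  # assumed event log source name
$Allowed  = @(
    'ROOT_HUB', 'ROOT_HUB20',             # hub pseudo-devices present on every system
    'VID_046D&PID_C077'                   # hypothetical ID of the permitted USB mouse
)

function Get-UsbHardwareIds {
    # Every device ever registered appears as a subkey named VID_xxxx&PID_xxxx
    # (older systems write Vid_/Pid_ in mixed case). Entries persist after the
    # device has been unplugged, so the key is a register of installations.
    if (-not (Test-Path $EnumUsb)) { return @() }
    Get-ChildItem -Path $EnumUsb | ForEach-Object { $_.PSChildName }
}

function Find-UnauthorisedUsbIds([string[]]$Ids, [string[]]$AllowList) {
    # Pure comparison, kept separate so it can be exercised against sample data.
    # -notcontains compares case-insensitively, which absorbs the Vid_/VID_ variation.
    $Ids | Where-Object { $AllowList -notcontains $_ }
}

function Send-UsbAlert([string]$Message) {
    # Response: append to the log file and write a Warning to the Application
    # event log, from where a central log collector can pick it up.
    Add-Content -Path $LogFile -Value $Message
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSrc)) {
        New-EventLog -LogName Application -Source $EventSrc
    }
    Write-EventLog -LogName Application -Source $EventSrc -EntryType Warning `
                   -EventId 4200 -Message $Message
}

function Start-UsbMonitor([int]$IntervalSeconds = 10) {
    $reported = @{}
    while ($true) {
        $unknown = Find-UnauthorisedUsbIds (Get-UsbHardwareIds) $Allowed
        foreach ($id in @($unknown)) {
            # Report each unauthorised ID once; it stays in the registry afterwards.
            if ($id -and -not $reported.ContainsKey($id)) {
                $reported[$id] = Get-Date
                Send-UsbAlert ("{0} {1}: USB device not on positive list: {2}" -f `
                    (Get-Date -Format s), $env:COMPUTERNAME, $id)
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Start-UsbMonitor
```

Because Enum\USB entries survive the removal of the device, the monitor reports the first registration of an unauthorised device, not every time it is plugged in; the entries are at the same time useful evidence for a later forensic review of which devices have been connected to the machine. The alert could equally be sent by e-mail or, on Windows 2000/XP, via net send, as mentioned in the text; the event log was chosen here because it is collected by the same means as the other security logs.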
Review questions:
- Is the connection of USB devices logged and are the logs evaluated regularly?