Guide to controlling device security built-in in Windows (Part 1)

In this two-part article we will show you how to protect Windows XP, Windows Server 2003 or Windows Vista from unwanted or pre-installed devices such as USB flash drives. , iPod, CD-ROM, DVD, wireless interface . using the features available in Windows. Let's go through the options available in Windows versions and see what they have in common and what's limited from a security standpoint.

An extended drive (or any other type) can be a blessing, but it can also be a nightmare to administer to a certain extent. With the ability to obtain a large amount of data stored on a small removable disk, it makes it an ideal tool for both users and administrators in their daily work. . However, it also causes some difficulties for the company's security policies, some people try to protect their intellectual resources or isolate them from malicious code software. The difficulty here is also caused by wireless communication, the wireless system can give you a large number of features as its 'mobility' but its weaknesses are parts. Dangerous soft code or unauthorized users can easily penetrate into your infrastructure.

With Windows XP and Windows Server 2003, in these two versions you won't get many options for pre-installed device control. However, there are still some features that can be implemented. The options available are:

Registry settings

When Windows XP SP2 was released, it had an option to make USB storage drives work only as read-only devices. By entering the Windows Registry database and navigating to HKLMSystemCurrentControlSetControl , you create a new key named StorageDevicePolicies . Inside this key, you create the REG_DWORD value named WriteProtect and give it a value of 1 . Done restarting the computer.

This feature does not really solve the problem raised in the article. It is only a viable solution, if you want to protect the company's intellectual resources and make it difficult for people with modest technical knowledge to copy data to a USB device. extend. However, your infrastructure still has a vulnerability in the form of being infected by malicious software stored on the primary key or maybe someone installed unauthorized software. Besides, it also only works with Microsoft own USB drives.

Group policies (Group Policies)

With external features, you only have a limited number of GPO settings that can allow you to control devices like Figure 1.

Guide to controlling device security built-in in Windows (Part 1) Picture 1
Figure 1

However, by adjusting these GPO settings you can change them to be beneficial. You can create an administrative template to disable extended storage devices introduced in the article Disabling USB drives, CD-ROM, Floppy Disk and LS-120 using Group Policy .

Guide to controlling device security built-in in Windows (Part 1) Picture 2
Figure 2

The secret behind this pattern is that different storage drives are disabled during the boot process. If you like, you can extend the administrator template to control other devices such as pre-installed Bluetooth drives in Windows XP SP2 and later versions.

This GPO method also has some limitations. The first is a computer-based GPO. Secondly, it is quite easy to configure as long as it is based on drives. However, it is easy to damage the administrator if you want to control specific home appliance's performance. There is a solution to this problem by making the user execute as non-administrator, the specific problem we will discuss later in this article. The third limitation is that this method can be tricked by a user to execute as an administrator. The gpdisable.exe tool from sysinternals.com (now part of Microsoft) can be used to disable this exception GPO with other GPOs, even if Software Restriction Policies are used. You can read more about this tool at: http://www.sysinternals.com/blog/2005/12/circumventing-group-policyas-limited.html

Allow users

If you are building a new base client from scratch, you need to have the option to control access to different storage disks based on a number of user groups. How to disable USB drives also introduces this issue in detail, but with the idea of ​​changing permissions and denying access to one or more security groups to NPE and INF files is linked to the drive you want to control.

However, there is another way to control this is to make the user execute as if there were no administrative rights.

When a user tries to install a new hardware for the first time, he will be denied unless there are rights as shown in Figure 3.

Guide to controlling device security built-in in Windows (Part 1) Picture 3
Figure 3

Disable PnP service (PnP Service)

Some administrators will perform measurements to make a decision to disable PnP Service. Normally, the PnP Service is automatically launched in Windows XP, Windows Server 2003 and also controls this service from a GPO. The advantage of this method is that it will make the computer start faster and solve the problem of device control, here it is assumed that the device is not added to the computer before this setting is possible. activated. However, it requires your deployment method to rely on a very tight deployment strategy, so this process makes it difficult to administer. The second weakness is that techniques such as evaluating two coefficients in the form of smart cards or USB cards will not work, these techniques and their tools depend on the PnP Service that started earlier.

Conclude

As you can see, there are some challenges in device control in Windows XP and Windows Server 2003, and there is no truly perfect solution for device control. So one question to answer here is what should you do?

  1. Wherever you must ensure that your users do not have local administrative rights.
  2. If you want to control real equipment, the best solution is a third-party solution for companies like SecureWave, GFI or ControlGuard, etc.
  3. Make sure that device control is based on whitelists (including authorized devices) in place of blacklists (including unauthorized devices). This will reduce complexity, administrative burden and increase overall security.

In the next article we will look more closely at the above principles and will tell you why and how Windows Vista can handle device control, which compares with Windows XP and Windows Server 2003.

4 ★ | 1 Vote

May be interested

  • Built-in device control security guide (Last part)Photo of Built-in device control security guide (Last part)
    in the previous article, we listed you some general options that we can use to protect devices in previous versions of windows vista. with windows vista we will have new tools for p
  • Wireless security: Say NO to WEP and YES to WPAPhoto of Wireless security: Say NO to WEP and YES to WPA
    if the reports and studies are accurate, a large number of wireless local area networks (wlans), especially those used in homes, are using outdated and less secure wep technology. ghost
  • How to hide the entire file systemPhoto of How to hide the entire file system
    simple file encryption has its own benefits, but it is sometimes useful to encrypt the entire file system or encrypt the entire drive. as in the case you need to protect a large set of files, or sometimes it is
  • Default denies all applications (part 1)Photo of Default denies all applications (part 1)
    software restriction policy (srp) - a software policy restriction utility - was first introduced in october 2001 with the introduction of microsoft windows xp professional. since then, this utility has a rather quiet, quiet life than any other
  • Data encryption with Windows XP ProfessionalPhoto of Data encryption with Windows XP Professional
    you are a business advisor and must constantly move. you bring your laptop everywhere wherever you are - on business trips, customer partners or even public holidays. the maintenance of confidential data confidential c
  • Secure ASP.NETPhoto of Secure ASP.NET
    security is an extremely complex topic and security in asp.net is no exception. .net developers must also be familiar with the difficulties encountered when searching vietnamese documents in this area. today, tipsmake.com would like to introduce the content of chapter 9, chapter about asp.net security in the book 'asp.net in a nutshell'