Introduction
USB devices and external media continues to pose a very real and immediate threat to businesses around the world, introducing a potential attack vector for malicious files from keyloggers to ransomware. Whilst it’s easy to say to disable USB media entirely, sometimes it is not possible to do so - particularly where external media is used by your suppliers or vendors to share media in an encrypted format.
With this in mind, we can instead leverage tools such as InTune and Azure Automation to lock down external media with a temporary override instead. In this post, I will detail how you can lock down USB access in your organization, whilst allowing a temporary override group, and automatically clear down the override on an Azure Automation schedule.
Creating the lock-down policy
First, we need to create our default deny policy which will be used to deny all access to external media. This will become the standard policy, and we will override this with our temporary group.
To do this, in https://intune.microsoft.com/ we will go to Endpoint Security > Attack Surface Reduction. Create a new policy, in my lab I will name this PROD | DEFAULT Block USB Drives since this is the default state for my use case.
Under the configuration settings, select Device Control > Block Removable Storage (set to YES). This will be assigned to All Users - It is important here that we exclude a temporary allow group (In my case, this is called SEC-USBTempAllow) as these users should be allowed to access USBs.
With the exclusion group in place, we need a second policy which will cover these users. Therefore, create another policy called USB Temp Allow. In this one, we configure the settings as follows:
Administrative Templates
- System > Removable Storage Access
- WPD Devices: Deny read access | Disabled
- WPD Devices: Deny read access (User) | Disabled
- WPD Devices: Deny write access | Disabled
- WPD Devices: Deny write access (User) | Disabled
This will be assigned to our Temp Allow group - I have named mine SEC-USBTempAllow.
Force Bitlocker for the temporarily accessed USB storage
Finally, under Devices > Windows > Configuration Profiles we will create a policy to force Bitlocker on all removable media that our users write to. To do this, create a new profile - I have called mine Bitlocker Go Encryption.
The configuration settings will be Windows Encryption
- Write access to removable data-drive not protected by BitLocker : Block
- Write access to devices configured in another organization : Block
The assignment for this policy will be SEC-USBTempAllow, meaning that when a user is allowed access to USBs it will also force Bitlocker requirement.
Then, we need to create our group that is always allowed access to USBs. This may be because these users are often creating media or reviewing media that comes in from a third party. In our case, we have named this group SEC-USB-MediaOperators and I have assigned an access review to this group as follows:
Access Review
Name: USB Media Operators | Monthly Review
Resource: CSG-USB-MediaOperators
Recurrence: Monthly
This group is then nested into CSG-USB-TempAllow so that they pick up the policies for USB allowance and for Bitlocker enforcement.
I can provide further assistance with setting up your access review as required, over on our forums at: https://sysadmins.zone/
Azure Automation
Finally, we make all of this possible by leveraging an Azure Automation which automatically clears down the SEC-USBTempAllow group. To do this, navigate to https://portal.azure.com/ and search for Automation Accounts. Our firm’s automation accounts follow a specific naming sequence, but you can name yours as you wish.
We will create a new Runbook under this account (again, named as you see fit) and enter the below code:
# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process
# Connect to Azure with system-assigned managed identity
$AzureContext = (Connect-AzAccount -Identity).context
#write-output "set and store azure-context"
$GroupID = "Your USB Temp Allow Group ObjectID goes here"
$GroupToClean = (Get-AzADGroupMember -GroupObjectId $GroupID)
ForEach($Member in $GroupToClean)
{
$Member_ID = $Member.Id
if ($Member_ID -ne "Your USB Media Operators Group ObjectID goes here") {
Remove-AzADGroupMember -MemberObjectId $Member_ID -GroupObjectId $GroupID
write-output "User: $($Member.displayName) removed from group"
}
#Nobody to remove
Exit 1
}You can schedule this as you like. We run ours every Friday to ensure that the group is cleared down weekly.
And that’s it! You have created a USB lockdown policy with enforced Bitlocker and an automated script which will clear out your temporary group as per your Automation schedule.
If you have any queries or feedback, please join our discussion on the forums!
