USB Lockdown Policy with temporary override
Locking down USB access with a temporary override.
In this post, I will detail how you can lock down USB access in your organization whilst allowing a temporary override group, and automatically clear down the override on an Azure Automation schedule. We use this exact configuration in our environment to significantly reduce our USB attack vector, whilst also ensuring that those users with a legitimate business need are able to work with external media.
Creating the lockdown policy.
First things first, we need to create a policy to deny access to external media. To do this, in https://intune.microsoft.com/ go to Endpoint Security > Attack Surface Reduction. Create a new policy; in my example I have named this PROD | DEFAULT Block USB Drives, since this is the default production state in my environment. Under the configuration settings, select Device Control > Block Removable Storage (set to Yes). This will be assigned to All Users. It is important here that we exclude a temporary allow group (in my case, this is called CSG-USB-TempAllow), as these users should be allowed to access USBs.

Next, create another policy called USB Temp Allow. In this one, we configure the settings as follows:
Administrative Templates
- System > Removable Storage Access
- WPD Devices: Deny read access | Disabled
- WPD Devices: Deny read access (User) | Disabled
- WPD Devices: Deny write access | Disabled
- WPD Devices: Deny write access (User) | Disabled
This will be assigned to our Temp Allow group. I have named mine CSG-USB-TempAllow as this follows our firm's naming structure (CSG being Cloud Security Group).

Next, under Devices > Windows > Configuration Profiles we will create a policy to force BitLocker on all removable media that our users write to. To do this, create a new profile; I have called mine Bitlocker Go Encryption. The configuration settings will be Windows Encryption:
- Write access to removable data-drive not protected by BitLocker : Block
- Write access to devices configured in another organization : Block
The assignment for this policy will be CSG-USB-TempAllow, meaning that when a user is allowed access to USBs, BitLocker will also be enforced on any drive they write to.

Then, we need to create our group that is always allowed access to USBs. This may be because these users are often creating media, or reviewing media that comes in from a third party. In our case, we have named this group CSG-USB-MediaOperators and I have assigned an access review to this group as follows:
- Name: USB Media Operators | Monthly Review
- Resource: CSG-USB-MediaOperators
- Recurrence: Monthly
I can provide further assistance with setting up your access review as required.
This group is then nested into CSG-USB-TempAllow so that its members pick up the policies for USB allowance and for BitLocker enforcement.

Finally, we make all of this possible by leveraging an Azure Automation runbook which automatically clears down the CSG-USB-TempAllow group. To do this, navigate to https://portal.azure.com/ and search for Automation Accounts. Our firm's automation accounts follow a specific naming sequence, but you can name yours as you wish.
We will create a new PowerShell Runbook under this account (again, named as you see fit) and enter the code below. The runbook signs in with the Automation account's system-assigned managed identity, so that identity must be granted the rights to read and remove members of the group before the schedule will work.
```powershell
# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process

# Connect to Azure with the Automation account's system-assigned managed identity
$AzureContext = (Connect-AzAccount -Identity).context
#write-output "set and store azure-context"

$GroupID = "Your USB Temp Allow Group ObjectID goes here"
# The always-allowed group is nested inside the temp group and must never be removed
$MediaOperatorsID = "Your USB Media Operators Group ObjectID goes here"

$GroupToClean = (Get-AzADGroupMember -GroupObjectId $GroupID)
$Removed = 0

ForEach ($Member in $GroupToClean)
{
    $Member_ID = $Member.Id
    if ($Member_ID -ne $MediaOperatorsID)
    {
        Remove-AzADGroupMember -MemberObjectId $Member_ID -GroupObjectId $GroupID
        write-output "User: $($Member.displayName) removed from group"
        $Removed++
    }
}

# Nobody to remove (checked after the loop so every member is processed first)
if ($Removed -eq 0)
{
    write-output "No temporary members to remove"
    Exit 1
}
```
You can schedule this as you like. We run ours every Friday to ensure that the group is cleared down weekly.
And that’s it! You have created a USB lockdown policy with enforced Bitlocker and an automated script which will clear out your temporary group as per your Automation schedule.
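To confirm on a test device that the policies above have actually applied (a locked-down user should show the deny values set, while a CSG-USB-TempAllow member should show them cleared but BitLocker To Go enforcement present), here is an added PowerShell check that is not part of the original post. It assumes the Intune settings land in the standard Group Policy registry locations for the Removable Storage Access template and BitLocker (FVE); the device-class GUIDs and value names are the well-known ones, so confirm them against your tenant before relying on the output.

```powershell
# Added example (not from the original post): report the effective removable-storage
# and BitLocker To Go policy state of the device this runs on. Run in an elevated
# PowerShell after an Intune policy sync. Registry locations are assumed to be the
# standard Group Policy ones for these settings; verify against your tenant.
$storageBase = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$classes = @{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'WPD Devices (1)' = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'
    'WPD Devices (2)' = '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
}

function Get-PolicyDword {
    param([string]$Hive, [string]$SubKey, [string]$Name)
    $path = "${Hive}:\$SubKey"
    if (-not (Test-Path $path)) { return $null }
    (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-UsbLockdownState {
    $result = [ordered]@{}
    # "All Removable Storage classes: Deny all access" (machine scope)
    $result['Deny_All (HKLM)'] = Get-PolicyDword 'HKLM' $storageBase 'Deny_All'
    # Machine and (User) variants of the Removable Storage Access template
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($class in $classes.GetEnumerator()) {
            foreach ($verb in 'Deny_Read', 'Deny_Write') {
                $key = "$storageBase\$($class.Value)"
                $result["$($class.Key) $verb ($hive)"] = Get-PolicyDword $hive $key $verb
            }
        }
    }
    # BitLocker To Go enforcement from the Windows Encryption profile
    $fve = 'SOFTWARE\Policies\Microsoft\FVE'
    $result['RDVDenyWriteAccess (HKLM)'] = Get-PolicyDword 'HKLM' $fve 'RDVDenyWriteAccess'
    $result['RDVDenyCrossOrg (HKLM)']    = Get-PolicyDword 'HKLM' $fve 'RDVDenyCrossOrg'
    return $result
}

$state = Get-UsbLockdownState
$state.GetEnumerator() | ForEach-Object {
    $value = if ($null -eq $_.Value) { 'not set' } else { $_.Value }
    '{0,-40} {1}' -f $_.Key, $value
}
# Locked-down user: Deny_Read/Deny_Write = 1 (or Deny_All = 1) for the classes above.
# CSG-USB-TempAllow member: those values 0 or not set, RDVDenyWriteAccess = 1.
```

Run it once as a normal user and once as a member of CSG-USB-TempAllow on the same device to see the two states side by side.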
If you have any queries or feedback, please let me know in the comments below!