The fine balance between Device Control Policy & removable storage

-
Microsoft Defender for Endpoint Device Control protects against data loss by monitoring and controlling media use of removable storage devices and USB drives. It is part of the Attack Surface Reduction profiles which enables auditing, read, write or execute access to removable storage.

Once you enable Device Control policy, you can find the device control report in the Microsoft 365 security center.


However, please note that the device control report can have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the card or in the domain list.

I recently came across a situation where there was a requirement for allowing the use of USB screen sharing solutions like Barco Clickshare. They are normally used in VC Meeting rooms and the process for activation requires plugging them into a laptop and running the application executable.

To ensure the use of such devices, you either disable the Device Control policy or simply create a whitelist. Creating a whitelist is obviously the desirable and recommended option.

You can whitelist using Device identifiers, device instance identifiers or setup class. Depending on the method of your deployment of the Device Control policy, these device identifiers or classes will need to be added accordingly. If you are using the GPO method, then you will need to create an XML for the policy rule. I am using Intune to configure the Device control policy so I am going to cover the process for the same.

We first need to identify the relevant device identifier, instance identifier or class for the device in question. There is no one solution that fits all and a lot will depend on which all devices your organization want to allow or block access to.

In my case, since I was dealing with multiple device ids, I decided to whitelist the setup class. There are multiple ways to extract the details. If your Defender policy is already enforced, then the easiest way I have found is by analyzing the events in the Microsoft 365 security center.

Head down to Reports->Device Control and click on View Details. Then click on filter and use the fields in the fly out screen to search for the events for the relevant device. In my case, I already know which device I intend to address so I am using the Device id field to filter for the events.



Class GUID 4d36e967-e325-11ce-bfc1-08002be10318 corresponds to DiskDrive. Adding this will allow whitelisting all devices falling under this category. Again, if this is something your organization is not ready to do, then I'll suggest to use individual device id identifiers instead.

If you are yet to enable the Device Control policy, then you can also manually pull the details. One way is to directly check in Device Manager, as shown below.


Another way is to run a PS script to pull the information.

Get-WmiObject Win32_PNPEntity | select name,classguid | sort-object classguid


Next step is to add the extracted class GUID in the Intune policy. See below.


Now we configure the use of removable storage itself. I am allowing reading of the content from the removable storage (by leaving it Not Configured in other words), but blocking the Write function to protect corporate data from being copied over to the removable storage.


Conclusion

Most organizations tighten the security on end user devices by prohibiting the use of removable storage. However, with the advancement in technology, VC meeting rooms for example where third party screen sharing solutions are being implemented, organizations will feel the need to fine tune their security policies to allow the use of certain devices. Luckily, there are options available within Device Control policy which allows flexibility in addressing such requirements. 

Until next time..

References


Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more