How to Block Unwanted Memory Cards
Many organizations allow USB sticks because the business requires them. However, allowing USB disk storage also allows many unwanted things, for example users connecting mobile phones, cameras, iPods and other music players to the production environment.
This is a concern for data leakage, and because these memory cards are not protected, threats and malware very commonly enter by this route.
So our target should be to allow USB sticks but block these memory cards.
This can be achieved in two steps:
1. Log these devices using Application Control of SEP and analyze which ones are not required.
2. Block the unwanted memory cards using Device Control of SEP.
1. i) Monitor all the Device IDs for USB disks centrally from SEPM.
Create a new rule set called Registry Disk Drive Monitor.
Create a Registry Access Attempt rule for the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\DISK\*
For each of these keys, set the following actions:
Read Attempt: Continue Processing other Rule, Enable Logging and No Notification
Write, Create and Delete Attempt: Continue Processing other Rule, Enable Logging and No Notification
ii) Once the rule is enabled, review the log files daily or weekly.
Go to SEPM > Monitors > Logs
Log Type: Application and Device Control
Log Content: Application Control
When reviewing the logs, keep this image as a reference to identify what each Device ID is used for:
E.g.: USBSTORUSBSTOR&DISK&VEN_SONYERIC&PROD__MOBILE_STORAGE&REV1.0….
USBSTORUSBSTOR&DISK&VEN_HTC&PROD_ANDROID_PHONE&REV….
USBSTOR/DISK&VEN_RIM&PROD_BLACKBERRY&REV….
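For the periodic log review in step 1, the following added example (not part of the original article or of SEP) collapses repeated log entries into one line per device, with the hosts that saw it, and marks likely phones and players for a human to confirm. The CSV layout, host names, sample rows and the REVIEW_HINTS keyword list are constructed assumptions; a real SEPM export has different columns.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: host,user,target rows standing in for an exported
# Application Control log. Real SEPM exports have different columns.
SAMPLE_LOG = r"""host,user,target
PC-014,alice,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\SERIAL01&0
PC-014,alice,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\SERIAL01&0
PC-040,bob,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\DISK&VEN_HTC&PROD_ANDROID_PHONE&REV_0100\SERIAL02&0
PC-022,carol,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_RIM&Prod_BlackBerry&Rev_0002\SERIAL03&0
PC-031,dave,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\SERIAL04&0
PC-031,dave,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
"""

# Assumed review hints taken from the device types the article wants to block.
REVIEW_HINTS = ("PHONE", "MOBILE", "BLACKBERRY", "CAMERA", "IPOD")

# Vendor and product fields of a USBSTOR disk device ID; separators are matched
# loosely because the IDs quoted in the article appear with varying separators.
DEVICE_RE = re.compile(
    r"USBSTOR[\\/&]+DISK&VEN_(?P<ven>[^&\\/]*)&PROD_(?P<prod>[^&\\/]*)", re.I)

def summarize(log_text):
    """Map each distinct device (vendor + product) to the hosts that saw it."""
    devices = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        match = DEVICE_RE.search(row["target"] or "")
        if match is None:
            continue  # parent key or unrelated entry, no device ID to extract
        key = "VEN_{}&PROD_{}".format(match["ven"].upper(), match["prod"].upper())
        devices[key].add(row["host"])
    return dict(devices)

def candidates(devices):
    """Devices whose ID contains a review hint; a human still decides."""
    return sorted(d for d in devices if any(h in d for h in REVIEW_HINTS))

if __name__ == "__main__":
    seen = summarize(SAMPLE_LOG)
    for dev in sorted(seen):
        mark = "REVIEW" if dev in candidates(seen) else "check "
        print(mark, dev, "hosts:", ", ".join(sorted(seen[dev])))
```

Devices that match no hint still need a look during review, since a memory card reader or camera may report a vendor and product string that contains none of the keywords.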
2. Once you have reviewed the devices, removed the USB sticks and allowed devices from the list, and are ready with the devices to block:
Go to SEPM > Policies > Policy Components > Hardware Devices and add the devices you want to block.
Then edit the Device Control policy and block the Device IDs you have added to the Hardware Devices list.