Only 20% of the servers reviewed log USB insertion events, which makes forensic analysis of a suspected exfiltration difficult.

## 5. Recommended Controls & Implementation

### 5.1 Group Policy (Best for Domain-Joined Servers)

Configure the following policy via gpmc.msc (this is the "Deny all access" policy referred to in sections 8 and 9):

- Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access > All Removable Storage classes: Deny all access = Enabled

Link the GPO to the Server OUs and run `gpupdate /force` on a test server before rolling it out. Note that this computer-level policy denies access to every user of the machine, local administrators included, so licence dongles and vendor USB storage need the exception process described in section 8.
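The following is an added example, not part of the original report: it checks whether the "All Removable Storage classes: Deny all access" setting from section 5.1 is in force on a list of servers (and whether the USBSTOR driver has been disabled as a second layer), reports any USB mass-storage device currently present, and can apply the same setting locally on standalone servers. The server names are placeholders, and the hosts are assumed to accept WinRM from the administrator running it.

```powershell
# Added example, not part of the original report: audit (and optionally apply
# locally) the "Deny all access" removable-storage setting from section 5.1 and
# report whether USB mass storage is plugged in right now.
# Server names below are placeholders; run as an administrator with WinRM enabled.

function Get-UsbStorageControlState {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Deny_All = 1 is the value the GPO writes; the same key works as a local policy
        $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
        # Start = 4 disables the USB mass-storage driver outright (defence in depth; default is 3)
        $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

        $denyAll = (Get-ItemProperty -Path $policyKey  -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
        $start   = (Get-ItemProperty -Path $usbstorKey -Name Start    -ErrorAction SilentlyContinue).Start
        # Any present disk whose instance ID starts with USBSTOR\ is a USB mass-storage device
        $usbDisks = @(Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
                      Where-Object InstanceId -like 'USBSTOR\*')

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            DenyAllPolicy   = ($denyAll -eq 1)
            UsbStorDisabled = ($start -eq 4)
            UsbDisksPresent = $usbDisks.Count
            Compliant       = ($denyAll -eq 1 -or $start -eq 4)
        }
    } | Select-Object Computer, DenyAllPolicy, UsbStorDisabled, UsbDisksPresent, Compliant
}

function Set-UsbStorageDenyAll {
    # Local equivalent of the GPO for standalone servers; domain policy overrides it on joined hosts.
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name Deny_All -Value 1 -Type DWord
        gpupdate /target:computer /force | Out-Null
    }
}

# Report: placeholder server names, non-compliant hosts first
$servers = 'DC01', 'FS01'
Get-UsbStorageControlState -ComputerName $servers | Sort-Object Compliant | Format-Table -AutoSize
```

A host reporting `Compliant = False` with `UsbDisksPresent` greater than zero is the case the report is worried about: storage is mounted and nothing is stopping it. Disabling USBSTOR is deliberately reported separately because it also blocks the licensing dongles the exception process in section 8 exists for.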
Enable object-access auditing for removable storage so that reads and writes to a mounted device are recorded as Security event 4663:

```powershell
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
```

| Event ID | Source | Description |
| :--- | :--- | :--- |
| 2003 | Microsoft-Windows-DriverFrameworks-UserMode/Operational | USB device connected (UMDF host started for the device); this log is disabled by default |
| 225 | Kernel-PnP (System log) | Removal/ejection of a device was vetoed by an application (a removal event, not a connect event) |
| 4663 | Security | Attempted access to a removable storage object (only generated once the auditpol setting above is enabled) |

These events only reach the SIEM if the relevant channel is enabled on every server, so enabling the log belongs in the server baseline rather than being a manual step.
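The following is an added example, not part of the original report: it enables the two audit sources from the table above, pulls the resulting connect and access events into one timeline, and registers the event-triggered alert task for Domain Controllers that the report asks for later. It assumes that event 2003 is read from the Microsoft-Windows-DriverFrameworks-UserMode Operational channel and that `C:\Scripts\Send-UsbAlert.ps1` is a placeholder for the site's own mail or SIEM notification script.

```powershell
# Added example, not part of the original report: enable the audit sources from
# the table above, query the resulting events, and register the event-triggered
# alert task for Domain Controllers. Assumptions: event 2003 comes from the
# DriverFrameworks-UserMode Operational channel; C:\Scripts\Send-UsbAlert.ps1 is
# a placeholder for the site's notification script.

$channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

function Enable-UsbAuditing {
    # Security 4663 for removable storage needs this subcategory; it is off by default.
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
    # The UMDF operational log that carries event 2003 is disabled by default on Windows Server.
    wevtutil set-log $channel /enabled:true
}

function Get-UsbActivity {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    $connects = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 2003; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Event = 'DeviceConnected'; User = '-'; Detail = ($_.Message -split "`r?`n")[0] }
        }

    # 4663 is also raised for files and registry keys; keep only the Removable Storage task category.
    # Property indexes follow the documented 4663 layout: 1 = SubjectUserName, 6 = ObjectName, 11 = ProcessName.
    $access = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object TaskDisplayName -eq 'Removable Storage' |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Event = 'RemovableStorageAccess'; User = $_.Properties[1].Value; Detail = "$($_.Properties[6].Value) by $($_.Properties[11].Value)" }
        }

    @($connects) + @($access) | Sort-Object Time
}

function Register-UsbInsertionAlert {
    # Event-triggered task: one run per 2003 event, as SYSTEM, calling the site's alert script.
    $trigger = New-CimInstance -CimClass (Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler) -ClientOnly
    $trigger.Subscription = @"
<QueryList><Query Id="0" Path="$channel"><Select Path="$channel">*[System[EventID=2003]]</Select></Query></QueryList>
"@
    $trigger.Enabled = $true
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Send-UsbAlert.ps1'
    Register-ScheduledTask -TaskName 'USB-Insertion-Alert' -Trigger $trigger -Action $action -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force
}

Enable-UsbAuditing
Get-UsbActivity -Hours 24 | Format-Table -AutoSize
Register-UsbInsertionAlert
```

Run `Enable-UsbAuditing` on every server, not only the DCs, otherwise the 4663 timeline has gaps exactly where an investigation needs it; `Register-UsbInsertionAlert` is meant for Domain Controllers only, where any insertion is unexpected and a per-event alert will not be noisy.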
Device-class behaviour observed on the servers reviewed:

| Device Type | Default Behavior (Standard User) | Default Behavior (Administrator) |
| :--- | :--- | :--- |
| USB Mass Storage (Flash drives, HDDs) | Blocked (Read/Write disabled) | Allowed (Mounted automatically) |
| USB HID (Keyboard, Mouse) | Allowed (Required for local mgmt) | Allowed |
| USB Printers / Scanners | Blocked (Requires policy change) | Allowed |
| USB Network Adapters | Blocked (Security risk) | Allowed with driver install |

The "Blocked" entries reflect a configured restriction (for example a user-level Removable Storage Access policy) rather than platform defaults: an out-of-the-box Windows Server applies no Removable Storage Access restriction, and mass storage mounts for every interactive user. Once the computer-level "Deny all access" policy from section 5.1 is applied, the administrator column changes to Blocked as well, since that policy does not exempt administrators.
Configure a scheduled task, triggered by Event ID 2003, to send an email alert whenever a USB device is connected to a production Domain Controller. A DC should never see an unplanned USB insertion, so every such event warrants an analyst's attention.

## 7. Compliance Mapping

| Standard | Requirement | Our Status |
| :--- | :--- | :--- |
| ISO 27001:2022 (Annex A.7.10; numbered A.8.3 in the 2013 edition) | Storage media handling & disposal | Partially compliant |
| PCI DSS v4.0 (Req 3.2.2) | Restrict access to cardholder data on removable media | Non-compliant without GPO |
| NIST SP 800-171 (3.1.21) | Limit use of portable storage devices | Compliant with policy |

## 8. Recommended Action Plan

| Priority | Action | Owner | Deadline |
| :--- | :--- | :--- | :--- |
| High | Deploy the "Deny all USB storage" GPO to all Server OUs. | SysAdmin | 1 week |
| High | Disable USB boot in the BIOS/UEFI of all physical servers and set a firmware password so the setting cannot be reverted from the console. | Datacenter Ops | 2 weeks |
| Medium | Enable auditing (Event IDs 2003 and 4663) and forward the logs to the SIEM. | Security Team | 1 month |
| Low | Create an exception process for legitimate USB dongles (e.g., hardware licensing). | Change Mgt | 2 months |

## 9. Conclusion

Windows Server provides robust native controls to block USB storage, but they are often left unconfigured or undone by local administrators. The recommended immediate action is to enforce the "All Removable Storage classes: Deny all access" Group Policy on all Domain Controllers and critical file servers. Group Policy alone does not stop someone with physical console access and local administrator rights, so in high-risk environments (finance, defence) combine it with physical port disabling (firmware settings or port blockers) and a USB device-control product (e.g., Sophos, McAfee DLP). Even then the result is not "100% security": storage policies have no effect on USB HID devices, which remain allowed for local management, so physical access to console ports must still be controlled.

## Appendix A: PowerShell script to audit currently connected USB devices
```powershell
# USB hubs and root hubs (Get-WmiObject/Win32_USBHub is deprecated but still present on older hosts)
Get-WmiObject -Class Win32_USBHub | Select-Object Name, DeviceID
# Every device on the USB bus that is present and working (the script block around the filter is required)
Get-PnpDevice -Class USB | Where-Object { $_.Status -eq 'OK' }
```