Removable media presents a serious potential threat vector for malware to exploit in any manufacturing facility. As a result, it is essential to utilize methods that protect against these threats. The next several blog posts in this series will provide different methods to reduce the risk of a cyberattack using removable media as the launch method. While each solution is beneficial, a defense-in-depth solution is always recommended.
Beginning in Windows 7, Microsoft started including an application called Group Policy Editor as a standard part of Windows. This application allows the user to define policies on the device, such as policies for removable media.
To open the Windows Group Policy Editor (gpedit.msc), open the Search Menu (Win 7 and newer) or the Run application (pre-Win 7). Search for gpedit or run gpedit.msc.
Under Computer Configuration, expand Administrative Templates. Then expand System and select Removable Storage Access.
For each of the following policies, click the policy, select Edit, change the setting to Enabled, and click Apply, then OK.
For CD and DVD:
- CD and DVD: Deny execute access
- CD and DVD: Deny read access
- CD and DVD: Deny write access
For Floppy drives:
- Floppy Drives: Deny execute access
- Floppy Drives: Deny read access
- Floppy Drives: Deny write access
For USB Devices:
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
- All Removable Storage classes: Deny all access
Mobile phones, while classified as a type of USB device, do not function quite the same as a flash drive or external hard drive. There is an additional step to prevent the use of mobile phones with the PC.
To secure the device from mobile phones, navigate to the same location under User Configuration and make the same updates as before. This will ensure that mobile phones cannot be connected to the device.
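To confirm the settings above actually took effect, the following audit script reads the registry values behind each policy for both Computer and User Configuration. It is an added example, not part of the original post. The registry path, class GUIDs and value names are assumptions based on the RemovableStorage.admx template and should be checked against your Windows build, as should the assumption that the "Deny execute" policies exist only under Computer Configuration.

```powershell
# Added example: audit the Removable Storage Access policies listed above.
# Assumed mapping (verify against RemovableStorage.admx on your build):
# each policy writes a DWORD of 1 under this key, per device-class GUID.
$base = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

$classes = [ordered]@{
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy Drives'   = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Test-PolicyValue {
    param([string]$Path, [string]$Name)
    # A policy counts as Enabled only when the value exists and equals 1.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Get-RemovableStorageAudit {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $scope = if ($hive -eq 'HKLM:') { 'Computer' } else { 'User' }
        # Assumption: "Deny execute" is only offered under Computer Configuration.
        $values = if ($scope -eq 'Computer') { 'Deny_Execute', 'Deny_Read', 'Deny_Write' }
                  else { 'Deny_Read', 'Deny_Write' }
        foreach ($class in $classes.GetEnumerator()) {
            foreach ($value in $values) {
                [pscustomobject]@{
                    Scope   = $scope
                    Policy  = "$($class.Key): $value"
                    Enabled = Test-PolicyValue "$hive\$base\$($class.Value)" $value
                }
            }
        }
        [pscustomobject]@{
            Scope   = $scope
            Policy  = 'All Removable Storage classes: Deny_All'
            Enabled = Test-PolicyValue "$hive\$base" 'Deny_All'
        }
    }
}

$audit = @(Get-RemovableStorageAudit)
$audit | Format-Table -AutoSize
$missing = @($audit | Where-Object { -not $_.Enabled })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) policy value(s) are not enabled on this device."
}
```

Run it as the user whose session should be locked down, since the HKCU results reflect only the account running the script.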