Force user to remove USB token

Question

I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.

I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?

One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.

Is there a solution or standard approach for this that can actually force the removal of the device?

You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your *unannounced, spontaneous* audit walks - Worked like a charm for the (unattended) SmartCards in my old company :) — SeeYouInDisneyland, Mar 12 '19 at 07:12
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe. — forest, Mar 12 '19 at 07:27
I agree that some users will certainly do the lazy thing of unplugging it just enough but leaving it in the port. However, even if half the users do this and the other half salutes and unplugs like they are supposed to I'd think that's a lot better than nobody doing it. User education has a similar effect - some will apply what they are taught and some never will or only for a bit and then go the lazy route again... — IamNaN, Mar 12 '19 at 08:06
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options. — schroeder, Mar 12 '19 at 13:05
@schroeder - My scenario is mobile users that are not on premises, with laptops containing confidential data that needs to be protected. So once the device is removed they should keep it on their person - key chain, wallet etc.The setup will be accompanied by policy that states what to do with the device and how to handle it and why it is important they do so, I just don't want to solely relay on that. — IamNaN, Mar 12 '19 at 13:43
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;) — Baldrickk, Mar 12 '19 at 14:20
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem. — schroeder, Mar 12 '19 at 14:41
@IamNaN If part of your concern is also leaving the device part-way plugged in, then this is not a technical issue at all but a behavioural one. If you are willing to abandon your concern about half-plugged-in USBs, then technical options open up. — schroeder, Mar 12 '19 at 14:44
@IamNaN What attack vector does pre-boot pin/key prevent that's not circumvented by just taking the whole machine? — MooseBoys, Mar 13 '19 at 03:03
@MooseBoys [Memory remanence](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures#attack-countermeasures) (cold boot attacks) — IamNaN, Mar 13 '19 at 05:57
@schroeder at home? no problem - at a client site? having your ID on can't hurt. At the pub on public wifi? maybe not, we erm. don't encorage that at my work, but _if_ I did, I'd probably have it in my pocket instead of on. An alternative could be attached to your keys. — Baldrickk, Mar 13 '19 at 16:02
I keep my YubiKey on a lanyard attaching it to the wallet with keycards needed to get back into my office after stepping away -- lock yourself out of the building a few times and one gets into a habit of always grabbing it on stepping away. If you control facilities security, I could see comparable coupling (distributing building & host tokens together) being used as a policy enforcement measure. — Charles Duffy, Mar 13 '19 at 22:20
@IamNaN if there's a company policy like that anyway, just put the requirement to detach the device in that same company policy. And make sure it all makes sense, requiring non-sensical things in one part of a policy is a sure way to make people ignore the sensical bits as well. E.g. our company doesn't allow any documents to be left on desks, but doesn't provide locked cabinets to store them and many rooms don't have cabinets at all so people just put them in a plastic bag instead. Hardly secure but meets the policy... — jwenting, Mar 15 '19 at 07:05

score 77 · Accepted Answer · edited Mar 12 '19 at 18:37

77

You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.

Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.

The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...

edited Mar 12 '19 at 18:37

Community

1

answered Mar 12 '19 at 11:32

Serge Ballesta

25,636
4
42
84

8

Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution. – IamNaN Mar 12 '19 at 13:39
5

I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are [designed exactly for that](https://www.yubico.com/product/yubikey-5-nano/). It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design. – user71659 Mar 12 '19 at 21:47
It's the same reason that complicated password schemes can't stop you from taping a post-it note to your monitor. – corsiKa Mar 13 '19 at 19:15
@corsiKa, in fact, they encourage it. – prl Mar 14 '19 at 04:45
@IamNaN as long as the token and the laptop are in possession of the same person at any time, there's a risk that both fall into the wrong hands at the same time as well. To prevent the token and laptop both being compromised together, the only way is for the token to unlock each laptop to not ever be in the hands of the person using the laptop, which is clearly utterly impractical. – jwenting Mar 15 '19 at 07:07

schroeder · Answer 2 · 2019-03-12T14:57:00.507

16

It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.

A simple polling function could check for new USBs connected.

All this is possible in Powershell.

This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.

edited Mar 12 '19 at 14:57

answered Mar 12 '19 at 14:47

schroeder

123,438
55
284
319

Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education. – IamNaN Mar 12 '19 at 14:52
1

@IamNaN I have to agree with your assessment. Technology *supports* secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop). – schroeder Mar 12 '19 at 14:55
Use this graph to figure out where you need to focus your behaviour change efforts: https://www.behaviormodel.org/ – schroeder Mar 12 '19 at 14:56
`schtasks` has `ONSTART` to exec the script on startup. Could use `ONLOGON` to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb. – user2320464 Mar 12 '19 at 19:45

A. Hersean · Answer 3 · 2019-03-12T14:14:37.890

13

This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:

You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.

If enforced, you can be sure this policy will be very unpopular, but effective.

Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.

edited Mar 12 '19 at 14:14

answered Mar 12 '19 at 12:49

A. Hersean

10,046
3
28
42

1

This should do indeed as a last resort. – Overmind Mar 12 '19 at 13:38
10

At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop. – Matthieu M. Mar 12 '19 at 14:13
13

`Make the reprimands reflect badly on their paycheck` is illegal in most cultures I know of. – Flater Mar 12 '19 at 15:14
11

@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more. – A. Hersean Mar 12 '19 at 16:27
It can be made softer if first-time-offender's key is not removed, but just has a paper note attached to it. Second time = USB key removed + oral (non-official) reprimand; third time = official reprimand (but no paycheck decrease), then a nominal (e.g. $1) paycheck decrease and so on. – Vi. Mar 13 '19 at 18:12
@Flater Depends on how it is proposed/implemented. Imagine a variable bonus in the paycheck, when policy is not followed the bonus decreases. That would fit most countries laws because it would not be a penalty but "a variable bonus" – bradbury9 Mar 15 '19 at 09:36

score 1 · Answer 4 · answered Mar 12 '19 at 19:26

I'm not that technical, but this seems possible:

The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:

If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.

score 1 · Answer 5 · answered Mar 13 '19 at 08:07

Why do you think this USB token alone is securing the laptop?

This is a two-factor authorisation situation. For those who've not met the concept before, 2FA is described as "something you know, and something you have". The USB dongle is the "something you have", but the laptop is still protected by the "something you know", i.e. a password. 2FA is intended to add a layer which allows one factor to be redundant, so it doesn't make the system insecure if the attacker gets the security token, so long as the user doesn't also have the password written down. Of course it's better that they don't break one arm of the security, but the laptop should still be secure if they do.

For forcing the user to remove the key, that also has a major issue. Securing the laptop is an afterthought, to protect any local files the user might have hanging around, which is a small subset of your company data. The critically important part is securing the user's access to your network. Networks, especially VPNs, are only as good as their login security. So if you're concerned about security, your VPN should be checking that the Bitlocker token is present when the user logs into the VPN and that it never leaves the machine during that login session. Otherwise the user could have accidentally left themselves logged in when they closed the lid and thought the computer was shut down, or various similar scenarios. You can't make the assumption "they logged in OK at some point in the past, therefore that is still them using the machine".

In short, I think you're over-thinking one area and not considering the bigger picture of how it helps company data security.

The simplest answer for USB dongles of course is to insist that they live on the user's keyring with their house or car keys. More than one keyring? No problem - they can have as many dongles as they need. But this ensures the dongle is always removed from the laptop when the user leaves it, because they need the keyring to get home.

Thank you, but I never said that this was the only security measure and it most certainly isn't. I was simply exploring the possibility of adding another layer of security for the pre-boot authentication.If this was the sole measure to secure the laptops I'd wholeheartedly agree with what you say here. — IamNaN, Mar 13 '19 at 08:49
@graham I think you are missing the whole point of what controls are involved and what they protect. The control in question is endpoint encryption. This has nothing to do with account or network controls. — schroeder, Mar 13 '19 at 16:26

crasic · Answer 6 · 2019-03-15T07:01:30.027

I come from Manufacturing technology world and using little jigs to enforce a certain manual behavior for both quality and safety is a standard accepted method. I disagree with the perspective that one cannot engineer human behavior by placing certain impediments, this is done for human safety and is taken as seriously as network security. One common approach is to use a Poka-yoke, but one also sees interlocks, and dead man's switch when lives are on the line.

The challenge is how to adapt these concepts to security. While I agree it would be difficult to code your way out of this in a reliable way, if you broaden your perspective to include hardware development it is certainly achievable.

If it is important to you or your employer, a custom dongle can be designed that would force this behavior, spit-balling one approach would be a timed cutoff where the dongle disables itself after a certain amount of time under power. Requiring re-plugging.

If you have a degree of control over the laptop users and policy, but you do not wish to play police, any number of other impediments can be employed to encourage compliance with your security policy.

Of course, to an enterprising user this is by-passable, so if you are designing a security product sold to customers it would not be enough.

But I believe the analogy to poka-yoke is appropriate as bypassing the engineering control by a co-worker would go against policy/procedure and subject to reprimand or warning.

score 0 · Answer 7 · answered Mar 15 '19 at 13:17

You can make the USB multipurpose making it impossible to leave it on the PC. For example, they need to plug it in another device in order to begin their workday. You can say you want to know when they come to work and the start of their workday is marked by the USB connecting to this second device.

This is not applicable to every case, but I'm writing it with the hope that it might give a good idea to someone.

score -2 · Answer 8 · answered Mar 15 '19 at 07:14

OK, so now you've ensured somehow that the owner of the laptop does not leave their token plugged in.

However they now take that laptop and token with them when going home, and get mugged by an industrial spy on the parking lot. Result is both token and laptop are how in the hands of an unauthorised person and worse, the same unauthorised person.

Result of course is exactly the same as it would be were the token plugged into the laptop, as the bad guy can just plug in the token.

Congratulations, you've just shifted the security boundary a little bit for no real gain whatsoever.

What you could do is install some software on the laptops that blocks the screen or even shuts them down if the token is found installed on the laptop after the operating system is done booting. Say something that's started as part of the OS startup and checks for the token every few minutes. Would ensure that the token is removed after booting the machine, but wouldn't prevent both token and machine being stolen.

The only way to ensure that is a 4-eye principle, where the machine cannot be booted up without at least 2 people being present, one with the token and another with the password.

And that is a major PITA and, especially for remote workers, often impossible (as remote workers tend to be alone at a site).

This has already been hashed out in the comments to the question. As written, it is not an answer to the question but a tangent. Your software suggestion is already covered by other answers, and your 4-eye suggestion is not workable for the scenario in the question. — schroeder, Mar 15 '19 at 10:03

Force user to remove USB token

8 Answers8