38

Recently a user unplugged their company PC from the network and used USB tethering with their Android phone to bypass the company network entirely and access the internet. I don't think I need to explain why this is bad. What would be the best way, from a zero-cost (i.e. open source, using scripting and group policy, etc.) and technical standpoint (i.e. HR has already been notified, I don't think that this is a symptom of some sort of deeper underlying corporate culture problem, etc.), to detect and/or prevent something like this from happening again? It would be nice to have a system-wide solution (e.g. by using group policy), but if that is not possible then doing something specific to this person's PC could also be an answer.

A few details: The PC is Windows 7 joined to an Active Directory domain, the user has ordinary user privileges (not administrator), there are no wireless capabilities on the PC, and disabling USB ports is not an option.

NOTE: Thank you for the great comments. I added some additional details.

I think that there are a lot of reasons why one would want to disallow tethering, but for my particular environment I can think of the following: (1) Anti-virus updates. We have a local anti-virus server that delivers updates to network connected computers. If you are not connected to the network you cannot receive the updates. (2) Software Updates. We have a WSUS server and review each update to approve/disallow. We also deliver updates to other commonly used software programs such as Adobe Reader and Flash via group policy. Computers cannot receive updates if they are not connected to the local network (updating from external update servers is not permitted). (3) Internet filtering. We filter out malicious and, uh, naughty(?) sites. By using a tether you can bypass the filter and access these sites and possibly compromise the security of your computer.

More background information: HR was notified already. The person in question is a high level person so it is a little bit tricky. "Making an example" of this employee, although tempting, would not be a good idea. Our filtering is not severe; I'm guessing that the person may have been looking at naughty sites although there is no direct evidence (cache was cleared). He says he was just charging his phone, but the PC was unplugged from the local network. I'm not looking to get this person in trouble, just possibly prevent something similar from happening again.

wrieedx

  • (22) It cannot be done at zero cost. Your time is cost. – user9517 Oct 05 '16 at 06:05
  • @Hanginoninquietdesperation He may be paid for being present in case of problems, so doing some additional low-priority work would not cost anything more than doing nothing. Of course, we don't know which is the case. – user121391 Oct 05 '16 at 06:56
  • @Hanginoninquietdesperation good point. I meant to say that I can't spend any money on some sort of a solution, so something open source, scripted, etc. would be fine. I don't mind using my own time to implement something as long as it doesn't take an unreasonable amount of time and is, well, "interesting." And this is kind of an interesting problem, to me at least. – wrieedx Oct 05 '16 at 08:12
  • (32) If it is not a fully locked down system then this is not a technical problem. Ban tethering by policy and trust your employees to follow the policy. Spend your time understanding/fixing why they needed to avoid the company network in order to get their work done, so that they don't need to tether in future. – JamesRyan Oct 05 '16 at 10:42
  • (1) I'm guessing the case to HR that this person deliberately and possibly maliciously connected company equipment to the internet directly isn't zero cost? – djsmiley2kStaysInside Oct 05 '16 at 11:17
  • (16) _I don't think I need to explain why this is bad._ Actually, please explain it. I can't think of a reason why this is a problem. – jobukkit Oct 05 '16 at 16:12
  • (9) @JopV. IT departments (especially for large companies) generally work around the lowest computing ability and try to ensure that they can't accidentally break the network by doing something stupid on the internet. Result is that if you're in the tech half of said company, you generally have a running battle with IT to be able to do something useful in your job. Yes, I am bitter from several of these battles :-) – Kevin Shea Oct 05 '16 at 16:32
  • (1) @JopV maybe the machine was in a high-security environment and network access was heavily restricted to prevent confidential data leakage and/or malicious software from communicating. – André Borie Oct 05 '16 at 16:53
  • (2) Without telling us what specifically you're trying to prevent (*why* this was bad), I'm not sure this question is answerable. Also, you seem to be asking for an ironclad solution. However, there is no ironclad solution -- you can never absolutely prevent someone from establishing a communication channel to the outside world. (Think Bluetooth, QR channels projected on the screen, etc.) Without knowing the threat model, the context, what you're trying to prevent, etc., this question is difficult or impossible to answer, because it's not clear what tradeoff you want. – D.W. Oct 05 '16 at 18:31
  • (2) @JopV. - if the ordinary internet access is proxied through a category block to block dodgy sites, the machine going on the open internet is an increased risk of getting malware / ransomware onto the company network. – TessellatingHeckler Oct 05 '16 at 18:54
  • (3) Make an example out of this employee and get them disciplined. It sounds like circumventing/disobeying established practices is accepted in their mind so what is to stop this person from circumventing you again? – MonkeyZeus Oct 05 '16 at 19:23
  • (8) @AndréBorie the user was able to plug in a USB device. If tethering is allowed, USB mass storage is probably authorized as well. In those conditions, I think it is safe to say the machine was not in a high-security environment. – njzk2 Oct 05 '16 at 19:32
  • (3) This read to me like "porn at work" rather than "data exfiltration". The OP specifically discounted the idea of locking this down for the purpose of preventing exfiltration. – Michael Hampton Oct 05 '16 at 20:03
  • (2) I do _that_ all the time because the company network is horribly slow, and even translation of a single word is blocked. I get faster websites through LTE than through the LAN, so whenever I work with external websites, it's useful. – Aganju Oct 06 '16 at 02:57
  • Have you considered *why* said person felt it necessary to use his own personal and probably limited data in the normal course of their work? Perhaps you should consider fixing the problem, rather than the symptoms. – Kevin Oct 06 '16 at 20:06

6 Answers

56

You can use Group Policy to prevent the installation of new network devices.

You'll find an option in Administrative Templates \ System \ Device Installation \ Device Installation Restrictions \ Prevent installation of devices using drivers that match these driver setup classes.

From its description:

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

Using policy settings here, you can either create a whitelist (which you seem to not want) or a blacklist, either of individual devices or entire classes of devices (such as network adapters). These take effect when a device is removed and reinserted, so it will not affect the NIC built into the machine, provided you don't apply the setting to devices that are already installed.

You will need to reference the list of device setup classes to find the class for network adapters, which is {4d36e972-e325-11ce-bfc1-08002be10318}. Add this class to the blacklist, and soon afterward, nobody will be able to use USB network adapters.

Michael Hampton

  • (7) Of course this doesn't prevent just unplugging the ethernet cable and plugging it into a bridge device using the phone's tethering. – R.. GitHub STOP HELPING ICE Oct 06 '16 at 01:57
  • (2) @R.. True, it's not _perfect_. But you're proposing someone with above average technical knowledge, and that doesn't seem to be what the OP is dealing with. – Michael Hampton Oct 06 '16 at 01:59
  • (4) Well an even simpler option that would also prevent a lot of other security problems is just filling all the USB ports with epoxy. – R.. GitHub STOP HELPING ICE Oct 06 '16 at 02:00
  • (1) @R.. Please go back and read the original post. The user explicitly stated that he was not willing to do that. – Michael Hampton Oct 06 '16 at 02:09
  • (5) While it doesn't prevent bridging, it raises the technical AND physical bars to phone tethering. For example, I have the technical knowledge to set up bridging and could do it in my sleep -- but I don't have a spare bridge just laying around. At a minimum I'd need to invest $15-20 in a cheap router and put OpenWRT or the like on it (then use WiFi tethering). Also, it's a lot easier to explain your phone being plugged into your computer's USB port than a strange blinky box dangling off the back of it. – Doktor J Oct 06 '16 at 17:22
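The policy in this answer is meant to be deployed through a GPO, but it is useful to know exactly what lands on the client so you can audit it. The following PowerShell script is an added example, not part of the answer above: it lists the physical adapters already installed (so you can confirm the wired NIC is present before enabling the block), writes the same registry values the "Prevent installation of devices using drivers that match these driver setup classes" setting populates, with the Net class GUID from the answer, and reports whether the block is in place. It assumes an elevated PowerShell session on the Windows 7 machine and leaves `DenyDeviceClassesRetroactive` at 0 so already-installed adapters keep working.

```powershell
# Added example (not from the answer or from Microsoft): local equivalent of the
# Device Installation Restrictions class deny list, plus an audit of installed adapters.
# Assumes an elevated session; key/value names are those the GPO writes on the client.

$NetClassGuid = '{4d36e972-e325-11ce-bfc1-08002be10318}'   # "Net" setup class, from the answer
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DenyList     = Join-Path $Restrictions 'DenyDeviceClasses'

function Get-InstalledNetworkAdapters {
    # Physical adapters currently known to the OS and the bus they sit on.
    # Run this before enabling the policy to confirm the built-in NIC is already installed;
    # an adapter whose PnP path starts with "USB\" is a USB NIC (phone tethering shows up here).
    Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter=True' |
        Select-Object Name, NetConnectionID, PNPDeviceID,
            @{ Name = 'OnUsb'; Expression = { $_.PNPDeviceID -like 'USB\*' } }
}

function Test-DenyListContains {
    param([string]$Guid)
    # The list is a set of REG_SZ values named "1", "2", ... each holding one class GUID.
    if (-not (Test-Path $DenyList)) { return $false }
    $key = Get-Item $DenyList
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq $Guid) { return $true }
    }
    return $false
}

function Set-DenyNetworkAdapterClass {
    # Writes the values the GPO editor writes. Retroactive stays 0 so that adapters already
    # installed (the wired NIC) keep working; only newly inserted ones are refused a driver.
    foreach ($path in $Restrictions, $DenyList) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $Restrictions -Name 'DenyDeviceClasses' -Value 1 -Type DWord
    Set-ItemProperty -Path $Restrictions -Name 'DenyDeviceClassesRetroactive' -Value 0 -Type DWord
    if (-not (Test-DenyListContains $NetClassGuid)) {
        $next = ((Get-Item $DenyList).GetValueNames().Count + 1).ToString()
        Set-ItemProperty -Path $DenyList -Name $next -Value $NetClassGuid -Type String
    }
}

function Test-DenyNetworkAdapterClass {
    # $true when the deny list is enabled and the Net class is on it; use this from an
    # inventory script to spot machines where the GPO has not applied.
    $enabled = $null
    if (Test-Path $Restrictions) {
        $enabled = (Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue).DenyDeviceClasses
    }
    return ($enabled -eq 1) -and (Test-DenyListContains $NetClassGuid)
}

Get-InstalledNetworkAdapters | Format-Table -AutoSize
Set-DenyNetworkAdapterClass
"Net class denied for newly inserted devices: $(Test-DenyNetworkAdapterClass)"
```

If the same setting is later deployed by a domain GPO, Group Policy will overwrite these keys with its own copy, which is fine: the `Test-` function still reports the effective state, and the `OnUsb` column tells you whether any USB-attached adapter already has a driver, which the non-retroactive block would leave in place.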
17

There are several options:

  • On Windows 7 you can control which USB devices can be connected. See this article for example.

  • You can monitor that the PC is connected to the network, for example by monitoring the status of the switch port the machine is connected to. (Modern computers keep the NIC connected even when the machine is off, so shutting down the computer should not trigger an alarm.) This can be done at low cost using free open source solutions (anyway, you should have monitoring in your network!)

EDIT in response to comment:
If the user adds a wireless adapter, the metric of this new interface will be higher than the metric of the wired interface, so Windows will continue to use the wired interface. Since the user doesn't have administrative privileges, he cannot overcome this.

  • You could use a proxy to access the Internet and force the proxy settings through GPO. So if the machine is disconnected from the network and cannot access the proxy, it cannot access anything. This solution could be easy in a small network, but very difficult to implement in a large network.

As pointed out by @Hangin on in quiet desperation in comment, there's always a cost. Your time costs money to the company, and you have to consider the actual cost of putting in place security vs the potential cost of the bad behavior.

JFL

  • For the second solution, the user could still *add* a new NIC/SIM instead of replacing the normal connection. If you then monitor the OS, he could do it in a VM. The third solution would achieve nothing, as the user could still connect to the internet (just not to company resources, which he presumably does not care about anyway). – user121391 Oct 05 '16 at 06:55
  • (2) For the second solution, see my edit in my answer. For the proxy solution, no, the configuration should be done so Internet access passes through the proxy, and proxy not available means no Internet. This is a common enterprise setup. – JFL Oct 05 '16 at 07:07
  • Actually, we have a proxy server, but for whatever reason have not fully deployed it yet. As JFL says, if we fully deploy the proxy using group policy the users will not be able to connect to the internet outside of the corporate network because they do not have the permissions necessary to change the proxy settings. Essentially all our PCs are workstations so they cannot easily be moved and connected to external networks. – wrieedx Oct 06 '16 at 00:45
  • (1) A proxy server, unless verified through a certificate, can easily be mimicked even on a phone; with the right app, I think you don't even have to be root. Forcing proxy validation also solves the problem of using an ETH bridge. Finally, pinging all the users' machines periodically would give an alert system to find people playing around with cables. – Lesto Oct 06 '16 at 15:15
  • There isn't really a 100% "correct" answer for this question, and a lot of really fantastic answers have been posted. However, I'm marking this answer as the correct one because the proxy server suggestion will work with minimal effort given my current environment (we have a proxy server but it has not yet been fully deployed). For other people facing a similar problem other solutions may work better. – wrieedx Oct 10 '16 at 23:55
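The proxy option the asker accepted rests on three Group Policy settings: make proxy settings per-machine, set the proxy, and prevent users from changing it. The script below is an added example, not JFL's or wrieedx's configuration: it writes the registry values those settings produce on a client, verifies them, and does a plain TCP reachability check against the proxy, which is exactly the check that fails when the machine is tethered to a phone instead of the LAN. `proxy.corp.example:8080` is a placeholder for the real proxy, and an elevated session is assumed.

```powershell
# Added example (not from the answer): registry side of "force the proxy settings through GPO".
# Assumptions: elevated session; the proxy address below is a placeholder.

$ProxyServer = 'proxy.corp.example:8080'   # placeholder for the corporate proxy
$InetPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$InetMachine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$IePolicyCP  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'

function Set-LockedProxy {
    foreach ($path in $InetPolicy, $InetMachine, $IePolicyCP) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    # "Make proxy settings per-machine (rather than per-user)": one setting for every account,
    # read from HKLM instead of each user's HKCU.
    Set-ItemProperty -Path $InetPolicy -Name 'ProxySettingsPerUser' -Value 0 -Type DWord
    # The machine-wide proxy itself; <local> keeps intranet hosts (WSUS, AV server) direct.
    Set-ItemProperty -Path $InetMachine -Name 'ProxyEnable'   -Value 1 -Type DWord
    Set-ItemProperty -Path $InetMachine -Name 'ProxyServer'   -Value $ProxyServer -Type String
    Set-ItemProperty -Path $InetMachine -Name 'ProxyOverride' -Value '<local>' -Type String
    # "Prevent changing proxy settings": the LAN settings dialog becomes read-only for users.
    Set-ItemProperty -Path $IePolicyCP -Name 'Proxy' -Value 1 -Type DWord
}

function Test-LockedProxy {
    # $true only when all pieces are in place: per-machine, enabled, right server, locked.
    $perUser = (Get-ItemProperty -Path $InetPolicy -ErrorAction SilentlyContinue).ProxySettingsPerUser
    $m       =  Get-ItemProperty -Path $InetMachine -ErrorAction SilentlyContinue
    $locked  = (Get-ItemProperty -Path $IePolicyCP -ErrorAction SilentlyContinue).Proxy
    return ($perUser -eq 0) -and ($m.ProxyEnable -eq 1) -and
           ($m.ProxyServer -eq $ProxyServer) -and ($locked -eq 1)
}

function Test-TcpReachable {
    param([string]$HostPort, [int]$TimeoutMs = 3000)
    # TCP connect with a timeout. Off the LAN this fails, which is what turns the proxy into a gate.
    $h, $p = $HostPort -split ':'
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($h, [int]$p, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Set-LockedProxy
"Proxy locked: $(Test-LockedProxy); proxy reachable from here: $(Test-TcpReachable $ProxyServer)"
```

These values cover WinINet clients (Internet Explorer and most desktop software). Programs that use WinHTTP keep a separate proxy configuration; `netsh winhttp import proxy source=ie` copies the machine settings there. As Lesto's comment notes, the proxy is only a reliable gate if clients can tell the real proxy from an impostor, so have it authenticate users or be reached over a verified certificate.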
9

What type of antivirus are you using? In Kaspersky antivirus you can define trusted and local networks. So, you can configure your local network as trusted and prohibit any other networks. This works if the computer is only used in the office.

I have KSC and I can manage all computers centrally. (Screenshot: KSC rule)

Guntis

  • This is really nice to know. We are using TrendMicro, and I _think_ that the particular version that we are using doesn't allow us to do this. – wrieedx Oct 07 '16 at 00:11
4

I think an option is to create, on the target machine, a script to monitor the PC network settings (e.g. IP address and gateway) and to alert you (e.g. via email) when something changes.

Freiheit, shodanshok

  • To make this work, how would one monitor the PC network settings? Is there some sort of a trigger option available somewhere that can initiate a script when network settings change? – wrieedx Oct 06 '16 at 00:48
  • (1) @wrieedx Perhaps a scheduled task with an event-based trigger for the `Hardware Events`, `Microsoft-Windows-Network*`, or `System` logs could work. If you have a USB tethering device to test with you can see what events appear in Event Viewer when it's connected/configured and try to create a trigger based on those. Of course, whatever process/script gets launched to alert you of this event would need to handle the case where the machine is (at that moment, at least) disconnected from your internal network. – Lance U. Matthews Oct 06 '16 at 06:00
  • Alerting on the user's PC is only partially effective: the user's phone could filter traffic, or use some proxy. As the routing rules could be set up to send everything to ETH no matter what, the best would be to ping all the user machines every so often and check if someone unplugged one. Still, it is possible to use an ETH bridge. – Lesto Oct 06 '16 at 15:18
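The answer and Lance's comment sketch the script without showing it, including the awkward part: the alert has to survive the machine being off the internal network at the moment it fires. The following PowerShell is an added example, not the answer's own script. It snapshots the IP-enabled adapters (PnP path, addresses, default gateways), compares them with a baseline file, and alerts on any change or on two conditions that match the original incident: an adapter attached over USB carrying an IP address, or a default gateway outside the corporate range. Email goes through the internal relay when reachable and is otherwise queued to disk, and an Application event log entry is always written so it is picked up once the machine is back on the LAN. The paths, SMTP host, recipient and the `10.0.` gateway prefix are placeholders; it assumes it runs as SYSTEM from a scheduled task on the Windows 7 PC.

```powershell
# Added example (not from the answer): baseline/compare of the PC's IP configuration with
# offline-safe alerting. Placeholders: paths, corporate gateway prefix, SMTP relay, recipient.

$BaselinePath = 'C:\ProgramData\NetWatch\baseline.txt'         # placeholder
$QueuePath    = 'C:\ProgramData\NetWatch\pending-alerts.txt'   # placeholder
$CorpGateway  = '10.0.'                 # placeholder: prefix every corporate default gateway shares
$SmtpServer   = 'mail.corp.example'     # placeholder: internal relay, reachable only on the LAN
$AlertTo      = 'itsec@corp.example'    # placeholder
$AlertFrom    = 'netwatch@corp.example' # placeholder

function Get-ActiveNetConfig {
    # One sortable line per IP-enabled adapter: PnP path|name|addresses|default gateways.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
        $nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index=$($_.Index)"
        '{0}|{1}|{2}|{3}' -f $nic.PNPDeviceID, $nic.Name,
            ($_.IPAddress -join ','), ($_.DefaultIPGateway -join ',')
    } | Sort-Object
}

function Test-ConfigSuspicious {
    param([string[]]$Lines)
    # Flags a USB-attached adapter carrying IP (tethered phone) or a gateway off the corporate range.
    foreach ($l in $Lines) {
        $pnp, $name, $ips, $gws = $l -split '\|'
        if ($pnp -like 'USB\*') { return "USB network adapter active: $name ($ips)" }
        foreach ($gw in ($gws -split ',')) {
            if ($gw -and -not $gw.StartsWith($CorpGateway)) { return "Unexpected default gateway $gw on $name" }
        }
    }
    return $null
}

function Send-Alert {
    param([string]$Message)
    # Try the internal relay; when the PC is off the LAN (the case we care about) queue to disk.
    try {
        Send-MailMessage -SmtpServer $SmtpServer -To $AlertTo -From $AlertFrom `
            -Subject "NetWatch: $env:COMPUTERNAME" -Body $Message -ErrorAction Stop
    } catch {
        Add-Content -Path $QueuePath -Value ('{0} {1}' -f (Get-Date -Format s), $Message)
    }
    # Always log locally so central log collection sees it once the machine is back on the LAN.
    if (-not [System.Diagnostics.EventLog]::SourceExists('NetWatch')) {
        New-EventLog -LogName Application -Source 'NetWatch'
    }
    Write-EventLog -LogName Application -Source 'NetWatch' -EventId 1000 -EntryType Warning -Message $Message
}

function Invoke-NetWatch {
    $current = @(Get-ActiveNetConfig)
    if ($current.Count -eq 0) { $current = @('NO-IP-ENABLED-ADAPTER') }
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    if (-not (Test-Path $BaselinePath)) {
        $current | Set-Content $BaselinePath          # first run: record the known-good state
        return
    }
    $baseline = @(Get-Content $BaselinePath)
    $changed  = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    $reason   = Test-ConfigSuspicious $current
    if ($changed -or $reason) {
        $lines = @("Network configuration changed on $env:COMPUTERNAME")
        if ($reason)  { $lines += $reason }
        if ($changed) { foreach ($d in $changed) { $lines += "$($d.SideIndicator) $($d.InputObject)" } }
        Send-Alert ($lines -join "`n")
        $current | Set-Content $BaselinePath          # re-baseline so the same change is reported once
    }
}

Invoke-NetWatch

# Register as a periodic task (run once, elevated). Placeholder script path:
# schtasks /Create /TN NetWatch /RU SYSTEM /SC MINUTE /MO 5 /F /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\ProgramData\NetWatch\Watch-NetConfig.ps1"
```

A five-minute schedule is simpler than the event-based trigger Lance suggests and catches the same thing; if you do want the task to fire on a network-change event instead, `schtasks` needs the trigger supplied as task XML. As Lesto points out, a check that runs on the PC itself is only one signal; pairing it with a switch-port or ping monitor from the network side covers the case where the PC simply goes dark.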
1

Never forget that the user can check porn directly on the user's cellphone via the LTE network, so no one will ever know (and a new cell phone has a big screen...). Why the user used the bridge on the computer intrigues me.

That brings about another important question: do you manage the cellphone with an enterprise rule?

An example from the BES administrator book:

Selecting this rule prevents the device from pairing with any computer other than the Apple Configurator host. This rule applies only to devices that are supervised using Apple Configurator.

or

Selecting this rule prevents users from using AirDrop to share data with other devices. This rule applies only to devices that are supervised using Apple Configurator.

And yes, controlling the USB is good, but that device can have important enterprise documents/emails on it and not controlling it is a security risk.

After that if you control all cellphones, you can ask that no personal cell to be present at the employee desk/computer.

For any other case, I will say, like user DoktorJ, that if they try to bring a big setup to bypass your security, they will be at risk of being fired directly.

Peter Mortensen, yagmoth555
0

For tethering

You can make Windows unable to find the RNDIS driver file c:\windows\inf\wceisvista.inf.

For your test, just rename the extension to ".inf_disable"; your OS will not be able to find an appropriate driver for tethering.

Ylogaf