Force user to remove USB token
I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.
I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?
One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.
Is there a solution or standard approach for this that can actually force the removal of the device?
multi-factor usb bitlocker
|
show 7 more comments
I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.
I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?
One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.
Is there a solution or standard approach for this that can actually force the removal of the device?
multi-factor usb bitlocker
14
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
20 hours ago
21
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
19 hours ago
10
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
14 hours ago
2
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
12 hours ago
5
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
12 hours ago
|
show 7 more comments
I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.
I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?
One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.
Is there a solution or standard approach for this that can actually force the removal of the device?
multi-factor usb bitlocker
I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.
I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?
One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.
Is there a solution or standard approach for this that can actually force the removal of the device?
multi-factor usb bitlocker
multi-factor usb bitlocker
edited 12 hours ago
schroeder♦
77.4k30171206
77.4k30171206
asked 20 hours ago
IamNaNIamNaN
3831512
3831512
14
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
20 hours ago
21
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
19 hours ago
10
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
14 hours ago
2
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
12 hours ago
5
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
12 hours ago
|
show 7 more comments
14
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
20 hours ago
21
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
19 hours ago
10
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
14 hours ago
2
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
12 hours ago
5
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
12 hours ago
14
14
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
20 hours ago
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
20 hours ago
21
21
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
19 hours ago
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
19 hours ago
10
10
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
14 hours ago
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
14 hours ago
2
2
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
12 hours ago
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
12 hours ago
5
5
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
12 hours ago
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
12 hours ago
|
show 7 more comments
4 Answers
4
active
oldest
votes
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
5
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
13 hours ago
1
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
5 hours ago
add a comment |
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
1
This should do indeed as a last resort.
– Overmind
13 hours ago
6
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
13 hours ago
It appears that the scenario is for remote users. So no access to local staff.
– schroeder♦
12 hours ago
3
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
12 hours ago
4
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
10 hours ago
add a comment |
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
12 hours ago
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
12 hours ago
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
12 hours ago
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
7 hours ago
add a comment |
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
5
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
13 hours ago
1
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
5 hours ago
add a comment |
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
5
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
13 hours ago
1
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
5 hours ago
add a comment |
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
edited 8 hours ago
Community♦
1
1
answered 15 hours ago
Serge BallestaSerge Ballesta
17.1k32762
17.1k32762
5
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
13 hours ago
1
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
5 hours ago
add a comment |
5
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
13 hours ago
1
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
5 hours ago
5
5
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
13 hours ago
Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.
– IamNaN
13 hours ago
1
1
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
5 hours ago
I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.
– user71659
5 hours ago
add a comment |
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
1
This should do indeed as a last resort.
– Overmind
13 hours ago
6
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
13 hours ago
It appears that the scenario is for remote users. So no access to local staff.
– schroeder♦
12 hours ago
3
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
12 hours ago
4
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
10 hours ago
add a comment |
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
1
This should do indeed as a last resort.
– Overmind
13 hours ago
6
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
13 hours ago
It appears that the scenario is for remote users. So no access to local staff.
– schroeder♦
12 hours ago
3
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
12 hours ago
4
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
10 hours ago
add a comment |
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.
edited 13 hours ago
answered 14 hours ago
A. HerseanA. Hersean
4,78531022
4,78531022
1
This should do indeed as a last resort.
– Overmind
13 hours ago
6
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
13 hours ago
It appears that the scenario is for remote users. So no access to local staff.
– schroeder♦
12 hours ago
3
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
12 hours ago
4
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
10 hours ago
add a comment |
1
This should do indeed as a last resort.
– Overmind
13 hours ago
6
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
13 hours ago
It appears that the scenario is for remote users. So no access to local staff.
– schroeder♦
12 hours ago
3
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.
– Flater
12 hours ago
4
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
10 hours ago
1
1
This should do indeed as a last resort.
– Overmind
13 hours ago
This should do indeed as a last resort.
– Overmind
13 hours ago
6
6
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
13 hours ago
At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
– Matthieu M.
13 hours ago
It appears that the scenario is for remote users. So no access to local staff.
– schroeder♦
12 hours ago
It appears that the scenario is for remote users. So no access to local staff.
– schroeder♦
12 hours ago
3
3
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.– Flater
12 hours ago
Make the reprimands reflect badly on their paycheck
is illegal in most cultures I know of.– Flater
12 hours ago
4
4
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
10 hours ago
@Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.
– A. Hersean
10 hours ago
add a comment |
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
12 hours ago
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
12 hours ago
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
12 hours ago
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
7 hours ago
add a comment |
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
12 hours ago
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
12 hours ago
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
12 hours ago
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
7 hours ago
add a comment |
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
edited 12 hours ago
answered 12 hours ago
schroeder♦schroeder
77.4k30171206
77.4k30171206
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
12 hours ago
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
12 hours ago
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
12 hours ago
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
7 hours ago
add a comment |
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
12 hours ago
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
12 hours ago
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
12 hours ago
schtasks
hasONSTART
to exec the script on startup. Could useONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.
– user2320464
7 hours ago
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
12 hours ago
Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.
– IamNaN
12 hours ago
1
1
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
12 hours ago
@IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).
– schroeder♦
12 hours ago
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
12 hours ago
Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
– schroeder♦
12 hours ago
schtasks
has ONSTART
to exec the script on startup. Could use ONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.– user2320464
7 hours ago
schtasks
has ONSTART
to exec the script on startup. Could use ONLOGON
to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.– user2320464
7 hours ago
add a comment |
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
add a comment |
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
add a comment |
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
I'm not that technical, but this seems possible:
The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:
If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.
If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.
If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.
answered 7 hours ago
StilezStilez
1,046410
1,046410
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
14
You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)
– SeeYouInDisneyland
20 hours ago
21
Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.
– forest
19 hours ago
10
What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.
– schroeder♦
14 hours ago
2
You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)
– Baldrickk
12 hours ago
5
@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.
– schroeder♦
12 hours ago