Force user to remove USB token












27















I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?










share|improve this question




















  • 14





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    20 hours ago






  • 21





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    19 hours ago








  • 10





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    14 hours ago








  • 2





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    12 hours ago






  • 5





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    12 hours ago
















27















I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?










share|improve this question




















  • 14





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    20 hours ago






  • 21





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    19 hours ago








  • 10





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    14 hours ago








  • 2





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    12 hours ago






  • 5





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    12 hours ago














27












27








27








I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?










share|improve this question
















I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?







multi-factor usb bitlocker






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 12 hours ago









schroeder

77.4k30171206




77.4k30171206










asked 20 hours ago









IamNaNIamNaN

3831512




3831512








  • 14





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    20 hours ago






  • 21





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    19 hours ago








  • 10





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    14 hours ago








  • 2





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    12 hours ago






  • 5





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    12 hours ago














  • 14





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    20 hours ago






  • 21





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    19 hours ago








  • 10





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    14 hours ago








  • 2





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    12 hours ago






  • 5





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    12 hours ago








14




14





You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

– SeeYouInDisneyland
20 hours ago





You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

– SeeYouInDisneyland
20 hours ago




21




21





Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

– forest
19 hours ago







Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

– forest
19 hours ago






10




10





What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

– schroeder
14 hours ago







What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

– schroeder
14 hours ago






2




2





You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

– Baldrickk
12 hours ago





You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

– Baldrickk
12 hours ago




5




5





@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

– schroeder
12 hours ago





@IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

– schroeder
12 hours ago










4 Answers
4






active

oldest

votes


















38














You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






share|improve this answer





















  • 5





    Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

    – IamNaN
    13 hours ago






  • 1





    I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

    – user71659
    5 hours ago





















12














This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



If enforced, you can be sure this policy will be very unpopular, but effective.



Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.






share|improve this answer





















  • 1





    This should do indeed as a last resort.

    – Overmind
    13 hours ago






  • 6





    At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

    – Matthieu M.
    13 hours ago











  • It appears that the scenario is for remote users. So no access to local staff.

    – schroeder
    12 hours ago






  • 3





    Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

    – Flater
    12 hours ago






  • 4





    @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

    – A. Hersean
    10 hours ago



















7














It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



A simple polling function could check for new USBs connected.



All this is possible in Powershell.



This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






share|improve this answer


























  • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

    – IamNaN
    12 hours ago






  • 1





    @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

    – schroeder
    12 hours ago











  • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

    – schroeder
    12 hours ago











  • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

    – user2320464
    7 hours ago



















0














I'm not that technical, but this seems possible:



The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:




  • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


  • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


  • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.







share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "162"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    4 Answers
    4






    active

    oldest

    votes








    4 Answers
    4






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    38














    You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



    Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



    The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






    share|improve this answer





















    • 5





      Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

      – IamNaN
      13 hours ago






    • 1





      I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

      – user71659
      5 hours ago


















    38














    You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



    Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



    The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






    share|improve this answer





















    • 5





      Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

      – IamNaN
      13 hours ago






    • 1





      I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

      – user71659
      5 hours ago
















    38












    38








    38







    You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



    Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



    The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






    share|improve this answer















    You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



    Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



    The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 8 hours ago









    Community

    1




    1










    answered 15 hours ago









    Serge BallestaSerge Ballesta

    17.1k32762




    17.1k32762








    • 5





      Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

      – IamNaN
      13 hours ago






    • 1





      I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

      – user71659
      5 hours ago
















    • 5





      Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

      – IamNaN
      13 hours ago






    • 1





      I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

      – user71659
      5 hours ago










    5




    5





    Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

    – IamNaN
    13 hours ago





    Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

    – IamNaN
    13 hours ago




    1




    1





    I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

    – user71659
    5 hours ago







    I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

    – user71659
    5 hours ago















    12














    This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



    You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



    If enforced, you can be sure this policy will be very unpopular, but effective.



    Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.






    share|improve this answer





















    • 1





      This should do indeed as a last resort.

      – Overmind
      13 hours ago






    • 6





      At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

      – Matthieu M.
      13 hours ago











    • It appears that the scenario is for remote users. So no access to local staff.

      – schroeder
      12 hours ago






    • 3





      Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

      – Flater
      12 hours ago






    • 4





      @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

      – A. Hersean
      10 hours ago
















    12














    This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



    You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



    If enforced, you can be sure this policy will be very unpopular, but effective.



    Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.






    share|improve this answer





















    • 1





      This should do indeed as a last resort.

      – Overmind
      13 hours ago






    • 6





      At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

      – Matthieu M.
      13 hours ago











    • It appears that the scenario is for remote users. So no access to local staff.

      – schroeder
      12 hours ago






    • 3





      Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

      – Flater
      12 hours ago






    • 4





      @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

      – A. Hersean
      10 hours ago














    12












    12








    12







    This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



    You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



    If enforced, you can be sure this policy will be very unpopular, but effective.



    Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.






    share|improve this answer















    This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



    You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



    If enforced, you can be sure this policy will be very unpopular, but effective.



    Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 13 hours ago

























    answered 14 hours ago









    A. HerseanA. Hersean

    4,78531022




    4,78531022








    • 1





      This should do indeed as a last resort.

      – Overmind
      13 hours ago






    • 6





      At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

      – Matthieu M.
      13 hours ago











    • It appears that the scenario is for remote users. So no access to local staff.

      – schroeder
      12 hours ago






    • 3





      Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

      – Flater
      12 hours ago






    • 4





      @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

      – A. Hersean
      10 hours ago














    • 1





      This should do indeed as a last resort.

      – Overmind
      13 hours ago






    • 6





      At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

      – Matthieu M.
      13 hours ago











    • It appears that the scenario is for remote users. So no access to local staff.

      – schroeder
      12 hours ago






    • 3





      Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

      – Flater
      12 hours ago






    • 4





      @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

      – A. Hersean
      10 hours ago








    1




    1





    This should do indeed as a last resort.

    – Overmind
    13 hours ago





    This should do indeed as a last resort.

    – Overmind
    13 hours ago




    6




    6





    At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

    – Matthieu M.
    13 hours ago





    At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

    – Matthieu M.
    13 hours ago













    It appears that the scenario is for remote users. So no access to local staff.

    – schroeder
    12 hours ago





    It appears that the scenario is for remote users. So no access to local staff.

    – schroeder
    12 hours ago




    3




    3





    Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

    – Flater
    12 hours ago





    Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

    – Flater
    12 hours ago




    4




    4





    @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

    – A. Hersean
    10 hours ago





    @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me to disclose more.

    – A. Hersean
    10 hours ago











    7














    It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



    A simple polling function could check for new USBs connected.



    All this is possible in Powershell.



    This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






    share|improve this answer


























    • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

      – IamNaN
      12 hours ago






    • 1





      @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

      – schroeder
      12 hours ago











    • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

      – schroeder
      12 hours ago











    • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

      – user2320464
      7 hours ago
















    7














    It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



    A simple polling function could check for new USBs connected.



    All this is possible in Powershell.



    This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






    share|improve this answer


























    • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

      – IamNaN
      12 hours ago






    • 1





      @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

      – schroeder
      12 hours ago











    • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

      – schroeder
      12 hours ago











    • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

      – user2320464
      7 hours ago














    7












    7








    7







    It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



    A simple polling function could check for new USBs connected.



    All this is possible in Powershell.



    This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






    share|improve this answer















    It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



    A simple polling function could check for new USBs connected.



    All this is possible in Powershell.



    This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 12 hours ago

























    answered 12 hours ago









    schroederschroeder

    77.4k30171206




    77.4k30171206













    • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

      – IamNaN
      12 hours ago






    • 1





      @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

      – schroeder
      12 hours ago











    • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

      – schroeder
      12 hours ago











    • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

      – user2320464
      7 hours ago



















    • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

      – IamNaN
      12 hours ago






    • 1





      @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

      – schroeder
      12 hours ago











    • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

      – schroeder
      12 hours ago











    • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

      – user2320464
      7 hours ago

















    Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

    – IamNaN
    12 hours ago





    Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

    – IamNaN
    12 hours ago




    1




    1





    @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

    – schroeder
    12 hours ago





    @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

    – schroeder
    12 hours ago













    Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

    – schroeder
    12 hours ago





    Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

    – schroeder
    12 hours ago













    schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

    – user2320464
    7 hours ago





    schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

    – user2320464
    7 hours ago











    0














    I'm not that technical, but this seems possible:



    The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:




    • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


    • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


    • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.







    share|improve this answer




























      0














      I'm not that technical, but this seems possible:



      The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:




      • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


      • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


      • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.







      share|improve this answer


























        0












        0








        0







        I'm not that technical, but this seems possible:



        The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:




        • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


        • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


        • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.







        share|improve this answer













        I'm not that technical, but this seems possible:



        The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:




        • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


        • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself, allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


        • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.








        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 7 hours ago









        StilezStilez

        1,046410




        1,046410






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Plaza Victoria

            Puebla de Zaragoza

            Musa