Force user to remove USB token


25















I'm looking at setting up secure laptops using BitLocker with pre-boot PIN and startup key.



I'm wondering if there is a way to force the user, who is remote, to remove the USB with the startup key before they can log on or use Windows. Otherwise, what's to keep the user from just leaving the USB connected all the time, which would pretty much negate its value?



One way, of course, is to make it impractical for the user to leave the USB connected, like permanently attaching it to a large object. But that's also generally impractical and not a great solution.



Is there a solution or standard approach for this that can actually force the removal of the device?










  • 12





    You could put it in your clean desk policy that no USB tokens may be left plugged in after startup and take away every token you find on your unannounced, spontaneous audit walks - Worked like a charm for the (unattended) SmartCards in my old company :)

    – SeeYouInDisneyland
    18 hours ago






  • 18





    Sadly, even when computers make this a requirement, a lot of lazy people will just partially unplug the token just enough to break the electrical connection, but not enough to remove it and put it somewhere safe.

    – forest
    17 hours ago







  • 8





    What's the desired behaviour here? You want them to remove it and then do what with it? Keep it in the laptop bag? Keep it in a pocket? Keep it in a locked drawer? Attach it to another device that enumerates which keys have been returned? If you are clear on that point, then you might find some more useful options.

    – schroeder
    12 hours ago







  • 1





    You could recommend or require that the key is attached to their lanyards (that they are required to wear). Hard to leave it plugged in when it's attached to your neck ;)

    – Baldrickk
    10 hours ago






  • 3





    @IamNaN so your actual problem is not that it is plugged in, it is that the USB is not in an approved place (keeping in the laptop bag is equally a problem). Ejecting the device is not actually your problem.

    – schroeder
    10 hours ago















multi-factor usb bitlocker






edited 10 hours ago by schroeder

asked 18 hours ago by IamNaN







4 Answers


















34














You are trying to use a technical tool to solve a social problem. The answer is that it cannot fit.



Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



The physical analogy can also help. They would not leave the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






answered 13 hours ago by Serge Ballesta, edited 6 hours ago by Community




















  • 5





    Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

    – IamNaN
    11 hours ago






  • 1





    I don't think it's a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

    – user71659
    3 hours ago



















11














This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filing a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



If enforced, you can be sure this policy will be very unpopular, but effective.



Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave my answer as it might still be useful for others trying to enforce security policies on their premises.


























  • 1





    This should do indeed as a last resort.

    – Overmind
    11 hours ago






  • 5





    At the previous company I was working on, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key on the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.

    – Matthieu M.
    11 hours ago











  • It appears that the scenario is for remote users. So no access to local staff.

    – schroeder
    10 hours ago






  • 3





    Make the reprimands reflect badly on their paycheck is illegal in most cultures I know of.

    – Flater
    10 hours ago






  • 3





    @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally at least in one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me from disclosing more.

    – A. Hersean
    8 hours ago


















7














It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



A simple polling function could check for new USBs connected.



All this is possible in Powershell.



This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.































  • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far there seems little sense in pursuing this as an added security measure and it seems better to focus on setting proper policy for use and behavior plus training and education.

    – IamNaN
    10 hours ago






  • 1





    @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start up pop up to remind users to put the USB in their pockets (not with the laptop).

    – schroeder
    10 hours ago











  • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org

    – schroeder
    10 hours ago











  • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up script to EventId when a usb is connected and check if it's the bitlocker usb.

    – user2320464
    5 hours ago
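One way to implement the polling check this answer describes (started at logon as user2320464's comment suggests), as an added example that is not the answerer's code: it looks for the hidden .BEK startup-key file BitLocker writes to the root of the USB drive, disables the physical network adapters while one is present, and tells the user where the key should go instead. Assumed and not from the page: it runs elevated in the user's session via a scheduled task, the NetAdapter module is available (Windows 8 / Server 2012 or later), and the `$PollSeconds` and `$LogPath` values are my own choices.

```powershell
# Added example, not code from the answer above. Enforces "unplug the BitLocker startup
# key before you use Windows" by polling removable drives for the hidden <GUID>.BEK file
# BitLocker stores the startup key in, and cutting network access while one is present.
# Assumptions (not from the page): runs elevated in the user's session, started at logon
# by a scheduled task (schtasks /SC ONLOGON); the NetAdapter module exists; $PollSeconds
# and $LogPath are values chosen here.

$PollSeconds = 5
$LogPath     = Join-Path $env:ProgramData 'StartupKeyGuard.log'   # assumed path

function Write-GuardLog([string]$Message) {
    # Keep a local record so the helpdesk can see how often a key was left plugged in.
    Add-Content -LiteralPath $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Get-StartupKeyDrives {
    # Win32_LogicalDisk DriveType 2 = removable disk. Return the drive letters whose
    # root holds a .BEK file; -Force is needed because the key file is hidden.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Where-Object {
            $root = "$($_.DeviceID)\"
            (Test-Path -LiteralPath $root) -and
            (Get-ChildItem -LiteralPath $root -Filter '*.BEK' -File -Force -ErrorAction SilentlyContinue)
        } |
        Select-Object -ExpandProperty DeviceID
}

function Set-NetworkBlocked([bool]$Blocked) {
    # Disable (or re-enable) every physical adapter: no network until the key is gone.
    $adapters = Get-NetAdapter -Physical -ErrorAction SilentlyContinue
    if ($Blocked) { $adapters | Disable-NetAdapter -Confirm:$false }
    else          { $adapters | Enable-NetAdapter  -Confirm:$false }
}

function Show-RemoveKeyPrompt([string[]]$Drives) {
    # Tell the user what to do with the key, not just that it is plugged in
    # (the comments above point out that "where it goes" is the real problem).
    Add-Type -AssemblyName System.Windows.Forms
    $text = "Your BitLocker startup key is still plugged in ($($Drives -join ', ')).`n" +
            "Remove it and keep it on you (pocket or lanyard), never in the laptop bag.`n" +
            "Network access stays disabled until the key is removed."
    [void][System.Windows.Forms.MessageBox]::Show($text, 'Remove your startup key',
        [System.Windows.Forms.MessageBoxButtons]::OK,
        [System.Windows.Forms.MessageBoxIcon]::Warning)
}

# Polling loop. Limitation raised in the comments: a key pulled just far enough to
# break the electrical connection looks identical to one that was properly removed.
$blocked = $false
while ($true) {
    $drives = @(Get-StartupKeyDrives)
    if ($drives.Count -gt 0 -and -not $blocked) {
        Write-GuardLog "startup key present on $($drives -join ', '); blocking network"
        Set-NetworkBlocked $true
        $blocked = $true
        Show-RemoveKeyPrompt $drives
    }
    elseif ($drives.Count -eq 0 -and $blocked) {
        Write-GuardLog 'startup key removed; restoring network'
        Set-NetworkBlocked $false
        $blocked = $false
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Because disabling adapters needs administrative rights, the scheduled task has to run with highest privileges even though the prompt is shown in the user's session.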


















0














I'm not that technical, but this seems possible:



The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:



  • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


  • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or the key itself allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


  • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.




























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205200%2fforce-user-to-remove-usb-token%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    4 Answers
    4






    active

    oldest

    votes








    4 Answers
    4






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    34














    You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



    Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



    The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






    share|improve this answer




















    • 5





      Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

      – IamNaN
      11 hours ago






    • 1





      I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

      – user71659
      3 hours ago
















    34














    You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



    Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



    The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






    share|improve this answer




















    • 5





      Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

      – IamNaN
      11 hours ago






    • 1





      I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

      – user71659
      3 hours ago














    34












    34








    34







    You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



    Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



    The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...






    share|improve this answer















    You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.



    Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.



    The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 6 hours ago









    Community

    1




    1










    answered 13 hours ago









    Serge BallestaSerge Ballesta

    17k32762




    17k32762







    • 5





      Thank you and I agree with the fact that education is important, critical and the most important aspect. However, I also think that an additional factor to enforce this behavior, if possible, is appropriate. If a laptop with confidential data on it ends up in the wrong hands my biggest problem is that the data is now in the wrong hands, not whose fault it is that the data ended up there. So if in addition to education I can add another factor to reduce this risk I want to implement that. It's not supposed to be the end all and only solution.

      – IamNaN
      11 hours ago






    • 1





      I don't think its a social problem. FIDO tokens have solved this technically by having a "user presence" pushbutton. You can leave the FIDO token plugged in continuously, and some are designed exactly for that. It is good as unplugged until somebody presses the button. The problem is that Bitlocker is using a mass storage device for authentication, something beyond its original design.

      – user71659
      3 hours ago



























    11














    This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:



    You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filing a security incident. If the next day the users go and fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.



    If enforced, you can be sure this policy will be very unpopular, but effective.



    Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave my answer as it might still be useful for others trying to enforce security policies on their premises.






    edited 11 hours ago
    answered 12 hours ago by A. Hersean

    • 1
      This should do indeed as a last resort.
      – Overmind, 11 hours ago

    • 5
      At the previous company I was working at, after some thefts, laptops had to be locked down to their pad. At night, the security guards would collect any unlocked laptop, or any laptop with the key in the lock, and you had to go and fetch it at the security post. People grumbled, but after a month or two, it was pretty rare to see anyone forgetting to lock their laptop.
      – Matthieu M., 11 hours ago

    • It appears that the scenario is for remote users. So no access to local staff.
      – schroeder, 10 hours ago

    • 3
      "Make the reprimands reflect badly on their paycheck" is illegal in most cultures I know of.
      – Flater, 10 hours ago

    • 3
      @Flater It depends on how it's done. It can be a reduced bonus, or a reduced yearly pay raise. Most likely, the risks associated with security incidents will need to be written in the contract, but I'm not a lawyer. I just know that such sanctions can be applied legally in at least one country, as I'm sure a huge team of lawyers reviewed the policy I've seen. An NDA prevents me from disclosing more.
      – A. Hersean, 8 hours ago











    7














    It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.



    A simple polling function could check for new USBs connected.



    All this is possible in PowerShell.



    This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.






    edited 10 hours ago
    answered 10 hours ago by schroeder

    • Thank you. You definitely have a point there! Also taking your "the location of the USB is the problem" comment into consideration. Taking all the answers and comments received so far, there seems little sense in pursuing this as an added security measure, and it seems better to focus on setting proper policy for use and behavior plus training and education.
      – IamNaN, 10 hours ago

    • 1
      @IamNaN I have to agree with your assessment. Technology supports secure behaviours but it is not good at forcing secure behaviours. Training, explanations, and clear prompts will be better. Use a start-up pop-up to remind users to put the USB in their pockets (not with the laptop).
      – schroeder, 10 hours ago

    • Use this graph to figure out where you need to focus your behaviour change efforts: behaviormodel.org
      – schroeder, 10 hours ago

    • schtasks has ONSTART to exec the script on startup. Could use ONLOGON to exec the script and prompt the user. Then wire up the script to an EventId when a USB is connected and check if it's the BitLocker USB.
      – user2320464, 5 hours ago











    0














    I'm not that technical, but this seems possible:



    The USB key must be doing certain things, such as responding to enumeration, or to requests via API to validate the key. So the first question is whether those can be used. You might need to check technical docs for that possibility:



    • If the devices are company owned but mobile, you could install a script that tests this, and if a device remains enumerated or responsive for more than 2 mins after initial validation was accepted, the validation/access is terminated. That should ensure users develop an automatic habit of removing their keys - the device just won't let them work if they don't.


    • If some devices are BYO (bring your own) then it's harder. Perhaps the access method or key itself allows some kind of ongoing validation, which could be repurposed (if there is ongoing access beyond a few minutes, terminate). If needed, buy a type of key that allows this.


    • If a server-side or unilaterally operated check is not possible, so that you can't do something server-side to check USB key status, then you are forced to fall back on client side software/script. If a person wants to bring their own device, there are often policies about this, and at times and in some companies, the user has to run or install a company-provided script/software/VPN/cert/whatever if they want to use their own device on the company's network, so perhaps this is an acceptable option.






    answered 5 hours ago by Stilez
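The two technical suggestions on this page, schroeder's "startup script that polls for the mounted USB and blocks the network" and Stilez's "terminate access if the key is still enumerated two minutes after boot", plus user2320464's note about launching it from a scheduled task, fit into one script. The following is an added example written for this page; it is not code from the question, from any of the answers, or from Microsoft. It assumes the OS volume is C:, that the startup key is a .BEK file on a removable USB volume (a protector of type ExternalKey, TpmStartupKey or TpmPinStartupKey, as Get-BitLockerVolume names them), that the script runs as SYSTEM from a logon task, and that the BitLocker, Storage and NetAdapter modules are present (Windows 8 / Server 2012 or later). The script path, task name, grace period and message text are arbitrary choices.

```powershell
# Added example, not code from the question or any answer on the page.
# Logon watchdog: while the BitLocker startup-key USB stick is still plugged in,
# warn the user and, after a grace period, cut the network until it is removed.
#
# Assumptions (none of these come from the page):
#   - the OS volume is C: and is unlocked by a startup key (.BEK file on a USB stick),
#     i.e. a protector of type ExternalKey, TpmStartupKey or TpmPinStartupKey;
#   - the script runs as SYSTEM from a logon scheduled task (registration at the end),
#     which is what Disable-NetAdapter requires;
#   - Windows 8 / Server 2012 or later, so the BitLocker, Storage and NetAdapter
#     modules (Get-BitLockerVolume, Get-Volume, Get-NetAdapter) are available.
param(
    [string]$OsDrive      = 'C:',
    [int]   $GraceSeconds = 120,   # Stilez's "2 mins": how long the key may stay in after logon
    [int]   $PollSeconds  = 5
)

function Get-StartupKeyFileNames {
    # File names of the .BEK files that can unlock the OS volume. manage-bde shows the
    # same value as "External Key File Name"; on the stick the file is hidden+system.
    $types = 'ExternalKey', 'TpmStartupKey', 'TpmPinStartupKey'
    (Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop).KeyProtector |
        Where-Object { $types -contains $_.KeyProtectorType -and $_.KeyFileName } |
        ForEach-Object { $_.KeyFileName }
}

function Find-PluggedStartupKey {
    param([string[]]$KeyFileNames)
    # Returns the root of the first removable volume that carries one of our .BEK files,
    # or $null when no startup key is plugged in.
    $removable = Get-Volume | Where-Object {
        $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Z]$'
    }
    foreach ($v in $removable) {
        $root = "$($v.DriveLetter):\"
        foreach ($name in $KeyFileNames) {
            # Test-Path sees hidden/system files, so no -Force is needed here.
            if (Test-Path -LiteralPath (Join-Path $root $name)) { return $root }
        }
    }
    return $null
}

function Set-NetworkBlocked {
    param([bool]$Blocked)
    # Deliberately blunt: every physical adapter (Wi-Fi and Ethernet) goes down together,
    # so there is no "I'll just plug in the cable" workaround.
    $adapters = Get-NetAdapter -Physical
    if ($Blocked) { $adapters | Disable-NetAdapter -Confirm:$false }
    else          { $adapters | Enable-NetAdapter  -Confirm:$false }
}

$keys = @(Get-StartupKeyFileNames)
if ($keys.Count -eq 0) { exit 0 }   # no USB startup key on this machine: nothing to enforce

$deadline = (Get-Date).AddSeconds($GraceSeconds)
$blocked  = $false
while ($true) {
    $root = Find-PluggedStartupKey -KeyFileNames $keys
    if (-not $root) {
        # Key is out (or was never in). Undo our block, if any, and finish.
        if ($blocked) { Set-NetworkBlocked -Blocked $false }
        break
    }
    if (-not $blocked -and (Get-Date) -ge $deadline) {
        Set-NetworkBlocked -Blocked $true
        $blocked = $true
        # msg.exe reaches the interactive session even from a SYSTEM task
        # (it is not shipped with Home editions; use a logon-script dialog there).
        & msg.exe '*' "Your BitLocker startup key is still plugged in ($root). Network access stays off until you remove it. Keep the key on you, not in the laptop bag."
    }
    Start-Sleep -Seconds $PollSeconds
}

# One-time registration from an elevated prompt (task name and path are arbitrary choices):
#   schtasks /Create /F /TN "BitLockerKeyWatch" /SC ONLOGON /RU SYSTEM /RL HIGHEST ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\KeyWatch.ps1"
```

Before deploying, confirm the protector names on your own image with `Get-BitLockerVolume -MountPoint C: | Select-Object -ExpandProperty KeyProtector`: the KeyProtectorType and KeyFileName values are what the first function matches on, and a TPM-only or TPM+PIN machine will simply exit. Treat the script as a nudge, not a control: a user with local admin rights can stop the task, and, as schroeder's answer points out, nothing here stops someone pulling the stick out and dropping it into the laptop bag. If taking the adapters down is too disruptive for management traffic, a New-NetFirewallRule block with -Action Block that is removed on key removal is the gentler variant, and an event-driven version can subscribe to Win32_VolumeChangeEvent (EventType 2 is arrival, 3 is removal) with Register-CimIndicationEvent instead of polling.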



























