Prevent MTP & USB tethering

  • Question

  • The security team of a customer is in the midst of testing Windows 7 security features and came up with the following queries.

    While conducting some tests on desktops using Windows 7, our internal audit department observed that it is possible to transfer data from a Windows 7 desktop to an Android device using Media Transfer Protocol even if the USB port is blocked through AD Group Policies. Similarly, it is also possible to perform this operation on Windows XP desktops if Media Player v10 is installed on them. They also observed that if a phone is connected to a Windows 7 desktop, USB tethering allows the user to bypass the proxy and access the internet unrestricted.

    I wanted to check with you if these are known issues on OS 7 and whether there are any solutions available to prevent them through AD policies on Windows 7 OS?

    Would appreciate any help in this regard.

    Wednesday, August 8, 2012 6:51 AM

Answers

  • Hi,


    Please check whether other USB devices could work after you applied the policy.


    In addition, please try to enable it again and run “gpupdate /force” in command prompt to ensure it has been applied.


    Regards,


    Vincent Wang

    TechNet Community Support

    • Marked as answer by Leo Huang Wednesday, August 15, 2012 6:58 AM
    Thursday, August 9, 2012 8:53 AM

All replies

  • Hello there,

    this security issue also got to our attention.

    2008 AD, USB blocked via GPO, working fine for Mass Storage and so on.

    If you have a regular user without local admin rights and he connects his Samsung S2 / S3 / Ace, whatever, nothing happens.

    But when he activates USB tethering in Settings on his phone, the Windows client creates a new NDIS-based Internet Sharing Device.

    After some seconds he can bypass the proxy (pac/squid) with Internet Explorer; formerly blocked sites like Facebook now work fine...

    He can also access documents from his network shares ...

    If there is no iTunes on the client, USB tethering will not work with iPhones because they use ODI instead of NDIS.

    As far as I can see, the NDIS internet sharing device has no extra class ID which I could block via GPO.

    I've watched the process several times on different clients with Mark Russinovich's Sysinternals tools.

    You can see new sockets and connections to 1.1.1.1-1.1.1.5 (UMTS provider) and WUDFHOST.exe pops up.

    We are using PKI card readers, scanners and some local printers. Also there are some special users who are not in the restricted USB group, to move large CAD files from CAD client to CAD client.

    Even 3rd-party software couldn't block the USB tethering...

    Do you have a solution via GPO to block USB tethering / the driver initialization / a class ID?

    • Proposed as answer by saratkalepu Friday, September 8, 2017 11:21 AM
    Tuesday, January 15, 2013 10:34 AM
  • Hello there,

    this security issue also got to our attention.

    2008 AD, USB blocked via GPO, working fine for Mass Storage and so on.

    If you have a regular user without local admin rights and he connects his Samsung S2 / S3 / Ace, whatever, nothing happens.

    But when he activates USB tethering in Settings on his phone, the Windows client creates a new NDIS-based Internet Sharing Device.

    After some seconds he can bypass the proxy (pac/squid) with Internet Explorer; formerly blocked sites like Facebook now work fine...

    He can also access documents from his network shares ...

    If there is no iTunes on the client, USB tethering will not work with iPhones because they use ODI instead of NDIS.

    As far as I can see, the NDIS internet sharing device has no extra class ID which I could block via GPO.

    I've watched the process several times on different clients with Mark Russinovich's Sysinternals tools.

    You can see new sockets and connections to 1.1.1.1-1.1.1.5 (UMTS provider) and WUDFHOST.exe pops up.

    We are using PKI card readers, scanners and some local printers. Also there are some special users who are not in the restricted USB group, to move large CAD files from CAD client to CAD client.

    Even 3rd-party software couldn't block the USB tethering...

    Do you have a solution via GPO to block USB tethering / the driver initialization / a class ID?


    Thursday, March 20, 2014 8:39 AM
  • We've also run into this issue whilst preparing for payment card industry compliance.

    Testing with a Samsung S4 the storage access can be disabled by enabling the "WPD Devices:Deny" options in the GPO.

    Tethering however is a problem.

    I'd be interested in a solution.

    Friday, April 11, 2014 4:16 PM
  • We have a big issue

    We really need to stop tethering, but also allow Version Air cards

    Even if you have an Air card installed and then plug in a tethered phone, that will take priority.

    We also need the USB ports active

    We would also need to limit any of the carriers' phones not to work when tethered, but also allow Air cards.

    Thoughts

    Friday, October 23, 2015 10:20 AM
  • I have the same problem. I need the USB port, but tethering is a serious security problem for us. We need some mini app to disable exactly tethering mode, I guess.

    Sunday, August 7, 2016 7:42 AM
  • For USB tethering

    you must disable Device ID "USB\class_e0"

    This can be done via GPO in the device section:

    System/Device Installation/Device Installation Restrictions > Prevent installation of devices that match any of these device IDs

    Don't forget to check "Also apply to matching devices that are already installed."



    • Edited by Ylogaf Wednesday, February 21, 2018 3:59 PM
    Friday, December 15, 2017 11:02 AM
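The following PowerShell script is an added example and is not from any poster in this thread. It ties together two observations above: the description of the NDIS-based Internet Sharing Device that appears when a phone starts tethering, and the reply recommending a Device Installation Restriction on the ID "USB\class_e0". The script audits a single client for currently enumerated RNDIS (class E0) devices and USB-backed network adapters, and checks whether the local registry reflects the deny-list policy. The registry path and value names it reads (`HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions`, `DenyDeviceIDs`, `DenyDeviceIDsRetroactive`) are my assumptions about where that GPO setting lands; verify them against your own environment rather than relying on this text.

```powershell
# Added example (not from the thread): audit a Windows client for USB-tethering
# (RNDIS) devices and for the Device Installation Restriction on USB\Class_e0.
# Run in an elevated Windows PowerShell session. Uses Get-WmiObject so it also
# works on Windows 7 clients, where Get-PnpDevice is not available.
#
# Assumption (mine, not the thread's): the GPO setting
# "Prevent installation of devices that match any of these device IDs" is
# mirrored under $PolicyKey below. Confirm against your policy before use.

$TetherId  = 'USB\Class_e0'   # RNDIS / CDC-Ethernet class ID from the reply above
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-TetheringDevice {
    # Win32_PnPEntity exposes CompatibleID as a string array; a tethering phone
    # shows up with a compatible ID starting with USB\Class_e0.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object {
            $ids = $_.CompatibleID
            $ids -and ($ids | Where-Object { $_ -like "$TetherId*" })
        } |
        Select-Object Name, DeviceID, Status,
            @{ Name = 'CompatibleID'; Expression = { $_.CompatibleID -join ';' } }
}

function Get-UsbNetworkAdapter {
    # The network-side view of the same event: an adapter whose PnP device ID
    # lives under the USB bus, as the Internet Sharing Device described above.
    Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.PNPDeviceID -like 'USB\*' } |
        Select-Object Name, NetConnectionID, NetEnabled, PNPDeviceID
}

function Test-TetheringDenyPolicy {
    # Returns $true only when the deny list is enabled, applied retroactively
    # (the "already installed" checkbox from the reply above) and lists the
    # RNDIS class ID. Anything less leaves tethering reachable.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $restr = Get-ItemProperty -Path $PolicyKey
    if ($restr.DenyDeviceIDs -ne 1 -or $restr.DenyDeviceIDsRetroactive -ne 1) {
        return $false
    }
    $listKey = Join-Path $PolicyKey 'DenyDeviceIDs'
    if (-not (Test-Path $listKey)) { return $false }
    $ids = (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    return [bool]($ids | Where-Object { $_ -ieq $TetherId })
}

$devices = Get-TetheringDevice
if ($devices) {
    Write-Warning 'RNDIS (class E0) devices are currently enumerated:'
    $devices | Format-Table -AutoSize
} else {
    Write-Output 'No RNDIS tethering devices currently enumerated.'
}

$adapters = Get-UsbNetworkAdapter
if ($adapters) {
    Write-Warning 'USB-backed network adapters present:'
    $adapters | Format-Table -AutoSize
}

if (Test-TetheringDenyPolicy) {
    Write-Output "Deny policy for $TetherId is in place; confirm with 'gpresult /r' that the GPO applied."
} else {
    Write-Warning "Deny policy for $TetherId is NOT in place on this client."
}
```

Running this on a client before and after the policy is applied (and after `gpupdate /force`, as the accepted answer suggests) shows whether the RNDIS device goes from "OK" to a disabled state; the retroactive flag matters because a phone that was plugged in before the policy existed is otherwise left working.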
  • It works! = "USB\class_e0"

    Thanks

    Friday, July 26, 2019 2:07 PM