How to detect whether a user is using USB tethering?

wrieedx asked:

Recently a user unplugged their company PC from the network and used USB tethering with their Android phone to bypass the company network entirely and access the internet. I don’t think I need to explain why this is bad. What would be the best way, from a zero-cost and technical standpoint, to detect and/or prevent something like this from happening again? It would be nice to have a system-wide solution (e.g. by using group policy), but if that is not possible then doing something specific to this person’s PC could also be an answer.

A few details:

- The PC is Windows 7 joined to an Active Directory domain.
- The user has ordinary user privileges (not administrator).
- There are no wireless capabilities on the PC.
- Disabling USB ports is not an option.

My answer:

You can use Group Policy to prevent the installation of new network devices.

You’ll find an option under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of devices using drivers that match these device setup classes.

From its description:

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

Using the policy settings in that folder, you can either create a whitelist (which you seem to not want) or a blacklist, either of individual device IDs or of entire device setup classes (such as network adapters). The restriction is enforced at driver installation time, so it takes effect when a blocked device is removed and reinserted; it will not touch the NIC built into the machine, provided you leave the "also apply to matching devices that are already installed" option unchecked.

You will need to reference the list of device setup classes to find the class for network adapters, which is {4d36e972-e325-11ce-bfc1-08002be10318}. Add this class to the blacklist, and soon afterward, nobody will be able to use USB network adapters.
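The question asked about detection as well as prevention. The following PowerShell script is an added example, not part of the original Server Fault answer: it audits one Windows host for USB-attached adapters in the Net setup class (what Android USB tethering appears as on the PC, typically an RNDIS device), looks for recent driver-installation events for USB devices, and checks whether the blacklist policy above has actually reached the machine. It assumes an elevated PowerShell session, that the policy writes its values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (DenyDeviceClasses and a DenyDeviceClasses subkey with numbered GUID values), and that driver installs are logged by the Microsoft-Windows-UserPnp provider as event 20001 in the System log; the message-text filter is a heuristic. WMI is used rather than Get-PnpDevice so the script also runs on Windows 7.

```powershell
# Added example: audit a host for USB network adapters and verify the class-deny policy.
# Assumptions (see lead-in): elevated session, standard policy registry layout, UserPnp event 20001.

$NetClassGuid = '{4D36E972-E325-11CE-BFC1-08002BE10318}'   # device setup class "Net", from the answer
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbNetworkAdapter {
    # Net-class PnP devices whose instance ID sits on the USB bus (e.g. a tethered phone's RNDIS adapter).
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $NetClassGuid -and $_.DeviceID -like 'USB\*' } |
        Select-Object Name, DeviceID, Status
}

function Get-UsbDriverInstallEvent {
    param([int]$Days = 30)
    # Driver installations concluded for USB devices in the last $Days days.
    # Event 20001 from Microsoft-Windows-UserPnp carries the device instance ID in its message text;
    # matching on 'USB\VID_' is a heuristic, so review the results by hand.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-UserPnp'
        Id           = 20001
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USB\\VID_' } |
        Select-Object TimeCreated, Message
}

function Test-NetClassDenied {
    # True only when the policy is enabled AND the Net class GUID is in its deny list.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $enabled = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).DenyDeviceClasses
    if ($enabled -ne 1) { return $false }
    $listKey = Join-Path $PolicyKey 'DenyDeviceClasses'
    if (-not (Test-Path $listKey)) { return $false }
    # The deny list is stored as string values named 1, 2, 3, ... each holding one class GUID.
    $denied = (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    # String comparison in PowerShell is case-insensitive, so GUID casing does not matter here.
    return ($denied -contains $NetClassGuid)
}

# --- Report ---
Write-Host "USB network adapters currently present:"
$adapters = @(Get-UsbNetworkAdapter)
if ($adapters.Count -eq 0) { Write-Host "  none" } else { $adapters | Format-Table -AutoSize }

Write-Host "USB driver installations in the last 30 days (review for network adapters):"
$events = @(Get-UsbDriverInstallEvent -Days 30)
if ($events.Count -eq 0) { Write-Host "  none" } else { $events | Format-Table -AutoSize -Wrap }

if (Test-NetClassDenied) {
    Write-Host "Policy check: Net class $NetClassGuid is blacklisted on this host."
} else {
    Write-Host "Policy check: Net class is NOT blacklisted; run gpupdate /force or check GPO scope."
}
```

Running this on the PC in question after the GPO is deployed gives you both halves of the answer to the question: the first two sections tell you whether a tethering adapter has been attached (now or recently), and the last line confirms that the setup-class blacklist has actually been applied to the machine rather than just configured in the domain.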

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.