How to detect whether a user is using USB tethering?

wrieedx asked:

Recently a user unplugged their company PC from the network and used USB tethering with their Android phone to bypass the company network entirely and access the internet. I don’t think I need to explain why this is bad. What would be the best way, from a zero-cost (i.e. open source, using scripting and group policy, etc.) and technical standpoint (i.e. HR has already been notified, I don’t think that this is a symptom of some sort of deeper underlying corporate culture problem, etc.), to detect and/or prevent something like this from happening again? It would be nice to have a system-wide solution (e.g. by using group policy), but if that is not possible then doing something specific to this person’s PC could also be an answer.

A few details:
The PC is Windows 7 joined to an Active Directory domain, the user has ordinary user privileges (not administrator), there are no wireless capabilities on the PC, and disabling USB ports is not an option.

NOTE: Thank you for the great comments. I added some additional details.

I think that there are a lot of reasons why one would want to disallow tethering, but for my particular environment I can think of the following: (1) Anti-virus updates. We have a local anti-virus server that delivers updates to network connected computers. If you are not connected to the network you cannot receive the updates.
(2) Software Updates. We have a WSUS server and review each update to approve/disallow. We also deliver updates to other commonly used software programs such as Adobe Reader and Flash via group policy. Computers cannot receive updates if they are not connected to the local network (updating from external update servers is not permitted).
(3) Internet filtering. We filter out malicious and, uh, naughty(?) sites. By using a tether you can bypass the filter and access these sites and possibly compromise the security of your computer.

More background information: HR was notified already. The person in question is a high level person so it is a little bit tricky. “Making an example” of this employee, although tempting, would not be a good idea. Our filtering is not severe; I’m guessing that the person may have been looking at naughty sites although there is no direct evidence (cache was cleared). He says he was just charging his phone, but the PC was unplugged from the local network. I’m not looking to get this person in trouble, just possibly prevent something similar from happening again.

My answer:

You can use Group Policy to prevent the installation of new network devices.

You’ll find an option in Administrative Templates \ System \ Device Installation \ Device Installation Restrictions \ Prevent installation of devices using drivers that match these driver setup classes.

From its description:

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

Using policy settings here, you can either create a whitelist (which you seem to not want) or a blacklist, either of individual devices or entire classes of devices (such as network adapters). These take effect when a device is removed and reinserted, so it will not affect the NIC built into the machine, provided you don’t apply the setting to devices that are already installed.

You will need to reference the list of device setup classes to find the class for network adapters, which is {4d36e972-e325-11ce-bfc1-08002be10318}. Add this class to the blacklist, and soon afterward, nobody will be able to use USB network adapters.
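As an added example (not part of the original answer), here is a PowerShell audit script for the Windows 7 machine in question. It lists network adapters that sit on the USB bus (a tethered Android phone shows up as a USB RNDIS adapter in the Network Adapter setup class) and checks whether the Group Policy setting named above is in force, by reading the registry location where that policy is stored. The output wording and the check ordering are this script's own choices.

```powershell
# Added example, not from the original answer. Run locally on the PC as an
# administrator (Windows 7 / PowerShell 2.0 compatible; Win32_NetworkAdapter is
# used because Get-NetAdapter does not exist on Windows 7).

# Network Adapter device setup class, as given in the answer.
$NetClass  = '{4d36e972-e325-11ce-bfc1-08002be10318}'
# Registry location backing "Device Installation Restrictions" in Group Policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# 1. Detection: any network adapter whose Plug and Play ID is on the USB bus.
$usbNics = Get-WmiObject -Class Win32_NetworkAdapter |
    Where-Object { $_.PNPDeviceID -like 'USB\*' }

foreach ($nic in $usbNics) {
    $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
        Where-Object { $_.Index -eq $nic.Index }
    # IPEnabled with an address means the adapter is carrying traffic now,
    # not merely that a driver was installed at some point.
    $state = if ($cfg.IPEnabled) { "ACTIVE, IP $($cfg.IPAddress -join ',')" }
             else { 'installed, no IP' }
    Write-Warning ("USB network adapter: {0} [{1}] - {2}" -f $nic.Name, $nic.PNPDeviceID, $state)
}
if (-not $usbNics) { Write-Output 'No USB network adapters present.' }

# 2. Prevention check: is the policy enabled and does its deny list contain
#    the Network Adapter class? The deny list is a subkey whose values are
#    named "1", "2", ... and hold one class GUID each.
$restrictions = Get-ItemProperty $PolicyKey -ErrorAction SilentlyContinue
$enabled = $restrictions.DenyDeviceClasses -eq 1
$denied  = @()
if (Test-Path "$PolicyKey\DenyDeviceClasses") {
    $denied = (Get-ItemProperty "$PolicyKey\DenyDeviceClasses").PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}

if ($enabled -and ($denied -contains $NetClass)) {
    Write-Output 'Policy in place: newly attached network adapters will not install.'
    # The answer's caveat: applying the class block retroactively would also
    # remove the machine's built-in NIC, so flag that option if it is set.
    if ($restrictions.DenyDeviceClassesRetroactive -eq 1) {
        Write-Warning 'Retroactive option is set: already-installed NICs are affected too.'
    }
} else {
    Write-Output 'Policy NOT in place: a newly attached tethering adapter would install.'
}
```

Run it once before and once after the Group Policy change takes effect; the first section confirms whether a tethering adapter is present or active now, the second confirms the policy landed on this machine.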

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.