USB mass-storage blocked by default
Description
What this control does
This control enforces the blocking of USB mass-storage devices (e.g., flash drives, external hard drives) by default across endpoints to prevent unauthorized data exfiltration and malware introduction. Implementation typically involves Group Policy Objects (GPO), endpoint detection and response (EDR) agents, or mobile device management (MDM) solutions that disable USB storage class drivers or enforce read-only access. Organizations may maintain an exception list for approved devices or users requiring business justification and management approval.
Control objective
What auditing this proves
Demonstrate that USB mass-storage devices are blocked by default on all in-scope endpoints and that any exceptions are documented, approved, and technically enforced through centralized policy controls.
Associated risks
Risks this control addresses
- Unauthorized exfiltration of sensitive data via USB flash drives by malicious insiders or compromised accounts
- Introduction of malware, ransomware, or advanced persistent threats through infected USB devices brought from external environments
- Accidental data loss or leakage when employees copy sensitive files to personal or unencrypted USB storage devices
- Circumvention of data loss prevention (DLP) controls through physical media that bypasses network monitoring
- Loss or theft of portable USB devices containing unencrypted organizational data leading to regulatory breach notification obligations
- Installation of unauthorized software or tools via USB storage that violates change management and software whitelisting policies
- Compromise of air-gapped or isolated systems through USB-based attack vectors such as BadUSB or HID emulation attacks
Testing procedure
How an auditor verifies this control
- Obtain and review the current USB mass-storage device control policy documents, including approved exception criteria and authorization workflows.
- Identify the technical enforcement mechanisms deployed (e.g., Active Directory GPO settings, Intune policies, endpoint agent configurations) across Windows, macOS, and Linux systems.
- Export and analyze Group Policy settings for USB storage restrictions, specifically reviewing the USBSTOR driver disable settings and removable storage access policies.
- Select a representative sample of endpoints stratified by operating system, department, and geographic location for physical testing.
- Physically connect an unapproved USB mass-storage device to sampled endpoints and verify that the operating system blocks access, generates alerts, or denies driver installation.
- Review logs from endpoint management consoles or SIEM platforms to confirm that USB connection attempts are logged with user, device, timestamp, and action taken.
- Audit the exception management process by reviewing the approved device whitelist, verifying business justifications, approval records, and periodic recertification activities.
- Validate that monitoring and alerting rules exist for policy violations or attempts to disable USB blocking controls through unauthorized configuration changes.
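As an added example, not code from this control page, the following PowerShell function gathers the endpoint-side evidence the procedure asks for on a sampled Windows host: the USBSTOR class driver start type, the Removable Storage Access policy values, and any USB storage devices currently present (which should each map to an approved exception). The registry paths and the Removable Disks class GUID are the standard Windows locations; the function name and output fields are our own.

```powershell
# Added example: collect USB mass-storage enforcement evidence from one Windows endpoint.
# Run as an administrator; pipe the result to Export-Csv to file it as audit workpaper.
function Test-UsbStorageBlocking {
    [CmdletBinding()]
    param()

    # USBSTOR service start type: 3 = Manual (driver loads on demand), 4 = Disabled.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name Start -ErrorAction SilentlyContinue
    $driverDisabled = ($null -ne $usbstor) -and ($usbstor.Start -eq 4)

    # The "Removable Storage Access" GPO writes here (machine scope; a per-user copy can
    # also exist under HKCU). Deny_All at the root covers every class; the GUID subkey
    # is the Removable Disks class with Deny_Read / Deny_Write / Deny_Execute values.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $removableDisksKey = Join-Path $policyRoot '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

    $denyAll = (Get-ItemProperty -Path $policyRoot -Name Deny_All -ErrorAction SilentlyContinue).Deny_All -eq 1
    $disk = Get-ItemProperty -Path $removableDisksKey -ErrorAction SilentlyContinue
    $denyRead  = $disk.Deny_Read  -eq 1
    $denyWrite = $disk.Deny_Write -eq 1

    # USB storage devices the PnP manager currently sees (instance IDs start with USBSTOR\).
    # Any device listed on an endpoint reported as "Blocked" needs an approved exception on file.
    $present = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object -ExpandProperty InstanceId

    # Effective state: blocked if the class driver is disabled or policy denies all/read access;
    # read-only if only writes are denied; otherwise nothing on this host enforces the control.
    $blocked  = $driverDisabled -or $denyAll -or $denyRead
    $readOnly = (-not $blocked) -and $denyWrite

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        UsbstorStartValue     = if ($usbstor) { $usbstor.Start } else { 'not found' }
        UsbstorDriverDisabled = $driverDisabled
        PolicyDenyAll         = $denyAll
        PolicyDenyRead        = $denyRead
        PolicyDenyWrite       = $denyWrite
        EffectiveState        = if ($blocked) { 'Blocked' } elseif ($readOnly) { 'ReadOnly' } else { 'Allowed' }
        PresentUsbStorage     = ($present -join '; ')
        CollectedAt           = (Get-Date).ToString('o')
    }
}

Test-UsbStorageBlocking | Format-List
```

An "Allowed" result is not by itself a finding: environments that enforce the block through Intune, an EDR agent, or Device Installation Restrictions will not populate these keys, so the console of that product is the evidence source there, and the physical device test in the procedure remains the deciding check.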
Where this control is tested