How to detect whether a user is using USB tethering?

Solution 1:

You can use Group Policy to prevent the installation of new network devices.

You'll find an option in Administrative Templates \ System \ Device Installation \ Device Installation Restrictions \ Prevent installation of devices using drivers that match these driver setup classes.

From its description:

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

Using policy settings here, you can either create a whitelist (which you seem to not want) or a blacklist, either of individual devices or entire classes of devices (such as network adapters). These take effect when a device is removed and reinserted, so it will not affect the NIC built into the machine, provided you don't apply the setting to devices that are already installed.

You will need to reference the list of device setup classes to find the class for network adapters, which is {4d36e972-e325-11ce-bfc1-08002be10318}. Add this class to the blacklist, and soon afterward, nobody will be able to use USB network adapters.

Solution 2:

There's several options:

  • On windows 7 you can control which USB devices can be connected. See this article for example.

  • You can monitor that the PC is connected to the network, for example by monitoring the status of the switch port the machine is connected to. (modern computers keep the NIC connected even when the machine is off, so shutting down the computer should not trigger an alarm). This can be done at low cost using free open source solutions (anyway you should have a monitoring in your network !)

EDIT in response to comment:
If the user add a wireless adapter, the metric of this new interface will be higher than the metric of the wired interface, so Windows will continue to use the wired interface. Since the user doesn't have administrative privileges he cannot overcome this.

  • You could use a proxy to access the Internet and force the proxy settings trough GPO. So if the machine is disconnected from the network and cannot access the proxy, it cannot access anything. This solution could be easy in a small network, but very difficult to implement in large network.

As pointed out by @Hangin on in quiet desperation in comment, there's always a cost. Your time costs money to the company, and you have to consider the actual cost of putting in place security vs the potential cost of the bad behavior.

Solution 3:

What type of antivirus you are using? In Kaspersky antivirus you can define trusted and local networks. So, you can configure your local network as trusted and prohibit any other networks. This works if computer is only used in office.

I have KSC and i can manage centralized all computer. KSC rule

Solution 4:

I think an option is to create, on the target machine, a script to monitor the PC network settings (eg: IP address and gateway) and to alert you (eg: via email) when something change.