
USB: Universal Security Breach or Uniquely Secured Bus? Assessing the Effectiveness of Windows 11 Group Policy at Controlling USB Device Installation for Budget-Constrained Security Teams

USB-based attacks have escalated dramatically, with 51% of malware attacks now targeting USB devices, nearly a six-fold increase since 2019 (Honeywell, 2024). Budget-constrained organizations often cannot afford commercial USB security solutions, leaving them dependent on native operating system controls whose effectiveness against modern attack vectors has remained largely unexamined.

This study evaluates three progressively granular Windows 11 Group Policy (GPO) configurations—class-based blocking, VID/PID allowlisting, and Device Instance ID allowlisting—against legitimate business peripherals and a Hak5 USB Rubber Ducky configured as a composite BadUSB device, using the Windows 11 v25H2 Security Baseline as the unmodified reference state.

Results show that each successive control tier closes gaps left by the previous one, with Device Instance ID allowlisting successfully blocking all Rubber Ducky spoofing attempts through structural properties of Windows device identifier construction that a spoofing device cannot replicate without prior knowledge of the target system’s hub and port topology.

This study contributes a tiered decision framework for selecting a minimum viable GPO configuration and the novel finding that Windows applies ASCII hexadecimal encoding to certain storage device serial numbers when constructing Device Instance IDs—a behavior with direct implications for allowlist design. Budget-constrained security teams can implement all three tiers using tools already present in Windows 11 Enterprise, without additional licensing costs or specialized hardware.
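The three tiers the abstract describes differ in which part of the Windows Device Instance ID they key on. As an added example (not code from the paper or from SANS), the parser below splits constructed Device Instance IDs into the VID/PID portion used by tier 2 and the instance portion used by tier 3, flags instance values that Windows derived from hub and port topology rather than from a device serial, and tests whether a storage serial appears in the ASCII-hexadecimal form the abstract reports. All vendor, product and serial values are constructed; the topology format `N&xxxxxxxx&N&port` reflects how Windows names devices lacking a usable serial and is the assumption the heuristic rests on.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows Device Instance ID layout: "<enumerator>\<device id>\<instance>".
# For USB-enumerated devices the device id is "VID_xxxx&PID_xxxx" (the
# tier-2 allowlist entry). The instance is either the serial the device
# reported or, when no usable serial exists, a value Windows derives from
# the parent hub and port (assumed form "6&1a2b3c4d&0&3"); that derivation
# is the topology dependence tier-3 allowlisting relies on.
_VIDPID = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})$")
_TOPOLOGY = re.compile(r"^\d+&[0-9A-Fa-f]{8}&\d+&(?P<port>\d+)$")


@dataclass
class ParsedInstanceId:
    instance_id: str                   # tier-3 allowlist entry, as Windows constructs it
    vidpid: Optional[str]              # tier-2 allowlist entry, e.g. r"USB\VID_0781&PID_5591"
    topology_bound: bool               # instance derived from hub/port, not a serial
    port: Optional[int]                # hub port number when topology_bound
    hex_decoded_serial: Optional[str]  # candidate plaintext if instance is ASCII-hex


def decode_hex_serial(inst: str) -> Optional[str]:
    """Heuristic: decode `inst` if it is even-length hex yielding printable ASCII.
    A genuine all-hex serial can decode to printable text by chance, so treat
    a hit as a reason to check which form Windows stored, not as proof."""
    if len(inst) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", inst):
        return None
    try:
        text = bytes.fromhex(inst).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def parse_instance_id(raw: str) -> ParsedInstanceId:
    parts = raw.strip().split("\\")
    if len(parts) != 3:
        raise ValueError(f"not a Device Instance ID: {raw!r}")
    enumerator, device, inst = parts
    vidpid = f"{enumerator}\\{device}" if _VIDPID.match(device) else None
    topo = _TOPOLOGY.match(inst)
    # USBSTOR instances carry a trailing "&<lun>" after the serial; strip it
    # before looking for the ASCII-hex serial form.
    serial_part = inst.rsplit("&", 1)[0] if enumerator.upper() == "USBSTOR" else inst
    return ParsedInstanceId(
        instance_id=raw.strip(),
        vidpid=vidpid,
        topology_bound=topo is not None,
        port=int(topo.group("port")) if topo else None,
        hex_decoded_serial=None if topo else decode_hex_serial(serial_part),
    )
```

Run against the output of `Get-PnpDevice -PresentOnly | Select-Object -ExpandProperty InstanceId`, the `hex_decoded_serial` field shows where an allowlist entry built from the serial printed on the device would fail to match the identifier Windows actually constructs.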

SANS-USB-Universal-Security-Breach-Uniquely-Secured-Bus-Assessing-Effectiveness-Windows-11-Group-Policy-Controlling-USB-Device-Installation-Budget-Constrained Security Teams-062226 (PDF, 1.27MB)

22 Jun 2026
By Kire Jacobson
All papers are copyrighted

No re-posting of papers is permitted
