How to detect whether a user is using USB tethering?

There are several options:

  • On Windows 7 you can control which USB devices can be connected. See this article for example.

  • You can monitor that the PC is connected to the network, for example by monitoring the status of the switch port the machine is connected to (modern computers keep the NIC connected even when the machine is off, so shutting down the computer should not trigger an alarm). This can be done at low cost using free open source solutions (you should have monitoring in your network anyway!)

EDIT in response to comment:
If the user adds a wireless adapter, the metric of this new interface will be higher than the metric of the wired interface, so Windows will continue to use the wired interface. Since the user doesn't have administrative privileges, he cannot overcome this.

  • You could use a proxy to access the Internet and force the proxy settings through GPO. So if the machine is disconnected from the network and cannot access the proxy, it cannot access anything. This solution could be easy in a small network, but very difficult to implement in a large network.

As pointed out by @Hangin on in quiet desperation in a comment, there's always a cost. Your time costs money to the company, and you have to consider the actual cost of putting in place security vs the potential cost of the bad behavior.


You can use Group Policy to prevent the installation of new network devices.

You'll find an option in Administrative Templates \ System \ Device Installation \ Device Installation Restrictions \ Prevent installation of devices using drivers that match these driver setup classes.

From its description:

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

Using policy settings here, you can either create a whitelist (which you seem to not want) or a blacklist, either of individual devices or entire classes of devices (such as network adapters). These take effect when a device is removed and reinserted, so it will not affect the NIC built into the machine, provided you don't apply the setting to devices that are already installed.

You will need to reference the list of device setup classes to find the class for network adapters, which is {4d36e972-e325-11ce-bfc1-08002be10318}. Add this class to the blacklist, and soon afterward, nobody will be able to use USB network adapters.


What type of antivirus are you using? In Kaspersky antivirus you can define trusted and local networks. So, you can configure your local network as trusted and prohibit any other networks. This works if the computer is only used in the office.

I have KSC and I can centrally manage all computers.

[Image: KSC rule]


I think an option is to create, on the target machine, a script to monitor the PC network settings (e.g. IP address and gateway) and to alert you (e.g. via email) when something changes.
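A sketch of the monitoring script this answer suggests, written for Windows PowerShell; it is an added example, not code from the answer's author. The baseline path, the event source name, the event ID and the choice of the Application event log instead of email are all assumptions.

```powershell
# Added example. Assumptions (not from the page): baseline path, event source
# name, event ID, and alerting through the Application event log.
$BaselinePath = 'C:\ProgramData\NetBaseline\baseline.xml'   # hypothetical path
$EventSource  = 'NetBaseline'                               # hypothetical source name

function Get-NetSnapshot {
    # One record per IP-enabled adapter, read through WMI.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Description = $_.Description
                MAC         = $_.MACAddress
                IP          = (@($_.IPAddress) | Sort-Object) -join ','
                Gateway     = (@($_.DefaultIPGateway) | Sort-Object) -join ','
            }
        }
}

function Compare-NetSnapshot($Baseline, $Current) {
    $findings = @()
    foreach ($c in $Current) {
        $b = $Baseline | Where-Object { $_.MAC -eq $c.MAC } | Select-Object -First 1
        if (-not $b) {
            # Adapter that did not exist at baseline time, e.g. a tethered phone.
            $findings += "New adapter: $($c.Description) [$($c.MAC)] IP=$($c.IP) GW=$($c.Gateway)"
        } elseif ($b.Gateway -ne $c.Gateway) {
            $findings += "Gateway changed on $($c.Description): '$($b.Gateway)' -> '$($c.Gateway)'"
        } elseif ($b.IP -ne $c.IP) {
            $findings += "IP changed on $($c.Description): '$($b.IP)' -> '$($c.IP)'"
        }
    }
    foreach ($b in $Baseline) {
        # Baseline adapter without IP now, e.g. the wired NIC was unplugged.
        if (-not ($Current | Where-Object { $_.MAC -eq $b.MAC })) {
            $findings += "Baseline adapter missing: $($b.Description) [$($b.MAC)]"
        }
    }
    $findings
}

$current = @(Get-NetSnapshot)
if (-not (Test-Path $BaselinePath)) {
    # First run on a known-good machine: record the baseline only.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Export-Clixml -Path $BaselinePath
} else {
    $baseline = @(Import-Clixml -Path $BaselinePath)
    $findings = @(Compare-NetSnapshot $baseline $current)
    if ($findings.Count -gt 0) {
        # The source must be registered once by an administrator (New-EventLog).
        Write-EventLog -LogName Application -Source $EventSource -EntryType Warning `
            -EventId 1001 -Message ($findings -join "`r`n")
    }
}
```

Run it on a schedule after taking the baseline on a known-good machine; where DHCP leases change often, the IP comparison will be noisy and the new-adapter and gateway checks are the useful signals.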


Never forget that the user can check porn directly on the user's cellphone via the LTE network, so no one will ever know it (and a new cell phone has got a big screen...) Why the user used the bridge on the computer intrigues me.

That brings about another important question... do you manage the cellphone with an enterprise rule?

An example from the BES administrator book:

Selecting this rule prevents the device from pairing with any computer other than the Apple Configurator host. This rule applies only to devices that are supervised using Apple Configurator.

or

Selecting this rule prevents users from using AirDrop to share data with other devices. This rule applies only to devices that are supervised using Apple Configurator.

And yes, controlling the USB is good, but that device can have important enterprise documents/emails on it and not controlling it is a security risk.

After that, if you control all cellphones, you can ask that no personal cell phone be present at the employee's desk/computer.

For any other case, I will say, like user DoktorJ, that if they try to bring a big setup to bypass your security, they will be at risk of being fired directly.