Recently a user unplugged their company PC from the network and used USB tethering with their Android phone to bypass the company network entirely and access the internet. I don't think I need to explain why this is bad. What would be the best way, from a zero-cost (i.e. open source, using scripting and group policy, etc.) and technical standpoint (i.e. HR has already been notified, I don't think that this is a symptom of some sort of deeper underlying corporate culture problem, etc.), to detect and/or prevent something like this from happening again? It would be nice to have a system-wide solution (e.g. by using group policy), but if that is not possible then doing something specific to this person's PC could also be an answer.
A few details: The PC is Windows 7 joined to an Active Directory domain, the user has ordinary user privileges (not administrator), there are no wireless capabilities on the PC, and disabling USB ports is not an option.
NOTE: Thank you for the great comments. I added some additional details.
I think that there are a lot of reasons why one would want to disallow tethering, but for my particular environment I can think of the following: (1) Anti-virus updates. We have a local anti-virus server that delivers updates to network connected computers. If you are not connected to the network you cannot receive the updates. (2) Software Updates. We have a WSUS server and review each update to approve/disallow. We also deliver updates to other commonly used software programs such as Adobe Reader and Flash via group policy. Computers cannot receive updates if they are not connected to the local network (updating from external update servers is not permitted). (3) Internet filtering. We filter out malicious and, uh, naughty(?) sites. By using a tether you can bypass the filter and access these sites and possibly compromise the security of your computer.
More background information: HR was notified already. The person in question is a high level person so it is a little bit tricky. "Making an example" of this employee, although tempting, would not be a good idea. Our filtering is not severe; I'm guessing that the person may have been looking at naughty sites although there is no direct evidence (cache was cleared). He says he was just charging his phone, but the PC was unplugged from the local network. I'm not looking to get this person in trouble, just possibly prevent something similar from happening again.
You can use Group Policy to prevent the installation of new network devices.
You'll find an option in Administrative Templates \ System \ Device Installation \ Device Installation Restrictions \ Prevent installation of devices using drivers that match these driver setup classes.
From its description:
Using policy settings here, you can either create a whitelist (which you seem to not want) or a blacklist, either of individual devices or entire classes of devices (such as network adapters). These take effect when a device is removed and reinserted, so it will not affect the NIC built into the machine, provided you don't apply the setting to devices that are already installed.
You will need to reference the list of device setup classes to find the class for network adapters, which is {4d36e972-e325-11ce-bfc1-08002be10318}. Add this class to the blacklist, and soon afterward, nobody will be able to use USB network adapters.

There are several options:
On Windows 7 you can control which USB devices can be connected. See this article for example.
You can monitor that the PC is connected to the network, for example by monitoring the status of the switch port the machine is connected to (modern computers keep the NIC connected even when the machine is off, so shutting down the computer should not trigger an alarm). This can be done at low cost using free open source solutions (anyway, you should have monitoring in your network!).
EDIT in response to comment:
If the user adds a wireless adapter, the metric of this new interface will be higher than the metric of the wired interface, so Windows will continue to use the wired interface. Since the user doesn't have administrative privileges he cannot overcome this.
As pointed out by @Hangin on in quiet desperation in a comment, there's always a cost. Your time costs the company money, and you have to weigh the actual cost of putting security in place against the potential cost of the bad behavior.
What type of antivirus are you using? In Kaspersky antivirus you can define trusted and local networks. So, you can configure your local network as trusted and prohibit any other networks. This works if the computer is only used in the office.
I have KSC and I can manage all computers centrally.
I think an option is to create, on the target machine, a script to monitor the PC network settings (e.g. IP address and gateway) and to alert you (e.g. via email) when something changes.
Never forget that the user can check porn directly on their cellphone via the LTE network, so no one will ever know (and a new cell phone has a big screen...). Why the user used the bridge on the computer intrigues me.
That brings up another important question: do you manage the cellphone with an enterprise rule?
An example from the BES administrator book:
or
And yes, controlling the USB is good, but that device can have important enterprise documents/emails on it, and not controlling it is a security risk.
After that, if you control all cellphones, you can ask that no personal cell phone be present at the employee's desk/computer.
For any other case, I will say, like user DoktorJ, that if they try to bring a big setup to bypass your security, they will be at risk of being fired directly.
For tethering
You can make Windows unable to find the RNDIS driver file c:\windows\inf\wceisvista.inf.
For your test, just rename the extension to ".inf_disable"; your OS will not be able to find appropriate drivers for tethering.
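The monitoring script suggested in this answer, written out as an added example (not code from the original answer): a PowerShell 2.0-compatible check for Windows 7 that flags a connected RNDIS-style adapter or a default gateway outside the corporate list, records the finding in the Application event log, and tries to mail it. The gateway list, SMTP relay, recipient and event source name are assumptions for illustration.

```powershell
# Added example, not from the original answer. Assumed values below; replace for your site.
$AllowedGateways = @('10.0.0.1')                 # assumed corporate default gateway(s)
$SmtpServer      = 'smtp.example.internal'       # assumed internal mail relay
$MailTo          = 'itsec@example.internal'      # assumed recipient
$MailFrom        = "$env:COMPUTERNAME@example.internal"
$Source          = 'TetherWatch'                 # assumed event log source name

$findings = @()

# 1. Any connected adapter whose name looks like a phone tether (RNDIS / Remote NDIS).
#    Win32_NetworkAdapter.NetConnectionStatus 2 = Connected.
Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionStatus -eq 2 -and $_.Name -match 'RNDIS|Remote NDIS' } |
    ForEach-Object { $findings += "Tethering-style adapter connected: $($_.Name)" }

# 2. Any IP-enabled adapter whose default gateway is not one of the corporate gateways.
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DefaultIPGateway } |
    ForEach-Object {
        foreach ($gw in $_.DefaultIPGateway) {
            if ($AllowedGateways -notcontains $gw) {
                $findings += "Non-corporate gateway $gw on $($_.Description)"
            }
        }
    }

if ($findings.Count -gt 0) {
    $body = $findings -join "`r`n"

    # The event log entry persists even if the user clears the browser cache,
    # and can be collected centrally. Registering the source needs admin rights,
    # so run this from a scheduled task as SYSTEM.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EntryType Warning `
        -EventId 4001 -Message $body

    # Mail only gets out while the corporate NIC is still up; the event log is the fallback.
    try {
        Send-MailMessage -SmtpServer $SmtpServer -To $MailTo -From $MailFrom `
            -Subject "Network change on $env:COMPUTERNAME" -Body $body
    } catch { }
}
```

Schedule it to run as SYSTEM every few minutes (or on a network profile change event) so the user's ordinary account cannot stop it.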