Methods to bypass Windows security policy: All Removable Storage Classes – Deny All Access

Çağlar Arlı

My partner recently got given a work laptop, and if you try to plug in a USB mass storage device you get an error saying it is not allowed. Without having administrator access, I assume this is via the group policy All Removable Storage Classes - Deny All Access.

This got me thinking about how to bypass this. Just to clarify, neither of us is interested in bypassing it on the specific work laptop; this is just me thinking about techniques to bypass the GPO in general as an academic exercise. I know there are other methods to transfer files to/from a system that uses this policy, so the question is not about how to transfer files in general; it is specifically about defeating this particular group policy.

My understanding is that the Windows USB host controller constantly scans USB ports to see if something is plugged in. When this happens, it passes a request to the device driver to scan the bus and sends a request to the device to identify itself. The USB device has some sort of information about itself (vendor ID, product ID, version, device type, maybe some other things?) that it passes on to the device driver, thereby identifying itself as a mass storage device, HID, printer, etc.

So the GPO looks for a device which declares itself as a mass storage device and says "you can't access this". Using the work laptop as a case study, you can still plug in webcams, HID devices, or a phone (to charge, but not as a mass storage device).

This got me thinking:

  • is there a way to alter how a device declares itself to the operating system (and how)?
  • if so, is there a way to leverage some sort of protocol to then talk to it to allow the transfer of files (and what protocols/how)?

Or am I overthinking this and there is a much simpler approach I am overlooking?

EDIT: Just to clarify the last point about alternate approaches: I am looking for possible alternate ideas with regard to using a USB device. Privesc techniques, setting up a simple HTTP server, etc. are outside the scope of what I'm after.
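An added example, not part of the original post, from the administrator's side of the question: the policy described above is delivered as registry values under the RemovableStorageDevices policy key, and what it acts on is the Windows device class the PnP manager assigned after enumeration, not the raw descriptor bytes the device sent. The script below reports those policy values (Deny_All at the root for "All Removable Storage classes: Deny all access", and Deny_Read/Deny_Write/Deny_Execute in GUID-named per-class subkeys) and lists the USB devices currently present together with the class Windows gave them, so the effect of the policy can be verified against the devices the question mentions (webcams and HID devices stay usable, storage is denied). It assumes Windows 8 / Server 2012 or later with the built-in PnpDevice module; the two-entry GUID-to-name table is a convenience for the most common classes, and any other subkeys are printed by GUID.

```powershell
# Added audit script (not from the original post): shows the state of the
# "Removable Storage Access" policy on this machine and the PnP class Windows
# assigned to each USB device that is currently present.
# Assumes Windows 8 / Server 2012 or later (Get-PnpDevice) and PowerShell 5.1+.

# Policy roots written by the GPO: machine scope and user scope.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
)

# Well-known per-class subkey names; other subkeys are reported by GUID.
$knownClasses = @{
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
}

function Get-RemovableStoragePolicy {
    foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) {
            [pscustomobject]@{ Scope = $root; Class = '(none)'; Setting = 'policy key absent' }
            continue
        }
        # "All Removable Storage classes: Deny all access" sets Deny_All=1 at the root.
        $denyAll = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).Deny_All
        [pscustomobject]@{ Scope = $root; Class = 'All classes'; Setting = "Deny_All=$denyAll" }

        # Per-class policies live in GUID-named subkeys with Deny_Read/Deny_Write/Deny_Execute.
        foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $sub.PSPath
            $name = if ($knownClasses.ContainsKey($sub.PSChildName)) {
                $knownClasses[$sub.PSChildName]
            } else {
                $sub.PSChildName
            }
            [pscustomobject]@{
                Scope   = $root
                Class   = $name
                Setting = "Deny_Read=$($p.Deny_Read) Deny_Write=$($p.Deny_Write) Deny_Execute=$($p.Deny_Execute)"
            }
        }
    }
}

function Get-PresentUsbDevices {
    # USB instance IDs carry the reported vendor/product IDs (USB\VID_xxxx&PID_xxxx\...);
    # the Class column is the setup class the PnP manager assigned from the descriptors.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object Class, FriendlyName, Status, InstanceId |
        Sort-Object Class
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
Get-PresentUsbDevices | Format-Table -AutoSize
```

Run it in an ordinary (non-elevated) PowerShell session on the affected machine: reading these policy keys and enumerating present devices does not require administrator rights. A device that shows up with Class "DiskDrive" or under USBSTOR\ while Deny_All=1 is what produces the "not allowed" error in the question, whereas the webcam (Class "Image" or "Camera") and keyboards/mice (Class "HIDClass") are outside the policy's scope.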