Unexpected USB drive activity

The Network: Midwest US banking institution, hundreds of servers and thousands of workstations

The Expectation: All USB storage devices are disabled across all machines by Group Policy

The Catch: EventTracker USB insert/remove feature of its Windows Sensor was enabled. Within a few days of installation, a routine report on USB activity, which was expected to be empty indicated that two machines showed staff inserting USB sticks and copying data to them.

The Find: Seems the two machines had somehow not processed the Group Policy, leaving a gap in coverage.

The Fix: Force GPO processing on the machines

The Lesson: Trust in Allah but tie up your camel.