Detecting and Preventing USB Tethering Bypass on Windows Domain PCs: Technical Solutions with PowerShell and Group Policy


1 views

When a domain-joined Windows 7 PC suddenly appears to have internet access while disconnected from the corporate network, USB tethering is often the culprit. This creates serious security gaps in managed environments where network-level controls are intentionally bypassed.

Here are several approaches to detect USB tethering, starting with the most effective:

1. Network Interface Monitoring

USB tethering creates distinct network interfaces that can be detected via WMI:

Get-WmiObject Win32_NetworkAdapter | Where-Object { 
    $_.NetConnectionID -like "*Mobile*" -or 
    $_.Name -like "*RNDIS*" -or 
    $_.Name -like "*Remote NDIS*" 
} | Select-Object Name, NetConnectionID

2. DHCP Lease Checking

Tethering connections often use specific DHCP patterns:

ipconfig /all | findstr "192.168.42. 192.168.43. 192.168.44."

3. Route Table Analysis

Tethered devices often create specific routing entries:

route print | findstr "0.0.0.0.*192.168"

Implement these GPO settings to make tethering difficult:

1. Disable RNDIS Driver Installation

Computer Configuration > Policies > Administrative Templates > System > Device Installation > Device Installation Restrictions
Add Hardware IDs to prevent: USB\Class_ff&SubClass_ff&Prot_ff

2. Network Authentication Requirements

Computer Configuration > Policies > Windows Settings > Security Settings > Network List Manager Policies
Set "All Networks" to "User cannot change location"

3. Firewall Rules for Tethered Subnets

netsh advfirewall firewall add rule name="Block Tethering Subnets" dir=out remoteip=192.168.42.0/24,192.168.43.0/24 action=block

Create a scheduled task that runs this PowerShell script hourly:

$tetherDetected = $false
$adapters = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match "Remote NDIS" }

if ($adapters) {
    $tetherDetected = $true
    $logEntry = "$(Get-Date) - Tethering detected on $env:COMPUTERNAME by $env:USERNAME"
    Add-Content -Path "\\fileserver\logs\tethering.log" -Value $logEntry
    Start-Process -FilePath "msg" -ArgumentList "*", "Corporate network access required for security updates" -Wait
}

return $tetherDetected

Implement 802.1X authentication for all network interfaces, including USB:

Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection > 
NAP Client Configuration > Enforcement Clients > Configure DHCP Quarantine Enforcement Client

Besides the obvious security implications, uncontrolled tethering creates:

  • Patch management blind spots (WSUS/AV updates fail)
  • Compliance violations (unfiltered web access)
  • Network performance issues (bypassing QoS policies)
  • Shadow IT proliferation

When users circumvent corporate network security by establishing USB tethering connections through mobile devices, multiple security controls become ineffective. The immediate impacts include:

  • Bypassed content filtering systems
  • Skipped patch management through WSUS
  • Disabled antivirus definition updates
  • Potential data exfiltration risks

The most reliable detection method involves monitoring network interface characteristics. USB tethering typically creates specific interface patterns we can query through WMI:

# PowerShell detection script for USB tethering interfaces
$tetheringIndicators = Get-WmiObject -Class Win32_NetworkAdapter | Where-Object {
    $_.Name -match "Remote NDIS" -or 
    $_.Name -match "RNDIS" -or
    $_.PNPDeviceID -match "USB\\"
} | Select-Object Name, NetConnectionID, PNPDeviceID

if ($tetheringIndicators) {
    # Log event to Windows Event Log
    Write-EventLog -LogName "Application" -Source "Network Security" 
        -EntryType Warning -EventId 501 
        -Message "Potential USB tethering detected: $($tetheringIndicators | Out-String)"
}

For domain-joined Windows 7 systems, implement these GPO settings:

# ADMX policy settings to configure:
1. Computer Configuration → Policies → Administrative Templates → Network → Windows Connection Manager:
   - Prohibit connection to non-domain networks: Enabled
2. Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options:
   - Network security: Restrict NTLM: Outgoing NTLM traffic: Deny all
3. Computer Configuration → Preferences → Windows Settings → Registry:
   - Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
   - Value: DisableIPSourceRouting (REG_DWORD): 2

Create a scheduled task that runs every 5 minutes to check for unauthorized network connections:

# Create monitoring scheduled task
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" 
    -Argument "-WindowStyle Hidden -File C:\Scripts\NetworkMonitor.ps1"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) 
    -RepetitionInterval (New-TimeSpan -Minutes 5)
Register-ScheduledTask -TaskName "Network Security Monitor" 
    -Action $action -Trigger $trigger -RunLevel Highest -Force

For environments where USB drivers can't be modified, consider these supplementary approaches:

Method Implementation Accuracy
DNS leak detection Compare resolved IPs against corporate DNS High
Network latency profiling Measure ping times to internal resources Medium
Route analysis Check for unexpected default gateways High

For comprehensive protection across all domain-joined systems:

  1. Implement Network Access Protection (NAP) with health policies
  2. Configure DHCP snooping to detect rogue network connections
  3. Deploy 802.1X authentication for all network ports
  4. Enable Windows Firewall logging for outbound connections

The complete detection script package including installation instructions can be found on our internal IT security share at \\fileserver\IT\SecurityTools\NetworkMonitoring