SEC536: Adversarial AI - Penetration Testing AI Systems


USB-based attacks have escalated dramatically, with 51% of malware attacks now targeting USB devices, nearly a six-fold increase since 2019 (Honeywell, 2024). Budget-constrained organizations often cannot afford commercial USB security solutions, leaving them dependent on native operating system controls whose effectiveness against modern attack vectors has remained largely unexamined.
This study evaluates three progressively granular Windows 11 Group Policy (GPO) configurations—class-based blocking, VID/PID allowlisting, and Device Instance ID allowlisting—against legitimate business peripherals and a Hak5 USB Rubber Ducky configured as a composite BadUSB device, using the Windows 11 v25H2 Security Baseline as the unmodified reference state.
Results show that each successive control tier closes gaps left by the previous one, with Device Instance ID allowlisting successfully blocking all Rubber Ducky spoofing attempts through structural properties of Windows device identifier construction that a spoofing device cannot replicate without prior knowledge of the target system’s hub and port topology.
This study contributes a tiered decision framework for selecting a minimum viable GPO configuration and the novel finding that Windows applies ASCII hexadecimal encoding to certain storage device serial numbers when constructing Device Instance IDs—a behavior with direct implications for allowlist design. Budget-constrained security teams can implement all three tiers using tools already present in Windows 11 Enterprise, without additional licensing costs or specialized hardware.
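The three control tiers the abstract compares can be modelled as a small policy evaluator. The following Python is an added illustration, not code from the study or from Microsoft: it models class-based blocking, VID/PID allowlisting and Device Instance ID allowlisting over a constructed device inventory, and shows why a composite device that copies a legitimate keyboard's VID/PID still fails the instance-ID tier (its hub/port-derived instance path differs). The shape of the USBSTOR instance ID, the hex-encoding helper, the vendor/product values and the serial numbers are all assumptions or constructed sample data; the hex form simply takes the uppercase hex of the serial's ASCII bytes, which is one reading of the abstract's finding, and the exact trigger condition Windows uses is not modelled.

```python
"""Illustrative model of three Windows device-installation policy tiers.

Added example only: this is not the Windows PnP manager and not the study's
code. All device records and policy values below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    name: str
    setup_class: str   # device setup class name, e.g. "Keyboard" or "DiskDrive"
    hardware_id: str   # vendor/product pair, e.g. "USB\\VID_1234&PID_5678"
    instance_id: str   # the Device Instance ID as Windows would report it


def hex_encode_serial(serial: str) -> str:
    """ASSUMPTION: model the ASCII-hex form as uppercase hex of the ASCII bytes."""
    return serial.encode("ascii").hex().upper()


def storage_instance_id(vendor: str, product: str, rev: str, serial: str) -> str:
    """ASSUMPTION: model the USBSTOR instance ID as
    USBSTOR\\DISK&VEN_<v>&PROD_<p>&REV_<r>\\<encoded serial>&0, carrying the
    serial in the hex-encoded form rather than as printed on the label."""
    return (f"USBSTOR\\DISK&VEN_{vendor}&PROD_{product}&REV_{rev}"
            f"\\{hex_encode_serial(serial)}&0")


def passes_tier1(dev: UsbDevice, denied_classes: set[str]) -> bool:
    """Tier 1: class-based blocking. Coarse: it also blocks approved devices
    of the denied class and does nothing against a device of another class."""
    return dev.setup_class not in denied_classes


def passes_tier2(dev: UsbDevice, allowed_hardware_ids: set[str]) -> bool:
    """Tier 2: VID/PID allowlist. Anything presenting an allowed pair passes."""
    return dev.hardware_id.upper() in {h.upper() for h in allowed_hardware_ids}


def passes_tier3(dev: UsbDevice, allowed_instance_ids: set[str]) -> bool:
    """Tier 3: Device Instance ID allowlist. The ID embeds the hub/port-derived
    path (or encoded serial), so copying VID/PID alone is not enough."""
    return dev.instance_id.upper() in {i.upper() for i in allowed_instance_ids}


def evaluate(dev: UsbDevice, policy: dict) -> dict[str, bool]:
    """Return, per tier, whether the device would be allowed to install."""
    return {
        "tier1_class_block": passes_tier1(dev, policy["denied_classes"]),
        "tier2_vidpid_allow": passes_tier2(dev, policy["allowed_hardware_ids"]),
        "tier3_instance_allow": passes_tier3(dev, policy["allowed_instance_ids"]),
    }


# Constructed sample inventory (VID/PID and instance paths are placeholders).
LEGIT_KEYBOARD = UsbDevice(
    "Corporate keyboard", "Keyboard",
    "USB\\VID_1234&PID_5678", "USB\\VID_1234&PID_5678\\6&1A2B3C4D&0&2")
LEGIT_DISK = UsbDevice(
    "Approved USB key", "DiskDrive",
    "USB\\VID_1234&PID_9ABC",
    storage_instance_id("CONSTR", "USBKEY", "1.00", "SN-0001"))
# A composite device presenting the keyboard's VID/PID from a different port.
SPOOFED_HID = UsbDevice(
    "Composite device copying keyboard VID/PID", "Keyboard",
    "USB\\VID_1234&PID_5678", "USB\\VID_1234&PID_5678\\7&2F3E4D5C&0&4")

POLICY = {
    "denied_classes": {"DiskDrive"},
    "allowed_hardware_ids": {LEGIT_KEYBOARD.hardware_id, LEGIT_DISK.hardware_id},
    "allowed_instance_ids": {LEGIT_KEYBOARD.instance_id, LEGIT_DISK.instance_id},
}

# Allowlist design pitfall: an entry built from the label serial never matches
# the hex-encoded instance ID Windows actually reports for that storage device.
NAIVE_DISK_ENTRY = "USBSTOR\\DISK&VEN_CONSTR&PROD_USBKEY&REV_1.00\\SN-0001&0"


def naive_entry_matches_disk() -> bool:
    return passes_tier3(LEGIT_DISK, {NAIVE_DISK_ENTRY})


if __name__ == "__main__":
    for dev in (LEGIT_KEYBOARD, LEGIT_DISK, SPOOFED_HID):
        print(f"{dev.name}: {evaluate(dev, POLICY)}")
    print("label-serial allowlist entry matches disk:", naive_entry_matches_disk())
```

Running the block prints one line per device: the spoofed composite device passes the class and VID/PID tiers and is stopped only by the instance-ID tier, while the approved USB key is caught by the coarse class block but passes both allowlist tiers. The final line shows that an instance-ID allowlist entry written from the printed serial does not match, which is the practical consequence of the encoding finding: build entries from the IDs Windows reports, not from the label.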