USB ports are a fact of life in modern IT--which means they are also a headache for every IT manager.\u201cYou\u2019ve got to live with USB ports, and you\u2019ve got to secure them,\u201d says Ari Tammam, VP of alliances at Promisec, a maker of endpoint control software. \u201cI don\u2019t think you can get away with blocking them for everyone.\u201dThe USB port control native to Windows XP and Windows Server 2003 is extremely limited. You can disable ports or render them read-only, but finer control over allowed devices or file types is lacking.\u00a0 However, there are a number of third-party applications that give you control over your USB ports with varying degrees of granularity.One of the features of the USB hardware specification is that each device tells the system what kind of device it is as part of the connection process. Some manufacturers take advantage of this to let you block specific kinds of devices on specific ports. For instance, you might opt to allow a USB mouse on any port, but never allow thumb drives. But remember, the principle of least privilege applies with a vengeance to USB ports. Generally, the question shouldn\u2019t be \u201cwhat do you want to block?\u201d; it\u2019s \u201cwhat do you want to allow?\u201d Some manufacturers go much further with the controls they allow, and let you require \u201ca specific device with a specific serial number linked to a specific user\u201d to use a particular port, says Gil Sever, CEO of the endpoint security tools manufacturer Safend. You might also mark certain devices as read-only or specify which kinds of files can be read and written through a given USB port. This helps prevent two security risks: someone loading rogue programs into the system through the port, or someone taking out unauthorized kinds of data. For example, a user may be authorized to download Excel (.xls) or Word (.doc) files, but not database files.Some products also block USB ports at the OS level--that is, they become part of the connection process and won\u2019t allow specific kinds of devices to connect on any port on the network. Others will only allow certain specific devices while blocking other devices of that class. Thus the user can download files to, say, the disk drive in her laptop, but to no other USB disk drive. Alternately, you could set things up such that only a thumb drive encrypted with corporate-approved encryption and registered to a specific user could be allowed. When shopping for a USB protector, the major things to look for are ease of management and granularity. Because a typical network will have thousands of USB ports, you probably want to be able to manage all of them in a single central location. Ideally, you\u2019ll want something that allows you to manage the ports on a Windows network through the group policy feature or something equally seamless. A few products have the ability to manage the ports on all the networks in the enterprise rather than having to manage each network separately.Of course USB port control isn\u2019t the be-all and end-all of security, nor can you absolutely guarantee that data can\u2019t be leaked out USB ports. But then that\u2019s true of any other endpoint in the network as well. The point is to do what you can to mitigate the risks of these pesky but oftentimes useful devices.Rick Cook is a freelance writer based in Phoenix.