Endpoint Security: How to Control USB Devices

USB ports are a fact of life in modern IT–which means they are also a headache for every IT manager.

“You’ve got to live with USB ports, and you’ve got to secure them,” says Ari Tammam, VP of alliances at Promisec, a maker of endpoint control software. “I don’t think you can get away with blocking them for everyone.”

The USB port control native to Windows XP and Windows Server 2003 is extremely limited. You can disable ports or render them read-only, but finer control over allowed devices or file types is lacking.  However, there are a number of third-party applications that give you control over your USB ports with varying degrees of granularity.

One of the features of the USB hardware specification is that each device tells the system what kind of device it is as part of the connection process. Some manufacturers take advantage of this to let you block specific kinds of devices on specific ports. For instance, you might opt to allow a USB mouse on any port, but never allow thumb drives. But remember, the principle of least privilege applies with a vengeance to USB ports. Generally, the question shouldn’t be “what do you want to block?”; it’s “what do you want to allow?”

Some manufacturers go much further with the controls they allow, and let you require “a specific device with a specific serial number linked to a specific user” to use a particular port, says Gil Sever, CEO of the endpoint security tools manufacturer Safend. You might also mark certain devices as read-only or specify which kinds of files can be read and written through a given USB port. This helps prevent two security risks: someone loading rogue programs into the system through the port, or someone taking out unauthorized kinds of data. For example, a user may be authorized to download Excel (.xls) or Word (.doc) files, but not database files.

Some products also block USB ports at the OS level–that is, they become part of the connection process and won’t allow specific kinds of devices to connect on any port on the network. Others will only allow certain specific devices while blocking other devices of that class. Thus the user can download files to, say, the disk drive in her laptop, but to no other USB disk drive. Alternately, you could set things up such that only a thumb drive encrypted with corporate-approved encryption and registered to a specific user could be allowed.

When shopping for a USB protector, the major things to look for are ease of management and granularity. Because a typical network will have thousands of USB ports, you probably want to be able to manage all of them in a single central location. Ideally, you’ll want something that allows you to manage the ports on a Windows network through the group policy feature or something equally seamless. A few products have the ability to manage the ports on all the networks in the enterprise rather than having to manage each network separately.

Of course USB port control isn’t the be-all and end-all of security, nor can you absolutely guarantee that data can’t be leaked out USB ports. But then that’s true of any other endpoint in the network as well. The point is to do what you can to mitigate the risks of these pesky but oftentimes useful devices.

Rick Cook is a freelance writer based in Phoenix.