blocking the use of USB ports

billybob01

We have just been instructed to block the usage of USB ports on our workstations, but due to the fact that we have usb keyboards and mouses, we need to keep 2 open, any clues?

vCole

billybob01 wrote: »

We have just been instructed to block the usage of USB ports on our workstations, but due to the fact that we have usb keyboards and mouses, we need to keep 2 open, any clues?

You can block the use of USB ports for removable media (assuming this is the main issue) with GPO: Disable USB Disks with GPO

azjag

I read in one of the Article on Microsoft Website which tells you How to Disable Storage Devices.All you need to do is changes in Registry key would disable the device,but before changing any keys in registry read this note

"Warning : Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. If a USB storage device is already installed on the computer" set the Start value in the following registry key to 4:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

When you do so, the USB storage device does not work when the user connects the device to the computer.

To set the Start value, follow these

steps:1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

4. In the right pane, double-click Start.
5. In the Value data box, type 4, click Hexadecimal (if it is not already
selected), and then click OK.
6. Quit Registry Editor.

Let me know How it worked for you.

pizzaboy

Some corporate antivirus products have this functionality as well. You can check to see if yours has that capability.

RobertKaucher

Liquid Nails?

gunbunnysoulja

You don't want to leave 2 open because that doesn't actually prevent USB usage as those devices could simply be unplugged temporarily. Go with vCole's method. The DoD restricts USB ports for removable media and CAC readers, keyboards, mice, etc. work fine.

JDMurray

As an alternative: Leave all the USB ports accessible and install a host agent to log all USB port usage and report it back to a central server. In this way, you will find out how information and Malware is infiltrated/exfiltrated from your organization. Use a product like BlueCoat to monitor all Web activity to find out the same. Block all sites that support file transfer using SSL/SSH (Gmail, DropBox, etc.). In fact, block all file uploading sites because stenography tools can be used to store data in still-images and video. Monitor all printer usage to discover what's walking out your doors as hardcopy. Disallow cell phones with digital cameras. No, better yet, no cell phone allowed at all. Install a video surveillance system at each workstation to monitor when people copy information from their screen using pen and paper. Listen in on all phone conversations and read all internal IMs, as information leaks out that way too. Document everything as policy and SOPs. Watch the color drain out of the faces of your CxO's when you tell them it's all necessary for "compliance."

Job security for security people! Woo-hoo!