How to Lockdown USB Ports

It is often said that an organization’s own employees pose the gravest threat to its cybersecurity and are therefore its weakest link. The fact that these employees also have access to USB drives doesn’t help their case.

It therefore makes sense for businesses to learn how to lock down USB ports to protect their digital assets, as we shall see in this post.

Why Do We Lock Down USB Ports?

There are many reasons why a business would need to lock down USB ports on its network:

  • Infected portable devices: Open USB ports are a clear invitation for trouble. Employees can plug in infected USB devices whose malware can then propagate and bring the entire network to a halt, if not to its knees.
  • Booby-trapped USB drives: These are drives that carry executable programs that run as soon as they are plugged into USB ports. Once executed, the programs take control of keyboards, drives, and software, and spread to other devices over the network.
  • Infected or programmed charging cables: Then we have mobile charging cables, which are often plugged into corporate computers as employees go about their busy days. Not many people know that this is risky behavior: the system can be hacked into with a device known as a USBsamurai (an easy-to-create hacking tool that lets hackers record keystrokes) or with a printed circuit board (PCB) with an embedded WiFi chip that lets hackers connect to a computer via its USB port, remotely manipulate the cursor, and steal information from it.
  • Data theft or loss: Disgruntled employees could try to hurt a business by stealing sensitive data or intellectual property, and they often use USB flash drives to get the data out of the business. Alternatively, an employee might lose a flash drive onto which they had copied sensitive data. Either could lead to a huge breach and loss of data.
  • Time wasted on business hours: Employees might log into a corporate computer (which is on the corporate network), plug in their USB drives, and proceed to work on their hobbies or side hustles on company time. This results in lost productivity due to fewer man-hours.
  • Cryptojacking: Cryptocurrency miners break into networks and computers to hijack their resources for mining. The initial breach of the network can begin when an unsuspecting employee plugs an infected USB drive into their corporate computer. As an example, BitCoinMiner, one of the popular malicious crypto miners, spreads via files, messages, emails, and USB devices.

As you can see, a simple USB device could wreak havoc on a network and a business. These are some of the reasons you need to lock down USB ports on corporate networks.

Ways to Lock Down USB Ports

There are several ways of disabling USB ports on all devices that are on a business network. Here are a few of them:

Editing the registry

You can alter the registry value for the USB Mass Storage driver (USBSTOR) to prevent USB storage devices from being accessed by following these steps:

  • Open the Windows Run dialog, type regedit, and press Enter to open the Windows Registry Editor.
  • Now navigate to the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

  • In the right pane, double-click the Start DWORD value and change its value from 3 to 4. If you can’t find the Start DWORD, you can create a new one.
  • Exit the Registry Editor and plug in a USB storage device to check that the lockdown worked; if done correctly, you won’t be able to access the device.

Edit registry to disable USB

Disabling USB ports from Device Manager

Disabling the USB ports through the Device Manager is also pretty straightforward:

  • Right-click on the Start menu and click on Device Manager.
  • When the window appears, expand the Universal Serial Bus controllers entry, the last option on the list.
  • Next, find and right-click USB Mass Storage Drivers.
  • You can then choose Disable device to prevent any access to mass storage devices.
  • You can also choose Uninstall device for the USB drive; this will stop Windows from recognizing any USB device users may plug in.

Lock USB ports - disable device

Disabling USB Storage using the Group Policy Editor (GPE)

You can disable access to USB storage devices with the help of the Group Policy Editor. Here’s how:

  • Go to the Run dialog, type gpedit.msc, and press Enter.
  • Next, in the left pane navigate to Computer Configuration -> Administrative Templates -> System -> Removable Storage Access.
  • Clicking on Removable Storage Access opens new options in the right pane.
  • Search for, and click on, the options that say Removable Disks: Deny execute access, Removable Disks: Deny read access, and Removable Disks: Deny write access.

Group Policy Editor - disable USB

  • Click on each one of them to configure them.
  • A window with the name of the option appears; on the left there will be three options: Not Configured, Enabled, and Disabled.
  • Click on Enabled to disable USB read, write, and execute accesses.

Enable and disable USB access

  • If you want to enable them again, simply go back in and choose Not Configured or Disabled to revert to the old status.

Using Command-line

You can also use the command line to edit the registry and enable or disable USB storage. Both commands change the Start value of the USBSTOR service you saw in the registry method (3 loads the driver on demand, 4 disables it), so run them from an elevated (Administrator) Command Prompt.

The commands:

  • To enable, type:

reg add HKLM\System\CurrentControlSet\Services\USBSTOR /t REG_DWORD /v "Start" /d 3 /f

  • To disable, type:

reg add HKLM\System\CurrentControlSet\Services\USBSTOR /t REG_DWORD /v "Start" /d 4 /f

Lock USB ports - command line registry editing

Note: you only need to use one of the methods we have seen above. Although you can go ahead and use them all, it would be overkill.
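As an added example that is not part of the original post, the following PowerShell script audits and toggles the two registry-backed controls described above: the USBSTOR Start value that the regedit and reg add methods change, and the Removable Disks deny values that the Group Policy Editor settings write. The function and variable names are my own; run it from an elevated PowerShell session.

```powershell
# Added example, not from the original article. Audits and toggles the two
# registry-backed USB storage controls this post describes. Run as Administrator.
# Function names and the $UsbStorKey/$PolicyKey variable names are my own.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Key where the "Removable Disks: Deny read/write/execute access" policies are
# stored; the GUID is the Removable Disks device class used by those settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbStorageLockdownState {
    # Start = 3 loads the USBSTOR driver on demand (storage allowed);
    # Start = 4 disables the driver, matching the regedit steps above.
    $start  = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UsbStorStart   = $start
        DriverDisabled = ($start -eq 4)
        DenyRead       = [bool]$policy.Deny_Read
        DenyWrite      = [bool]$policy.Deny_Write
        DenyExecute    = [bool]$policy.Deny_Execute
    }
}

function Set-UsbStorageDriver {
    param([Parameter(Mandatory)][ValidateSet('Disable', 'Enable')][string]$Action)
    # The same change the reg add commands make; takes effect on the next plug-in.
    $value = if ($Action -eq 'Disable') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    Get-UsbStorageLockdownState
}

function Set-RemovableDiskPolicy {
    param([Parameter(Mandatory)][bool]$Deny)
    # Writes the three values the Group Policy Editor steps set to Enabled (1)
    # or clears them (0). Domain Group Policy will overwrite this on refresh.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value ([int]$Deny) -Type DWord
    }
    Get-UsbStorageLockdownState
}

# Audit first, then lock down. Set-UsbStorageDriver -Action Enable and
# Set-RemovableDiskPolicy -Deny $false revert the changes.
Get-UsbStorageLockdownState | Format-List
```

A drive that is already mounted keeps working until it is unplugged or the machine restarts, so verify the change by re-plugging a test drive, as the registry steps above describe.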

Using third-party software solutions

Finally, there is the option of using third-party software solutions, which allow you to control USB port access with an easy-to-use GUI.

Note: we recommend using a third-party software solution instead of locking down USB ports manually.

There are some great solutions out there and we will have a look at some of the best of them. But, first, let’s have a look at a few features that help us decide which tool is best to lock down USB ports:

  • Remote and central access: Administrators should be able to enable and disable USB ports from a central point.
  • Easy-to-use GUI: Administrators should be able to lock USB ports with ease, every time, without complications.
  • Small digital footprint: Running USB port lockdown commands on multiple computers shouldn’t bring the entire network to a halt.
  • Integration capability: The tool should run on any network configuration and any operating system.
  • Reversible processing: Locking USB ports should be reversible (with the right authority and authentication). “Breaking” the USB port access is not a solution.
  • Reasonable price: The price should be affordable, if not free.

With these features in mind, let’s go ahead and have a look at some of the best tools you can use to lock down USB ports.

The Best Tools to Lock Down USB Ports

Let’s have a look at four of the best tools you can use to lock down USB ports on a corporate network:

1. CoSoSys Endpoint Protector

CoSoSys Endpoint Protector - USB drives lock

CoSoSys Endpoint Protector is a leading data loss prevention (DLP) tool that, among its many features, includes the capability to lock down USB ports.

Key Features:

  • It offers remote monitoring of USB and peripheral ports from a simple web-based UI without affecting the performance of the endpoints themselves.
  • It can lock down, monitor, and manage devices with granular control based on their names, IP addresses, vendor IDs, product IDs, or serial numbers.
  • It is flexible and works on Windows, macOS, and Linux, with administrators able to set policies for clients running any of these operating systems.
  • Administrators can grant USB access remotely, even when computers are offline; the status is recorded in a log report for confirmation once they reconnect to the network.
  • They can uniquely identify any USB-connected devices on their network.
  • Apart from locking USB ports, they can also define which devices are allowed to be used – they can create device whitelists and blacklists – and even define policies per user, computer, or group depending on the business’ policy.

The CoSoSys solution protects against data leaks, theft, and exfiltration, minimizes the risk of insider threats, and helps companies comply with data protection regulations.

Try CoSoSys Endpoint Protector – request a demo for FREE.

2. Symantec Data Loss Prevention (DLP)

Symantec Data Loss Prevention (DLP) dashboard

Symantec Data Loss Prevention (DLP) is a solution that detects and prevents sensitive data from being copied from desktop or laptop endpoint devices.

Key Features:

  • The solution scans endpoints, network file shares, databases, and other data repositories for sensitive information to build complete visibility and control over a business’ information – be it at rest or in motion.
  • Administrators can use this tool to create a policy that prevents a keyword from being leaked. When a user tries to copy any files that contain the keyword to a USB drive, the action will be blocked by the DLP Agent.
  • They can also encrypt and apply digital rights to files that are transferred to USB drives; the tool provides a wide range of responses, including identity-based encryption and digital rights management (DRM) for such files.
  • Administrators can also create whitelists that allow only certain USB drives to be used on a device, meaning any other USB device will be locked out.
  • The solution alerts users to incidents using on-screen pop-ups or email notifications that explain the preventive actions taken.
  • Users can also be allowed to override policies by providing a business justification, or to cancel the action in cases of false positives.

Although this DLP is a complete data loss solution, it is the “Endpoint Prevent” tool that is dedicated to controlling the access of USB data.

Unfortunately, there are no trial versions of Symantec Data Loss Prevention (DLP).

3. Trellix (formerly McAfee DLP Endpoint)

Trellix (formerly McAfee DLP Endpoint) is another big player in the field, offering data loss prevention to protect a business’s data. It helps protect confidential information and comes with detailed automated reporting. McAfee Enterprise’s DLP Endpoint was rebranded to Trellix in 2021 after its acquisition by Symphony Technology Group (STG) and merger with FireEye. Trellix now focuses on advanced extended detection and response (XDR) solutions.

Key Features:

  • This solution works on almost any platform running popular operating systems like Windows, macOS, and OS X to detect and protect devices like USBs, flash drives, CD/DVDs, Apple iPods, and more. It even has enhanced virtualization support to protect remote desktops and VDI solutions.
  • It is centrally managed by a cloud-native management console that makes it easy to implement streamlined policy and incident management.
  • The solution also scans endpoints to discover the data that resides on them so the information can be used to mitigate risk, build an understanding of how data is used, or simply compile and inventory data.
  • Trellix has a unique tagging technology for identifying documents according to their origin. This helps prevent sensitive information from being copied from web applications, network applications, and network shares.
  • It supports plug-and-play and removable storage devices, which can be blocked or made read-only, and it can protect access to the files that reside on them.
  • This is a scalable and flexible enterprise solution with comprehensive device management: it can control and block confidential data based on device parameters such as product ID, vendor ID, serial number, device class, and device name, and it allows different policies, such as blocking or encrypting, to be enforced based on the content loaded onto the devices.

It runs in the background and can be installed in a minimum-resource environment to cover almost all possible leak areas including email messages, cloud uploads, as well as USB device use.

Try Trellix DLP Endpoint – request a demo for FREE.

4. Code 42 Incydr

Code 42 Incydr dashboard

With Code 42 Incydr we have a complete solution for visibility, context, and control – everything needed to stop data leaks and theft.

Key Features:

  • Incydr automatically identifies files that are being moved outside a trusted environment, allowing for easy detection of files being sent to personal accounts or unmanaged devices.
  • Its exfiltration detectors can even track files as they cross over into third-party office productivity solutions like Salesforce, Microsoft Office, and Gmail.
  • It has a collection of insightful, interactive dashboards dedicated to granular data sets, such as exposure and trends, that make plugging leaks easy and keep administrators in control at all times.
  • They are always in the know about exfiltration vectors in use thanks to 90-day historical visibility that gives them an understanding of file movement trends by exfiltration method. They can easily spot gaps in training and tools as they uncover and address employee workarounds, corporate policy violations, and improper file sharing.
  • Administrators can automate management workflows and get focused visibility into file activity for a set of targeted users who are more likely to put data at risk – like departing employees, for example.
  • This is the ideal DLP tool for businesses with campuses spread across various locations, because it detects and responds to threats in collaborative and remote enterprise setups in the shortest amount of time, without putting pressure on resources or diminishing UX at the endpoints.

The tool detects file exfiltration – be it via web browsers, USB, cloud apps, email, file link sharing, Airdrop, or other ways – and shows how files are being moved and shared – without the need for policies, proxies, or plugins.

Try Code 42 Incydr FREE for 14 days.

Lock Down USB Ports as Part of Network Security

Now you know how to lock down USB ports on your corporate network. This strategy will further enhance the security of your digital investments, and you should adopt it alongside the other network security strategies you need to implement.

We’d like to hear your thoughts – leave us a comment.
