Ask the Expert

How to secure USB ports on Windows machines

What characteristics should I look for in a "good" product to secure USB ports on Windows computers?

    Requires Free Membership to View

Removing or blocking a computer's USB ports isn't really practical as a security measure as so many peripherals now use them to connect. Another approach is to require users to only use encrypted USB flash drives. Such a restriction ensures data security if the drive is lost or stolen. It doesn't, however, control what data a user copies to or from the USB device. So, let's look at the features and characteristics that make a good USB security product. You can then judge for yourself which vendors have the products that match your requirements.

Your main goal when trying to secure USB ports is to control which devices can be used and what data can be read from or written to them. Therefore my wish list for a security product would have features that could do the following:

  • Control which USB devices are allowed to connect to the PC.
  • Control time and day when USB devices can be accessed.
  • Control who can read and write data via USB-connected devices.
  • Define which types of data can be accessed on a USB device.
  • Enforce encryption.
  • Detect and block malware such as keyloggers.
  • Manage policies and setting centrally.
  • Log USB activity.

Any products with the above feature set will provide comprehensive control over how a computer's USB ports are used. A good place to start would be DeviceLock Inc. Its main product allows administrators to centrally manage access to all types of devices and local ports on Windows computers. Using Microsoft Active Directory and Group Policy, administrators can control access to USB and other plug-and-play devices depending on the time of day and week. It can also ensure that only removable storage devices with approved encryption can be accessed and grant read or read-and-write permissions for certain groups of users. Its logging capabilities can capture full copies of files that are copied to removable devices, along with all port and device activity, such as uploads and downloads.

Certainly, for a large enterprise, the DeviceLock Enterprise Server will make it a lot easier to implement and manage USB security across a large number of users and computers. Other alternative products to compare to DeviceLock include Cryptzone AB's Simple Encryption Platform and the USB Data Theft Protection Tool for Windows Network from

As your enterprise uses Windows, you should consider an early upgrade to Windows 7, which has a great new feature, BitLocker To Go. This extends the data encryption features of Vista's BitLocker to removable storage devices like USB thumb drives. Group policy can be used to require strong passwords to access protected devices and enforce encryption for any removable storage device that users want to write data to. You can also disable the Windows AutoRun functionality to help prevent the execution of arbitrary code when a removable storage device is used.

This was first published in October 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: