Your main goal when trying to secure USB ports is to control which devices can be used and what data can be read from or written to them. Therefore my wish list for a security product would have features that could do the following:
- Control which USB devices are allowed to connect to the PC.
- Control time and day when USB devices can be accessed.
- Control who can read and write data via USB-connected devices.
- Define which types of data can be accessed on a USB device.
- Enforce encryption.
- Detect and block malware such as keyloggers.
- Manage policies and setting centrally.
- Log USB activity.
Any products with the above feature set will provide comprehensive control over how a computer's USB ports are used. A good place to start would be DeviceLock Inc. Its main product allows administrators to centrally manage access to all types of devices and local ports on Windows computers. Using Microsoft Active Directory and Group Policy, administrators can control access to USB and other plug-and-play devices depending on the time of day and week. It can also ensure that only removable storage devices with approved encryption can be accessed and grant read or read-and-write permissions for certain groups of users. Its logging capabilities can capture full copies of files that are copied to removable devices, along with all port and device activity, such as uploads and downloads.
Certainly, for a large enterprise, the DeviceLock Enterprise Server will make it a lot easier to implement and manage USB security across a large number of users and computers. Other alternative products to compare to DeviceLock include Cryptzone AB's Simple Encryption Platform and the USB Data Theft Protection Tool for Windows Network from monitorusb.com.
As your enterprise uses Windows, you should consider an early upgrade to Windows 7, which has a great new feature, BitLocker To Go. This extends the data encryption features of Vista's BitLocker to removable storage devices like USB thumb drives. Group policy can be used to require strong passwords to access protected devices and enforce encryption for any removable storage device that users want to write data to. You can also disable the Windows AutoRun functionality to help prevent the execution of arbitrary code when a removable storage device is used.
This was first published in October 2009