What characteristics should I look for in a "good" product to secure USB ports on Windows computers?
Removing or blocking a computer's USB ports isn't really practical as a security measure as so many peripherals now use them to connect. Another approach is to require users to only use encrypted USB flash drives. Such a restriction ensures data security if the drive is lost or stolen. It doesn't, however, control what data a user copies to or from the USB device. So, let's look at the features and characteristics that make a good USB security product. You can then judge for yourself which vendors have the products that match your requirements.
Your main goal when trying to secure USB ports is to control which devices can be used and what data can be read from or written to them. Therefore my wish list for a security product would have features that could do the following:
- Control which USB devices are allowed to connect to the PC.
- Control time and day when USB devices can be accessed.
- Control who can read and write data via USB-connected devices.
- Define which types of data can be accessed on a USB device.
- Enforce encryption.
- Detect and block malware such as keyloggers.
- Manage policies and setting centrally.
- Log USB activity.
Any products with the above feature set will provide comprehensive control over how a computer's USB ports are used. A good place to start would be DeviceLock Inc. Its main product allows administrators to centrally manage access to all types of devices and local ports on Windows computers. Using Microsoft Active Directory and Group Policy, administrators can control access to USB and other plug-and-play devices depending on the time of day and week. It can also ensure that only removable storage devices with approved encryption can be accessed and grant read or read-and-write permissions for certain groups of users. Its logging capabilities can capture full copies of files that are copied to removable devices, along with all port and device activity, such as uploads and downloads.
Certainly, for a large enterprise, the DeviceLock Enterprise Server will make it a lot easier to implement and manage USB security across a large number of users and computers. Other alternative products to compare to DeviceLock include Cryptzone AB's Simple Encryption Platform and the USB Data Theft Protection Tool for Windows Network from monitorusb.com.
As your enterprise uses Windows, you should consider an early upgrade to Windows 7, which has a great new feature, BitLocker To Go. This extends the data encryption features of Vista's BitLocker to removable storage devices like USB thumb drives. Group policy can be used to require strong passwords to access protected devices and enforce encryption for any removable storage device that users want to write data to. You can also disable the Windows AutoRun functionality to help prevent the execution of arbitrary code when a removable storage device is used.
Dig Deeper on Data loss prevention technology
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.