Manage Learn to apply best practices and optimize your operations.

How to secure USB ports on Windows machines

A readers asks expert Michael Cobb about which product can best secure USB ports.

What characteristics should I look for in a "good" product to secure USB ports on Windows computers?

Removing or blocking a computer's USB ports isn't really practical as a security measure as so many peripherals now use them to connect. Another approach is to require users to only use encrypted USB flash drives. Such a restriction ensures data security if the drive is lost or stolen. It doesn't, however, control what data a user copies to or from the USB device. So, let's look at the features and characteristics that make a good USB security product. You can then judge for yourself which vendors have the products that match your requirements.

Your main goal when trying to secure USB ports is to control which devices can be used and what data can be read from or written to them. Therefore my wish list for a security product would have features that could do the following:

  • Control which USB devices are allowed to connect to the PC.
  • Control time and day when USB devices can be accessed.
  • Control who can read and write data via USB-connected devices.
  • Define which types of data can be accessed on a USB device.
  • Enforce encryption.
  • Detect and block malware such as keyloggers.
  • Manage policies and setting centrally.
  • Log USB activity.

Any products with the above feature set will provide comprehensive control over how a computer's USB ports are used. A good place to start would be DeviceLock Inc. Its main product allows administrators to centrally manage access to all types of devices and local ports on Windows computers. Using Microsoft Active Directory and Group Policy, administrators can control access to USB and other plug-and-play devices depending on the time of day and week. It can also ensure that only removable storage devices with approved encryption can be accessed and grant read or read-and-write permissions for certain groups of users. Its logging capabilities can capture full copies of files that are copied to removable devices, along with all port and device activity, such as uploads and downloads.

Certainly, for a large enterprise, the DeviceLock Enterprise Server will make it a lot easier to implement and manage USB security across a large number of users and computers. Other alternative products to compare to DeviceLock include Cryptzone AB's Simple Encryption Platform and the USB Data Theft Protection Tool for Windows Network from

As your enterprise uses Windows, you should consider an early upgrade to Windows 7, which has a great new feature, BitLocker To Go. This extends the data encryption features of Vista's BitLocker to removable storage devices like USB thumb drives. Group policy can be used to require strong passwords to access protected devices and enforce encryption for any removable storage device that users want to write data to. You can also disable the Windows AutoRun functionality to help prevent the execution of arbitrary code when a removable storage device is used.

This was last published in October 2009

Dig Deeper on Data loss prevention technology