
Securing USB Devices


Description

The Secure USB configuration can be applied to both users and computers to block or unblock the use of USB devices.

Using this configuration, you can block or unblock the following devices:

  1. Mouse

  2. Disk drives (for example, USB drives and external hard-disk drives)

  3. CD-ROMs

  4. Portable devices (for example, mobile phones, digital cameras and portable media players)

  5. Floppy disks

  6. Bluetooth devices

  7. Images (for example, USB cameras and scanners)

  8. Printers

  9. Modems

  10. Apple USB devices (for example, iPhone, iPad and iPod touch)

You can also exclude devices using the Vendor ID or Device Instance ID assigned to each device.

Applying Secure USB Settings to Computers

When you apply the Secure USB configuration to both computers and users, the settings made for computers are applied before the settings made for users. For example, assume that you have made the following settings:

  1. Settings configured for users

    1. Administrator: You have unblocked the usage of the disk drive

    2. Other users (excluding the administrator): You have not deployed any configurations

  2. Settings configured for computers: You have blocked the usage of portable devices and disk drives

The following actions will take place:

  1. Computer startup: The Secure USB configuration settings made for the computer are applied when the computer is started. This means that no portable devices and disk drives can be used.

  2. Administrator logon: The Secure USB configuration for the computer is applied. However, it is overwritten by the settings made for the administrator. This means that the administrator can use disk drives.

  3. Other users (excluding the administrator) log on: The Secure USB configuration made for the computer is applied.

  4. Other users (excluding the administrator) log off: The log-off action settings made for users are applied when a user logs off. If the log-off action setting is set to Don't alter device status, then the settings made will apply to the next user who logs on, provided that the user does not have any settings that apply to them.

    Note: Block USB blocks access to all USB devices.
    Unblock USB re-enables access to the USB devices that have been blocked.
    No Change leaves the current settings unchanged.

 

Adding Restrictions to Secure USB Devices

As an administrator, you can create a configuration to block or unblock specific USB devices. You can also exclude specific devices, if required.

To create a configuration to secure USB devices for users, follow the steps given below:

  1. Navigate to the Configurations tab and choose Secure USB from the list of Windows configurations.

  2. Enter a name and description for the configuration

  3. Click Add to apply restrictions

  4. To add restrictions, select the devices and choose whether to block or unblock them. If you choose to block devices, you can also specify the devices that need to be excluded.

  5. Define the target

  6. Specify the required execution settings

  7. Click Deploy

You have created configurations to secure USB devices. These configurations will be applied when the user logs in to the computer.

Excluding Devices

When you block a device, you can exclude certain devices from being blocked. This is done using the Vendor ID or the Device Instance ID assigned to each device. You can exclude devices only when you have blocked a device. To exclude devices, follow the steps given below:

  1. Click the Exclude Devices link against a device

  2. You can also choose to block all the devices from the specified vendor. You will have to specify the Device Instance ID, which the product uses to fetch the vendor instance ID and exclude all devices from the specific vendor.

  3. You can choose to exclude All Encrypted devices/encrypted devices from the list of specified devices. Devices that are encrypted using BitLocker can be added to the exclusion list.

  4. Click Close

You have excluded a device from being blocked.

Device Instance ID

Every USB device has a unique ID. This ID is assigned to devices by the system to identify them easily. You can identify the Device Instance ID of a device by following the steps mentioned below:

    1. Right-click My Computer

    2. Click Properties

    3. Click Device Manager (Refer to the figure below)

    4. From the list of devices, expand the category of the device for which you want the Device Instance ID.

      (For example, if you want to identify the Device Instance ID of a mobile phone that you have connected to the computer, expand portable devices and follow the next step.)

    5. Right-click the name of a specific device and click Properties (Refer to the figure below)

    Figure 2: Properties

      1. Click the Details tab

      2. In the drop-down box, select Device Instance ID or Device Instance Path (Refer to the figure below)

    Figure 3: Device Instance ID

     

    On computers running Windows Vista or later versions, the Device Instance ID is called the Device Instance Path. You can copy the Device Instance Path from the Properties property sheet of the Device Manager.

    On computers running older versions of the Windows operating system, you cannot copy the Device Instance ID directly from the Properties property sheet of the Device Manager.

    To copy the Device Instance ID, you must open the dcusbaccess log file. This file is located at <Drive>\<Desktopcentral_Agent Folder>\logs\dcusbaccess.log. It contains information about the following:

    • Action Time (inserted\removed time)

    • Action (inserted\removed)

    • Friendly name

    • Device Instance ID

    You can now view and copy the Device Instance ID for a specific device.
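
The difference in scope between excluding by Device Instance ID and excluding by Vendor ID, shown as an added example that is not part of the product or its documentation. The `USB\VID_xxxx&PID_xxxx\<instance>` layout is the standard Windows format; the matching logic in `is_excluded`, the function names and the sample IDs are constructed assumptions, not the product's implementation.

```python
import re

# Windows USB Device Instance IDs have the form
#   USB\VID_<4 hex>&PID_<4 hex>[&MI_xx]\<instance part>
_USB_ID = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]+)?\\(.+)$",
    re.IGNORECASE,
)

def parse_instance_id(instance_id):
    """Split a USB Device Instance ID into vendor, product and instance parts.
    Returns None for IDs that are not in the USB VID/PID form."""
    m = _USB_ID.match(instance_id.strip())
    if not m:
        return None
    vid, pid, inst = m.group(1).upper(), m.group(2).upper(), m.group(3)
    return {
        "vid": vid, "pid": pid, "instance": inst,
        # An instance part whose second character is '&' is typically generated
        # by Windows because the device reports no serial number; it depends on
        # the port, so it is a weak key for a per-device exclusion.
        "system_generated": len(inst) > 1 and inst[1] == "&",
    }

def is_excluded(instance_id, excluded_ids=(), excluded_vendors=()):
    """Hypothetical model: exact instance match, or any device of a listed vendor."""
    dev = parse_instance_id(instance_id)
    if dev is None:
        return False  # unparseable IDs stay blocked
    if instance_id.upper() in {e.upper() for e in excluded_ids}:
        return True
    return dev["vid"] in {v.upper() for v in excluded_vendors}

# Constructed sample IDs (not taken from any real log).
SAMPLES = [
    r"USB\VID_1234&PID_5678\AA00112233445566",   # approved drive, has a serial
    r"USB\VID_1234&PID_9ABC\BB99887766554433",   # same vendor, different product
    r"USB\VID_ABCD&PID_0001\6&1A2B3C4D&0&2",     # no serial: system-generated
]

def audit(excluded_ids=(), excluded_vendors=()):
    """Return the sample devices an exclusion list would let through."""
    return [s for s in SAMPLES if is_excluded(s, excluded_ids, excluded_vendors)]

if __name__ == "__main__":
    print(audit(excluded_ids=[SAMPLES[0]]))   # one device
    print(audit(excluded_vendors=["1234"]))   # every device from that vendor
```

Running `audit` against a proposed exclusion list before deployment shows how many devices a vendor-wide exclusion admits compared with a single Device Instance ID.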

Revoking All USB Restrictions Applied to the Computer

Administrators can choose to revoke all USB-related restrictions that are applied to the computer.

To create a configuration that revokes all USB-related restrictions for users, follow the steps given below:

  1. Navigate to the Configurations tab and choose Secure USB configuration from the list of Windows configurations.

  2. Enter a name and description for the configuration.

  3. Click Remove to revoke all restrictions applied to the computer.

  4. Define the target

  5. Make the required execution settings.

  6. Click Deploy.

You have created configurations to secure USB devices. These configurations will be applied when the user logs in to the computer.