How to block USB devices:
USBSecure Professional 2.0: USB Security Tool
If the USB port is enabled, users can transfer files to and from the company
network via USB sticks and memory cards. These files can contain malicious
code such as viruses and worms. Memory devices often need no special device
drivers, so any user can install them automatically via plug & play.
Administrators have no way to allow a list of devices and block all others.
USBSecure Professional gives administrators the ability to define
white lists with users who are allowed to use USB, IDE Floppy and CD
drives. You can specify USB devices that are allowed for a
certain user - all other devices are blocked.
USBSecure Professional can help you...
- if you need to control who can and who cannot access certain USB devices and floppy / CD drives in your network
- if you have users that need their USB ports for certain devices, but you don’t want them to install additional devices like USB sticks
- if you need a user-based, easy-to-use USB security tool
How does USBSecure Professional work?
USBSecure Professional runs as a Windows service. You define the
users who are allowed to use certain USB devices. When a user logs on,
the current config files are downloaded from the server and the
USB devices, floppy disk and CD drives are enabled or disabled. You
don't need a dedicated USBSecure server. Any existing file server can
be used; only a share named "devices$" is needed.
Additional tools
USBSecure Professional is a Windows Scripting File (VBScript). In addition to this file you need a few tools from the Windows
Resource Kit and a free tool from Microsoft:
srvany.exe => Windows Resource Kit
instsrv.exe => Windows Resource Kit
shutdown.exe => Windows Resource Kit
devcon.exe => free download from Microsoft website (55K)
Installation
Server installation
Create a share called "devices$" on a file server. Grant read permissions for
the group Everyone on that share. Copy the files floppy.cfg, cd.cfg and
usb.cfg into the folder.
Client installation
Pre-requisites:
The service “Windows Management Instrumentation” must be running on
the client that should be protected. This is the default behaviour.
- Copy the files instsrv.exe, srvany.exe and shutdown.exe from the Windows Resource Kit to your USBSecure source folder (the folder containing setup.cmd).
- Download the free file devcon.exe from Microsoft, start it for extraction and copy the extracted file devcon.exe to your USBSecure source folder. The file must be 55K in size!
Download-Link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q311272
- Log on with administrative privileges to the client that should be protected and start the installation with setup.cmd. During installation you will be prompted for the USBSecure destination path (default: C:\Program Files\USBSecure) and the name of the USBSecure server. Grant Read permission for Everyone to the USBSecure folder. Please ensure that the Everyone group has no Write permission.
- Start the service “USBSecure”. A logfile USBSecure.log will be created in the USBSecure folder.
The logfile installation.log can help you if the installation runs into problems.
Configuration
The config files floppy.cfg, cd.cfg and usb.cfg are whitelists for allowed
devices. Users not listed in these files will have no access to the devices.
Users that should have access to the floppy disk or CD drives must be listed in
the files floppy.cfg and cd.cfg, one user per line:
UserA
UserB
UserC
The permissions for USB devices are managed in usb.cfg.
The users are listed in brackets without any domain prefix or
suffix. The username is followed by the list of allowed devices. The
notation is the same as used in the registry. The script
ShowExistingUsbDevices.vbs (run it with administrative privileges) lists
all installed USB devices in the correct notation, so the allowed
devices can be transferred via copy & paste.
Privileged users with full access to any USB device get an asterisk (*).
[UserB]
*
Devices which should be accessible for all
users (e.g. USB Root Hub, scanners, mouse) can be listed in the section
[AllUsers].
Alternatively, you can get the Vid/Pid identifier from Device Manager in the
properties window of the USB device.
You can place a wildcard (*) instead of the device name,
because the name during installation and the final name are not the
same in most cases. A device can be recognized during device installation as
"Solid State Disk: Vid_08ec&Pid_0834", but then be registered under the final
name "USB mass storage: Vid_08ec&Pid_0834". This
problem can be fixed with "*: Vid_08ec&Pid_0834".
For better documentation you can
add comment lines. Lines beginning with the # character are ignored by
the script.
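The usb.cfg rules described above (per-user sections, [AllUsers], the * full-access grant, wildcard device names and # comments), as an added Python example that is not part of USBSecure. The sample config, the scanner's Vid/Pid and the case-insensitive matching are assumptions made for illustration; the product's own VBScript may match differently.

```python
import re

# Constructed sample in the usb.cfg layout the page describes (not a real config).
SAMPLE_CFG = """\
# devices every user may use
[AllUsers]
Scanner: Vid_1111&Pid_2222
[UserA]
*: Vid_08ec&Pid_0834
[UserB]
*
"""

def parse_usb_cfg(text):
    """Return {lowercased section name: [entries]}; '#' and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif current is not None:      # entries before any section are ignored
            current.append(line)
    return sections

def entry_matches(entry, device):
    """Compare one whitelist entry with a 'name: Vid_x&Pid_y' device string."""
    if entry == "*":                   # full access to any USB device
        return True
    e_name, _, e_id = entry.rpartition(":")
    d_name, _, d_id = device.rpartition(":")
    if e_id.strip().lower() != d_id.strip().lower():
        return False                   # assumption: Vid/Pid compared case-insensitively
    # A '*' name accepts both the install-time name and the final name.
    return e_name.strip() == "*" or e_name.strip().lower() == d_name.strip().lower()

def is_allowed(sections, user, device):
    """Default deny: only [AllUsers] and the user's own section can grant access."""
    entries = sections.get("allusers", []) + sections.get(user.lower(), [])
    return any(entry_matches(e, device) for e in entries)

def full_access_users(sections):
    """Sections holding a bare '*', i.e. the grants to review first in an audit."""
    return sorted(u for u, entries in sections.items() if "*" in entries)
```

Running `full_access_users` over the production usb.cfg gives a quick list of accounts that bypass the device whitelist entirely.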