It is possible to increase the security of your servers, workstations and network by disabling the USB ports.
It may sound a bit extreme, but disabling USB access to computers and servers can help keep unwanted software, malware and viruses out of your systems. It can also keep sensitive information on your system, in the office, where it belongs.
An infected USB key inserted into a workstation or server can spread viruses, malware, Trojan horses, keyloggers and all sorts of nasty stuff. And of course, files from the computers and networks can be copied to the USB key and removed from the office.
So let's talk about a couple of ways to keep your network secure by disabling or disconnecting the USB ports, or by setting up a notification event for USB devices.
Servers:
The simplest solution works for a normally headless server, one with no attached keyboard, mouse or monitor.
Simply reboot the server with a keyboard and monitor connected, enter the system BIOS and turn off USB support. If USB support is turned off at the BIOS level, the OS will not install drivers, nor even see the USB ports as present. They will never be active.
NOTE: This solution works great for any computer (server or workstation) that uses a PS/2 mouse and keyboard. Even if the server normally uses a USB keyboard and mouse, fear not: if you need to restore USB support, reboot the server with a USB keyboard attached. During the POST, you can press your normal key sequence (DEL, F2, TAB or Escape, whichever your motherboard requires) and gain access to the BIOS to turn the USB ports back on.
Another method, drastic as it may seem, is great for most servers and workstations.
Physically disconnect the “Front USB ports and Card Readers” from the motherboard.
Most modern, commercially available computers have front USB ports, and some have memory card readers on the front panel for convenience. Those can easily be disconnected from the main board. Open the computer's side cover, trace the wires from the front panel connectors, and then remove the plug from the board. The headers will usually be marked USB0, USB1, etc. on the main board itself. This leaves the rear panel USB ports unrestricted, but if you need to use USB printers, keyboards and mice, you will still have that access.
As an IT or network admin you can always tell users that all USB ports have been disabled for security reasons. Most will never check to see if the back side ports are active.
Disable or deactivate the USB ports at the software or OS level:
The inspiration for this article talks about removing the USB drivers from a Linux-based system, and it is a good read.
Windows OS based systems are a bit easier from a graphical user interface standpoint.
(Windows 7 is my reference here) Open Control Panel > System > Device Manager > Universal Serial Bus controllers, then disable the USB host controllers that you are not using (those in use are normally for the keyboard, mouse and printers).
You would need to make sure your users' accounts do not have access to system settings, or they can turn the controllers back on.
In researching this article I gave thought to triggering an alert or system process if an unauthorized USB device is connected to an active port.
It is possible to do this in Windows 8.1 & 10 (not sure about 7 though) using PowerShell and a Dat execution file.
That question was addressed here:
“windows - Starting scheduled task by detecting connection of USB device - Super User”
You would then set up your Dat file to execute an alert or send an email to the sys admin, or have it do pretty much anything you like. My favorite is to set it up to lock and shut down the computer.
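One way to build the alert described above, as an added example that is not from this article or the linked Super User answer: a PowerShell (3.0 or later) watcher that subscribes to newly attached USB Plug and Play devices, checks each device ID against an allowlist, logs it, and locks the workstation when the device is not approved. The allowlist entries, log path and helper function name are placeholders and assumptions, and the script is assumed to run in the logged-on user's session so the lock call takes effect.

```powershell
# Added example: log every new USB device and lock the PC if it is not approved.
# Placeholder allowlist: replace with the VID/PID prefixes of your approved devices.
$AllowedPrefixes = @(
    'USB\VID_0000&PID_0001',   # placeholder: approved keyboard
    'USB\VID_0000&PID_0002'    # placeholder: approved mouse
)
$LogPath = 'C:\ProgramData\UsbWatch\usb-events.log'   # assumed log location

# Hypothetical helper: true if the device ID starts with an approved prefix.
function Test-UsbAllowed {
    param([string]$DeviceId, [string[]]$Allowed)
    foreach ($prefix in $Allowed) {
        if ($DeviceId.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

# WMI raises an event when a new Plug and Play device whose ID begins with
# USB (this also covers USBSTOR mass storage) appears; polled every 2 seconds.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
         "AND TargetInstance.PNPDeviceID LIKE 'USB%'"
Register-CimIndicationEvent -Query $query -SourceIdentifier 'UsbWatch'

try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier 'UsbWatch'
        Remove-Event -EventIdentifier $evt.EventIdentifier
        $dev = $evt.SourceEventArgs.NewEvent.TargetInstance
        $ok  = Test-UsbAllowed -DeviceId $dev.PNPDeviceID -Allowed $AllowedPrefixes
        $status = if ($ok) { 'ALLOWED' } else { 'UNAUTHORIZED' }
        $line = '{0} {1} {2} ({3})' -f (Get-Date -Format o), $status, $dev.PNPDeviceID, $dev.Name
        Add-Content -Path $LogPath -Value $line
        if (-not $ok) {
            # Lock the interactive session; an email or shutdown step could go here instead.
            rundll32.exe 'user32.dll,LockWorkStation'
        }
    }
}
finally {
    Unregister-Event -SourceIdentifier 'UsbWatch'
}
```

The device IDs of hardware already attached can be read from the Details tab of each device in Device Manager to populate the allowlist.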
There are some commercially available security options for locking out USB ports and setting up alert conditions that work very well. You can search those out.
Also, on a side note, many routers and switches have USB ports that can be used for network printers, storage and media shares. You would want to consider turning those off in the switch's or router's control panel.
With the exponential growth of USB storage capacity, on both flash and hard drives, securing your systems and keeping sensitive files private now requires IT and sys admins to consider disabling USB ports.
It may sound drastic or even crazy paranoid, but if you do have a security breach or a sudden infection, this approach might not seem so far-fetched.