Increase Security By Disabling USB Ports
« Router Security from Port ScansSearch Engine Purgatory »

Increase Security By Disabling USB Ports

06/18/18

Permalink 08:58:25 am, by Computer Care, 834 words   English (US) latin1
Categories: Computer Help, Tips and Tricks

Increase Security By Disabling USB Ports

  
Increase Security By Disabling USB Ports

It is possible to increase the security of your servers, workstations and network by disabling the USB ports.
It may sound a bit extreme but disabling USB access to computers and servers can help keep unwanted software, malware and viruses out of your systems. It can also keep sensitive information on your system, in the office, where it belongs.

An infected USB key inserted into a workstation or server can spread viruses, malewares, Trojan horses, keyloggers all sorts of nasty stuff, and of course, files from the computers and networks can be copied to the USB key and removed from the office.
So lets talk about a couple of ways to keep your network secure by disabling, disconnecting the USB ports or setting up a notification event for USB devices.

Follow up:



Servers:
The simplest solution works for a normally headless server, one with no attached keyboard, mouse or monitor.
Simply reboot the server, with a KB and monitor connected, enter the system bios and turn off USB support. If USB support is turned off at the bios level, the OS will not install drivers, nor even see the USB ports as present. They will never be active.

Disable USB ports at the bios level

NOTE: This solution works great for any computer (server or workstation) that uses a PS2 mouse and keyboard. Even if the server normally uses a USB keyboard and mouse, fear not, if you need to restore USB support, reboot the server with a USB keyboard attached, during the POST, you can press your normal key sequence (DEL, f2, TAB or escape, however your Mother Board requires) and gain access to the Bios to turn the USB ports back on.

Another method, drastic as it may seem, is great for most servers and workstations.
Physically disconnect the “Front USB ports and Card Readers” from the Mother Board.
Most modern, commercially available computers have front USB ports and some have memory card readers on the front panel for convenience. Those can easily be disconnected from the main board. Open the computers side cover, trace the wires from the front panel connectors, and then remove the plug from the board. They will usually be marked USB0, USB1 etc on the main board itself. This will leave the rear panel USB ports unrestricted however, but if you need to use USB printers, Keyboards and mice, then you will still have that access.

disconnect the front usb ports from the main board


As an IT or network admin you can always tell users that all USB ports have been disabled for security reasons, most will never check to see if the back side ports are active.

Disable or deactivate the USB ports at the software or OS level:
The inspiration for this article talks about removing the USB drivers from a linux based system, and it is a good read.

“How to increase Linux security by disabling USB support
If you're looking for a slightly different approach to bolstering your Linux server security, you might try disabling USB support. Jack Wallen shows you how on Ubuntu Server 16.04”
.

Windows OS based systems are a bit easier from a graphical user interface standpoint.
(Windows 7 is my reference here) Access the Control Panel > System > Device Manager > USB Serial BUS Controllers, then, Disable the USB Host controllers that you are not using (for Keyboard, mouse and printers normally).
You would need to make sure your users accounts do not have access to system settings or they can turn them back on.

In researching this article I gave thought to triggering an alert or system process if an unauthorized USB device is connected to an active port.
It is possible to do this in Windows 8.1 & 10 (not sure about 7 though) using Power Shell and a Dat execution file.
That question was addressed here:

“windows - Starting scheduled task by detecting connection of USB device - Super User”

You would then setup your Dat file to execute an alert or send an email to the sys admin, or have it do pretty much anything you like, my favorite is set it up to lock and shutdown the computer.

There are some commercially available security options for locking out USB ports and setting up alert conditions that work very well. You can search those out.

Also on a side note, many routers and switches also have USB ports that can be used for network printers, storage and media shares, you would want to consider turning those off in the switch or routers control panel.

With the exponential growth of USB storage capacity both on Flash and Hard Drive, security to your systems and the ability to keep sensitive files private has required that IT and sys admins consider disabling the use of USB ports.
It may sound drastic or even crazy paranoid, but if you do have a security breach or a sudden infection, this approach might not seem so far fetched.

Like Computer Care on FaceBook
Follow us on Twitter
computer Care on Pinterest
computer Care on instagram
Visit the Computer Care Catalog Online for all your part needs.

Bookmark this article at ...

No feedback yet

Leave a comment


Your email address will not be revealed on this site.

Your URL will be displayed.
(Line breaks become <br />)
(Name, email & website)
(Allow users to contact you through a message form (your email will not be revealed.)
This is a captcha-picture. It is used to prevent mass-access by robots.
Please enter the characters from the image above. (case insensitive)
December 2024
Sun Mon Tue Wed Thu Fri Sat
 << <   > >>
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        
We will be posting information to aid you in the repair of your DesignJet Plotter and LaserJet Printer, Computer or Network.

We will do our best to answer questions you may have. We will also make every effort to post as much information as we can on each and every topic.

Sponsor

Donation

Did this site save
(or help earn) you money?
Say thanks with a
small donation.
easter-northeast

Search

XML Feeds

Disclaimer

All information is presented As-Is, with no warranty. Use at your own risk. DesignJetParts.com is operated by Computer Care. One Stop for all you computer, printer, plotter and network parts and supplies
multiblog
Our Sitemaps: XML  HTML  ROR