Analecta Cyber Company Blog: Restricting Removable Devices on Network Machines Part 2: Disabling Host Machine Ports

2018-07-31

Restricting Removable Devices on Network Machines Part 2: Disabling Host Machine Ports


Educating and restricting go hand in hand


In Part 1 of our series on Restricting Removable Devices, we discussed the threats caused by removable devices and how to avoid them through user awareness and training. Studies have shown that user behavior is a contributing factor in 70% to 95% of malware infections. Modifying risky behavior through consistent and thorough employee training can reduce these proportions by 45% to 70%.

Employee training and corporate policies only go so far in protecting a business from infections caused by removable devices. In the second of this two-part series, we discuss administratively disabling removable media ports through the operating system and physically altering the connection to better protect your network from removable-device-based cyber attacks.

Configuration settings for locking down removable devices


You can restrict the use of removable devices by changing the configuration of the operating system. Most operating systems can be configured to restrict or allow removable devices based on device type, rather than imposing a complete ban on all USB devices, which would also affect necessary components like keyboards and mice.

In Windows 10, USB storage devices can be disabled through the registry. If you need to apply the same restrictions across multiple Windows machines, it may be more effective to control the devices through the Group Policy Editor under: Computer Configuration > Administrative Templates > System > Removable Storage Access. There you will be presented with options to “Deny All” removable storage classes, or to go into each individual type and control the permissions for read, write and execute. These group policies can then be deployed to any domain-based computers on your network.

The same holds for disabling an internal DVD/CD drive although it is slightly easier as there is usually only one per machine. Disable the drive under its property settings from the Device Manager.
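The following script is an added example (not from the Analecta post) showing how the registry and Removable Storage Access settings described above look when applied to a single Windows 10 host from an elevated PowerShell session, and how to confirm the result. The registry paths and the `{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}` "Removable Disks" class GUID are the standard Windows values; nothing here touches keyboards or mice, because only the USB mass-storage class driver and the removable-disk policy are affected.

```powershell
# Added example: lock down USB mass storage on one Windows 10 host and verify it.
# Run from an elevated PowerShell prompt. Domain-joined machines should receive
# the same policy values from Group Policy rather than from a local script.

# 1. Prevent the USB mass-storage class driver from loading.
#    Start = 4 means "Disabled"; 3 is the default "Manual (on demand)".
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

# 2. Mirror the "Removable Storage Access" policy for the Removable Disks class:
#    deny read, write and execute. These are the same values the GPO writes.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
if (-not (Test-Path -LiteralPath $policy)) {
    New-Item -Path $policy -Force | Out-Null
}
foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-ItemProperty -LiteralPath $policy -Name $name -Value 1 -Type DWord
}

# 3. Verify the settings and report any USB storage device that is still present.
$startValue = (Get-ItemProperty -Path $usbstor -Name Start).Start
"USBSTOR Start = $startValue (4 = disabled)"
Get-ItemProperty -LiteralPath $policy |
    Select-Object Deny_Read, Deny_Write, Deny_Execute

# Devices already attached keep their driver until the next reboot or removal,
# so list anything still enumerated under USBSTOR for follow-up.
Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    Select-Object Status, Class, FriendlyName
```

The two mechanisms are complementary: the USBSTOR service setting stops the driver from binding at all, while the policy values are what Windows evaluates for the per-class read, write and execute decisions, so an audit should check both rather than either one alone.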

Physically disabling ports


Start locking down USB ports on desktop computers by physically disconnecting them. Most motherboards will have one or more USB ports directly connected. These port openings are usually located on the rear of the machine. You cannot disconnect these ones, so they are best used for a keyboard and mouse. The remaining USB ports connect via a cable. Disconnect this cable from the USB header and you disable the ports.

[Figure: how to disable USB ports] Limit USB usage on company computers by disconnecting ports from the motherboard, disconnecting ports from the case or by removing them completely. USB ports that cannot be removed or disabled can be reserved for mouse and keyboard use only.

You can go a step further by drilling out the USB connector. The Department of Defense and other U.S. government agencies drill out connectors to permanently lock down the device. With this simple but permanent fix, an organization doesn’t need to worry about myriad settings across different operating systems. Some commercial organizations fill USB ports with epoxy. This will act as a physical barrier to the insertion of a USB device.

Reducing removable risks


Here are some things you can do right now to reduce risks from removable devices:
  • Limit the use of all removable media devices except where there is a valid business case that has been approved by the organization’s chief IT security officer. Even in that situation, it should still be a business-owned USB peripheral connecting to a business machine.
  • Configure anti-virus software to scan any device that connects to your PC via peripheral ports. USB is but one flavor. Don’t forget about CD drives, FireWire connections and media cards.
  • Disable the Autorun and Autoplay features for all removable media devices. Many operating systems now do this by default, but verify after each update.
  • Restrict wireless smart media devices to a guest or other network. Tablets and eReaders usually connect directly to your network via wireless connections although they are also able to connect through a wired connection. Gaming devices and smart printers with storage capacity also fall into this category. These devices can be locked out of a wired connection by settings on the host device. If they connect to a wireless network, they should be restricted to a guest or untrusted device network.
  • Physically control and securely store all digital media in a locked desk, drawer or media library. By restricting access to the removable media, you reduce the number of people that can modify the information on the devices.
  • Choose a limited number of USB-based devices to support, and consider their security features and vulnerabilities.
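The checklist above asks you to verify the AutoRun and AutoPlay settings after each update. The script below is an added example (not from the Analecta post) of a small audit that does that check on a Windows host and reports drift. The registry value names are the documented Windows policy values: `NoDriveTypeAutoRun = 255` is what the "Turn off AutoPlay: All drives" policy writes, and `DisableAutoplay = 1` is the per-user AutoPlay switch. The `Test-RemovableMediaSetting` function name is this example's own.

```powershell
# Added example: audit AutoRun/AutoPlay settings after an update and report drift.
# Expected values are the documented ones written by the corresponding policies.

$checks = @(
    @{
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name     = 'NoDriveTypeAutoRun'   # 0xFF (255) disables AutoRun on every drive type
        Expected = 255
    }
    @{
        Path     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
        Name     = 'DisableAutoplay'      # 1 turns AutoPlay off for the current user
        Expected = 1
    }
)

function Test-RemovableMediaSetting {
    # Compare one registry value with its expected setting and return a result row.
    param([hashtable]$Check)

    $actual = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Name) }
    }

    [pscustomobject]@{
        Setting   = "$($Check.Path)\$($Check.Name)"
        Expected  = $Check.Expected
        Actual    = $actual            # $null means the value (or key) is missing
        Compliant = ($actual -eq $Check.Expected)
    }
}

$results = $checks | ForEach-Object { Test-RemovableMediaSetting -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or configuration-management run flag the host.
if ($results.Compliant -contains $false) { exit 1 }
```

A missing value is reported as non-compliant on purpose: a feature update that recreates a key leaves no explicit setting behind, and the audit should surface that rather than silently treating the absence as the default.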
Additional things that the National Institute of Standards and Technology (NIST) Cybersecurity Framework guidance recommends:
  • Use only recognized and company-owned devices. Require that all removable devices have an identifiable owner prior to use. This will allow you to assign responsibility and hold people accountable in case of any issues. Do not insert unmarked/unknown thumb drives, CDs, DVDs, and external hard drives into any company machine.
  • Protect and control approved removable media during transport outside of the controlled work environment to prevent others from tampering with the device.

Questions about policy and implementation?


Analecta can help guide you through the nuances of acceptable-use policies and how to implement a more secure network posture to mitigate the threats removable media can pose to your organization. Additionally, we can provide a comprehensive look at all security practices within your organization and around high-risk assets. Using a holistic approach and industry standards, our Analecta 96-point Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that cause customer loss, reputation damage and loss of revenue. Our assessment identifies the most important next steps in your firm’s cyber security program to maximize protection. Email us at info@analecta-llc.com or visit our website.

Further Resources