How to Lockdown USB Ports

USB devices have always posed a security risk, on both a personal and a business scale. If you run a business of any size, it is important to recognize the threats of employee negligence, information theft, potential spyware attacks, and more. If your business holds any sensitive data, it would be wise to implement security measures so that employees don’t create security risks for you. You can achieve this by restricting your employees’ access to USB ports. Luckily, there are many ways to do this. We will list a couple in this article and hope that you find the right solution for you.

So Why Exactly Should I Disable My USB Ports?

There are two primary reasons why you should disable your USB ports: the first is potential leaks of sensitive information, and the second is malware that could infect your entire network. Employees usually have access to sensitive company information that is essential for your business. It isn’t uncommon for employees who have given their resignation notice to steal company information to benefit themselves after they leave. Malware infections, in turn, can be the product of either negligence or genuine malicious intent. An employee’s personal home computer could be infected with malware, which could then be transferred to the USB device that they bring to work. That device can infect the workplace computer, and from there the malware can spread to the entire network. The other possibility is an unhappy employee who deliberately loads a USB device with malware to hijack the business without anyone knowing. Information leaks and malware infections are extremely difficult to detect without any security measures, and you often find out about them only after it is already too late. Luckily, there are ways to monitor, log, and track every information transfer on the systems at the workplace. Alternatively, you can simply disable the USB ports so that this potential security flaw is completely sidestepped.

Disabling USB Ports Using Device Manager

The device manager is an application that allows you to oversee and control your desktop’s hardware. This luckily includes the USB ports as well.

  1. Open up the search bar and look for the Device Manager.
  2. Once you have it opened, you will see a variety of your hardware listed. Near the bottom, you should see the Universal Serial Bus controllers. Click on the > button next to it to drop down a menu.
  3. Right-click on the desired USB slot and click on Disable device.

Disabling USB Ports Using the Windows Registry

The Windows registry is a tool that allows you to change and modify a vast variety of system options. It would be wise to exercise caution while using it since any mistake has the potential to destroy your current system. You can create a backup before proceeding with this method to add a layer of security in case something goes wrong.

  1. Open up the search bar and look for the Registry Editor.
  2. Navigate through the following folders: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR.
  3. Click on the USBSTOR folder itself without collapsing it. On the right side of the screen, you should see several registry values displayed.
  4. Right-click on the value called Start, and click on Modify.
  5. Under Value data, you should see the number 3 displayed. This number means that the USB port is automatically enabled.
  6. Change the value to 4, and click OK. The value 4 means that the service is now disabled.

If you followed the instructions correctly, your USB ports should now be disabled.
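
The same registry change as a PowerShell script, which backs up the key, applies the value, and reads it back to confirm. This is an added example, not part of the original article; the function name Set-UsbStorageState and the backup directory are assumptions made for the example. USBSTOR is the Windows USB mass storage driver, so the Start value controls USB storage devices.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, back up and set the Start value of the USBSTOR service key.
# Set-UsbStorageState and the backup directory are hypothetical names for this example.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-UsbStorageState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State,
        [string]$BackupDir = "$env:ProgramData\UsbStorBackup"   # assumed location
    )

    if (-not (Test-Path $KeyPath)) {
        throw "USBSTOR service key not found at $KeyPath"
    }

    # 3 = driver starts on demand (the "enabled" value in the steps above), 4 = disabled
    $target  = if ($State -eq 'Disabled') { 4 } else { 3 }
    $current = (Get-ItemProperty -Path $KeyPath -Name Start).Start
    Write-Verbose "Current Start value: $current"

    if ($current -eq $target) {
        return [pscustomobject]@{ Previous = $current; Current = $current; Changed = $false }
    }

    if ($PSCmdlet.ShouldProcess($KeyPath, "Set Start from $current to $target")) {
        # Export the key first so the change can be rolled back with 'reg import'
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir ("USBSTOR-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR' $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed; registry not modified." }

        Set-ItemProperty -Path $KeyPath -Name Start -Value $target -Type DWord

        # Read the value back rather than trusting the write
        $after = (Get-ItemProperty -Path $KeyPath -Name Start).Start
        if ($after -ne $target) { throw "Verification failed: Start is $after" }
        return [pscustomobject]@{ Previous = $current; Current = $after; Changed = $true; Backup = $backup }
    }
}

# Dry run: shows what would change. Remove -WhatIf to apply.
Set-UsbStorageState -State Disabled -WhatIf -Verbose
```

Calling the function with `-State Enabled` restores the value 3, and the exported .reg file can be re-imported if the key needs to be rolled back.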

Disconnecting the USB Ports by Hand

It is also possible to disable the USB ports manually on the motherboard itself. Unplug all of your cables and open up your computer case. Unplug the cable from the USB header, which disconnects the ports from the motherboard and makes them effectively nonexistent until you plug them back in. Whenever you would like to re-enable your ports, you can simply repeat the process and plug the cable back in.

Third-Party Security Options

The previous two methods are effective, albeit a bit crude. They aren’t able to selectively filter devices or information. They offer no logging or monitoring, and your systems could still be attacked in other ways. There are, however, software choices that can take your security much further by combining device locking, data encryption, monitoring of all data in transit, and more.

CoSoSys Endpoint Protector

The CoSoSys Endpoint Protector is a great option for a DLP (Data Loss Prevention) solution. It allows for incredible control and oversight for system administrators in your business network. It has selective control over which peripheral devices are allowed on a certain machine and it creates detailed logs of every activity involving them. The precision with which you can manage said devices is granular, meaning that you can modify whitelists and blacklists per user, computer, or group. Furthermore, you can add or remove access remotely, even when offline, and still receive a full log once the machine gets back on the network.

So Which Features Does the Endpoint Protector Offer?

We’ve crudely mentioned some of the features that the Endpoint Protector can offer, but here are some of the fine details that you can expect while using this service.

  • Content-Aware Data Loss Prevention: So what does Content-Aware Data Loss Prevention mean exactly? Look at it this way. Every business has a network infrastructure, and employees need to communicate with each other. Businesses will often encourage employees to communicate efficiently through services such as Email, Dropbox, Skype, and Slack. However, it is important to realize that every one of those tools that helps your business expand and flourish may cause you damages and losses as well. The primary danger to large enterprises doesn’t come from outside sources; rather, it mostly comes from negligent employees. When they communicate on these platforms, they often exchange valuable company data, which can result in major issues if it falls into the wrong hands. The solution for this is complete monitoring of any outgoing traffic through these systems. This is where Content-Aware Data Loss Prevention comes into play to help you and your business stay secure.
  • Enforced Encryption: This feature is an additional security measure on top of the previous Data Loss Prevention. The CoSoSys Endpoint Protector’s encryption feature is military grade. This means that the data in transit is protected by a password that is very unlikely to be cracked. As your business scales up, so does the number of employees that carry sensitive data on them. For example, it is extremely easy to steal a USB device or simply to lose one. If anyone acting maliciously were to come across such a device, they would also have to know the password for that information. Alternatively, they can try breaking military-grade encryption, which is highly unlikely to succeed. If an employee reports the device stolen or missing, the system administrator may easily wipe the confidential files remotely. It is also worth mentioning that this feature is cross-platform.
  • eDiscovery: eDiscovery is a Data Loss Prevention tool specifically for data at rest. It has contextual scanning capabilities that allow it to detect critical and confidential information that you may want to protect. It then encrypts this information at your business’s endpoints to provide maximum security. This is particularly useful if you deal with information such as Personally Identifiable Information, Credit Card Numbers, Social Security Numbers, Intellectual Property, and more. Your business can easily achieve compliance with multiple regulations such as HIPAA, PCI-DSS, GDPR, and others.

CoSoSys Endpoint Protector Summary

We’ve covered ways to protect your USB ports by simply disabling them; however, the CoSoSys Endpoint Protector takes it to another level. Disabling ports is a crude way of dealing with the issue of potential security leaks. Measures such as that only keep the honest people out. Anyone with genuine malicious intent and enough drive will find a way to bypass this and use another point of infiltration, such as the internet. The Endpoint Protector, however, covers you from every angle of attack. You will always know where leaks have happened and can act upon them in real time. Even if a potential leak does happen, the data is always encrypted and likely safe. There are so many security measures included in the system that it would be extremely difficult for your business to be compromised. This is why, by using the Endpoint Protector, your business can easily attain compliance with multiple regulations.

Conclusion

In this guide, we’ve covered multiple ways to protect your system, from disabling your ports to changing your registry to manually unplugging your USB ports. Some of these methods may be inconvenient if you want to use peripheral devices that require a USB connection, but as far as security is concerned, they are effective nonetheless. If you want a security method that can selectively track and monitor devices and data, you will have to look into third-party options to protect your system. We do, however, hope that you found the solution you were looking for within this guide.