Managing USB devices is almost as critical as managing the other portable devices falling under the BYOD category, such as tablets and smartphones; however, I would venture a guess that many companies don't give much thought to how employees might use (or misuse) USB flash drives, iPods or other devices that connect to the computer.
Because of the rules and regulations surrounding credit card information, and the implementation of PCI, my organization was forced to take a much closer look at how this data was being handled and just where it might be landing. It seems everyone needs some kind of flash drive to store their work data on. But in my mind, this adds more problems than it solves.
Being able to take data home with you on a flash drive makes remote work possible. In a situation where you do not regularly work from a home office, why is it that you would want to volunteer to work from home? That, to me, is just weird. Voluntary free work happens all the time, and yes, I do it too, but it is quite funny how many think this will make them "more productive".
From an IT perspective, allowing anyone to connect a device of their choosing to collect or transport data is a security risk. I do not know where the super flash drive you have has been. I do not know if it is clean and safe for use, nor do I trust it. Because the devices contain storage, they can carry malware onto the network as easily as they carry data off it. Since the employee owns the device, I cannot wipe it, as it may contain personal information. It is best to block it entirely.
GFI has a solution to assist with managing peripheral devices, and I am currently evaluating it as a way to control which devices are allowed, as not allowing any would be just as much work. Generally I am not this paranoid about devices and their usage, but lately paranoia seems a far smarter option than the alternatives.
GFI EndPointSecurity stores the information collected by its agents in a SQL database; the agents are deployed to the managed computers to enforce the policies around peripheral devices. The agent also authenticates users against Active Directory, so a policy can be applied to predefined groups of users. In my case, the policy governing peripheral devices will be applied to the users in the group for managed devices.
The main window of the GFI EndPointSecurity console is shown in Figure A.
Once the rules are configured, devices can be specified as Allowed by adding them to a policy whitelist (or denied using a blacklist). A device can be specified by the vendor ID and product ID of the hardware, so that every device of that make and model is affected, or by the serial number of the individual device. Granular control down to the serial number allows a specific device to be assigned to an employee, which helps an organization keep tabs on the devices it distributes to its workforce. Two caveats worth knowing: the serial number is whatever the device reports about itself, so a serial-based whitelist is an inventory control rather than proof of identity (a device can be made to present another device's serial); and not every device reports a serial at all, in which case Windows generates an instance path for it and only the vendor/product ID is usable for matching.
Creating a new policy
In addition to allowing the configuration of working / usable devices, EndPointSecurity manager has a few other sweet features, including:
- Device usage tracking
- Temporary access to devices
- Scanning for connected devices
Device usage tracking
GFI allows several categories of devices and port types to be monitored. The benefit of this was not clear to me initially, but then I realized how many devices have to be specifically allowed, for example USB-to-parallel printer cables. Because they are not printers, they do not fall under that category, but unless they are allowed, the attached device(s) will not work.
Included categories are:
Included port types are:
If a category or port type is not defined in a security profile, it will not be monitored and will be completely allowed; in other words, anything left out of the profile is uncontrolled, not blocked. Like other configurations, it is probably best to start small, adding only USB Storage to a profile to get a feel for the application without causing all devices to disconnect.
Because the product runs as an agent on each computer, changes made to a profile take effect once the profile is redeployed to the assigned computer(s). It loosely works like Group Policy, where updates to items get applied on a schedule. No restart or logon is needed for the GFI EndPointSecurity configuration changes to get applied.
Temporary access to devices
When implementing a solution that changes access to items (peripheral or networked), there will be a warm-up period and the employees impacted by the solution will likely have a few questions. One thing available in this solution is temporary access. Unlike a whitelist entry, which permanently allows a known device, the administrator generates a code that is tied to a specific computer. The code tells the agent when the temporary access becomes active and for how long it should be allowed.
Temporary access code
Once generated, the user inputs this code into a control panel applet for device access (installed by the GFI agent) and sends a second code back to the administrator for enablement. This works like a mutual challenge-response exchange: each side has to produce a value the other can check before access is granted, so a code cannot simply be passed from one computer to another. This is a great feature for giving employees a way to migrate their documents from personal storage to company-supplied storage (depending, of course, on company policy). When the timed access code expires, the computer will no longer allow access to those devices without a new access code.
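To make the properties of a temporary access code concrete, here is an added example of one way such a scheme can be built. It is not GFI's implementation, which the page does not describe; it is a hypothetical design in which the administrator's code is bound to a computer name, a start time and a duration by an HMAC over a key shared between the console and the agent, and the agent answers with a second code that the administrator can verify. The key, computer names and time values are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Tuple

# Constructed shared key. In a real deployment the agent would keep this in
# protected configuration, never in source or anywhere the user can read it.
SHARED_KEY = b"console-and-agent-shared-secret (constructed)"


def _tag(key: bytes, parts: Tuple[bytes, ...], n: int) -> bytes:
    """Truncated HMAC-SHA256 over length-separated parts."""
    return hmac.new(key, b"\x00".join(parts), hashlib.sha256).digest()[:n]


def make_access_code(key: bytes, computer: str, start: int, duration_s: int) -> str:
    """Administrator side: a code valid on one computer for [start, start+duration)."""
    payload = struct.pack(">QI", start, duration_s)           # 12 bytes
    tag = _tag(key, (computer.lower().encode(), payload), 8)  # 8-byte MAC binds the computer
    return base64.b32encode(payload + tag).decode()           # 20 bytes -> 32 chars, no padding


def check_access_code(key: bytes, computer: str, code: str, now: int) -> Tuple[bool, str]:
    """Agent side: accept only a code issued for this computer and inside its window."""
    try:
        raw = base64.b32decode(code.strip().upper())
    except ValueError:
        return False, "malformed code"
    if len(raw) != 20:
        return False, "malformed code"
    payload, tag = raw[:12], raw[12:]
    if not hmac.compare_digest(tag, _tag(key, (computer.lower().encode(), payload), 8)):
        return False, "not issued for this computer (or forged)"
    start, duration = struct.unpack(">QI", payload)
    if now < start:
        return False, "not active yet"
    if now >= start + duration:
        return False, "expired"
    return True, "active for %d more seconds" % (start + duration - now)


def agent_confirmation(key: bytes, computer: str, code: str) -> str:
    """The second code the user reads back: proves the code reached an agent
    that holds the key on the named computer."""
    return base64.b32encode(
        _tag(key, (b"confirm", computer.lower().encode(), code.encode()), 10)
    ).decode()  # 10 bytes -> 16 chars


def admin_verify_confirmation(key: bytes, computer: str, code: str, confirmation: str) -> bool:
    """Administrator side: enable access only if the confirmation matches."""
    return hmac.compare_digest(confirmation, agent_confirmation(key, computer, code))


if __name__ == "__main__":
    now = int(time.time())
    code = make_access_code(SHARED_KEY, "WS-042", now, 3600)       # constructed computer name
    print("code for WS-042:", code)
    print("on WS-042:", check_access_code(SHARED_KEY, "WS-042", code, now + 60))
    print("on WS-043:", check_access_code(SHARED_KEY, "WS-043", code, now + 60))
    print("after expiry:", check_access_code(SHARED_KEY, "WS-042", code, now + 3600))
    conf = agent_confirmation(SHARED_KEY, "WS-042", code)
    print("confirmation accepted:", admin_verify_confirmation(SHARED_KEY, "WS-042", code, conf))
```

Because the computer name is part of the MAC input, the same code entered on another machine fails before the time window is even looked at, and the expiry is enforced by the agent from the start and duration carried inside the code rather than from anything the user types.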
Scanning for existing devices
Because there have been USB and other peripheral devices in an environment prior to a control solution, computers with the GFI agent installed can be scanned to determine what devices (and types of devices) are or have been connected to the system.
When devices are detected, they can be added to the list of known items. This database can then be used to populate the exceptions options, whitelist, blacklist, or general allowance rules.
Because my environment has several users that move around and a few laptops that are used for presentations, using a whitelist for devices that are allowed is easiest. In this manner, if a category of devices is included to be monitored in a profile and it isn't on a whitelist or explicitly allowed, it does not function.
There are power user groups that, when populated with accounts, allow those accounts access to any devices, regardless of configuration. Administrators or help desk staff may be a good set of users to place here, but because membership bypasses every profile, the group should be kept small and reviewed.
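The decision the agent makes for a connected device, as described in the sections on whitelisting by vendor/product ID or serial number, on unmonitored categories being fully allowed, on whitelist-by-default for monitored categories, and on power user groups, can be modelled in a few lines. The following is an added example, not GFI EndPointSecurity's code: it parses the Windows device instance ID format (USB\VID_xxxx&PID_xxxx\serial), applies the rules the page describes, and assumes a precedence the page does not state (power users first, an explicit deny over an allow, then whitelist). The category names, device IDs and user names are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Windows names a USB device by a device instance ID of the form
#   USB\VID_0781&PID_5583\4C530001230111110252
# (vendor ID, product ID, then the serial the device reports). A device that
# reports no serial gets a Windows-generated instance path containing '&'
# (for example 6&2c3a4f5e&0&3); that value is not a stable serial, so such a
# device can only be matched by its vendor/product ID.
_INSTANCE_RE = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\\]+)$")


@dataclass(frozen=True)
class Device:
    category: str          # category name as the profile spells it (assumed names below)
    vid: str
    pid: str
    serial: Optional[str]  # None when Windows generated the instance path


def parse_instance_id(category: str, instance_id: str) -> Device:
    """Split a device instance ID into the identifiers a policy can match on."""
    m = _INSTANCE_RE.match(instance_id)
    if not m:
        raise ValueError("not a USB device instance ID: %r" % instance_id)
    vid, pid, inst = m.groups()
    serial = None if "&" in inst else inst
    return Device(category, vid.upper(), pid.upper(), serial)


@dataclass
class Profile:
    monitored_categories: Set[str]
    whitelist_serials: Set[str]
    whitelist_vidpid: Set[Tuple[str, str]]
    blacklist_serials: Set[str]
    blacklist_vidpid: Set[Tuple[str, str]]
    power_users: Set[str]


def decide(profile: Profile, device: Device, user: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one device/user pair.

    Precedence is an assumption of this example: power users bypass the
    profile, an unmonitored category is allowed, an explicit blacklist entry
    denies, and anything else in a monitored category needs a whitelist match.
    """
    if user.lower() in profile.power_users:
        return "allow", "power user group bypasses the profile"
    if device.category not in profile.monitored_categories:
        return "allow", "category not in profile: unmonitored and fully allowed"
    vidpid = (device.vid, device.pid)
    if device.serial in profile.blacklist_serials or vidpid in profile.blacklist_vidpid:
        return "deny", "blacklisted"
    if device.serial is not None and device.serial in profile.whitelist_serials:
        return "allow", "serial number whitelisted"
    if vidpid in profile.whitelist_vidpid:
        return "allow", "vendor/product ID whitelisted"
    return "deny", "monitored category and not whitelisted"


# Constructed sample profile: only USB storage is monitored, one company-issued
# drive is whitelisted by serial, one drive model is whitelisted for everyone,
# a lost drive is blacklisted by serial, and the help desk account is a power user.
SAMPLE_PROFILE = Profile(
    monitored_categories={"USB Storage"},
    whitelist_serials={"4C530001230111110252"},
    whitelist_vidpid={("0951", "1666")},
    blacklist_serials={"LOST0001"},
    blacklist_vidpid=set(),
    power_users={"helpdesk"},
)

if __name__ == "__main__":
    samples = [  # (category, instance ID, user) -- all constructed
        ("USB Storage", r"USB\VID_0781&PID_5583\4C530001230111110252", "dschauland"),
        ("USB Storage", r"USB\VID_0951&PID_1666\0019E06B4F3A", "dschauland"),
        ("USB Storage", r"USB\VID_1234&PID_5678\ABC123", "dschauland"),
        ("USB Storage", r"USB\VID_1234&PID_5678\ABC123", "helpdesk"),
        ("USB Storage", r"USB\VID_1234&PID_5678\6&2c3a4f5e&0&3", "dschauland"),
        ("USB Storage", r"USB\VID_0951&PID_1666\LOST0001", "dschauland"),
        ("Imaging", r"USB\VID_046D&PID_0825\7&1a2b3c4d&0&1", "dschauland"),
    ]
    for category, instance_id, user in samples:
        verdict, reason = decide(SAMPLE_PROFILE, parse_instance_id(category, instance_id), user)
        print("%-5s %-12s %s  (%s)" % (verdict, user, instance_id, reason))
```

The two decisions worth checking against your own deployment are the unmonitored-category branch (a category you forgot to add to the profile is allowed, not blocked) and the serial-less device, which can never be whitelisted individually and so must be handled by vendor/product ID or accepted as blocked.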
Scanning for devices in an environment
Because the GFI EndPointSecurity application runs with an agent on the computers in an environment, device activity is tracked in a SQL database (MSDE or SQL Express by default). Any time a device is connected to a computer running the agent, its presence is captured and stored in the database, giving the administrators of the application a picture of the devices being connected in an environment. When a device shows up in the activity monitor, the computer it is found on must be scanned before the device can be added to the table of devices. This is an area where a feature to add the device directly from the activity monitor would be extremely useful.
Updating deployed policies and pushing out changes
Whenever a policy is updated, including new device additions or device removals, the agents that are assigned to the policy need to receive these changes. This can be done by right clicking an individual computer and selecting deploy or using Ctrl+D to display a window containing all of the computers that should receive the modified policy. From there, select the checkboxes for computers you wish to update and click OK.
Policy edits can come in the form of additions to the white/black lists, new device categories being monitored, or most commonly (at least for me) new individual devices being added to keep them functioning as normal.
In addition to the activity monitoring tab within the management console, GFI EndPointSecurity also includes (as a separate download) a reporting console. Once this console is installed it can be accessed from the management console. There are a number of prebuilt reports, but custom items can be added as well. This additional functionality makes it even easier to see which computers or users are attempting to interact with peripheral devices.
I have been looking for a good way to manage and monitor USB and other peripheral devices for some time. In a previous release of GFI, I was not able to understand how EndPointSecurity operated and had trouble getting it to behave as needed. This prompted me to search for other tools, which is how I found USB and port security from Quest. This product plugs in to the Quest Desktop Authority product (which I also use in my organization). The Quest solution was not as full-featured as I needed it to be. Using the vendor and product IDs for the hardware would allow a bunch of devices to be controlled, but getting down to a specific device's serial number was not something that ever worked, even after several attempts and numerous discussions with support. Note: Quest has been acquired by Dell and these products are in the process of a rebranding.
When I was able to quickly get this working in the new evaluation version of the GFI product, in addition to the granularity of reporting both in the console and in the report center, GFI EndPointSecurity quickly moved to the top of the stack.
In addition to GFI and Quest, ManageEngine also has a product that can manage USB and peripheral devices, which you may want to include in your evaluation of solutions. Have you found one that you prefer?
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.