Desktop computers equipped with open USB ports are a common sight among offices. Unlike earlier computers that needed to sport obscure ports or connectors designed for each specific hardware, today’s typical USB port allows workers to utilize a multi-use, universal embrasure for a variety of productive tasks such as printing, scanning, storage, and networking, among many others.
However, enabling this kind of openness in the workplace for gizmos or other hardware can post great security threats since mischievous office staff can virtually plug in any capable flash drive, external hard disk drive, or even normal music player to copy or transfer sensitive corporate data to their devices in a breeze. Some ‘smart’ employees even resort to the unethical practice of copying licensed software for personal use through USB ports, while some wicked parties use them to inject Trojan horses, viruses, or spyware into their office networks.
While putting in and pulling off stuff into workplace networks can be convenient and efficient, some IT experts still find it potentially harmful. In the interest of network security, some admins only find it prudent to deliberately disable USB drives to prevent employees from using them. The ways in which IT administrators address security concerns involving USB ports are as follows.
The Smart Ways
- Changing the BIOS settings for each workstation and then assigning passwords to the BIOS settings to prevent non-admins from modifying them.
- Disabling write access or write privileges to USB ports via Windows Registry so that data cannot be transferred to a connected device (and thus rendering them as read-only).
- Completely disabling users from attaching and reading USB storage devices by editing values of certain registry entries or adding new registry keys.
- Disabling USB ports from the Device Manager function of Windows or uninstalling the USB mass storage drivers completely.
- Creating a Group Policy that disables read and write access to USB devices attached to computers within the network.
- Unplugging the built-in USB ports from the PC card or bracket within the motherboard to prevent users from connecting to this common PC component.
The Not-So-Smart Ways
- Completely disabling USB ports by “gumming” them up, e.g., filling them with thick epoxy adhesives to render the ports unusable for life (the radical solution).
- Fixing tapes over USB ports to prevent USB device insertion (the dumb solution).
- Downloading paid or free software such as Intel’s USB Blocker or IntelliAdmin’s USB blocking tool for those who don’t want to mess around the registry entries.
Choosing among either the smart or the not-so-smart ways has a downside for IT administrators, however. Both approaches can eventually appear counter-productive because workers can no longer use and attach wireless mouse, USB keyboards, and/or cameras, printers, or microphones to their computers, which, for the most part, are still essential to the daily work grind.
Specifically, if sysads choose to go ply the radical route — a.k.a. making physical changes to the actual setup of the PCs — then future users of any given workstation will never be able to use the USB ports ever again. In essence, this is impractical because it’s akin to ruining an entire system just to disable one measly component.
Henry Conrad is a 29-year-old game developer from Albuquerque, New Mexico. Aside from gaming and being a tech junkie, he also dabbles in creative writing, which allows him to create great storylines and backgrounds for his characters. Follow him on Twitter and join him in Google+.
Image: USB Stencil Red by *USB* (via Flickr)