Controlling access to USB devices
This protection type allows you to control how USB devices are used on user workstations.
Rules may apply to USB device classes (printer, video, audio, storage, etc.) and/or vendors, models or device serial numbers.
For every USB device category, you can:
- Allow its use,
- Block its use,
- Display a message for the user to confirm whether or not to use the device when it is connected. The confirmation request is shown to the user who is currently connected locally on the workstation. In other situations when the device is plugged in (e.g., remote connection, local session locked, startup or session signed out), the confirmation message does not appear and the device will always be blocked.
- Monitor the use of USB devices in a set of audit rules.
EXAMPLE 1
SES Evolution also allows the detection of Rubber Ducky USB keys. Such keys act as keyboards, run malicious scripts and save data on micro SD cards. If you create a rule that asks for user confirmation every time an HID or human-interface device (e.g., keyboards or mice) is plugged in, a message will indicate that a keyboard has just been plugged in. The user can then deny access to this malicious device that appears to be a USB key.
EXAMPLE 2
You can choose to allow only headsets, speakers and mobile phones provided by your company’s IT department.
WARNING
When keyboards or mice (HIDs) are plugged in before the workstation has started, they are automatically allowed so that they do not make the workstation unusable.
However, on Microsoft Windows 10 and 11 operating systems, if Turn on fast startup is selected, it will switch to Hibernate mode when the PC is shut down. This means that if you have set a rule on an HID containing a block action or request for user confirmation, the device will be blocked once the PC comes out of hibernation. You must then fully restart the PC by using the standard menus, or by holding down the power button.
If you choose to apply a whitelist, you must create rules to allow the use of certain devices in your pool. The last rule must block all other devices. We recommend that you choose the Passive rule mode for the last rule to avoid blocking devices that allow workstations to run properly. Doing so will allow you to test the rules you want to apply to USB devices in a production environment, and refine them later after checking the logs.
To create rules for USB devices:
- Select the Security > Policies menu and click on your policy.
- Select a rule set.
- Click on the Devices > USB tab.
- If you are in read-only mode, click on Edit in the upper banner.
- Click on Add a rule (USB device). A new row appears.
- In the left side of the rule, click on
to indicate one or several device identifiers to which the rule applies. Depending on whether you want to filter a specific device or a device category, fill in some or all of these properties:- Enter a name for this device,
- Select the USB class of the device from the drop-down list. Click on
to enter a value manually if necessary. - Enter the USB sub-class consisting of two hexadecimal characters.
- Enter the first few letters of the vendor name to show the list and select the desired vendor. You can also enter the four standardized hexadecimal characters corresponding to the vendor.
- Select the product from the list of this vendor’s products or enter the four hexadecimal characters.
- Enter the serial number of the product.
- In the Access field, select Allow, Block or Request if you are in a protection rule set, or Allow or Audit if you are in an audit rule set.
- In the upper banner in the rule, you can:
- Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies. - Select the log settings that this rule will send.
- Specify whether an action must be performed when a log is sent for this rule.
- Enter a description to explain what this rule aims to achieve.
- Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
- The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
- Click on Save at the top right of the window to save changes.
To find out the vendor or product IDs, or the serial numbers of devices, look up the Windows device manager when the device in question is plugged in or use the dedicated utilities.
Refer to the international USB standard to find out the identifiers of USB device sub-classes.