Controlling access to USB devices

This protection type allows you to control how USB devices are used on user workstations. It applies only to devices that are connected after the workstation has started: devices that were already connected at startup are always allowed.

Rules may apply to USB device classes (printer, video, audio, storage, etc.) and/or vendors, models or device serial numbers.

For every USB device category, you can:

  • Allow their use,
  • Block their use,
  • Display a message for the user to confirm whether or not to use the device when it is connected,
  • Monitor the use of USB devices in a set of audit rules.

EXAMPLE 1
SES Evolution can also detect Rubber Ducky USB keys. Such keys present themselves as keyboards, run malicious keystroke scripts and can store data on a micro SD card. If you create a rule that requests user confirmation every time a HID (Human Interface Device) device is plugged in, a message will indicate that a keyboard has just been plugged in. The user can then deny access to this malicious device, which looks like an ordinary USB key.

EXAMPLE 2
You can choose to allow only headsets, speakers and mobile phones provided by your company’s IT department.

If you choose to apply a whitelist, create rules that allow the devices used in your pool, and make the last rule block all other devices. We recommend that you choose the Passive rule mode for this last rule to avoid blocking devices that the workstation needs to run properly. In Passive mode the rule does not block anything but logs what it would have blocked, so you can test the rules you want to apply to USB devices in a production environment and refine them after checking the logs, before enforcing the final Block rule.

To create rules for USB devices:

  1. Select the Policies menu and click on your policy.
  2. Select a rule set.
  3. Click on the Devices > USB tab.
  4. If you are in read-only mode, click on Edit in the upper banner.
  5. Click on Add a rule (USB device). A new row appears.
  6. In the left side of the rule, click on the icon to indicate one or several device identifiers to which the rule applies. Depending on whether you want to filter a specific device or a device category, fill in some or all of these properties (any property left empty matches all devices):
    • Enter a name for this device,
    • Select the USB class of the device from the drop-down list. Click on the icon to enter a value manually if necessary.
    • Enter the USB sub-class consisting of two hexadecimal characters.
    • Enter the first few letters of the vendor name to show the list and select the desired vendor. You can also enter the four standardized hexadecimal characters corresponding to the vendor.
    • Select the product from the list of this vendor’s products or enter the four hexadecimal characters.
    • Enter the serial number of the product.
  7. In the Access field, select Allow, Block or Request if you are in a protection rule set, or Allow or Audit if you are in an audit rule set.
Example of a USB device rule
  8. In the upper banner in the rule, you can:
    • Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
      Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode.
    • Select the log settings that this rule will send.
    • Specify whether an action must be performed when a log is sent for this rule.
    • Enter a description to explain what this rule aims to achieve.
  9. The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
  10. Click on Save at the top right of the window to save changes.

To find out the vendor or product IDs, or the serial numbers of devices, look them up in the Windows Device Manager when the device in question is plugged in (the Device instance path, Hardware Ids and Compatible Ids properties of the device) or use a dedicated USB enumeration utility. A device that reports no serial number is given a Windows-generated instance ID instead, which is not a stable identifier for a rule.

Refer to the international USB standard (the USB-IF class code definitions) to find out the identifiers of USB device classes and sub-classes.
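The following script is an added example and is not code from Stormshield or SES Evolution. It ties together the two points above: it extracts the class, sub-class, vendor ID, product ID and serial number from the Windows PnP strings an administrator reads in Device Manager, then evaluates an ordered whitelist of the kind described earlier (allow the IT-issued devices, request confirmation for anything that presents itself as a HID, block everything else in Passive mode). First-match evaluation in row order and "no matching rule means the agent does not intervene" are assumptions drawn from the procedure; every device string, vendor ID and rule is constructed for the example.

```python
"""Added example, not Stormshield's code: model the USB rules described on this page."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Device instance path as shown in Device Manager:
#   USB\VID_xxxx&PID_yyyy[&MI_nn]\<serial number or Windows-generated id>
INSTANCE_RE = re.compile(
    r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})(?:&MI_[0-9A-Fa-f]{2})?\\(.+)$")
# Compatible Ids carry the interface class and sub-class: USB\Class_cc&SubClass_ss&Prot_pp
CLASS_RE = re.compile(r"^USB\\Class_([0-9A-Fa-f]{2})&SubClass_([0-9A-Fa-f]{2})")


@dataclass(frozen=True)
class UsbDevice:
    usb_class: str          # two hex characters, e.g. "03" = HID, "08" = mass storage
    usb_subclass: str       # two hex characters
    vendor_id: str          # four hex characters
    product_id: str         # four hex characters
    serial: Optional[str]   # None when Windows generated the instance id itself


def parse_device(instance_id: str, compatible_ids: list[str]) -> UsbDevice:
    """Build the identity a rule can match on from a device's PnP strings."""
    m = INSTANCE_RE.match(instance_id)
    if not m:
        raise ValueError(f"not a USB instance path: {instance_id}")
    vid, pid, tail = m.groups()
    # A device that reports no serial number gets a Windows-generated id containing
    # '&' that depends on the port, so it must not be used as a serial in a rule.
    serial = None if "&" in tail else tail
    for cid in compatible_ids:
        c = CLASS_RE.match(cid)
        if c:
            usb_class, usb_subclass = (x.upper() for x in c.groups())
            break
    else:
        raise ValueError(f"no USB\\Class_ compatible id for {instance_id}")
    return UsbDevice(usb_class, usb_subclass, vid.upper(), pid.upper(), serial)


@dataclass(frozen=True)
class Rule:
    name: str
    access: str                          # "Allow", "Block" or "Request"
    passive: bool = False                # Passive: log the decision, do not enforce it
    usb_class: Optional[str] = None      # every unset identifier is a wildcard
    usb_subclass: Optional[str] = None
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serial: Optional[str] = None

    def matches(self, dev: UsbDevice) -> bool:
        fields = ("usb_class", "usb_subclass", "vendor_id", "product_id", "serial")
        return all(getattr(self, f) is None or getattr(self, f) == getattr(dev, f)
                   for f in fields)


def evaluate(rules: list[Rule], dev: UsbDevice) -> tuple[str, str]:
    """Return (effective access, log line) from the first rule that matches (assumed order)."""
    ident = f"{dev.vendor_id}:{dev.product_id}"
    for rule in rules:
        if rule.matches(dev):
            if rule.passive and rule.access != "Allow":
                return "Allow", f"[passive] rule '{rule.name}' would {rule.access} {ident}"
            return rule.access, f"rule '{rule.name}' -> {rule.access} {ident}"
    # Assumption: with no matching rule the agent does not intervene, which is why
    # a whitelist needs an explicit final Block rule.
    return "Allow", f"no rule matched {ident}"


# Whitelist under test: IT-issued headsets, confirmation for anything claiming to be
# a keyboard (Rubber Ducky case), then a catch-all Block kept Passive while testing.
POLICY = [
    Rule("IT headsets", "Allow", usb_class="01", vendor_id="1234"),
    Rule("Any HID device", "Request", usb_class="03"),
    Rule("Block everything else", "Block", passive=True),
]

# Constructed PnP strings in the form Device Manager shows them (not real devices).
SAMPLE_DEVICES = {
    "headset": ("USB\\VID_1234&PID_0001\\HS00042",
                ["USB\\Class_01&SubClass_01&Prot_00", "USB\\Class_01"]),
    "rubber ducky": ("USB\\VID_5678&PID_0100\\6&2F1A9C3B&0&2",
                     ["USB\\Class_03&SubClass_01&Prot_01", "USB\\Class_03"]),
    "personal flash drive": ("USB\\VID_0ABC&PID_0DEF\\0C9D92E1B7A3",
                             ["USB\\Class_08&SubClass_06&Prot_50", "USB\\Class_08"]),
}


def run_policy(rules: list[Rule] = POLICY) -> dict[str, tuple[str, str]]:
    """Evaluate every sample device against the rule list, in row order."""
    return {name: evaluate(rules, parse_device(inst, cids))
            for name, (inst, cids) in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, (access, log) in run_policy().items():
        print(f"{name:22} {access:8} {log}")
```

Run as-is, the flash drive is still allowed but the log shows the Block decision the final rule would have taken; replacing that rule with a non-passive one turns the same log line into an actual block. Moving the catch-all above the headset rule makes the headset fall into it too, which is why the page insists the Block rule comes last.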