Blocking USB memory storage

PPAlen W/ Member Posts: 4 Security Scout

Hi all, I know that it is possible in Policy Manager to control USB devices, but I was wondering: is it possible to deny access to some USB devices?

Here is the example:

USB memory not encrypted - cannot be allowed, and cannot be accessed

USB memory encrypted - can be accessed on client computers


Is this possible?

Answers

  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff
    edited October 2020

    Hi PPAlen,

    You can limit or block access permissions for removable drives using Device control. Refer to the following links for instructions:


    Limiting access permissions for removable drives

    Blocking device access using predefined rules

    Getting Hardware ID for a device


    You can make rules for various USB classes where you set the access level to Block, and then make a whitelist rule to allow the devices by hardware ID.

    To see the various classes, please check this page:

    https://en.wikipedia.org/wiki/USB 

    ( Scroll down and find Device Classes ) 

    Once you have blocked it make another rule to whitelist the devices by hardware ID.

    To add an exception to a rule, follow these instructions:


    1. Get the hardware ID for the device that you want to allow.

    The hardware ID has to be more specific than the ID which is used to block the device.

    2. Go to the Settings tab and select Windows > Device control.

    3. On the Device access rules table, click Add.

    4. Enter the hardware ID for the device as the Hardware ID in the new rule.

    5. Set Access Level to Full access to allow the use of the device.

    6. Set Active to Yes for the new rule.


    To find the hardware ID, please refer to this:

    Follow these instructions to find the hardware ID either with F-Secure Policy Manager or Windows Device Manager.

    In Advanced view:

    1. Open F-Secure Policy Manager and go to F-Secure Device Control > Statistics.

    Use Hardware IDs, Compatible IDs and Device Class columns to find the ID of the device that has been blocked.

    2. If you cannot find the ID using the statistics or the device has not been blocked yet, open Windows Device Manager on the client computer.

    3. Find the device whose ID you want to know in the list of devices.

    4. Right-click the device and select Properties.

    5. Go to Details tab.

    6. Select one of the following IDs from the drop-down menu and write down its value:

    • Hardware IDs

    • Compatible IDs

    • Device class guid

    Note: Device control can only be configured from the Policy Manager. There is no local configuration user interface.
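The Device Manager lookup in steps 2 to 6 above can also be scripted on the client. This is an added example, not part of the original answer and not F-Secure code: it reads the standard Windows `Win32_PnPEntity` CIM class, and the function name `Get-UsbDeviceIds` and its prefix filter are assumptions made for the illustration.

```powershell
# Added example: list the Hardware IDs, Compatible IDs and device class GUID
# (the three values from the Device Manager Details tab) for every
# USB-attached device currently known to this client.
function Get-UsbDeviceIds {
    param(
        # Instance-ID prefixes treated as "USB-attached" (assumption for this example).
        [string[]]$Prefix = @('USB\', 'USBSTOR\')
    )

    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object {
            $id = $_.PNPDeviceID
            $id -and ($Prefix | Where-Object {
                $id.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            })
        } |
        ForEach-Object {
            $dev = $_
            # Windows lists Hardware IDs from most specific to least specific,
            # so Rank 1 is the narrowest value available for an allow rule.
            foreach ($kind in 'HardwareID', 'CompatibleID') {
                $rank = 0
                foreach ($value in @($dev.$kind)) {
                    if (-not $value) { continue }   # property may be empty
                    $rank++
                    [pscustomobject]@{
                        Name      = $dev.Name
                        Kind      = $kind
                        Rank      = $rank
                        Value     = $value
                        ClassGuid = $dev.ClassGuid
                    }
                }
            }
        }
}

# One row per ID, grouped per device in the order Windows reports them.
Get-UsbDeviceIds | Format-Table -AutoSize -Wrap
```

For an exception rule, pick a `HardwareID` row with a lower rank number than the ID used in the blocking rule, since the allow rule's ID has to be the more specific of the two.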

  • PPAlen
    PPAlen W/ Member Posts: 4 Security Scout

    Thank you for your comment.

    I know that it is possible to control USB devices, but my question was: is it possible to control more than that?

    Control devices that are or are not encrypted?

    If the device is encrypted then the access is granted; if not, then the device is denied.

This discussion has been closed.