Manage Learn to apply best practices and optimize your operations.

Using security and desktop management products to block USB access

While gluing your USB ports shut is one way to avoid data loss via a portable driver, a less drastic -- but still effective -- option is a security or desktop management product.

A rogue employee can easily carry a lot of private data out of your offices using a USB drive. While gluing your USB ports shut (like my local library did) is one way to prevent data loss via a portable driver, a less drastic -- but just as efficient -- option is a security or desktop management product. These products block read or write access to removable USB or CD drives. This not only prevents data loss, but it also protects desktops from an infected disc or drive.

The following five products are major players in the area:

How the products work
At the highest level of operations, each of these products requires a management agent on all corporate endpoints. However, this can be a challenge, since not all endpoint operating systems are supported by all products. Most of these products began in the 32-bit Windows world, and they have since branched out to include 64-bit Windows, Mac and even Linux desktops.

The next step is to set up a series of policies of the management server -- typically by using a Web browser to connect to a separate machine -- that locks down the removable drives. When a user inserts a drive, he (along with the administrator) gets a message that says the drive isn't operable because of corporate security policies. You can allow particular groups of users, such as IT testers, unimpeded access to their drives, or you can allow specific types of drives.

The tricky part with all these products is that although you want block USB drives, you still want to allow access to other USB attachments such as keyboards, mice, cameras and printers. In other words, you want your PCs safe and usable. Therefore, it's important to understand how each product differentiates the harmful USB devices from the benign ones.

It's also critical to evaluate the level of integration of device protection with the host intrusion-protection, data loss prevention and antiviral solutions that may or may not be present in each product. This means you can track or block the storage of particular kinds of data (such as customer lists or executables) but not others to removable drives.

Note that many of these endpoint products do more than just enforce policies for removable drives. They can also require PCs to be up to date on their OS and antivirus patches, make sure that desktop firewalls are installed and operational, and perform hundreds of other endpoint security tasks.

The products up close  

Safend Protector is several years old, and it has many different controls for removable devices. For example, you can control particular external storage devices and U3 smart drives, and you can decide whether to burn data to a DVD. Safend also makes software that works to complement device-control features such as hard disk encryption, data loss protection and content inspection. The company is planning to add support for Mac endpoints in September.

Cost: $35 per year, per desktop; less with quantity discounts.

Figure 1: Safend's port-control features cover a variety of removable devices. (Click to enlarge.)


Symantec Endpoint Protection (SEP) Enterprise v11 combines several of the company's security features -- host intrusion protection and desktop firewall, antivirus protection, and device and application controls -- into one package. SEP is also available in a small-business edition, but this version doesn't include the device-control features. SEP controls different features, like writing to a USB device, accessing the Autorun feature, changing Internet Explorer or registering Browser Helper Objects. It can also govern specific devices such as USB drives, mice and keyboards. It is very simple to set up and configure, and it's one of the few products that supports Mac and Linux endpoints.

Cost: $50 per year, per desktop; less with quantity discounts.

Figure 2: SEP's application-control features complement its device-control ones. (Click to enlarge.)


Skyrecon StormShield Endpoint Security v5.5 comes in a variety of modules including device control, host-based intrusion protection, firewalls and antivirus protection. Currently, the product only supports 32-bit Windows versions up to Vista, but additional support for Mac and Windows 7 endpoints will be added later this year.

Cost: $30 one-time fee or less per desktop with quantity discounts for just the device-control features.

Figure 3: Skyrecon has a long list of device controls that can be blocked for its managed endpoints. (Click to enlarge.)


Sophos Endpoint Security and Data Protection v9.5 only supports 32-bit and 64-bit Windows clients, but it does allow you to create sophisticated policies. For example, you can create a policy to block all USB drives except for encrypted ones. It also includes application controls and data leak prevention policies, such as the ability to block access to online cloud storage sites.

Cost: $110 per year, per desktop, which drops to much less for more users.

Figure 4: Sophos lets you block or monitor the types of data copied to removable devices. (Click to enlarge.)

In addition to traditional endpoint security products, some desktop management products can also help you control USB access. While these tools aren't specifically designed for endpoint security, they can be used to monitor the software and OS patches running on your desktops.


Dell Kace K1000 Systems Management Appliance is a typical example of such a product, and like the endpoint security tools above, it installs its own management agent. It also uses a script to modify the Windows registry settings on each managed endpoint to make the USB drive read-only or to disable the USB drive completely. This can also be used to collect PC inventories and push out scheduled patches to desktops.

Cost: $8,900 for 100 nodes; additional nodes $31 per year.

Figure 5: Dell's Kace K1000 appliance offers a way to modify Windows registry settings. (Click to enlarge.)

Endpoint control products can be used to block removable USB and DVD drive access. By combining them with your existing security products, you can craft a coherent and integrated protection regime.


David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of, Network Computing magazine and Read more from Strom at


Dig Deeper on Unified endpoint management