How to block USB devices:
Professional 2.02: USB Security Tool
If the USB port is enabled, users can transfer files to and from the
company network with USB sticks, memory cards and USB hard disks. These
files can contain malicious code such as viruses and worms. The memory
devices often do not need special device drivers, so any user can
install them automatically with plug & play. Administrators do not have
the possibility to allow a list of devices and block others.
USBSecure Professional gives administrators the ability to define
white lists with users who are allowed to use USB, IDE Floppy and CD
drives. You can specify USB devices that are allowed for a
certain user - all other devices are blocked.
USBSecure Professional can help
- you need to control who can and who cannot access certain USB devices and floppy / CD drives in your network
- you have users that need their USB ports for certain devices, but you don’t want them to install additional devices like USB
- you need a user-based, easy-to-use USB security tool
New in version 2.02
than 255 USB devices allowed per user (--> 1000)
install and silent uninstall for easier deployment
How does USBSecure
USBSecure Professional runs as a Windows service. You can define the
users who are able to use certain USB devices. When a user logs on,
the current config files will be downloaded from the server and the
USB devices, disk and CD/DVD drives will be enabled or disabled. You
don't need a dedicated USBSecure server. Any existing fileserver can
merely a share "devices$" is needed.
USBSecure Professional is a Windows Scripting File (VBScript). In addition to this file you need a few tools from Windows
Resource Kit and a free tool from Microsoft:
srvany.exe => Windows Resource Kit (free
instsrv.exe => Windows Resource Kit (free
shutdown.exe => Windows Resource Kit (free
devcon.exe => free download from Microsoft
Create a share called "devices$" on a fileserver. Grant read
permissions for the group Everyone on that share. Copy the files
floppy.cfg, usb.cfg into the folder.
The service “Windows Management Instrumentation” must be running on
the client that should be protected. This is the default behaviour.
the files instsrv.exe, srvany.exe and shutdown.exe from Windows
Resource Kit to your USBSecure source folder (the folder containing
setup.cmd).
Here is the download
the free file devcon.exe from Microsoft, start it
for extraction and copy the extracted file devcon.exe
to your USBSecure source folder. The file must
have a size of 55K! Download link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q311272
on with administrative privileges to the client that should be
protected and start the installation with setup.cmd. During
installation you will be prompted for the USBSecure destination
path (default: C:\Program Files\USBSecure) and the name of the
USBSecure server. Grant Read permission for Everyone to the
USBSecure folder. Please ensure that the Everyone Group has no
the service “USBSecure”. A logfile USBSecure.log
will be created in the USBSecure folder.
Syntax: setup.vbs [install_path] [devices$_server]
Example: setup.vbs "C:\Program Files\USBSecure" fileserver1
installation.log can help you if the installation runs into problems.
Don't hesitate to send this file to email@example.com.
config files floppy.cfg, cd.cfg and usb.cfg are whitelists for allowed
devices. Users not listed in these files will have no access to the
devices - except to devices in the [AllUsers] section in usb.cfg.
that should have access to the Disc or CD/DVD drives, must be listed in
the files floppy.cfg and cd.cfg, one
user per line:
permissions for USB devices are managed in usb.cfg.
The users should be listed in brackets without any domain prefix or
suffix. The username is followed by the list of allowed devices. The
notation is the same as used in the registry. You can get a list
including all installed USB devices in the correct notation with the
script ShowExistingUsbDevices.vbs (run the script with
administrative privileges), so the allowed
devices can be transferred via copy & paste.
users with full access to any USB device get an asterisk (*).
Devices which should be accessible for all
users (e.g. USB Root Hub, scanners, mouse) can be listed in section
you can get the Vid/Pid identifier from Device Manager in the
properties window of the USB device:
can place wildcards (*) instead of the device name, because the name
during installation and the final name are not the same in most cases.
A device can be recognized during device installation as
"Solid State Disk: Vid_08ec&Pid_0834", but the final name is
"USB mass storage: Vid_08ec&Pid_0834". This problem can be fixed with
"*: Vid_08ec&Pid_0834".
For better documentation you can
place comment lines. Lines beginning with the # character will be ignored by
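
The whitelist rules described above (per-user sections, the [AllUsers] section, the * full-access entry, name wildcards and # comment lines), as an added Python example that is not part of USBSecure or its documentation: it checks a usb.cfg offline with default-deny semantics and lists the users who hold full access. The exact file layout, the case-insensitive matching, the sample file and all function names are assumptions.

```python
import re

# Constructed sample in the layout the page describes (an assumption, not a
# file shipped with the product). The root hub Vid/Pid is made up.
SAMPLE_USB_CFG = """\
# devices every user may use
[AllUsers]
USB Root Hub: Vid_0000&Pid_0000
[alice]
*: Vid_08ec&Pid_0834
[bob]
*
"""

def parse_usb_cfg(text):
    """Return {section name (lowercased): [device patterns]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comment and blank lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:                 # entries outside a section are dropped
            sections[current].append(line)
    return sections

def _matches(pattern, device):
    # Only "*" is a wildcard; every other character is literal.
    # Case-insensitive comparison is an assumption of this example.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, device, re.IGNORECASE) is not None

def is_allowed(sections, user, device):
    """Default deny: True only if [user] or [AllUsers] lists the device."""
    user = user.split("\\")[-1].split("@")[0].lower()   # drop domain prefix/suffix
    patterns = sections.get("allusers", []) + sections.get(user, [])
    return any(_matches(p, device) for p in patterns)

def full_access_users(sections):
    """Sections holding a bare '*': the entries an audit should review first."""
    return sorted(name for name, pats in sections.items() if "*" in pats)

if __name__ == "__main__":
    cfg = parse_usb_cfg(SAMPLE_USB_CFG)
    print(is_allowed(cfg, "CORP\\alice", "Solid State Disk: Vid_08ec&Pid_0834"))
    print(full_access_users(cfg))
```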