Initial Rollout - KB2201061

Dec-18-2023

This article describes the procedure for the initial USBSecure rollout. The aim is to restrict the use of USB mass storage devices (sticks, hard disks, card readers). All other devices should still be allowed for all users. It is assumed that no USB protection software is in use in your company up to this point.

USBSecure Enterprise 5, USBSecure OT 5, USBSecure Enterprise 6, USBSecure OT 6
 

Installing the USBSecure server (shares)

First, install the USBSecure server. The USBSecure server consists only of the two network shares devices$ and devicesRW$. Make sure that the shares work as described in the Installation Guide. You should also have equipped two or three of your workstations with the USBSecure client (MSI package) to become familiar with the basic configuration.
 

Customize the configuration

Customize the USBSecure configuration to allow all users to use all devices. This looks like the following in detail:

usb.cfg and bluetooth.cfg

[AllUsers]
*

sdcard.cfg, esata.cfg, firewire.cfg, cd.cfg, floppy.cfg

AllUsers

These configuration settings do not disable any devices. The aim is to initially only collect information about existing devices.
 

Distribute the client software

Distribute the USBSecure client software (MSI package) to all desired computers. Do this according to your standard rollout procedure. Usually, the distribution is staggered, from a few selected computers to all.
 

Analyze the USB devices used

The USBSecure client can be configured to report information about installed USB devices back to the "server". This information is then stored in the DevicesRW$ share in the ExistingUsbDevices directory. To do this, set the value for LocalDevicesCopy in the USBSecure.ini file to a value greater than 0.

The reporting function of the USBSecure Admin accesses this data. Via Edit / Create Report you can create different reports that help you to refine the USB device configuration.

Please note: The collected data covers all USB devices that have ever been connected to the computer (since the operating system was installed). Since the operating system does not log the data itself, but only stores it in the registry, the data cannot be narrowed down by time or, when multiple users log on to one computer, by individual user.
 

Specify the configuration

When you have collected enough data, you can refine your configuration. In the USB configuration, instead of the asterisk (*) that allows all USB devices for all users, you can now allow the bulk of USB devices via the "service" entries. These services have nothing to do with the services running on a Windows computer. They refer to the "Service" entry that each USB device has (Device Manager / Properties of the device / Details / Service).

Now configure your USB configuration as follows:

[AllUsers]
service=usbhub    # USB root hubs allowed
service=usbhub3   # USB root hubs V3 allowed
service=iusb3hub  # USB root hubs V3 allowed
service=hidusb    # USB keyboards and mice allowed
service=usbccgp   # USB composite devices

service=usbaudio   # audio devices
service=rtux64w10   # USB network adapters (Realtek)
service=msux64w10   # USB network adapters (Microsoft)
service=usbscan    # USB scanner
service=usbprint    # USB printers
service=usbvideo    # USB cameras
service=wudfwpdmtp   # smartphones, tablets, cameras
service=winusb   # fingerprint scanners
service=wudfrd   # smartphones, tablets, fingerprint scanners
service=bthusb    # USB Bluetooth adapters
service=rtsuer    # card readers (Realtek)
service=usbstor   # USB mass storage devices 
service=uaspstor  # USB SCSI hard disks 

Attention: When this configuration is applied to your clients (at the next start of the USBSecure service), it is very likely that a few USB devices will no longer work because they do not correspond to any of the listed services! Make sure you are ready to act then (USBSecure administrator available, skills for unlocking devices). Think in advance about USB devices that are particularly important in your company and specify these devices in the USBSecure configuration, either as a service entry or via the Vid/Pid identifier.

If this approach seems too risky, then please proceed in smaller units (e.g. department by department).

Also note: Many built-in devices are USB devices! It is not only about devices that are plugged into a USB port. Examples: Bluetooth adapters, fingerprint scanners.

With this USB configuration, USB mass storage devices (sticks, hard disks, card readers) are still allowed. In the next step you can remove the last three lines

service=rtsuer    # card readers (Realtek)
service=usbstor   # USB mass storage devices 
service=uaspstor  # USB SCSI hard disks 

from the configuration. At the same time, you should make individual entries per user for users who are to use USB sticks, USB hard disks or card readers:

[Lincoln]
USB\VID_090C&PID_1000\AA201106043279   # Silicon Motion 64 GB USB stick

[Whitehead]
USB\VID_0BDA&PID_0129\2010002013683   # Realtek card reader

[Wright]
USB\VID_0781&PID_558C\MSFT303234A503833   # SanDisk Extreme 1 TB USB hard disk

This configuration is an example and can be adapted to your conditions.
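
A dry run of the refined configuration (service entries for all users, per-user entries for mass storage) against a device inventory, as an added example that is not part of USBSecure or of the original article. It assumes that [AllUsers] and a user's own section combine and that service names and device IDs match case-insensitively; the inventory rows, the user Taylor and the VID_1234 devices are constructed.

```python
def parse_usb_cfg(text):
    """Parse the usb.cfg layout shown in the article into per-section rules."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = rules.setdefault(
                line[1:-1], {"all": False, "services": set(), "devices": set()})
        elif current is None:
            raise ValueError(f"entry outside a section: {raw!r}")
        elif line == "*":
            current["all"] = True
        elif line.lower().startswith("service="):
            current["services"].add(line.split("=", 1)[1].strip().lower())
        else:
            current["devices"].add(line.upper())  # device instance ID
    return rules

def is_allowed(rules, user, device_id, service):
    # ASSUMPTION: [AllUsers] and the user's own section combine, and names
    # match case-insensitively; confirm both against the product documentation.
    sections = [rules[s] for s in ("AllUsers", user) if s in rules]
    return any(r["all"] or service.lower() in r["services"]
               or device_id.upper() in r["devices"] for r in sections)

def blocked(rules, inventory):
    """Return the (user, device_id, service) rows the rules would not allow."""
    return [row for row in inventory if not is_allowed(rules, *row)]

# The article's service list without the three storage lines, plus two of its users.
SERVICES = ("usbhub usbhub3 iusb3hub hidusb usbccgp usbaudio rtux64w10 msux64w10 "
            "usbscan usbprint usbvideo wudfwpdmtp winusb wudfrd bthusb")
PLANNED_CFG = "[AllUsers]\n" + "".join(f"service={s}\n" for s in SERVICES.split()) + r"""
[Lincoln]
USB\VID_090C&PID_1000\AA201106043279   # Silicon Motion 64 GB USB stick
[Whitehead]
USB\VID_0BDA&PID_0129\2010002013683   # Realtek card reader
"""
# Constructed inventory rows: (user, device instance ID, Service entry).
INVENTORY = [
    ("Lincoln", r"USB\VID_090C&PID_1000\AA201106043279", "USBSTOR"),  # own stick
    ("Taylor", r"USB\VID_090C&PID_1000\AA201106043279", "USBSTOR"),   # same stick
    ("Taylor", r"USB\VID_1234&PID_5678\0001", "HidUsb"),              # keyboard
    ("Taylor", r"USB\VID_1234&PID_ABCD\0002", "FTDIBUS"),             # serial adapter
]
if __name__ == "__main__":
    print(blocked(parse_usb_cfg(PLANNED_CFG), INVENTORY))
```

The rows it returns are the devices to add to the configuration, as a service entry or a per-user device entry, before the new usb.cfg reaches the clients.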

 
