KB2201311 - Security mechanisms in USBSecure
This article explains which security mechanisms are implemented in USBSecure Enterprise and USBSecure OT to protect the administrator and your organization from serious misconfiguration.
Refers to: USBSecure Enterprise 5, USBSecure OT 5
Misconfiguration of central systems
The misconfiguration of central systems such as Active Directory, DNS or network components can have serious consequences for a company. For this reason, the number of people administering such systems should be kept to a minimum. Even with USBSecure, misconfiguration can cause network-wide critical devices to fail. To reduce this risk, several security mechanisms have been implemented in USBSecure.
Security mechanism 1: Implicitly switched-on devices
Since USBSecure version 4.3, certain devices are implicitly turned on even if they are missing from the USB configuration file. This includes all USB hubs and all wired USB keyboards and mice.
Security mechanism 2: File size check of the configuration files
Version 4.3 also introduced a file size check for the configuration files usb.cfg and bluetooth.cfg. A file is discarded if its size is smaller than 50% of the previous version, and the respective file from the cache directory is used instead. The same happens if a file is smaller than 15 bytes.
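The size check described above, sketched in Python as an added example (not USBSecure's own code). It assumes the cached copy is the "previous version" used for the comparison and that an accepted file refreshes the cache; the function name `select_config` and the cache file name are hypothetical.

```python
import os
import shutil
import tempfile

MIN_BYTES = 15   # article: files smaller than 15 bytes are discarded
MIN_RATIO = 0.5  # article: files below 50% of the previous version are discarded


def select_config(new_path, cache_path):
    """Return (path_to_load_or_None, reason) for one configuration file.

    Assumption: the cached copy is the "previous version" to compare against.
    """
    new_size = os.path.getsize(new_path) if os.path.isfile(new_path) else None
    old_size = os.path.getsize(cache_path) if os.path.isfile(cache_path) else None
    fallback = cache_path if old_size is not None else None

    if new_size is None:
        # Assumed handling; the article does not cover a missing file.
        return fallback, "new file missing"
    if new_size < MIN_BYTES:
        return fallback, "smaller than 15 bytes"
    if old_size is not None and new_size < MIN_RATIO * old_size:
        return fallback, "smaller than 50% of previous version"
    # Assumed behaviour: an accepted file becomes the new cached version.
    shutil.copyfile(new_path, cache_path)
    return new_path, "accepted"


def demo():
    """Feed constructed files of known sizes through the check."""
    sample = b"[AllUsers]\n" + b"device=allow\n" * 100  # constructed content
    results = []
    with tempfile.TemporaryDirectory() as d:
        new = os.path.join(d, "usb.cfg")
        cache = os.path.join(d, "usb.cfg.cache")  # hypothetical cache name
        for size in (600, 299, 300, 10):
            with open(new, "wb") as f:
                f.write(sample[:size])
            path, reason = select_config(new, cache)
            results.append((size, os.path.basename(path), reason))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The 300-byte file is accepted because the rule is "smaller than 50%", so a file of exactly half the previous size passes.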
Security mechanism 3: The 20 lines check
Starting with USBSecure version 5.0, the USBSecure admin interface warns the administrator when more than 20 lines have been deleted while editing a configuration file. This prevents accidental deletion of large areas. In addition, the administrator receives a warning message when the AllUsers section is deleted. This is the section that determines which devices are allowed for all users.
Security mechanism 4: StaticDevices
StaticDevices were introduced with USBSecure version 5.0. This allows particularly important USB devices to be assigned the "static" suffix. A static device is still allowed on the client even if it is removed from the central configuration. See the KnowledgeBase article KB2201062 - StaticDevices explained.
Security mechanism 5: Automatic backup
Every time a USBSecure configuration file is changed (more precisely: every time it is saved), a copy of the file is automatically created. The restore function can be used to restore to any older state at any time. The automatic backup is always switched on and cannot be deactivated.