Deciding what you would like to lockdown in your environment as well as how you would like to lockdown your environment is a vital part of achieving optimum security. Within this scope, falls the use of USB drives. Managing and addressing USB drives is an essential part of security as they are a potential threat to corporate data. There are, of course, certain cases in which you might need to authorize the use of USB drives. Here we will cover our bases, demonstrating how to block USB drives, in addition to how to permit them.
Blocking USBs
In this example, we are creating the Deny Policy at the group level.
- In the ThreatLocker Portal, navigate to 'Storage Control' > 'Policies'.
- On the top right corner, select the group in which you would like to place your Policy.
- Select 'New Storage Policy' at the top left corner to open a pop-up window.
- Enter in a name for the Policy, and select 'Deny' > 'Read and Write' as shown below.
- Under 'What type of interface should this apply to (e.g. USB or SATA)?', select 'Select an interface' > 'USB'.
- Once the necessary changes have been made, select 'Save'.
- Select 'Click to Deploy Policies'.
Within 60 seconds, all USB Storage Devices within the selected group will be blocked.
Permitting USBs
For this example, we will permit all USB drives on an individual computer.
- Navigate to 'Storage Control' > 'Policies' from the ThreatLocker Portal.
- In the top right-hand corner, select the desired computer.
- Select 'New Storage Policy' on the top left-hand corner to open up a pop-up window.
- Enter a name for the permit Policy and ensure that 'Permit' is selected along with your preference if read, write, or both should be allowed.
- Under 'What type of interface should this apply to (e.g. USB or SATA)?', select 'Select an interface' > 'USB'.
- Select 'Save'.
- Select 'Click to Deploy Policies'.
Within 60 seconds, all USB drives will be permitted on the specified computer.
Permitting a USB Drive by Serial Number
To populate a list of all the USB devices by serial number that ThreatLocker has observed in your environment in the past month, navigate to the Reports page.
- Select 'Storage devices' in the dropdown under 'Category'
- Choose 'USB Serial Numbers' under the 'Report' category.
- Click 'Generate'
The report will generate the Serial Number, the User, and the Computer Name. With this information, you can create a policy to allow selected USB devices by serial number.
- Navigate back to Storage Control > Policies.
- Click 'New Storage Policy'.
- Name your policy.
- Select if you want to permit read or read & write access.
Remember to be as restrictive as possible. If the end users don't need to write anything to the USB, only permit them to read.
- Under 'Which storage devices should this apply to?', select 'Allow me to select specific storage devices' and input the serial number, or a portion of the serial number, into the text box and click 'Add'. You can add multiple serial numbers into this box, but you must click add in between each one.
For more information about creating Storage Control policies, see our ThreatLocker University course, Storage Control.