Table of Contents
Blocking USBs | Permitting USBs | Permitting a USB Drive by Serial Number
Deciding what you would like to lock down in your environment and how you would like to lock down your environment is a vital part of achieving optimum security. Within this scope falls the use of USB drives. Managing and addressing USB drives is essential to security as they are a potential threat to corporate data. There are some instances in which you might need to authorize using USB drives. Here we will cover our bases, demonstrating how to block and permit USB drives.
Blocking USBs
In this example, we are creating the Deny Policy at the group level. First, navigate to the ‘Modules’ dropdown using the left-hand side of the page. Select ‘Storage Control’ from the list of modules.
Within the ‘Storage Control’ page, select the ‘+ New Policy’ button from the top left corner of the page.
Selecting this button will open the ‘Create Storage Policy’ side panel.
In the ‘Details’ section, start by entering the ‘Policy Name’. You can optionally enter a description to denote what the policy does within your organization.
In the ‘Applies To’ section, you can select the level at which this policy is placed. You can choose between the entire organization, global groups, computer groups, or individual computers. For this example, we will be selecting 'Workstations'.
Within the ‘Conditions’ section, select ‘Read/Write’ and ‘Selected Interface’. Under the ‘Selected Interface’ portion, a dropdown will appear. Select ‘USB’ from the list of options.
Within the ‘Actions’ section, you will notice that ‘Permit’ has automatically been selected. Choose ‘Deny’ to deny access to USBs. You can optionally allow users to request access, meaning they will still receive ThreatLocker prompts that let them send requests for USB access to the ‘Approval Center’.
Once you have made all changes, select the ‘Create’ button at the bottom of the page.
Select the ‘Deploy Policies’ button found in the top right corner of every page once you have created the policy.
Within 60 seconds, all USB Storage Devices within the selected group will be blocked.
Permitting USBs
For this example, we will permit all USB drives on an individual computer. Start by navigating to the ‘Modules’ dropdown on the left-hand side of the page. From here, select the ‘Storage Control’ option.
Select the ‘+ New Policy’ button found in the top left side of the page.
Selecting this button will open the ‘Create Storage Policy’ side panel.
Within the ‘Details’ section, insert the name for the Policy you are creating; you can also optionally enter a description.
Using the ‘Applies To’ section, you can use the dropdown menu to select where this policy will be applied. For this example, we will only be permitting the USB device on one user's computer.
Within the ‘Conditions’ section, select ‘Read/Write’ and ‘Selected Interface’. Under the ‘Selected Interface’ portion, a dropdown will appear. Select ‘USB’ from the list of options.
The ‘Actions’ section is set to ‘Permit’ by default. Make sure that this is selected. You can also optionally choose not to have this logged within the Unified Audit.
Once all your changes have been set, select the ‘Create’ button at the bottom of the page.
Select the ‘Deploy Policies’ button found in the top right corner of every page once you have created the policy.
Within 60 seconds, all USB drives will be permitted on the specified computer.
Permitting a USB Drive by Serial Number
To permit a USB drive by serial number, you must define a Device within Storage Control. Using the left-hand side of the page, select the ‘Modules’ dropdown, then select ‘Storage Control’ from the list.
Once on the 'Storage Control' page, select the '+ Storage Device' button in the top left corner.
This will open the ‘Create Storage Device’ side panel. You can define this storage device and enter its serial number here.
After defining your storage device, you can add it to a new policy.
- Navigate to Modules > Storage Control.
- Select ‘+ New Policy’.
- Name your policy and set the level where you want to allow this.
- Under Conditions, set the access to Read or Read/Write.
- Under Selected Storage Devices, select your defined Storage Device.
- Under Actions, ensure that this is set to Permit.
- Create and deploy policies.
To find your device’s serial number, you can view it within the Unified Audit under “Additional File Details”, labeled in yellow as “S/N”.
Additionally, the SerialNumber can be found locally on your Windows machine using Windows Management Instrumentation (WMI). By using ‘PowerShell’, you can enter the following command and receive information about the disk drive on your system:
Get-WmiObject Win32_DiskDrive | select Model, Name, InterfaceType, SerialNumber
The command will display the model, name, interface type, and serial number for you.
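The command above lists every disk, including internal drives. The following script is an added example, not part of the original article or ThreatLocker's tooling: it narrows the same WMI class to USB-attached disks and flags serial numbers that are blank or shared by more than one device, since such values cannot single out one drive. The output column names `SizeGB` and `Usable` are choices made for this example.

```powershell
# Added example: list USB-attached disks and check whether each serial number
# is usable as a unique identifier before defining a Storage Device with it.

# Same class as the command above, queried through CIM and filtered to USB.
$usbDisks = Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType = 'USB'"

if (-not $usbDisks) {
    Write-Warning 'No USB disk drives are currently attached.'
    return
}

# Normalize each record; some devices pad the serial with spaces or report none.
$report = foreach ($disk in $usbDisks) {
    $serial = if ($disk.SerialNumber) { $disk.SerialNumber.Trim() } else { '' }
    [pscustomobject]@{
        Model         = $disk.Model
        Name          = $disk.Name
        InterfaceType = $disk.InterfaceType
        SerialNumber  = $serial
        SizeGB        = [math]::Round($disk.Size / 1GB, 1)
        Usable        = $true
    }
}

# Serial numbers reported by more than one attached device.
$duplicates = $report |
    Where-Object SerialNumber |
    Group-Object -Property SerialNumber |
    Where-Object Count -gt 1 |
    Select-Object -ExpandProperty Name

foreach ($row in $report) {
    if (-not $row.SerialNumber) {
        $row.Usable = $false
        Write-Warning "$($row.Model) ($($row.Name)) reports no serial number."
    }
    elseif ($duplicates -contains $row.SerialNumber) {
        $row.Usable = $false
        Write-Warning "$($row.Model) shares serial '$($row.SerialNumber)' with another attached device."
    }
}

$report | Sort-Object Name | Format-Table -AutoSize
```

Compare the reported value with the “S/N” shown in the Unified Audit for the same device before entering it in the ‘Create Storage Device’ panel.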
Some storage devices may also physically contain their serial numbers.
For more information about creating Storage Control policies, see our ThreatLocker University course, Storage Control.