Disable USB ports to prevent unauthorized data transfers

by James Detwiler | Jan 16, 2003 8:00:00 AM

Tags: James Detwiler, USB port, BIOS, Members TheChas, workstation, USB

Takeaway: USB storage technology might just become the next floppy drive. But does the small size and blazing speed pose a security risk? One TechRepublic member thinks so. Find out what she did to remedy the situation.

Emerging USB storage technology allows massive amounts of data to be transferred at lightning speeds. Devices continue to decrease in size (now the size of a key chain), and the storage capacity keeps multiplying (currently up to 1 GB). All this makes for fast, efficient, and convenient information exchange, but there is a downside—security. Employees can use these tiny, portable USB storage devices to download sensitive data and upload potentially harmful apps or viruses.

How should an IT pro address these security concerns? TechRepublic member mrs_doctor_jones would most certainly like to know.

"I was wondering whether or not it is possible to disable USB ports on workstations. If so, is there a way to do it so that 'smart' workstation users could not easily enable them again?"

Mrs_doctor_jones says, "In an interest of network security, I think it would be prudent for us to disable the ports on all workstations in the office so that no one could use USB drives to put stuff onto or pull stuff off of the network."

Block those USB ports with BIOS settings
Members TheChas and DR The Corporate Groups both think the BIOS is the place to start. BIOS settings can be modified so that USB functionality is disabled on a workstation Check out this article in the HP archives for info on how to enter into the BIOS on various computers.

In DR's words, "Most newer motherboards have a disable feature in the BIOS to disable the two [or four] built-in USB ports located next to the mouse and keyboard connectors." Furthermore, "add-on USB ports via a PC card or bracket can simply be unplugged."

TheChas elaborates. "Your best option is to disable the USB ports in BIOS settings. Then, set a BIOS password. Finish up with case locks or other security hardware so that users cannot open the case, and then reset the CMOS memory."

An extreme remedy
TheChas also offers a "truly foolproof option." To completely disable the USB ports (for good), he suggests "carefully filling the USB connectors with a thick epoxy adhesive."

This is a radical (and creative) solution and will render the ports unusable. If USB will never be used on the workstation again, this might be the way to go. But TheChas warns: "Use extreme caution not to allow the epoxy to seep into other connectors or motherboard components." Good advice; you must be careful not to "gum up" an entire system just to disable one component.

Print/View all Posts Comments on this article

Port Locks ___._ | 01/15/03

Software Locks philip.coakes@... | 01/15/03

try a little trust- it's cheaper Erich.Izdepski@... | 01/15/03

Why Trust In Two Words hoffelrl@... | 01/15/03

What about other USB peripherals? Winterfrost | 01/15/03

Unplug the mouse CenterDirector | 01/16/03

Re: USB splitters Earl Bediant | 01/17/03

Too true... scviking@... | 01/18/03

Custmom ADM temlpate for disabling USB joe_marsden@... | 11/19/04

Custom ADM temlpate for disabling USB alin@... | 02/24/05

Disable USB What about other USB peripherals? rich.leclair@... | 08/20/04

New Mobos jbaker@... | 05/18/05

Why Trust In Two Words More Why siddman | 01/16/03

That was the important example BFraser | 01/16/03

Can you stop a determined foe? the docman | 01/18/03

That's a weak argument... TomSal | 01/20/03

Wake up & smell the coffee. Michel Pizaz | 01/16/03

Bah dgood@... | 01/16/03

This is why kevaburg@... | 01/22/03

Me too bikernerd | 01/28/03

you must have a nice budget VenVen | 03/03/04

Possible in Linux... jellyroll | 01/16/03

Alternative solutions howady@... | 02/27/04

USB Lock RP v 2.0 (New) Systadm | 08/19/05

USB Lock RP itmgrte | 09/09/05

Linux Security FixITright_theFirstTime | 01/16/03

Paranoia! FreeMan50 | 01/16/03

Paranoia is right rick@... | 01/16/03

Agreed jammer2k | 01/17/03

Network Printer alvarocervantes@... | 01/17/03

A little paranoia is good for the soul TheChas | 01/17/03

A Potential Solution... glen@... | 01/16/03

Key solution ardieroque@... | 01/16/03

Enterprise Solution higginbm@... | 01/16/03

It's still a risk scviking@... | 01/18/03

Why disable USB? scviking@... | 01/18/03

USB is the only port available. Cyclopz | 01/21/03

USB LOCK Systadm | 06/14/05

USB Lock yaaky | 06/14/05

Have you tried it ? Systadm | 06/24/05

You Must Be Crazy bryen@... | 01/16/03

Tape over users' eyes shiva | 01/16/03

April Fools? lksixt | 01/17/03

Really a good solution... s.cabrera | 09/01/04

Blocking USB ports. jallison@... | 01/16/03

Not on standard ATX TheChas | 01/16/03

But... GuruOfDos | 01/25/03

Simple, elegant, and flexible: Try It! gziv@... | 01/16/03

All right! kirm | 01/16/03

Deny hardware changes ivar@... | 01/16/03

Interesting and effective? rdunn@... | 01/16/03

rename USBSTOR.DLL on WIN98/ME andrewlim@... | 01/17/03

no .dll or .sys file, please help mrpadilla | 07/11/05

You should give this a try Systadm | 07/11/05

Hmm.... scviking@... | 01/18/03

scViking: A clarification. gziv@... | 01/23/03

Thanks scviking@... | 01/24/03

but how to make the script :) ronz17@... | 03/30/04

Clarification... better late than never... gziv@... | 08/18/04

Cross-over cable kevin@... | 01/19/03

Not all computers are networked! GuruOfDos | 01/25/03

Re:Simple, elegant, and flexible: Try It! wangqi64@... | 04/02/04

Here's the GPO definition for disabling USB storage devices gziv@... | 08/18/04

Implement in the NT 4.0 domain anto_sumartono@... | 10/04/04

Use a product solution instead D Szerszen | 10/05/04

SecureWave is Great... but yaaky | 05/18/05

USB Disable sudhirforu@... | 01/31/09

I could not found the USBSTOR.dll file wshamroukhs@... | 10/13/04

Important corrections to original posting.. Please read! gziv@... | 10/15/04

Important corrections to original posting.. Please read! gziv@... | 10/15/04

I want to add ACL on USB Drive hrushikeshk@... | 11/05/04

No file by either name kennethv@... | 11/14/04

Result = badly installed devices Systadm | 06/24/05

Big Brother?? dverduin@... | 01/16/03

you are fired themainframeisback | 01/17/03

What a Fool jim@... | 09/17/07

What are you people thinking??? Houston Brown | 01/16/03

Dilbert's Boss Zone OldITGuy | 01/16/03

Solution from an inexperienced tech rdunn@... | 01/16/03

Epoxy: Our friend CenterDirector | 01/17/03

Not everyone can be traced though RichGL | 01/20/03

BIOS would have been cheaper... yaaky | 05/18/05

Solution from an inexperienced tech rdunn@... | 01/16/03

change useage not remove norskifevo@... | 01/17/03

Sanity Check Paul S. | 01/17/03

Ultimate security the docman | 01/18/03

roflmbo CharlieG | 01/19/03

This is naive kevaburg@... | 01/22/03

No such thing as 'absolute' security... yaaky | 05/18/05

why disable ports ancianoman@... | 01/17/03

Interesting Tangents TheChas | 01/18/03

bios disable not an option we need 1 Hansdekleijn@... | 01/18/03

Check through the discussion TheChas | 01/19/03

What about the COM ports? kevaburg@... | 01/22/03

How about Autorun feature? jkn | 01/20/03

Use the "Pencil" solution ...!? Thamer | 01/21/03

continues... Thamer | 01/21/03

But................. kevaburg@... | 01/22/03

Why Disable in the BIOS? techrepublic@... | 01/22/03

And in ME/9x too, but... GuruOfDos | 01/25/03

Yes but.. Dr Dij | 01/30/03

Unless the case is locked... yaaky | 05/18/05

Not many know how to do it kevaburg@... | 06/02/05

Yes Dr Dij | 06/02/05

Won't reconize com 3 o 4 DCEDIAMOND55@... | 01/25/03

Paranoia is security dbreed | 01/26/03

Information Security is NOT "all or nothing" yaaky | 05/18/05

Here is a thought. feral@... | 07/31/03

Possible solution.... casey@... | 11/18/03

one additional detail... casey@... | 11/18/03

Solution "USB LOCK AP" Systadm | 06/24/05

Even easier beads@... | 07/12/05

New USB Lock Standard replaced USB Lock AP javier.arrospide@... | 10/24/08

RE: Disable USB ports to prevent unauthorized data transfers hktown@... | 11/28/07

May be you should try this gotmilkcrazy@... | 07/04/08

A Softer method gotmilkcrazy@... | 07/07/08

RE: Disable USB ports to prevent unauthorized data transfers centurion.2050@... | 03/30/09