USB Port Security: deny by default but allow IT dept

Hi, DA newbie here. We're trying to make the logic work in our environment and I could use some guidance from more experienced DA administrators.

By default, we would like to restrict all non-HID USB devices while allowing the IT team (in an OU and a Security Group) full access.

Individual users who are approved for specific uses - say, downloading pictures from a camera, or using a USB stick to transfer postal meter data - should be allowed to use ONLY that device and ONLY on the computer they are approved for.

I don't want a user to have access to USB mass storage except for an approved device. Recommendations on how to configure? The DA video on the support site is not very helpful and it's so tiny I can't see what settings are being applied.

Thanks in advance for any and all assistance.

  • I am not an expert on the ins and outs of the USB device capabilities and their rules so hopefully an expert can chime in...

    Because you have a couple of different scenarios I would create a few rules. One for admins: set up a permission set with the user list being your group of admins and allowing all actions, and a permission set for everyone else that denies most things - be careful, as many people use wireless keyboards/mice.

    Then you can create a set of Device Exception rules, that allows that specific user to use that specific device. Because it is user-based it will work on any computer but only for that person and that user.

    I've never looked at the VID and PID fields of the device exception fields and whether you could generate a class of approved devices using them; if not, it's going to be tedious to set up a rule for each and every device you want to allow. You could have a lot to manage!

    Hope that helps!
    Mark
  • Hi mark.broge,

    USB/PS is one of the more complex setups in Desktop Authority (DA). The first thing to note is that each USB/PS element starts with a “Default” permission set that is set to Allow every device type and uses the Group “Everyone”. It’s important not to change this.

    To begin you will create a new permission set in addition to the existing “Default” permission set. In this example the new USB/PS permission set will be called “Lockdown”. If you want to lock down ALL devices but exclude HID devices, just use the checkbox for that: “Disable all USB devices (Except HID)”.

    Next you need to edit the “Users” section of your new Lockdown permission set. By default it's set to “Everyone”. If you want this to apply to everyone but your IT team then it will need to be changed, as your IT team is a member of “Everyone”. Your easiest way to configure this is to just create a new Active Directory group (example: “USB Lockdown”) and just add the users you want to lock down to this AD group.
    Then remove “Everyone” from the Users section and add your new USB Lockdown AD group.

    Next use the USB Exceptions tab to Allow any specific devices that you want users to have access to.

    Finally, Validation Logic. Before USB/PS can apply any permission sets it needs to be installed on the user’s machine. For me, I find it easiest to look at USB/PS’s Validation Logic tab as “Where do I want USB/PS installed?”.

    Validation Logic and Settings/Permission Sets are two separate things. Having a user or group listed in Permission Sets does not automatically mean that they are going to get any USB/PS settings. The Permission Sets will only apply to machines that have USB/PS installed, which is defined in the Validation Logic tab.

    When configuring USB/PS’s Validation Logic, I find that it's best to use only machine names or machine OUs and not user names or user OUs. This is because users can move from one machine to another and if they are used for Validation Logic then any machine that they log into will install USB/PS. That’s not recommended. It's best to have USB/PS install to the machines and use the Settings/Permission Sets to define what rights users get.

    So if you want USB/PS to install on every machine you can leave Validation Logic Rules blank.
    If you only want it to install on a subset of machines then you can use an Active Directory variable.
        Example: Organizational Unit (Computer) = “Lab Computers”

    Important Note: The install of USB/PS on client machines requires a reboot. This will also happen after Desktop Authority is upgraded.

  • Thanks Mark! I'm on the same track, your logic confirms that I (hopefully) am proceeding in an intelligent manner...
  • Excellent information that was very helpful in understanding how all the moving parts work together. I had the Exceptions piece figured out, but struggled with the Allow when there was an explicit Deny for a much larger group.

    To facilitate IT access, I created a Permission set that sits at the top of the hierarchy and has the Advanced option "If this profile is validated during execution, do not process any subsequent profiles" enabled. This prevents any Deny permissions from being applied if other items match. This also obviated the need to create a special AD group that would need managing separately.

    Thanks to everyone for the help, the boss is happy and our devices are safe. Can't beat that.
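As an added illustration (not Desktop Authority's code and not from anyone in the thread), a constructed Python model of the pieces described above: a permission set with an allow-everything "Default" left untouched, a "Lockdown" set that disables non-HID devices, a per-user USB exception, Validation Logic keyed on a computer OU, and the original poster's final design of an IT set at the top with "do not process any subsequent profiles". The top-down, first-deny-wins ordering, group names and VID/PID values are assumptions made for the model.

```python
from dataclasses import dataclass, field

@dataclass
class PermissionSet:
    name: str
    users: set                     # AD groups or user names the set applies to
    allow_mass_storage: bool       # False models "Disable all USB devices (Except HID)"
    stop_processing: bool = False  # "do not process any subsequent profiles"
    exceptions: set = field(default_factory=set)  # USB Exceptions tab: (user, vid, pid)

# Constructed ordering from the thread's final design: IT set on top with
# stop-processing, Lockdown for everyone else, the untouched Default set last.
FINAL_DESIGN = [
    PermissionSet("IT full access", {"IT"}, True, stop_processing=True),
    PermissionSet("Lockdown", {"Everyone"}, False,
                  exceptions={("jdoe", "04a9", "3218")}),  # constructed camera VID/PID
    PermissionSet("Default", {"Everyone"}, True),
]

# Validation Logic: Organizational Unit (Computer); an empty set means install everywhere.
VALIDATION_LOGIC_OUS = {"Lab Computers"}

def usbps_installed(machine_ou):
    """Validation Logic only decides where USB/PS is installed, not who gets which rights."""
    return not VALIDATION_LOGIC_OUS or machine_ou in VALIDATION_LOGIC_OUS

def evaluate(profiles, user, groups, device_class, vid, pid, machine_ou):
    """Return (allowed, reason) under the assumed top-down, first-deny-wins ordering."""
    if not usbps_installed(machine_ou):
        return True, "USB/PS not installed on this machine; nothing enforced"
    if device_class == "HID":
        return True, "HID devices are excluded from the lockdown"
    membership = groups | {user, "Everyone"}   # every account is in "Everyone"
    for p in profiles:
        if not (p.users & membership):
            continue
        if (user, vid, pid) in p.exceptions:
            return True, f"USB exception in {p.name}"
        if not p.allow_mass_storage:
            return False, f"denied by {p.name}"
        if p.stop_processing:
            return True, f"allowed by {p.name}; later sets not processed"
    return True, "no matching deny"

def it_without_stop():
    """Same sets with the stop option off: the Lockdown deny now reaches the IT user."""
    sets = [PermissionSet(x.name, x.users, x.allow_mass_storage, False, x.exceptions)
            for x in FINAL_DESIGN]
    return evaluate(sets, "admin", {"IT"}, "MassStorage", "0781", "5583", "Lab Computers")
```

Running `it_without_stop()` shows why the stop-processing option mattered: with it off, the IT allow is followed by the broader Lockdown deny, which is the conflict the original poster hit.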