Configuring USB Device Control

HOWTO98518
Last Updated April 01, 2019

In Symantec Endpoint Protection Small Business Edition (SEP SBE) cloud, USB Device Control enables administrators to prevent malicious code injection and intellectual property theft by controlling employee use of USB removable storage devices. USB mice and keyboards are unaffected by USB Device Control because they do not provide data storage. USB Device Control configuration is part of either a new policy or an existing Endpoint Protection policy. Endpoint Protection policies enable you to enforce the following levels of security over USB storage devices based on groups.

  • Allow

    The default Endpoint Protection policy setting for device control allows full access to USB storage devices.

  • Block

    By default, small pop-up notifications on the endpoint are disabled.

Note:

Device control restrictions do not apply to servers.

When your policy allows USB devices, all computers in the groups to which the policy applies have complete access to USB storage devices. Allow is the default setting. You may specify read-only access for USB storage devices.

When your policy blocks USB devices, you may enable notifications on the endpoint. The notifications appear as small pop-up messages in the bottom, right-side corner of the endpoint computer. Notifications are off by default.

All blocking events are logged for review and reporting. The blocking events are recorded in a number of locations:

  • As a line item in the Endpoint Protection widget on the Home page.

  • As line items on the Computer Profile > Services tab

  • As individual events that are recorded on Computer Profile > History tab

  • In the USB Device Control portion of the Endpoint Protection Security Overview report

To configure USB device control in an existing Endpoint Protection policy

  1. In SEP SBE Management Console, click Policies.

  2. On the Policies page, locate the Endpoint Protection policy to modify and double-click it.

  3. In the USB Device Control section, use the drop-down to Allow or to Block access to USB devices.

  4. Use the checkboxes to:

    • Disable or enable read-write access to the USB storage device.

      Note:

      Only active for the Allow option.

    • Enable or disable user notification of USB blocking.

      Note:

      Only active for the Block option.

  5. When you are done, click Save and Apply.

Overriding USB Device Control on an endpoint

USB Device Control can temporarily prevent the insertion of a USB thumb drive into a computer by setting a password. This capability reduces the risk of malicious code injection or theft of an organization's intellectual property. This security service can thwart the legitimate efforts of network administrators. Many administrators carry USB storage devices containing management software with them to service the computers on their network.

Note:

Best practices suggest that the use of USB devices for software installation is a security risk.

To configure an override password for agent administrators

  1. In SEP SBE Management Console, click Settings and then Computer Settings.

  2. Under Agent Administrator Password, select Use this password for features displaying the lock icon.

  3. Enter the new password and confirm the password.

  4. The agent administrator password can now override USB device controls or uninstall password protection on an endpoint.

    This feature enables a trusted administrator to insert and use a USB device in endpoint computers.

To override USB Device Controls on an endpoint

  1. From the notification area on the endpoint computer, open Symantec.cloud Agent.

  2. From the main interface page, click Endpoint Protection.

  3. When the main Endpoint Protection page opens, click the Override USB Device Control option in the right side menu.

  4. Enter the administrator password into the USB Device Control password box when it opens and click OK.

    The agent Administrator password provides full access to the inserted USB storage device until you restart the computer.

    Note:

    The administrator's password must be entered and confirmed before the USB device is inserted into the computer. If the USB device is inserted before the password is entered, remove the USB device, reenter the administrator password, then reinsert the USB device.

Legacy ID: v79486082_v98916675

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation