
Using Endpoint Security to disable USB ports

We have a Sophos enterprise environment. I am hoping that from the Sophos Enterprise Console I will be able to create a policy that will disable the USB ports for anything other than the mouse and keyboard. I basically want to be able to set up PCs in common areas such as conference rooms where multiple users or even guests may share a common PC and not have to worry about rogue thumb drives. If I need to create a special OU in Active Directory for these devices, that would be fine too. All suggestions welcome.

  • Hello JimBlack,

    First of all, SESC is port-agnostic, thus you can't use it to block specific ports. Nevertheless, AFAIK all SESC licenses include (please see the linked article) Device Control. As an aside, since Vista/2008 you can use a GPO/Administrative Template for granular control of access to removable storage.
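
As an added example (not part of the reply above, and not Sophos or Microsoft code), this PowerShell check reports whether the Windows removable-storage deny policies that such a GPO writes are in effect on a shared PC. It assumes the settings were applied under Computer Configuration, so the values live under HKLM; the function names are made up for this example.

```powershell
# Added example: report whether the removable-storage "deny" policies are in effect on this PC.
# Assumption: the policy was delivered as a Computer Configuration GPO, which writes
# these values under HKLM. Run it on the endpoint itself.

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # device class "Removable Disks"

function Get-PolicyFlag {
    param([string]$Path, [string]$Name)
    # Returns $true only when the value exists and is set to 1.
    # A missing key or value means the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Get-RemovableStoragePolicy {
    $diskKey = Join-Path $PolicyRoot $RemovableDisks
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        DenyAll     = Get-PolicyFlag $PolicyRoot 'Deny_All'      # all removable storage classes
        DenyRead    = Get-PolicyFlag $diskKey    'Deny_Read'     # removable disks only
        DenyWrite   = Get-PolicyFlag $diskKey    'Deny_Write'
        DenyExecute = Get-PolicyFlag $diskKey    'Deny_Execute'
    }
}

$state = Get-RemovableStoragePolicy
$state | Format-List

if ($state.DenyAll -or ($state.DenyRead -and $state.DenyWrite)) {
    Write-Output 'Removable disks are blocked by policy.'
} elseif ($state.DenyWrite) {
    Write-Output 'Removable disks are read-only by policy.'
} else {
    Write-Output 'No removable-storage deny policy is applied to this computer.'
}
```

These policies act on storage device classes, so USB keyboards and mice keep working.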


  • Maybe I asked the question wrong or just need more research. I have no idea what SESC is. I am in the Sophos Enterprise Console and see DEVICE CONTROL in the left panel. It is looking like I can block removable storage, which I assume includes USB sticks. I just have to figure out how to assign it to OUs in Active Directory. After I get further, I will post more info... thanks

  • Hello JimBlack,

    SESC is short for Sophos Endpoint Security and Control (managed by SEC).

    "how to assign it to OUs"
    With SEC you assign a policy to SEC Groups and indirectly to the computers in these groups.
    If you are using AD sync, the SEC groups under the syncpoint mirror the AD OUs in the synced AD container. If you do not use AD sync, you must create one or more groups in SEC, put the desired computers into these, and create and assign an appropriate Device Control policy.

    Removable storage includes USB sticks (as normally they present themselves as removable storage).


  • Hi, I have an add-on question for this if I may. I have a customer w/ premise SafeGuard v8 and Sophos Central for AV. If I use Central > Device management to block USB flash drives, will this affect their sometimes needing a USB flash drive to unlock BitLocker (flash drive containing the BitLocker key file)?