The task was to provide blocking of user access to the devices which are connected via the external USB ports.
It is very popular task for Corporate Security software. Solutions variates much depending on the range of supported (blocked) USB devices, options for customizing the level of access.
In our solution rules of blocking should be user, device type, device and manufacturer specific.
We will be able to define the user context by setting filters on devices for example when a device is opened. USB-port is a bus so different functional devices appear on it. As the filters we must use any properties of USB controller which administrator can browse in the Device Manager such as “Device Instance Id”, “Hardware Ids”, “Matching Device Id” etc.
Problems with USB-Device Blocking
The main problem is user-specific device blocking (device should work for user1 but not for user2). As it was mentioned above USB is a bus therefore we should expect any devices which functionality should be blocked.
The analysis of operations of input/output for USB device does not guarantee that it will be possible to detect user context in application – device interaction. Therefore it is impossible to define the user context by general USB-bus filter.
Moreover the service for access to cameras and scanners appears in Windows XP. These devices are also connected to USB, and the context for them is detected as system service (SYSTEM registration record) from filter driver. In this case we have to detect logouted user and user context of application that uses that device.
If we need to block devices which provide functionality on USB we have to use filters for devices that are higher in the stack of devices – exactly they are functional. I.e. it is possible to find devices which were created on the USB bus in the tree of devices (DeviceTree) and put filters on them also to block access in accordance with the rules.
The most of connected devices will have the context of user working with this device. There are devices which the system works directly with – such as keyboard, mouse and some others. Such devices will be the exceptions.
If the access to the devices is forbidden for the system, than the most of devices can work incorrectly because of failed initialization. For example, mass-storage will not be connected to the system because it will not be possible to open it. We will be able to detect mass-storage connected to USB bus by setting the filters of the file systems.
Using the described approach we’ve blocked the access to the most of functional devices where it is possible to detect user context. Because of initially blocking task was formulated as user specific it’s impossible to develop fully universal driver for the devices of all of types.
We detect user context in different ways for different types of USB devices. For example file system filters were used for mass-storages as far as it’s easy to define the user context at this level. For other devices (such as USB audio columns) the filters of functional devices in the Device Tree were created. For the devices of «scanners and cameras» type we had to find higher level solution. Support of devices of this type is also present however it’s put in a separate interface for the comfortable work with such devices by means of the system tools.
Learn more about Corporate Security tasks that we solve at Corporate Security System Components page