For the old SunRay thin clients one could disable the USB ports by policy (and enable for certain users, iirc). That was an important feature there, as one intended application was as public kiosk systems, e.g. in a library.
The same is possible in Windows 10 and 11, but the users will revolt, if a sysadmin were to enforce such (the same users who insist on using Windows instead of a more secure system).
> For the old SunRay thin clients one could disable the USB ports ....
> The same is possible in Windows 10 and 11, but the users will revolt, if a sysadmin were to enforce such (the same users who insist on using Windows instead of a more secure system).
Can I add a little more colour here (I have worked in and designed for very secure environments) - users will revolt if removing the USB ports makes their life more difficult. This can work if there is an effective feedback loop that makes sure the users can still do their jobs efficiently in the absence of USB ports, and corrects for them when they can't. Users won't go around something unless it gets in their way!
Plenty of organisations enforce "no USB devices" on all their users. Not even super secure places, but just many regular admin-type office workers get their USB ports disabled in software.
Partly it's to prevent leaking of company secrets, unauthorized use of corporate devices for home use, harder to track the location of data, as well as the possibility of malware.
> Interesting. So no USB camera, headset, etc either?
My workplace has a policy of no USB storage devices (though you can request an exception). By default, other USB devices work, and storage devices are mounted as read-only.
I don't think the goal is so much system security as preventing data breaches/data exfiltration.
I work in finance, and this sort of setup is pretty common. Yes, I have a USB headset and camera for calls. My USB keyboard and mouse work just fine. If I plug my phone in, best I can do is charge it (slowly), so I use a wall-plug charger instead.
I could easily bypass the policy since I have the permissions to do so, but I won't. Working in the trading/hedge fund space, it's not unheard of to see employees sued for stealing trade secrets (quant models, for example). One only needs to search "citadel sues former employees" for examples.
edit: former Citadel employee; have not worked there in over a decade.
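As an added example (not from any commenter in this thread), here is how the "storage mounted read-only, other USB devices still work" setup described above could be enforced on Windows 10/11 from PowerShell, using the registry values behind the Removable Storage Access group policies; the function names and the `Block`/`Clear` modes are my own additions.

```powershell
# Added example: enforce a removable-storage policy on Windows 10/11 by writing
# the registry values that the Group Policy editor sets under
# Computer Configuration > Administrative Templates > System > Removable Storage Access.
# Run elevated and try it on a lab machine first; plan for a reboot in a rollout
# so already-mounted devices pick up the new setting.
#Requires -RunAsAdministrator

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device interface class GUID for removable disks, as used by this policy family.
$RemovableDisk = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStorageAccess {
    <# 'ReadOnly': removable disks still mount but cannot be written to or
       executed from (the setup described in the thread).
       'Block':    deny all removable storage classes outright.
       'Clear':    remove the policy.
       Keyboards, mice, headsets and cameras are HID/audio/video class devices
       and are untouched by any mode; a cable or stick that presents itself as
       a keyboard is therefore outside the scope of this policy. #>
    param([Parameter(Mandatory)][ValidateSet('ReadOnly', 'Block', 'Clear')][string]$Mode)

    $diskKey = Join-Path $PolicyRoot $RemovableDisk
    switch ($Mode) {
        'ReadOnly' {
            New-Item -Path $diskKey -Force | Out-Null
            New-ItemProperty -Path $diskKey -Name 'Deny_Write'   -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $diskKey -Name 'Deny_Execute' -Value 1 -PropertyType DWord -Force | Out-Null
            Remove-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue
        }
        'Block' {
            New-Item -Path $PolicyRoot -Force | Out-Null
            New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value 1 -PropertyType DWord -Force | Out-Null
        }
        'Clear' {
            Remove-Item -Path $PolicyRoot -Recurse -ErrorAction SilentlyContinue
        }
    }
}

function Get-RemovableStorageAccess {
    # Audit helper: report what the registry currently enforces (missing value = not enforced).
    $diskKey = Join-Path $PolicyRoot $RemovableDisk
    [pscustomobject]@{
        DenyAll     = [bool](Get-ItemProperty -Path $PolicyRoot -Name 'Deny_All'     -ErrorAction SilentlyContinue).Deny_All
        DenyWrite   = [bool](Get-ItemProperty -Path $diskKey    -Name 'Deny_Write'   -ErrorAction SilentlyContinue).Deny_Write
        DenyExecute = [bool](Get-ItemProperty -Path $diskKey    -Name 'Deny_Execute' -ErrorAction SilentlyContinue).Deny_Execute
    }
}

Set-RemovableStorageAccess -Mode ReadOnly
Get-RemovableStorageAccess
```

In a managed fleet the same values would normally come from a domain GPO or MDM profile rather than a script; the script is useful for verifying on a single machine what the policy actually writes.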
The few occasions I worked in a bank, our client made it very clear that anyone inserting a USB drive anywhere would be walked to the front door by security within an hour.
Today the malware can be in a cable, it doesn't need to be a drive. Some of these cables also behave like they should, so they are difficult to notice.
I used a Sun Ray thin client on an airgapped network in my first job, working for the government. They were perfect for this.
No persistent storage, so no concerns about easily recoverable classified data sitting on desks. You could disconnect from your session and pick it up again in the other office across town, or just leave your stuff running overnight.
I had a PS/2 keylogger disguised as an extension cable, controllable by specific keystroke and it would dump its records as typed text... Simple and efficient!
But it still cuts down on attack surface, no? Most USB hacks are via ignorant employees plugging in compromised usb drives/devices or am I missing something here? The hot glue is a significant reminder that you add “you can be fired for misusing company computers” to the company employee manual
Depends. It won't help against exploitative firmware or shocker devices, but most USB exploits don't come with zero-day firmware exploits or even require user interaction, which this policy will prevent.
Additionally, even when attacked with such extreme measures, most users won't try to plug in planted, potentially malicious USB devices if they don't expect them to work.
In organizations where only HID USB devices are allowed, not mass storage? I'm not aware of any reported successes in that environment, although it's theoretically possible (Heck, you could even have your evil HID-presenting SOC USB stick open a command prompt and type in the malware if it detects a long enough lapse in input without an obvious screen lock command).
It is, but if your organization completely forbids any non-HID USB devices, users are less likely to try their found USB stick on a company PC, since they don't expect it to work anyway.