USB filter

In a similar way to application whitelisting, USB devices can also be listed as trusted. USB devices that are not in the approved list will not be accepted by the operating system. Hence, for the maintenance of the devices, uniform USB service flash drives can be defined that contain only approved applications and are checked regularly. Non-application-specific (e.g. private) USB flash drives therefore cannot cause any harm. The USB filter applies to all devices that are connected via USB. These also include, for example, HID devices such as mouse and keyboard, and all mass storage devices such as USB flash drives, hard disks and card readers.

However, the USB filters in an operating system rely on the vendor and product ID (Vendor ID [VID] / Product ID [PID]) reported by the USB device itself; these IDs are not cryptographically protected and can be forged.

In order to block external interfaces such as USB, they can be physically secured, e.g. by a control cabinet. But even if the device is installed in a control cabinet, there are situations where a USB port has been or must be used. In order to reduce the available attack surface, the use of the interface should be adapted and restricted in the operating system.

However, because the IDs used by the USB filters are not cryptographically secured, malicious attacks with specially prepared USB devices can circumvent the USB filters.

There are several ways to restrict USB devices at the operating system level.

[Figure: USB filter 1]

Note that values set via the registry are NOT automatically synchronized with the values set in the group policy. It is recommended to make the settings exclusively via the group policy.

Options for the handling of USB devices can be configured in Windows 10.

1. Open the group policy editor by entering gpedit.msc in the Run window. Depending on the application, select Prevent/Allow Installation of devices that match any of those device IDs.

[Figure: USB filter 2]

2. Activate the group policy and enter the devices that are allowed or should be blocked:

[Figure: USB filter 3]

The USB filter is now configured.
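As an added example (not part of the original document), the following PowerShell script audits the configuration described above: it reads the device IDs that the group policy has written to its registry location, enumerates the USB devices currently connected, and reports which of them are covered by the allow list or deny list. The script only reads the policy values, in keeping with the recommendation to make changes exclusively via the group policy; the registry path and the comparison against the device's hardware IDs are assumptions based on Microsoft's Device Installation Restrictions policy.

```powershell
# Added audit example, not code from the original page.
# Assumption: Group Policy stores the Device Installation Restrictions lists here.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyIdList {
    param([string]$Name)   # 'AllowDeviceIDs' or 'DenyDeviceIDs'
    $key = Join-Path $PolicyRoot $Name
    if (-not (Test-Path $key)) { return @() }
    # Each list entry is a REG_SZ value named 1, 2, 3 ... under the subkey.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Get-UsbFilterCoverage {
    $allow = @(Get-PolicyIdList 'AllowDeviceIDs')
    $deny  = @(Get-PolicyIdList 'DenyDeviceIDs')
    # Only devices enumerated by the USB bus driver (instance IDs start with USB\VID_).
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\VID_*' } |
        ForEach-Object {
            $hwids = @((Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds').Data)
            # Simplified policy matching: an entry such as USB\VID_1234&PID_5678
            # counts as a match when it equals one of the device's hardware IDs
            # (case-insensitive). Compatible IDs are not considered here.
            $allowed = @($allow | Where-Object { $hwids -contains $_ }).Count -gt 0
            $denied  = @($deny  | Where-Object { $hwids -contains $_ }).Count -gt 0
            [pscustomobject]@{
                Device     = $_.FriendlyName
                HardwareId = $hwids[0]
                Allowed    = $allowed
                Denied     = $denied
            }
        }
}

# Devices with Allowed = False would be rejected once the allow list is enforced.
# Remember that VID/PID are reported by the device and can be forged, so this
# check validates the configuration, not the authenticity of the device.
Get-UsbFilterCoverage | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the configured machine; the `HardwareId` column lists the exact string to add to the group policy for a device that is still missing from the allow list.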

For more information, see the Microsoft documentation: http://msdn.microsoft.com/en-us/library/bb530324.aspx