USB filter
In a similar way to whitelisting for applications, USB devices can also be listed as trusted. USB devices that are not in the approved list will not be accepted by the operating system. Hence, for the maintenance of the devices, uniform USB service flash drives can be defined that contain only approved applications and are checked regularly. Non application-specific (e.g. private) USB flash drives therefore cannot cause any harm. The USB filter serves all devices that are connected via USB. These also include, for example, HID devices such as mouse/keyboard, and all mass storage devices such as USB flash drives, hard disks and card readers.
However, USB filters in an operating system rely on the vendor and product ID (Vendor ID [VID] / Product ID [PID]) reported by the USB device itself; these IDs have no cryptographic protection and can be forged.
In order to block external interfaces such as USB, they can be physically secured, e.g. by a control cabinet. But even if the device is installed in a control cabinet, there are situations where a USB port has been or must be used. In order to reduce the available attack surface, the use of the interface should be adapted and limited in the operating system.
However, the IDs used with the USB filters are not cryptographically secured, meaning that malicious attacks with prepared USB devices can circumvent the USB filters.
There are several ways to restrict USB devices at the operating system level.
- If the device has not yet been installed, installation can be prevented by denying the current user and the SYSTEM user access to the following files:
- %SystemRoot%\Inf\Usbstor.pnf
- %SystemRoot%\Inf\Usbstor.inf
- %SystemRoot%\System32\DriverStore\Usbstor.inf*
- In order to prevent the general use of USB mass storage devices, the entry "ImagePath" can be set to an invalid path in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR.
- How to restrict the use of USB devices more granularly via policy settings (Group Policy) is described here.
- USB interfaces can also be switched off in the BIOS. Note that input devices such as the keyboard and mouse no longer work via interfaces that are switched off in this way.
Note that values set via the registry are NOT automatically synchronized with the values set in the group policy. It is recommended to make the settings exclusively via the group policy.
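As an added example (not part of the original manual), the following read-only PowerShell script audits the state described above on a Windows machine: it checks the currently connected USB devices against a VID/PID allowlist, shows the USBSTOR service registry values, and lists any deny entries on the Usbstor.inf/.pnf files. The allowlist entries are constructed placeholders, and the script relies on the standard Get-PnpDevice, Get-ItemProperty and Get-Acl cmdlets; it changes nothing on the system.

```powershell
# Added audit example (not from the original manual). Read-only: reports, never modifies.
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later.

# Constructed allowlist of approved service flash drives (VID and PID as 4 hex digits).
# Replace these placeholder IDs with those of your own approved devices.
$Allowed = @(
    @{ Vid = '0781'; Pid = '5583'; Name = 'Service USB stick (placeholder)' }
)

function Get-UsbVidPid {
    param([string]$InstanceId)
    # PnP instance IDs look like USB\VID_0781&PID_5583\<serial>; extract both IDs.
    if ($InstanceId -match 'USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
        return [pscustomobject]@{ Vid = $Matches[1].ToUpper(); Pid = $Matches[2].ToUpper() }
    }
    return $null
}

function Test-UsbAllowed {
    param([string]$InstanceId)
    $ids = Get-UsbVidPid $InstanceId
    if (-not $ids) { return $false }
    foreach ($a in $Allowed) {
        if ($a.Vid -eq $ids.Vid -and $a.Pid -eq $ids.Pid) { return $true }
    }
    return $false   # unknown VID/PID: not on the allowlist
}

# 1. Present USB devices (HID, mass storage, hubs alike) compared with the allowlist.
#    Remember that VID/PID are reported by the device and can be forged.
Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB\VID_*' } | ForEach-Object {
    $status = if (Test-UsbAllowed $_.InstanceId) { 'approved' } else { 'NOT approved' }
    '{0,-13} {1} ({2})' -f $status, $_.FriendlyName, $_.InstanceId
}

# 2. USBSTOR service values: the manual's method sets ImagePath to an invalid path.
$usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
"USBSTOR ImagePath: $($usbstor.ImagePath)"
"USBSTOR Start    : $($usbstor.Start)  (4 = service disabled)"

# 3. Deny entries on the driver INF files used to block installation of new devices.
foreach ($rel in 'Inf\Usbstor.inf', 'Inf\Usbstor.pnf') {
    $path = Join-Path $env:SystemRoot $rel
    if (-not (Test-Path $path)) { "$rel: file not present"; continue }
    $deny = (Get-Acl $path).Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { $_.IdentityReference }
    "$rel deny entries: $(if ($deny) { $deny -join ', ' } else { 'none' })"
}
```

Because registry values and Group Policy settings are not synchronized, compare this output with the policy state before concluding that a restriction is in place.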