How to Lockdown Other Devices
PortBlocker blocks Mass Storage (Flash Drives), Media Transfer Protocol (Phones), and Picture Transfer Protocol (Cameras) devices from connecting to the host computer. These protocols are the most common to transfer files from computers to physical devices, however, there are others. Other ways include: CD/DVD, Floppy, Bluetooth, Infrared, WiFi, Serial and Parallel ports. The following steps can be taken in addition to installing PortBlocker to provide a more secure workstation. Keep a note that DataLocker devices require read and write to both mass storage and CD/DVD drives for full functionality.
Disable any unused ports either physically or with BIOS configuration. For example, disable parallel ports and floppy connectors if these legacy systems are not needed. BIOS should be configured with an administrator password to prevent users from re-enabling.
Disable Removable Storage access using Active Directory GPO where available. This can be configured by navigating to Computer Config -> Policies -> Administrative Templates -> System -> Removable Storage Access in the Group Policy Editor. The following policies are recommended to be enabled:
Floppy Drives - Deny read / write access
Tape Drives - Deny read / write access
WPD Devices - Deny read / write access
WPD Devices include Windows Mobile Phones and ZUNE devices.
Note about built-in media card readers: Due to how card readers are enumerated in Windows, only the actual reader can be blocked or allowed through PortBlocker; control by individual media cards is not possible. Internal media card readers may require a reboot after enabling or disabling to simulate the card reader being “plugged in” to the system.
PortBlocker should not be used with other software that restricts USB device access for mass storage, mtp, or ptp devices.
PortBlocker should not be run on computers in which users have local admin access to modify the registry or protected system files, or uninstall system wide application.