Blocking USB ports and USB drives
Blocking USB ports and controlling media connected to a computer helps reduce the risk of unauthorized copying of data outside the company. In practice, this mainly concerns flash drives, external USB drives, and mobile phones connected as mass storage devices. This function is part of the monitoring mechanism available in Ewida Audit.
To use this area of configuration, the Agent must be installed on the monitored computer. Ewida Audit is a Windows desktop solution, so device blocking and authorization take place directly on the workstations where the Agent is running.
In practice, two basic working models can be adopted:
- complete USB access blocking — all selected USB devices are blocked,
- USB media authorization — only devices that were approved earlier are allowed to be used.
Where to configure USB authorization and blocking
To configure access rules for USB media, open Program Settings in Ewida Audit, go to the Agent section, and then select the settings related to USB monitoring. This is where you define whether the Agent should only record device usage or also actively restrict it.
In this part of the configuration, three main areas are available:
- USB - Authorization,
- USB - Disabled,
- Excluded hosts.
This structure makes it possible to manage separately the list of allowed media, the computers on which USB is completely blocked, and the exceptions to the general rules.
Authorizing new USB media
To allow only previously approved devices to be used, select the option Allow only authorized drives to be used. After enabling it, the Authorize new USB drive button becomes active.
After starting this function, the program waits for the device that is to be authorized to be connected. When a flash drive or phone is detected, its serial number is automatically added to the list of authorized devices, and that medium can then be used in line with the company's adopted policy.
This solution is convenient because it does not require manual entry of device identifiers. The administrator simply connects the media that should be approved, and the program saves its identification data.
Monitoring vs. blocking - an important difference
By default, the USB media authorization function is turned off. This means that the Agent allows all devices to operate, unless an additional rule restricting access has been enabled.
It is worth distinguishing USB monitoring from USB blocking. By default, active monitoring only records logs of media and mobile phone usage, but it does not block their operation. If the company wants to block USB devices completely or allow only authorized hardware, these functions must be enabled deliberately in the settings.
This is an important distinction, because the mere presence of logs does not yet mean that the user has been restricted from connecting a device.
Hosts with blocking and excluded hosts
The USB - Disabled setting makes it possible to indicate hosts, meaning computers, where USB access should be completely blocked. This is a good solution for workstations where the security policy requires USB access to be fully disabled.
The Excluded hosts section, on the other hand, lets you indicate computers for which USB monitoring should be completely disabled. This kind of exception may be needed, for example, for administrative, service, or test workstations where standard rules should not apply.
Thanks to this, the configuration can be adjusted not only globally but also individually for selected computers. In practice, this is usually the most effective approach: one general policy for most workstations and exceptions where they are genuinely needed.
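The following is an added illustration, not code from Ewida Audit, of how the rules described above (serial-number authorization, the USB - Disabled list, Excluded hosts, and the difference between logging and blocking) combine when a device is connected. The class and function names, the sample host names and serial numbers, and the precedence order excluded host > disabled host > authorization list are assumptions made for the model; the page does not state how the product orders these checks.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed model of the three configuration areas (hypothetical names).
@dataclass
class UsbPolicy:
    allow_only_authorized: bool = False                 # "Allow only authorized drives to be used"
    authorized_serials: Set[str] = field(default_factory=set)   # USB - Authorization
    disabled_hosts: Set[str] = field(default_factory=set)       # USB - Disabled
    excluded_hosts: Set[str] = field(default_factory=set)       # Excluded hosts
    usage_log: List[Tuple[str, str, str]] = field(default_factory=list)

def authorize_new_drive(policy: UsbPolicy, detected_serial: str) -> None:
    """Models the 'Authorize new USB drive' button: the serial number of the
    next connected device is stored, so no identifier is typed in by hand."""
    policy.authorized_serials.add(detected_serial)

def evaluate_connection(policy: UsbPolicy, host: str, serial: str) -> str:
    """Decide what the Agent does when `serial` is plugged into `host`.
    Returns 'ignored' (excluded host: no log, no block), 'blocked' or 'allowed'.
    The precedence used here is an assumption of this model."""
    if host in policy.excluded_hosts:
        return "ignored"                      # monitoring disabled entirely
    if host in policy.disabled_hosts:
        verdict = "blocked"                   # USB fully disabled on this host
    elif policy.allow_only_authorized and serial not in policy.authorized_serials:
        verdict = "blocked"                   # unknown serial under authorization mode
    else:
        verdict = "allowed"                   # default: monitoring only
    # A log entry is written for every non-excluded host, whether or not the
    # device was blocked: the presence of logs alone does not prove a restriction.
    policy.usage_log.append((host, serial, verdict))
    return verdict
```

Running the checks in the order default mode, authorization mode, disabled host, excluded host shows that only the last produces no log entry.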