[Logo: USB-Lock-RP Device Control Endpoint Security Software, by Advanced Systems International]

Device Control - Managing Devices Access

Device Control is the branch of endpoint security concerned with controlling device access to computers, and with the measures that protect systems and data from the risks associated with device usage.


  • Endpoint computers in a network can act as both Device-Host and Network-Host.
  • External drives and removable devices can be infected and transfer malware to computers.
  • External drives and removable devices can be used to extract data assets from computers.
  • Devices can be lost or stolen, exposing sensitive data.
  • Organizations need to control device access to protect their network systems and data.

Most vulnerable USB-host protocols:

  • USB Mass Storage Device Class (UMS).
  • Media Transfer Protocol (USB-MTP).
  • USB Attached SCSI Protocol (UASP).
  • USB Human Interface Device Class (HID).

Most dangerous Source/Device:

  • USB flash drives.
  • Smartphones.
  • Card readers.
  • USB adapters.
  • Wireless Transceivers.
  • BadUSB (a.k.a. USB Rubber Ducky).
  • External drives (USB, e-Sata, Firewire).
  • Compact discs.

Common active Countermeasures:

  • Driver restriction.
  • USB Lockdown.
  • Drive Dismount.
  • Disc Ejection.
  • Device Disable.

Best Practices:

  • Centralized USB Management.
  • Block USB Devices (System-wide).
  • Specific Authorization (Whitelist).
  • USB Monitoring.
  • USB Encryption.
  • Event Logging.

Most vulnerable USB Host/Network Host:

  • Server.
  • Workstation/Desktop.
  • Laptop.
  • Tablet-PC.

Most vulnerable organization sectors:

  • Manufacturing.
  • Processing.
  • Energy production.
  • Government.
  • Defense/law enforcement.
  • Finance.
  • Healthcare.
  • Technology.

Risks to organizations/enterprises:

  • Operating Systems malware infection.
  • Confidential/Sensitive data loss.
  • Keystroke/payload injection Attacks.
  • Malicious command/code execution.

Major concerns:

  • Endpoint availability loss leading to personnel/environment endangerment.
  • Sensitive data disclosure/exploitation.
  • Asset loss.

Related Fields:

  • Endpoint Security (Parent).
  • Data Loss Prevention (DLP).
  • USB Device Control (a.k.a. USB Lockdown, USB Control, USB Access Control).

Devices: USB, e-SATA, FireWire drives, mobile phone MTP, CD, Bluetooth, IrDA, Wi-Fi.

Removable devices such as USB flash drives can be infected and transfer malware to computers. This can escalate to the compromise of a network infrastructure. Preventing system infection from unauthorized devices is within the Device Control scope.

Effective Device Control solutions should act to deny the presence of the device in the system. Blocking is the most effective way to prevent malware coming in from devices such as USB flash drives. Since unauthorized devices should be blocked outright, antivirus should only act as a backup measure for them.

Furthermore, removable storage can be used to extract data assets from computers and put confidential information at risk. Blocking unauthorized devices greatly diminishes this risk.

Nevertheless, it is important to consider that authorized devices can be lost or stolen while in transit. Therefore, authorized device activity should be monitored and encryption should be enforced on data transferred to them.


Enforcing device control at the endpoint requires that detection and blocking measures be active and locally enforced. Such measures should be able to adjust or escalate depending on device type and status.

USB and peripheral device connection events should be sent to the Central Control in real time and include:

  • Device VID (Vendor ID), PID (Product ID) and Serial Number.
  • Source IP, Machine name, and Logged-User.
  • Date/Time.
  • Severity/Outcome.

Device Control and blocking scope should be system-wide (not user-wide). User-wide restrictions have diminished security value in preventing virus/malware infection or code injection compared to system-wide restrictions.

Unauthorized devices should be blocked; blocking measures should remain in place until the device is physically or remotely removed from the system.

Specific USB device whitelisting/authorization should have auto-detection capability.

A monitoring function should be available to give visibility over data transfers from endpoints to authorized USB drives.

An encryption function should be available to secure data in transit on authorized USB drives.

All device identifiers should be stored encrypted to prevent spoofing.


Managing devices requires that protective measures and permissions be set from a Centralized Control located on a server/system within the organization's network/domain.

Security settings are to be sent, applied and enforced on clients in real time, without delay or need to reboot.

The Central Control interface should show clients' updated security status and receive events/alerts from clients.

Authorized personnel's ability to access the Central Control should not depend on internet access, external services or entities.

The Central Control should work with encrypted data, readable only within the Control Interface.

Depending on the organization:

  • Events should be sent via secure email to an inbox within the organization's domain.
  • Event format should be standardized to Syslog or CEF (Common Event Format) so events can be relayed to SIEM solutions.

Note: When readable reports outside the Control interface are required, access to those reports should be managed and secured to prevent disclosure of device identifiers.
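To make the connection-event fields listed above and the CEF relay concrete, here is an added example (not USB-Lock-RP's code; the vendor/product strings, whitelist entry, hosts and device IDs are constructed) that parses a Windows-style USB instance ID into VID/PID/serial, checks it against a serial-level whitelist, and renders the allowed/blocked event as a CEF line for a SIEM.

```python
import re
from datetime import datetime, timezone

# Windows-style USB instance ID: USB\VID_xxxx&PID_xxxx\<serial> (hex VID/PID, then serial).
USB_ID_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^\\]+)$", re.I)

# Constructed sample whitelist: one specific drive, identified by VID, PID and serial.
SAMPLE_WHITELIST = {("0781", "5583", "4C530001230000000000")}

def parse_device_id(instance_id):
    """Return (vid, pid, serial) from a USB instance ID, or None if it does not match."""
    m = USB_ID_RE.match(instance_id)
    return (m.group(1).upper(), m.group(2).upper(), m.group(3)) if m else None

def cef_escape(value, header=False):
    """CEF escaping: header fields escape pipe and backslash; extension values escape '=', backslash and newlines."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "").replace("\n", "\\n")

def build_event(instance_id, src_ip, host, user, whitelist, when=None):
    """Decide allowed/blocked for one connection and collect the fields the central control needs."""
    ident = parse_device_id(instance_id)
    allowed = ident is not None and ident in whitelist   # exact device match, not just the model
    vid, pid, serial = ident if ident else ("", "", "")
    return {"vid": vid, "pid": pid, "serial": serial, "src": src_ip, "host": host,
            "user": user, "time": when or datetime.now(timezone.utc),
            "outcome": "allowed" if allowed else "blocked", "severity": 3 if allowed else 8}

def to_cef(ev):
    """Render one event as a CEF line ready for syslog relay to a SIEM."""
    header = "|".join(cef_escape(x, True) for x in (
        "ExampleVendor", "DeviceControl", "1.0", "usb-connect",
        "USB device " + ev["outcome"], ev["severity"]))
    ext = {"rt": ev["time"].strftime("%b %d %Y %H:%M:%S"), "src": ev["src"],
           "dvchost": ev["host"], "suser": ev["user"], "outcome": ev["outcome"],
           "cs1Label": "VID", "cs1": ev["vid"], "cs2Label": "PID", "cs2": ev["pid"],
           "cs3Label": "Serial", "cs3": ev["serial"]}
    return "CEF:0|" + header + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())

def demo():
    """Two constructed connection events: one whitelisted drive, one unknown drive of the same model."""
    events = [
        build_event("USB\\VID_0781&PID_5583\\4C530001230000000000", "10.0.0.5", "WS01", "alice", SAMPLE_WHITELIST),
        build_event("USB\\VID_0781&PID_5583\\DEADBEEF00000000", "10.0.0.6", "WS02", "bob", SAMPLE_WHITELIST),
    ]
    return [to_cef(e) for e in events]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Note that the second event is blocked even though its VID/PID match the whitelisted model: authorization is per device serial, which is the specific-authorization behaviour described above.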

Understanding the Device Control Role

Today, it’s well understood that:

  • Industrial networks in the manufacturing, processing and energy production sectors MUST implement device control to safeguard:
    • Environment.
    • Personnel.
  • Both Industrial and Enterprise IT networks should implement device control to prevent:
    • Malware infection.
    • Confidential or sensitive data loss.
    • Arbitrary command/code execution (ACE).

Cyber-attacks grow in frequency, stealth and complexity. It is important that IT security personnel select the adequate solution to fulfill the requirement. Decisive control requires a tool that can be fully tested within its intended operating environment.

NOTE: This page outlines the USB-Lock-RP Device Control design model. This straightforward and effective endpoint security solution serves its purpose and will continue to evolve based on the technical security challenges to come.


[Screenshot: USB-Lock-RP management interface]

Straightforward approach: allow only specifically authorized devices and reject the rest, without interfering with the normal operation of harmless peripherals.

Client-side hallmarks:

  • Smart device detection & blocking.
  • Personalized desktop Lockdown.

USB-Lock-RP Device Control

USB-Lock-RP is a complete device control software solution to protect Servers, Workstations & Laptops running Windows Operating Systems.

Since 2005 it has served organizations as an effective security tool for centralized device management.

It controls access for a broad range of devices, such as:

  • USB flash drives.
  • Smartphones.
  • Card readers.
  • USB adapters.
  • Wireless Transceivers.
  • BadUSB (a.k.a. USB Rubber Ducky).
  • External drives (USB, e-Sata, Firewire).
  • Compact discs.

Functions that security administrators and pen testers highlight:

  • On-Premises Centralized Management.
  • Events Logging.
  • USB Transfers Monitoring.
  • Device Encryption.
  • Real-time Response.
  • Autonomy.
  • Ease of use (intuitive interface).
  • Data protection strength.
  • Personalization.
  • Permanent use licensing.

USB-Lock-RP by Advanced Systems controls devices and removable media like no other software in the market does.

For Microsoft® Windows® Operating Systems (Servers & Clients / 64 & 32 bit)

[Image: USB-Lock-RP (Remote Protector) box]

Learn more about USB-Lock-RP Device Control to effectively secure Windows® networks.