That is a policy I heard to be used in already not-extremely-secure environments like software development at a bank (completely isolated from production environment).
They didn't go so far as to cause alarms on unknown device ids, but devices would just not be mounted if they were not whitelisted.
About 13-14 years ago some parts of the US DoD resorted to hot glue gun filling all the USB ports on desktop PCs, except for the two ports required for the keyboard and mouse.
This was during the Windows XP era when it seemed there were an endless number of security problems related to USB devices, no matter how good the group policy and registry settings pushed via Active Directory membership were.
My company stayed on NT4 until 2008 because it didn't have USB support. Network was fully locked down and any unknown MAC would cause an immediate search by IT.
They probably did. The sort of IT folks that would run a decade-old OS are the same kind that would resort to this sort of security theater to "lock down" their network. Capturing MAC addresses off a device is pretty simple if you don't mind a little bit of connectivity loss during the process.
>About 13-14 years ago some parts of the US DoD resorted to hot glue gun filling all the USB ports on desktop PCs, except for the two ports required for the keyboard and mouse.
Here's a current story:
Someone ordered the wrong desk phones at your large company?
1.) Assemble your crew. Go to various departments and recruit non-technical people.
2.) Task them with disassembling 1000 desk phones.
Is the disassembly and reassembly just for more billable hours? Seems to me you could fill user-accessible USB ports with hot glue without it, same as a user could fill it with an unauthorized USB device.
It solves two problems: one is someone covertly or foolishly plugging in an untrusted USB device (which might be easily missed on, say, the back of a desktop) and it means that checking to make sure that only a keyboard or mouse are attached is as simple as putting tamper-evident seals on those cables.
Attempting to authenticate USB devices is a very hard problem — a sufficiently advanced attacker can spoof manufacturer and device IDs, even if you lock things down to prevent anything other than a keyboard or mouse it's possible to send keystrokes to open the wrong website, there's always a chance of an exploitable flaw in your USB stack, etc. — but anyone diligent can be paid to walk around every week checking to make sure that a seal is solid and the tamper-evident stickers have the same serial number as listed on the inventory. There is a real value in having things where the failure modes are obvious and intuitive.
The closest thing to a USB hub I've got is one of my external drives for my Mac Mini, which has a built-in USB hub so I can plug stuff into that as well as directly into the computer. The last time I worried about such things was back when desktop computers only had one or two USB ports. Plus, in a DoD situation, I'd imagine that having your own USB hub plugged into a DoD computer would be the kind of thing that could put your job at risk. A friend who teaches at the Naval War College often laments the unusability of DoD IT because of the level of locking down, but any "Why don't you do X?" suggestions have a response of "I'd get fired."
The safeguard doesn't need to be perfect, it just has to be good enough.
If my experience with users holds true, they'll abandon the quest at the first obstacle and the USB will harmlessly sit in a desk drawer for the rest of time.
It doesn’t solve for an outsider or malicious employee getting access to a machine. What it does solve for is an employee plugging in a compromised USB device by accident since they probably won’t unplug their keyboard or mouse for it.
That's what my alma mater, the University of Waterloo, did for some of our labs when I attended. Then at some point something must have happened and they moved all the electronics into the PC case and only the wires of the mouse, keyboard, and monitor came out of these little openings.
Reminds me of my school when someone booted Ophcrack to recover cached network passwords - they removed the CD drives. Given the machines didn't support booting from USB (IIRC), it wasn't a terrible solution.
I have not yet seen this implemented anywhere in banks. HID devices are fine, but anything else USB (esp. storage) is locked out completely. One of those banks wouldn't even let temp staff send emails out of the bank from their work account.
(Due to various disability acts they can't really do it either, as the employer must provide their staff with hardware they require, e.g. ergonomic keyboards and mice)
That sounds really the wrong way around - the worst offenders in USB malware surely are flash drives that declare themselves as keyboards and input preprogrammed keyboard events (like the USB Rubber Ducky [0])!
(For your parenthetical I should clarify - it wasn't the case that it was impossible to whitelist other devices, it just had to be done on a case-by-case basis. I.e. you would call IT and say "Jen from accounting at machine foo123 needs her new ergonomic mouse to be recognized" and they would remote in, tell Jen to unplug and replug the device and whitelist that exact USB device id on that exact machine.)
It may be so, but I'm talking from experience - as a keyboard geek I have, over the past ten years, taken all sorts of weird keyboards (and mice) into various big banks with not a hint of trouble. USB storage, on the other hand, qualifies for an instant termination.
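The two policies debated in this thread, "HID is fine, everything else is blocked" versus a per-machine allowlist of exact device IDs, compared side by side in an added Python example that is not part of any post. The vendor/product IDs, serials and the second host `foo124` are constructed; only the interface class codes 0x03 (HID) and 0x08 (mass storage) are real USB values.

```python
from dataclasses import dataclass

HID, MASS_STORAGE = 0x03, 0x08  # USB interface class codes

@dataclass(frozen=True)
class UsbDevice:
    vid: int                 # vendor ID, self-reported by the device
    pid: int                 # product ID, self-reported by the device
    serial: str              # serial string, self-reported by the device
    interface_classes: tuple

def class_policy(dev):
    """Class-based policy: admit a device only if every interface is HID."""
    return all(c == HID for c in dev.interface_classes)

def allowlist_policy(host, dev, allowlist):
    """Per-host policy: admit only the exact device approved for this host."""
    return (dev.vid, dev.pid, dev.serial) in allowlist.get(host, set())

def audit(host, devices, allowlist):
    """Map each device serial to a verdict under the stricter per-host policy,
    calling out HID devices the class-based policy alone would have admitted."""
    report = {}
    for dev in devices:
        if allowlist_policy(host, dev, allowlist):
            report[dev.serial] = "allow"
        elif class_policy(dev):
            report[dev.serial] = "deny: HID not approved for this host"
        else:
            report[dev.serial] = "deny: non-HID interface"
    return report

# Constructed sample data. All identifiers below are made up.
ALLOWLIST = {"foo123": {(0x1111, 0x0001, "KB-0001")}}
SAMPLE_DEVICES = [
    UsbDevice(0x1111, 0x0001, "KB-0001", (HID,)),               # approved keyboard
    UsbDevice(0x2222, 0x0002, "MS-0002", (HID,)),               # new mouse, not yet approved
    UsbDevice(0x3333, 0x0003, "FD-0003", (MASS_STORAGE,)),      # flash drive
    UsbDevice(0x4444, 0x0004, "XX-0004", (HID, MASS_STORAGE)),  # composite device
]

if __name__ == "__main__":
    for serial, result in audit("foo123", SAMPLE_DEVICES, ALLOWLIST).items():
        print(serial, "->", result)
    # Caveat raised in the thread: every field matched here is reported by the
    # device itself, so a match is an inventory check, not proof of identity.
```

The second verdict is the gap between the two policies: any device that enumerates as HID passes the class-based rule, while the per-host allowlist holds it until IT approves that device on that machine.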