NetWrix USB Blocker

Version 3.6

Quick Start Guide

 NetWrix USB Blocker Quick Start Guide


Table of Contents
1. Introduction ................................................................................................................................3
1.1. What is NetWrix USB Blocker? ......................................................................................3
1.2. Product Architecture ........................................................................................................3
2. Licensing .....................................................................................................................................3
3. Getting Started ...........................................................................................................................5
3.1. System Requirements ......................................................................................................5
3.1.1. Management Server ............................................................................................5
3.1.2. Managed Computers ...........................................................................................7
3.2. Installing the Product .......................................................................................................5
3.3. Configuring the Product ..................................................................................................8
3.3.1. Starting NetWrix USB Blocker ..........................................................................8
3.3.2. Configuring the Product ...................................................................................10
3.3.3. Monitoring Console and Administrative Portal ...............................................10
3.3.4. Monitoring Console Access Rights .................................................................12
4. Uninstalling the Product..........................................................................................................12
5. Contacting NetWrix Support ..................................................................................................12
6. Additional Software Links ......................................................................................................13
7. About NetWrix Products .........................................................................................................14
8. Disclaimer .................................................................................................................................14

Page | 2

 NetWrix USB Blocker Quick Start Guide


1. Introduction
1.1. What is NetWrix USB Blocker?
NetWrix USB Blocker is a budget-friendly, easy-to-deploy solution that allows you to block USB
devices automatically on computers in a specified domain or domain organizational units.
NetWrix USB Blocker enforces centralized access control to prevent unauthorized use of
removable media that connects to computer USB ports, such as memory sticks, removable hard
disks, PDAs1 and others1. USB port access control is an important aspect of your endpoint
security, regardless of the effectiveness of your antivirus and firewall. The USB device
lockdown protects your network against malware and prevents the theft of sensitive corporate
data.
The product relies on built-in group policy mechanisms and seamlessly integrates into your
existing environment. Another advantage is its simplicity, as it takes only a couple of mouse
clicks to configure the product and get the necessary USB ports blocked. In addition, the
software is free of charge for small networks (i. e., up to 50 computers). However the
commercial version has much more advanced functionality and an unlimited capacity in terms of
network size. It is available for a charge.

Benefits:
• Prevents unauthorized use of removable devices.
• Strengthens endpoint security.
• Enables regulatory compliance, such as SOX, HIPAA and GLBA.
• Saves you money in IT.
Features:
• Seamless integration with Active Directory.
• Simple point-and-click deployment and interface.
• Fully centralized management.
• USB ports status monitoring.

1.2. Product Architecture

Management server is the computer where NetWrix USB Blocker is installed. Thus this
computer is further used to configure NetWrix USB Blocker.
Managed computers are the computers where the NetWrix USB Blocker Agent is installed and
on which USB ports access is monitored and controlled with NetWrix USB Blocker.
The management server and the managed computers must belong to a single domain. NetWrix
USB Blocker should be first installed on the management server and then spread to the managed
computers via the standard group policy mechanism. This is done automatically by NetWrix USB
Blocker to all the specified managed computers. The management server then is used for
centralized USB access control.

1) Only available in commercial version.

Page | 3

 NetWrix USB Blocker Quick Start Guide


2. Licensing
NetWrix USB Blocker is available in two versions: freeware and commercial. The commercial
version has much more advanced functionality and includes full technical support. The following
table shows a feature comparison of these two available product versions.

Feature Freeware Version Commercial Version

Supported devices Storage devices only • Storage devices

• Other devices (Printers, PDAs, Imaging
devices, etc)

Granular access control Computer list to exclude • Computer list to exclude

• Limit the scope of blocking by OU
• Whitelist and blacklist of devices
• List of users explicitly allowed to access
devices

2
User activity logging No Yes, with reporting capabilities

Temporary device access No Yes, using an unlock code

Technical support Support forum Full range of options

Licensing Free of charge for up to 50 Per managed computer, please see our
managed computers pricing information or request a quote

2) Features coming soon

Page | 4

 NetWrix USB Blocker Quick Start Guide


3. Getting Started
Follow the instructions below to install and configure the NetWrix USB Blocker.

3.1. System Requirements

System requirements differ for the management server and the managed computers.

3.1.1. Management Server

• CPU x86 or x64 processor (1 GHz or faster).
• RAM 512 MB or more.
• OS required operating systems and additional software are described in the table below
Operating System Additional Software
Windows XP • Windows Components:
° Internet Information Services (IIS)
• .Net Framework 3.5
• .Net Framework 1.1
• Group Policy Management Console (GPMC)

Windows 2003 Server SP2 • Windows Components:

Windows Vista ° Internet Information Services (IIS)
° ASP.Net3
• .Net Framework 3.5
• .Net Framework 1.1
• Group Policy Management Console (GPMC)

Windows 2008 Server • Windows Components:

° Internet Information services (IIS)
° ASP.Net
° Microsoft Remote Server Administration Tools (RSAT)
• .Net Framework 3.5

Windows Vista SP1 or higher • Windows Components:

° Internet Information services (IIS)
° ASP.Net
• .Net Framework 3.5
• Microsoft Remote Server Administration Tools (RSAT)

Window 7 • Windows Components:

Windows 2008 Server R2 ° Internet Information services (IIS)
° ASP.Net
° .Net Framework 3.5
• Microsoft Remote Server Administration Tools (RSAT)

Note: Links for the additional system components are provided in the “6. Additional Software
Links” subsection. To install Windows components, please follow the instructions below:
Note: A computer used to access the Monitoring Console (see “3.3.4. Monitoring Console and
Administrative Portal”) via the web is required to have Silverlight installed.

3) For 64-bit systems ASP.NET is a part of .Net Framework thus it does not have to be installed separately.
Page | 5

 NetWrix USB Blocker Quick Start Guide

On Windows XP:
• Go to Control Panel > Add or Remove Programs > Add/Remove Windows Components.
• Select Internet Informational Services (IIS) and click on Details... Make sure that
Common Files and Internet Information Services Snap-In are checked. Click OK and let
Windows install the components.
On Windows 2003 Server:
• Go to Control Panel > Add or Remove Programs > Add/Remove Windows Components.
• Please select Application Server and click on Details...
• For 32-bit version only: make sure that ASP.NET is checked.
• Select Internet Informational Services (IIS) and click on Details... Make sure that
Common Files and Internet Information Services Manager are checked. Click OK and let
Windows install the components.
On Windows Vista / Windows 7:
• Go to Control Panel > Programs > Turn Windows Features on or off.
• First check Internet Information Services so that the check box becomes solid green, then
expand the Internet Information Services > Web Management Tools tree node, and verify
that IIS6 Management Compatibility (and all of its insides), IIS Management Console
and IIS Management Service are checked.
• Expand the Internet Information Services > World Wide Web Services > Security tree
node, and verify that Windows Authentication is checked.
• Click OK and let windows install the components.
On Windows 2008 Server / 2008 Server R2:
• Click Start > All Programs > Administrative Tools > Server Manager.
• In the Server Manager window, select Roles.
• Click Add Roles. The Add Roles wizard opens. Click Next to select roles to install and
select Web Server (IIS). Click Add Required Role Services. The Web Server is now
selected for install. The Select Server Roles dialog box opens. Click Next two times. Verify
that ASP.NET, Windows Authentication and IIS6 Compatibility are checked. Click Next
and then click Install.

IIS Note: USB Blocker requires at least one active IIS website to run. The default IIS setting
includes a pre-created website so that normally you do not have to change anything. Although if
you have deleted or disabled the IIS websites, it is necessary to get at least one of them up and
running.

ASP Note: If your system is 64-bit and ASP is not configured yet please follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to disable the 32-bit mode:
cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET
W3SVC/AppPools/Enable32bitAppOnWin64 0
3. Type the following command to install the version of ASP.NET 2.0 and to install the script
maps at the IIS root and under:
%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i
4. Make sure that the status of ASP.NET version 2.0.50727 is set to Allowed in the Web service
extension list in Internet Information Services Manager.

Page | 6

 NetWrix USB Blocker Quick Start Guide

3.1.2. Managed Computers
• CPU x86 or x64 processor (1 GHz or faster).
• RAM 64 MB or more.
• OS  Windows 2000 SP4 or later, joined to an Active Directory domain.
• .Net Framework 2.0

3.1.3. SQL Server

An SQL 2005 or 2008 server is required for Monitoring Console (see “3.3.3. Monitoring
Console and Administrative Portal”). You can use an existing SQL server or download MS SQL
Express. Download link for MS SQL 2005 Express can be found in “8. Additional Software
Links”.

Note: MS SQL 2005 is free but it only supports databases not greater than 4Gb is size. However
it is sufficient for NetWrix USB Blocker.

Page | 7

 NetWrix USB Blocker Quick Start Guide


3.2. Installing the Product

NetWrix USB Blocker can be installed on any computer in the managed domain. Choose one of
the computers to be the management server.
Note: Before installing the commercial version please uninstall the freeware version.
Before starting the installation process, carefully review all of the system requirements. The
computer on which you install NetWrix USB Blocker must meet the management server
requirements (see “3.1.1. Management server”Error! Reference source not found.). Further,
any computers on the network that you want to audit must meet the managed computers
requirements (see “3.1.2. Managed computers”).
To install NetWrix USB Blocker, run “ubfree_setup.msi” using the freeware version, or
“ubfull_setup.msi” using the commercial version. The installation wizard guides you step-by-
step through the installation process.
Note: The account and password specified on the Computer Management page during NetWrix
USB Blocker setup must have local administrator rights on the managed computers.
When the installation process is complete, click Finish to close the wizard. You may leave the
Start NetWrix USB Blocker check box selected if you want to run the application automatically
when you exit the setup program.

3.3. Configuring the Product

3.3.1. Starting NetWrix USB Blocker and Configuration Window
Layout
° For the free version please go to: Start > All Programs > NetWrix Freeware > USB Blocker
> USB Blocker.
° For the commercial version please go to: Start > All Programs > NetWrix > USB Blocker >
USB Blocker

After doing so you will be presented with the programs main window (see Figure 1).

Page | 8

 NetWrix USB Blocker Quick Start Guide


Figure 1: NetWrix USB Blocker configuration window

See NetWrix USB Blocker Quick Start setup instructions on the next page.

Page | 9

 NetWrix USB Blocker Quick Start Guide

3.3.2. Configuring the Product
1. Enable blocking by selecting the Block USB devices check box.
2. In the field Active Directory domain, specify the name of the managed domain (e.g.
ACME, or ACME.com).
3. Select the All domain computers option.
4. For testing purposes, leave the default values for the rest of the options. For details, please
refer to the “NetWrix USB Blocker Administrator Guide”.
5. Click OK. NetWrix USB Blocker creates a Group Policy Object that will install NetWrix USB
Device Management Agent on managed computers. At this point, the configuration is saved,
and the USB ports of managed computers will be blocked immediately after your restart the
managed computers.

3.3.3. Monitoring Console and Administrative Portal

You can also use the NetWrix USB Blocker Monitoring Console (requires a running SQL
2005 or 2008 server, for a download link please see “6. Additional Software Links”) to monitor
the status of agents installed on managed computers and the USB ports’ blocking status.
Note: Any Internet browser with Silverlight (download link can be found in “6. Additional
Software Links”) support is required to access the Monitoring Console via the web.
When you run the Monitoring Console for the first time, the Monitoring Console
Administrative Portal window will open in your default Internet browser.

Figure 2: Monitoring Console Page | 10

Administrative Portal window

 NetWrix USB Blocker Quick Start Guide

Type the names of the SQL server and database in the corresponding fields. You may use
Integrated authentication or you may unmark this checkbox and enter your MS SQL
administrator credentials.

The NetWrix USB Blocker Monitoring Console window opens (see Figure 3).
• The left panel shows a list of the managed computers, as follows:
° The name of the computer.
° Status of the USB Device Management Agent.
° Whether there are blocked USB devices on the computer or not.
• The right panel includes details about the selected computer:
° The top section shows details about the USB devices attached to the selected
computer, including the device name, type, the user who plugged the device in, state
of access to the device, and the reason for granting or blocking.
° The bottom section shows details about users logged on to the selected computer, the
name and the type of logging.
° If the computers are marked with red icons on the first run, it is most likely that the
USB Device Management Agent is not yet installed on the managed computers
(usually it means that the managed computers have not yet been restarted) or no users
are logged in. To fix this please restart the managed computers.

Figure 3: NetWrix USB Blocker Monitoring Console window

Page | 11

 NetWrix USB Blocker Quick Start Guide

Restart the managed computers if it has not been done. The new Group Policy Object will be
applied to the managed computers and the NetWrix USB Device Management Agent will be
installed. The USB devices on your managed computers will then be blocked according to the
configuration settings you specified.

3.3.4. Monitoring Console Access Rights

In correspondence with IIS designation, there are two groups of users who have privileged
rights:
1. NetWrix USB Blocker Admins – allowed accessing all the parts of the site. It means that
they can access USB Blocker Monitoring Console Administrative Portal and
create/configure USB Blocker SQL database.
2. NetWrix USB Blocker Operators – only allowed accessing USB Blocker Monitoring
Console to watch managed computers statuses.
These groups exist as local if the management server is not DC and as domain in the other case.
By default the person installed the product belongs to the NetWrix USB Blocker Admins group.

4. Uninstalling the Product

You can uninstall the NetWrix USB Blocker using the MS Windows “Add/Remove Programs”
wizard.

Note: Product uninstall will cause the corresponding Group Policy Object to be deleted. Thus
rebooting the managed computers will restore uncontrolled access to their USB ports. Beware,
sometimes software installation policy application may be delayed until the next logon because
of the enabled logon optimization for group policy, in this case it will take two reboots.

5. Contacting NetWrix Support

If you have any questions please feel free to contact the NetWrix support team.

NetWrix provides unlimited phone and email support for customers who purchase the
commercial version (including evaluation). In addition, limited support is provided at no charge
to customers who use the freeware version through the NetWrix Support Forum.

Page | 12

 NetWrix USB Blocker Quick Start Guide


6. Additional Software Links

.Net Framework 3.5 is available at
http://www.microsoft.com/downloads/details.aspx?FamilyId=333325FD-AE52-4E35-
B531-508D977D32A6&displaylang=en

.Net Framework 2.0 is available at

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0856eacb-
4362-4b0d-8edd-aab15c5e04f5 or for 64-bit systems at
http://www.microsoft.com/downloads/details.aspx?FamilyID=B44A0000-ACF8-4FA1-
AFFB-40E78D788B00&displaylang=en

.Net Framework 1.1 is available at

http://www.microsoft.com/downloads/details.aspx?familyid=262D25E3-F589-4842-
8157-034D1E7CF3A3&displaylang=en

Microsoft Silverlight is available at http://www.microsoft.com/silverlight/get-

started/install/default.aspx

Group Policy Management Console (GPMC) is available at

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-
9272-dd3cbfc81887&displaylang=en

Microsoft Remote Server Administration Tools (RSAT) is available for 32-bit systems at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9FF6E897
-23CE-4A36-B7FC-D52065DE9960&displaylang=en, or for 64-bit systems at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=D647A60
B-63FD-4AC5-9243-BD3C497D2BC5

Microsoft SQL Server 2005 is available at

http://www.microsoft.com/Sqlserver/2005/en/us/express.aspx

Page | 13

 NetWrix USB Blocker Quick Start Guide


7. About NetWrix Products

Solutions developed by NetWrix Corporation help organizations to meet compliance standards,
simplify identity management, and reduce IT infrastructure costs. The product line includes
solutions for change management, identity management, virtualization, and Active Directory
troubleshooting.

NetWrix Active Directory Change Reporter reports the changes made to Active Directory and
Group Policy and delivers detailed information on a daily basis. The report includes the 4 “W”s -
Who, What, When, and Where - of all changes and includes “before” and “after” values for each
and every setting. This report lists changes made to AD and Exchange configurations, Group
Policy objects and setting modifications, and many more.

NetWrix Password Manager product gives end users the ability to securely manage their
passwords and resolve account lockout incidents in a self-service fashion without involvement of
help desk personnel.

NetWrix Account Lockout Examiner detects, diagnoses, and resolves account lockouts in real
time to reduce administrative costs associated with manual resolution of account lockouts.

Privileged Account Manager provides a secure facility for provisioning, accessing, automatic
updating, and de-provisioning of shared administrative accounts, to enable centralized control
and auditing of all shared accounts in organizations, from Active Directory and servers to routers
and database systems.

For more information, please visit www.netwrix.com or call our toll-free number: +1-888-638-
9749.

8. Disclaimer
The information in this publication is furnished for information use only, does not constitute a
commitment from NetWrix Corporation of any features or functions discussed and is subject to
change without notice. NetWrix Corporation assumes no responsibility or liability for any errors
or inaccuracies that may appear in this publication.

NetWrix is a registered trademark of NetWrix Corporation. The NetWrix logo and all other
NetWrix product or service names and slogans are registered trademarks or trademarks of
NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other
trademarks and registered trademarks are property of their respective owners.

© 2010 NetWrix Corporation. All rights reserved.

www.netwrix.com

Page | 14
