USB Hot Plug Disable feature
Original Publication Date: 2000-Dec-23
Included in the Prior Art Database: 2003-Jun-18
In today's secured systems, the system administrator's control over the configuration is an important factor. However, with the addition of external USB ports and OS software capable of enumerating externally attached USB devices, the system's ability to maintain the same level of integrity is in doubt. This invention gives the system administrator the capability to control the USB configuration by defining a set of allowable devices and disabling, after the fact, any externally hot-plugged USB device not contained in the approved list. The system administrator is given the capability to command the USB monitoring subsystem to capture all currently attached devices as the allowed device configuration and, once the feature is enabled, to disable any USB device not found in the approved configuration.

This feature is enabled using a new configuration utility. The administrator identifies those devices which are allowed to function if attached to a system USB port, including those already attached; for example, removable media devices such as a floppy diskette, a zip drive, or a keyboard. When the administrator is finished, the utility will pass a command to the USB monitoring subsystem, described below, containing the approved device configuration list. In addition, the USB subsystem will be instructed to no longer allow enumeration of any hot-plugged USB device. The USB monitoring subsystem retains knowledge of the approved device configuration list, and of the fact that the system is no longer allowed to enumerate any hot-plugged USB device, by setting fields in non-volatile memory contained within the monitoring subsystem. Any change to the allowed configuration will require the system administrator to use the new utility to identify the new configuration.
The administrator can protect access to the new configuration utility by using the administrator password (privileged access password, PAP) and placing the system in an enhanced secure mode. Any attempt to invoke the configuration utility will require the user to enter the correct password (PAP).

When a USB device is attached to an external USB port, it is enumerated by host software. The device will identify itself in a data packet. This packet will be monitored by the USB monitoring subsystem attached to the USB data signal lines. The subsystem will monitor the signal lines for the device enumeration protocol.
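As an added illustration (not part of the original disclosure), the following Python model shows how the monitoring subsystem described above could apply the approved-device list: it parses the vendor and product identifiers from the standard USB device descriptor a device reports during enumeration, captures the attached devices as the approved configuration, persists that list and the hot-plug lockout flag in a stand-in for the subsystem's non-volatile memory, and disables any later hot-plugged device not on the list. The descriptor layout is the 18-byte USB 2.0 standard device descriptor; the device identifiers and the dictionary used as NVRAM are constructed for the example.

```python
import struct

# Layout of the 18-byte USB standard device descriptor (USB 2.0 spec, 9.6.1).
_DEVICE_DESCRIPTOR = struct.Struct("<BBHBBBBHHHBBBB")


def parse_device_descriptor(packet: bytes) -> tuple:
    """Return (idVendor, idProduct) from a device descriptor seen on the bus.
    A serial string descriptor would be needed to tell two identical models apart."""
    if len(packet) < _DEVICE_DESCRIPTOR.size:
        raise ValueError("short device descriptor")
    fields = _DEVICE_DESCRIPTOR.unpack_from(packet)
    if fields[0] != 18 or fields[1] != 1:  # bLength, bDescriptorType (1 = DEVICE)
        raise ValueError("not a device descriptor")
    return fields[7], fields[8]  # idVendor, idProduct


class UsbMonitor:
    """Model of the monitoring subsystem. `nvram` (a plain dict, constructed here)
    stands in for its non-volatile memory: approved list plus hot-plug lockout flag."""

    def __init__(self, nvram: dict):
        self.nvram = nvram
        self.nvram.setdefault("approved", set())
        self.nvram.setdefault("lockout", False)
        self.attached = {}          # port -> (idVendor, idProduct)
        self.disabled_ports = set()

    def on_enumeration(self, port: int, descriptor: bytes) -> str:
        """Called for each device descriptor observed on the monitored signal lines."""
        dev = parse_device_descriptor(descriptor)
        self.attached[port] = dev
        if self.nvram["lockout"] and dev not in self.nvram["approved"]:
            self.disabled_ports.add(port)   # hot-plugged device not in approved list
            return "disabled"
        return "allowed"

    def capture_allowed_configuration(self) -> None:
        """Administrator command: snapshot attached devices as the approved list and
        stop enumerating anything else; both facts are written to NVRAM."""
        self.nvram["approved"] = set(self.attached.values())
        self.nvram["lockout"] = True


def descriptor(vid: int, pid: int) -> bytes:
    """Constructed sample device descriptor for a test device (ids are made up)."""
    return _DEVICE_DESCRIPTOR.pack(18, 1, 0x0200, 0, 0, 0, 64, vid, pid, 0x0100, 1, 2, 3, 1)


def demo() -> tuple:
    nvram = {}
    mon = UsbMonitor(nvram)
    mon.on_enumeration(1, descriptor(0x1234, 0x0001))  # keyboard present at capture time
    mon.capture_allowed_configuration()
    mon = UsbMonitor(nvram)  # subsystem restarts; policy survives via NVRAM
    return (mon.on_enumeration(1, descriptor(0x1234, 0x0001)),   # approved device
            mon.on_enumeration(2, descriptor(0x1234, 0x0002)))   # hot-plugged, unapproved
```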