Complex shared USB devices isolation


If you’re working in an environment that involves computers shared by multiple users, the risk of unauthorized access to remotely connected USB peripheral devices requires some consideration. A USB device that is physically connected to the host machine will be accessible by all users by default unless you specifically restrict access.

Regardless of the type of USB device, you can restrict access with USB Network Gate. USB Network Gate allows you to isolate the device and grant access either for a selected session or for a specific local or domain user account. The connected device is not visible to other users or sessions, which makes it inaccessible to them.

Contents

  1. Steps for limiting access to USB devices for Windows
  2. Steps for limiting access to USB devices for Remote Desktop sessions

Steps for limiting access to USB devices for Windows


USB Network Gate is a useful tool to help you resolve the problem of unauthorized access to connected remote USB devices. You can isolate the connected device by implementing Per-user isolation.

If you’re a Remote Desktop user, see the section “Setting up device isolation in a Remote Desktop session” below.

Per-user isolation allows you to isolate a connected device, making it inaccessible to other Windows accounts. The isolated device will only appear on the connected machine when an authorized user is logged in. This option is useful for shared machines that might have multiple people logging in and switching accounts.

How to set up device isolation


To set up device isolation, you must install USB Network Gate Device Isolation Components on the USB Network Gate Client. The client is the machine requiring access to the remotely connected USB device.

During the installation process, do not forget to check the “Device Isolation Components” option.

Note: You only need to install the Device Isolation Components on the USB Network Gate client.

The USB Network Gate Device Isolation Components are compatible with 32-bit and 64-bit versions of Windows and comprise the following files:

  • Device isolation driver (sessapart.sys)
  • Dynamic link libraries (sessapart32.dll and sessapart64.dll)
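
To confirm on a client that the isolation driver named above is actually installed, loaded and signed, a check along these lines can be run from an elevated PowerShell prompt. This is an added example, not vendor code; it assumes sessapart.sys is registered as a kernel driver service, and the function name Test-IsolationDriver is hypothetical.

```powershell
# Added example: verifies the Device Isolation driver listed on this page.
# Assumption: sessapart.sys is registered as a kernel driver service and is
# therefore listed by Win32_SystemDriver. The install location is not stated
# on the page, so the path is read from the service entry, not hard-coded.
function Test-IsolationDriver {
    $drv = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*sessapart.sys' } |
        Select-Object -First 1

    if (-not $drv) {
        # Driver not registered: isolation cannot be enforced on this client.
        return [pscustomobject]@{
            Installed = $false; State = $null; StartMode = $null
            Path = $null; Signature = $null
        }
    }

    # Service image paths may carry an NT prefix or a \SystemRoot\ alias.
    $path = $drv.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"

    # Check the Authenticode status of the driver file on disk.
    $sig = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    } else {
        'FileNotFound'
    }

    [pscustomobject]@{
        Installed = $true
        State     = $drv.State       # 'Running' means the driver is loaded
        StartMode = $drv.StartMode   # 'Disabled' would defeat isolation
        Path      = $path
        Signature = $sig             # anything other than 'Valid' needs review
    }
}

Test-IsolationDriver | Format-List
```

A result with Installed set to False, a State other than Running, or a Signature other than Valid means per-user and per-session connections should not be relied on for that client until the components are reinstalled.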

The steps to configure Per-user isolation are as follows:


  1. Install USB Network Gate on the server machine. The server is the machine to which the USB device is physically connected.
  2. Launch the application and select the “Local USB devices” tab.
  3. Locate the device you wish to share on the list and click the “Share” option next to the device name.
  4. The device is now shared on the server. Proceed to install the required software on the client machine. The USB Network Gate Client is the computer that requires access to the connected USB device.

    Note: Remember to check the “Device Isolation Components” box during installation.

  5. Open the “Remote USB devices” tab and locate the shared device from the list.
  6. Click the “Connect” drop-down and select the “Connect for this user” option.

You can also do this from the main menu: select Connect devices > Connect for this user.

Once setup is complete, the name of the authorized user will be displayed alongside the device name in the devices list.

Note: If you try to set up the client by selecting either the “Connect for this session” or the “Connect for this user” option without having installed the required USB Network Gate Device Isolation Components, you will see a “Connection Error” system message advising you accordingly, with the option to install the components. You must install the components to use the functionality.

Note: USB Network Gate supports a wide variety of USB devices, including but not limited to USB flash drives, external hard drives, printers, scanners and cameras.

Your setup is now complete. The isolated USB device will now only be accessible to the authorized user account. The device will not appear on the device list when any other user logs in to the shared computer.

Setting up device isolation in a Remote Desktop session


The alternative option provided by USB Network Gate is to isolate devices in remote desktop sessions.

Per-session isolation lets you assign a USB device to a specific remote desktop session. As long as the authorized session is open, the connected shared device is accessible. Any other sessions will simply not see the connected device.

Steps to enable Per-session USB device isolation:


Follow steps 1-5 listed above for Per-user isolation.

Then click “Connect” and select the “Connect for this session” option from the drop-down list.

You can also access the “Connect for this session” option directly from the main menu: Connect devices > Connect for this session.

Note: You’ll notice an “Enable Auto autoconnect” option on the setup screen. This option is not available for a Per-session isolation connection. Once the setup is completed, the authorized session name will be displayed alongside the device name.

When the authorized session is terminated, the device will disconnect from the client machine and will no longer be accessible.

Note: If a user has multiple sessions open concurrently, the device will only be accessible in the authorized session.

Your device is now successfully shared and isolated from unauthorized access.