Allow only specific devices to be connected to USB
Buy a PS2 to USB adapter for keyboards+mice (important: both need to be in one USB port to make sure it's not a naive straight-through connector).
They have logic and cost about $10 USD at time of writing.
Then buy USB to PS2 adapters for both mice and keyboard (separate adapters).
They have no logic, just internal wiring to each connection and they cost less than $5 USD at time of writing.
Put them all together. Yes, it looks funky, but the devices will still work as expected. Now, even if one of the user-reachable cables is spliced, they can't add new hardware other than generic mice and keyboards.
Nice things about this:
- cheap
- simple
- hardware-implemented
- protects against unknown devices
- OS-independent
UPDATE: I manually verified, twice, that there is no continuity between USB's data-/data+ pins and the PS2 data/clk pins (or any other PS2 pins) on a two-in-one adapter. There is continuity on single-port adapters though, but that's not important as long as one of the adapters implements some kind of logic like the two-in-one does. Plugging in the empty adapter to a Windows box should cause the "USB insertion ding"; otherwise it's a naive physical adapter.
The dual PS2-USB adapter I specifically tested was an "ez-pu21", still available on Amazon.
UPDATE #2, 2 things:
- there are USB keyboard attacks, so you need to lock down the OS properly to maintain security.
- one can get inside the BIOS with a keyboard, and I'm not sure how risky that is for exfiltration, or if all they can do is "break" the computer.
UPDATE #3: After using the double-inline adapters for about 24 hours, I can say they work, but not quite 100%, maybe 99%. When I was doing serious programming (typing) I noticed that keys held down for about 1/3rd of a second repeat. This is before my typematic repeat about 2/3rds of a second after press, and it only repeats once, leading to stuff like "biig" instead of "big". I only noticed it a few times, late at night, but I wanted to mention it. I didn't even notice it until after hours of use, but if you were writing a novel, it might be frustrating. It could just be the cheap adapter I used, the really long cables I'm using, or something else nobody will experience.
BONUS (related but OT): I just realized these cheap USB switches don't connect the data pins; they are too cheap to switch all 4 wires, thus making a cheap "USB condom" for those who desire such a thing. Thought I'd share. Cheap condoms, how can you go wrong?
You are taking the wrong side of the problem. If someone you do not trust can access a machine, the machine has been compromised. Full stop.
That's the reason why access to server rooms is highly controlled, and why admins normally do not care about the physical security of the connectors: the defense line is not at the connector level but at the room containing the machine.
That being said, you can imagine special USB drivers that only allow specific hardware IDs. You simply cannot install them by default when installing a kernel on a new machine because of a chicken-and-egg problem, but after an initial installation, you can build a custom kernel with those special USB drivers. But as there are plenty of other possibilities to compromise a machine when you have physical access to it, it is simply IMHO a waste of time and energy...
And anyway, nothing prevents an evil powerful organization from building a specific USB keyboard that presents itself with the ID and the appearance of an innocent keyboard from a well-known hardware manufacturer but that contains a keylogger. If you do not trust your admin, he could replace the keyboard at a system reboot. As I have already said, if an evil guy can touch the machine it is compromised, and if he cannot you should not worry about the USB connectors.
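As an added example (not code from any of the answers above), here is what an allowlist by USB hardware ID looks like on Linux without a custom driver: the stock kernel exposes a per-device `authorized` attribute in sysfs, so a udev hook can deauthorize anything whose vendor:product pair is not listed. The script path, the allowlist file and its format are assumptions.

```shell
#!/bin/sh
# Added example: allowlist USB devices by vendor:product ID using the kernel's
# "authorized" sysfs attribute (not a custom driver). Intended to be run from a
# udev rule such as (assumed path /usr/local/sbin/usb-allow.sh):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
#     RUN+="/usr/local/sbin/usb-allow.sh $attr{idVendor} $attr{idProduct} $devpath"
# Pair it with usbcore.authorized_default=0 on the kernel command line so that
# devices come up deauthorized and the only thing this hook ever does is allow.
# Allowlist format (assumption): one "vvvv:pppp" hex pair per line, '#' comments.

ALLOWLIST="${USB_ALLOWLIST:-/etc/usb-allowlist.conf}"

# is_allowed VENDOR PRODUCT FILE -> 0 if "vendor:product" is listed, 1 otherwise.
# Comparison is case-insensitive and matches whole lines only, so "046d:c52b"
# does not match a partial entry such as "046d:c52".
is_allowed() {
    vid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    pid=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$3" ] || return 1   # missing/unreadable list: fail closed
    sed 's/#.*//; s/[[:space:]]//g; /^$/d' "$3" | tr 'A-F' 'a-f' | grep -qx "$vid:$pid"
}

# enforce VENDOR PRODUCT AUTHORIZED_ATTR FILE
# Writes 1 (authorize) or 0 (deauthorize, which also unbinds any driver) to the
# device's authorized attribute and echoes the decision for the udev/syslog trail.
enforce() {
    if is_allowed "$1" "$2" "$4"; then
        printf '1' > "$3"; echo "allow $1:$2"
    else
        printf '0' > "$3"; echo "deny $1:$2"
    fi
}

# udev entry point: idVendor idProduct devpath (sysfs path relative to /sys).
if [ "$#" -ge 3 ]; then
    enforce "$1" "$2" "/sys$3/authorized" "$ALLOWLIST"
fi
```

Note that a keyboard that is not on the list will not work either, which is the point of the question but means the allowlist must be populated before the hook is enabled.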
On Windows systems, you've been able to block or restrict USB devices through Local or Group Policy since at least Windows Vista. By setting the "Removable Storage Access" policies, you can disable the attachment of USB storage devices (that category includes a lot of nefarious USB devices). These settings block Windows from interacting with the devices because they prevent the services from loading.
https://community.spiceworks.com/how_to/25619-blocking-usb-devices-and-removable-media
https://technet.microsoft.com/en-us/library/2007.06.grouppolicy.aspx