hardware key logger

You can disable USB ports by Group Policy.
https://social.technet.microsoft.com/Forums/windows/en-US/0be0c42b-950c-4a16-8be6-3f3a3d22e712/process-for-usb-port-blocking-via-active-directory-group-policy?forum=winserverGP

Make sure no user has Admin Rights to their computer.

Today almost no machine needs a DVD player so remove those.

1) Disable unused USB ports.
2) Physically prevent access to the USB ports.
3) In cases where users don't have any reason to touch the computer itself, lock it in a case or cabinet of some sort.

how would keyboards and mice work if all USB ports were completely disabled.

Today almost no machine needs a DVD player so remove those.

Eh?

Haven't used a DVD player in half a decade.

how would keyboards and mice work if all USB ports were completely disabled.

Use Bluetooth Keyboard and Mouse.

how would keyboards and mice work if all USB ports were completely disabled.

The assumption is you wouldn't disable the ports you actually need.

While DVD drives get used less than they used to, they still have quite a bit of usefulness. And for various reasons. Entertainment being one (not everything is available for streaming, nor would one always been in a place with internet available)... we happen to have use cases of training videos (the vendor charged an arm and a leg for the streaming version)

protect against hardware based key logger devices?

How big is this issue? We do not see it at our clients.

A one off incident hopefully.

how would keyboards and mice work if all USB ports were completely disabled.

Blocking it in GPO will not block these devices.

Use Bluetooth Keyboard and Mouse.

These have their own security risks.

The only solution is physical security

Buy a 5-port USB card (these have an internal slot), use wireless mouse/keyboard and plug the transceiver in the internal socket, squirt glue in all external USB ports or disable them with a policy, padlock the case.

Ironically, one of the most overlooked things is to simply physically secure the box itself or purchase something which is physically hardened against this type of thing. I go into TOO many businesses, see the USB ports staring me in the face (and laughing at the need for physical security) from the customer side of the counter ...

If this is a public facing (or factory) device:
1. Put it in a secure box which adequately addresses the environment  ...
2. (I'm with John, above) Purchase a good keyboard / mouse combo with a Bluetooth receiver and go ...

Note: If you think this is too expensive, what does a single data breach cost? At a minimum, customer(s), possibly employee(s) and marketshare ... if not reputation and your business's future.

If you have an issue with employees and need to secure all computers in all offices, you've got a management / HR / policy issue and not a technology issue.

>Ironically, one of the most overlooked things is to simply physically secure the box itself or purchase something which is physically hardened against this type of thing.

Can you provide any examples of such?

Examples of small vs large are at https://www.globalindustrial.com/p/office/computer-furniture/cabinets/datum-small-hanging-cpu-locker-black?infoParam.campaignId=T9F&gclid=EAIaIQobChMIiu_PweDC3QIVyrrACh0haAV8EAQYAyABEgIrTvD_BwE or https://www.globalindustrial.com/p/office/computer-furniture/cabinets/mobile-security-lcd-computer-cabinet-black-2?infoParam.campaignId=T9F&gclid=EAIaIQobChMIiu_PweDC3QIVyrrACh0haAV8EAQYASABEgJv8vD_BwE.

If it is dusty, make sure it is filtered properly and add it to a regular maintenance / cleaning schedule depending on how much dust the area will have ...

Look at Kensington locks. However many cases have a metal hoop/eye at the back that you can put a padlock through.

Keyboard / mouse combos examples are at https://www.wetkeys.com/SearchResults.asp?Search=wireless or https://techspotsolutions.com/top-5-best-waterproof-bluetooth-foldable-keyboards-in-2017/ (for compact examples).

However, if you are already experiencing "dishonesty" relating to hardware-based keyboard loggers, integrity is already an issue and wireless devices may tend to "walk away" too.

Cheaper, wired USB devices combined with a well-ventilated enclosure may be your most cost-effective alternative.

Don’t use wired keyboard or mice to start.
Physicallly inspect machines on a regular basis.
Good antivirus software should detect software versions.
Check drivers for keyboard and mice regularly as well
If in a company, users should not be Admins to prevent locally added software. (Hopefully admins are trustworthy!)