Solved

disabling USB port through GPO

Posted on 2004-10-13
9
3,189 Views
Last Modified: 2012-06-21
Is there anyway to disable a USB port through GPO?
Thanks,
0
Comment
Question by:Chuckbuchan
9 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12299175
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 12299498

There's another way.

For ADM Files !!Something is a variable and must be listed in Strings (just so you know).

Anyway, we wrote the ADM below to deal with USB devices. Copy the below into a Text file called USB.adm (or really anything.adm):

CLASS MACHINE

CATEGORY "System"
      CATEGORY "USB Storage Services"
            POLICY "Disable Access to USB Storage Devices""
                  
                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif
            
                  #if version >= 3
                        EXPLAIN !!USBStorageCfg_Help
                  #endif                  

                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY

            POLICY "Disable Access to USB Hub Services"

                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif

                  #if version >= 3
                        EXPLAIN !!USBHUBCFG_Help
                  #endif
      
                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY
      END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."


A few notes on that...

In order to see the Policy once you've loaded it you must select Administrative Templates, then View and Filtering and remove the Tick from:

Only show policy settings that can be fully managed

It does work though, we use it quite a lot ;)
0
 
LVL 11

Expert Comment

by:gothicbloody
ID: 12299560
try this script :
content of killusbdrive.adm

CODE  

CLASS MACHINE

CATEGORY !!categoryname

 POLICY !!policyname

  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"

  EXPLAIN !!explaintext

    PART !!labeltext DROPDOWNLIST REQUIRED
 
      VALUENAME "Start"

      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 3 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST

    END PART

  END POLICY

END CATEGORY


[strings]
categoryname="Restrict Drives"
policyname="Disable the USB Drive"
explaintext="Disables the computers USB Drive completely"
labeltext="Disable USB Drive"
Enabled="Enabled"
Disabled="Disabled"
 ---------------------------
check this out :

http://www.reflex-magnetics.com/products/disknetpro/
http://devicelock.securitybyte.com/
http://support.microsoft.com/defaul...kb;en-us;823732 -- may work for you'

0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 70

Expert Comment

by:Chris Dent
ID: 12299563
I should have explained a bit more really ;)

That makes a couple of Policies appear under Administrative Templates and System called USB Services (or at least it would if I hadn't made a typo above, so USB Storage Services).

It sets two registry values (Start) which determine whether a USB device will start up. Once the policy is applied it will simply stop the USB Devices loading on the Computers you apply the Policy to.

The Fully Managed thing is in the descriptions, but if you set the Policies to Enabled (to disable the device) it won't set back unless you reverse the Policy.
0
 

Author Comment

by:Chuckbuchan
ID: 12302657
I will have to try these approaches at a convenient time, for now I will all thank you, I will get back with you soon.
thanks
0
 

Author Comment

by:Chuckbuchan
ID: 12371482
I went through the settings of the GPO, and couldn't find anything that talks about  USB . Could you refer me to the location?
thanks
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 12372557

None of the settings in the GPO do until you manually add them.

Copy this into a file named USB.ADM (ignoring the Start and End lines).

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices""
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------

Then select Administrative Templates under Computer Configuration, right click there and Add a Template - directing it to the USB.adm file.

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed

Then, when it's done loading, expand Administrative Templates and you'll have a USB Services folder there. Expanding that will show policies to Disable Storage and Disable Hub devices.
0
 

Author Comment

by:Chuckbuchan
ID: 12382389
To Chris-Dent :
the file shows error on line 7
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 12382845

D'oh sorry.. slight typo (an extra "). Try this one:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question