Solved

disabling USB port through GPO

Posted on 2004-10-13
9
3,209 Views
Last Modified: 2012-06-21
Is there anyway to disable a USB port through GPO?
Thanks,
0
Comment
Question by:Chuckbuchan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12299175
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12299498

There's another way.

For ADM Files !!Something is a variable and must be listed in Strings (just so you know).

Anyway, we wrote the ADM below to deal with USB devices. Copy the below into a Text file called USB.adm (or really anything.adm):

CLASS MACHINE

CATEGORY "System"
      CATEGORY "USB Storage Services"
            POLICY "Disable Access to USB Storage Devices""
                  
                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif
            
                  #if version >= 3
                        EXPLAIN !!USBStorageCfg_Help
                  #endif                  

                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY

            POLICY "Disable Access to USB Hub Services"

                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif

                  #if version >= 3
                        EXPLAIN !!USBHUBCFG_Help
                  #endif
      
                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY
      END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."


A few notes on that...

In order to see the Policy once you've loaded it you must select Administrative Templates, then View and Filtering and remove the Tick from:

Only show policy settings that can be fully managed

It does work though, we use it quite a lot ;)
0
 
LVL 11

Expert Comment

by:gothicbloody
ID: 12299560
try this script :
content of killusbdrive.adm

CODE  

CLASS MACHINE

CATEGORY !!categoryname

 POLICY !!policyname

  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"

  EXPLAIN !!explaintext

    PART !!labeltext DROPDOWNLIST REQUIRED
 
      VALUENAME "Start"

      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 3 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST

    END PART

  END POLICY

END CATEGORY


[strings]
categoryname="Restrict Drives"
policyname="Disable the USB Drive"
explaintext="Disables the computers USB Drive completely"
labeltext="Disable USB Drive"
Enabled="Enabled"
Disabled="Disabled"
 ---------------------------
check this out :

http://www.reflex-magnetics.com/products/disknetpro/
http://devicelock.securitybyte.com/
http://support.microsoft.com/defaul...kb;en-us;823732 -- may work for you'

0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 71

Expert Comment

by:Chris Dent
ID: 12299563
I should have explained a bit more really ;)

That makes a couple of Policies appear under Administrative Templates and System called USB Services (or at least it would if I hadn't made a typo above, so USB Storage Services).

It sets two registry values (Start) which determine whether a USB device will start up. Once the policy is applied it will simply stop the USB Devices loading on the Computers you apply the Policy to.

The Fully Managed thing is in the descriptions, but if you set the Policies to Enabled (to disable the device) it won't set back unless you reverse the Policy.
0
 

Author Comment

by:Chuckbuchan
ID: 12302657
I will have to try these approaches at a convenient time, for now I will all thank you, I will get back with you soon.
thanks
0
 

Author Comment

by:Chuckbuchan
ID: 12371482
I went through the settings of the GPO, and couldn't find anything that talks about  USB . Could you refer me to the location?
thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12372557

None of the settings in the GPO do until you manually add them.

Copy this into a file named USB.ADM (ignoring the Start and End lines).

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices""
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------

Then select Administrative Templates under Computer Configuration, right click there and Add a Template - directing it to the USB.adm file.

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed

Then, when it's done loading, expand Administrative Templates and you'll have a USB Services folder there. Expanding that will show policies to Disable Storage and Disable Hub devices.
0
 

Author Comment

by:Chuckbuchan
ID: 12382389
To Chris-Dent :
the file shows error on line 7
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 12382845

D'oh sorry.. slight typo (an extra "). Try this one:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------
0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question