Solved

disabling USB port through GPO

Posted on 2004-10-13
9
3,166 Views
Last Modified: 2012-06-21
Is there anyway to disable a USB port through GPO?
Thanks,
0
Comment
Question by:Chuckbuchan
9 Comments
 
LVL 18

Expert Comment

by:luv2smile
Comment Utility
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

There's another way.

For ADM Files !!Something is a variable and must be listed in Strings (just so you know).

Anyway, we wrote the ADM below to deal with USB devices. Copy the below into a Text file called USB.adm (or really anything.adm):

CLASS MACHINE

CATEGORY "System"
      CATEGORY "USB Storage Services"
            POLICY "Disable Access to USB Storage Devices""
                  
                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif
            
                  #if version >= 3
                        EXPLAIN !!USBStorageCfg_Help
                  #endif                  

                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY

            POLICY "Disable Access to USB Hub Services"

                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif

                  #if version >= 3
                        EXPLAIN !!USBHUBCFG_Help
                  #endif
      
                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY
      END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."


A few notes on that...

In order to see the Policy once you've loaded it you must select Administrative Templates, then View and Filtering and remove the Tick from:

Only show policy settings that can be fully managed

It does work though, we use it quite a lot ;)
0
 
LVL 11

Expert Comment

by:gothicbloody
Comment Utility
try this script :
content of killusbdrive.adm

CODE  

CLASS MACHINE

CATEGORY !!categoryname

 POLICY !!policyname

  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"

  EXPLAIN !!explaintext

    PART !!labeltext DROPDOWNLIST REQUIRED
 
      VALUENAME "Start"

      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 3 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST

    END PART

  END POLICY

END CATEGORY


[strings]
categoryname="Restrict Drives"
policyname="Disable the USB Drive"
explaintext="Disables the computers USB Drive completely"
labeltext="Disable USB Drive"
Enabled="Enabled"
Disabled="Disabled"
 ---------------------------
check this out :

http://www.reflex-magnetics.com/products/disknetpro/
http://devicelock.securitybyte.com/
http://support.microsoft.com/defaul...kb;en-us;823732 -- may work for you'

0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility
I should have explained a bit more really ;)

That makes a couple of Policies appear under Administrative Templates and System called USB Services (or at least it would if I hadn't made a typo above, so USB Storage Services).

It sets two registry values (Start) which determine whether a USB device will start up. Once the policy is applied it will simply stop the USB Devices loading on the Computers you apply the Policy to.

The Fully Managed thing is in the descriptions, but if you set the Policies to Enabled (to disable the device) it won't set back unless you reverse the Policy.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:Chuckbuchan
Comment Utility
I will have to try these approaches at a convenient time, for now I will all thank you, I will get back with you soon.
thanks
0
 

Author Comment

by:Chuckbuchan
Comment Utility
I went through the settings of the GPO, and couldn't find anything that talks about  USB . Could you refer me to the location?
thanks
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

None of the settings in the GPO do until you manually add them.

Copy this into a file named USB.ADM (ignoring the Start and End lines).

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices""
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------

Then select Administrative Templates under Computer Configuration, right click there and Add a Template - directing it to the USB.adm file.

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed

Then, when it's done loading, expand Administrative Templates and you'll have a USB Services folder there. Expanding that will show policies to Disable Storage and Disable Hub devices.
0
 

Author Comment

by:Chuckbuchan
Comment Utility
To Chris-Dent :
the file shows error on line 7
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
Comment Utility

D'oh sorry.. slight typo (an extra "). Try this one:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

What’s a web proxy server? A proxy server is a server that goes between clients and web servers, used in corporate to enforce corporate browsing policy and ensure security. Proxy servers are commonly used in three modes. A)    Forward proxy …
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now