Solved

Disable specific USB Ports

Posted on 2006-10-25
Last Modified: 2010-06-22
Hello

We have Dell GX 280s running Windows 2000 that only have USB ports for the Keyboards and Mice.  We want to disable the other USB Ports so our younger patrons won't be able to use USB Ports to play MP3’s from a flash drive.  But we need some of the ports to stay active - does anyone know how to do this?
Question by:starpilot1
27 Comments
 
LVL 8

Expert Comment

by:fatalXception
ID: 17805477
You would use the device manager to locate the USB root hubs that the ports are connected to, and disable these...but bear in mind these are not individual ports, they are internal hubs which service a number of ports, so you will be disabling all ports attached to that hub - hopefully they built the system so that the keyboard and mouse USB ports are on a separate hub to the ports you want to disable.

I think a better way of doing this would be to use the Group Policy Editor to disable the use of USB Flash drives instead of turning off hardware, see this link
http://www.petri.co.il/disable_usb_disks_with_gpo.htm

which will walk you through doing this.

Let us know if you need more specific instructions.

0
 
LVL 22

Expert Comment

by:Bartender_1
ID: 17805497
You could disable them in the Device Manager, but I don't think that this is a proper solution for you.

Despite your ability to disable these ports, your younger patrons will still be able to bypass you.

They could plug a USB hub into one of the working ports.

The design for USB is for the computer to automatically detect what is plugged in and run it. It also allows daisy chaining the devices.

Ultimately, you're probably better off putting a policy in place, advertising the policy and strictly enforcing punishments for violations of the policy.

Hope this helps!

:o)

Bartender_1
0
 
LVL 38

Expert Comment

by:younghv
ID: 17805506
Hi starpilot1,
You could disable all but two USB ports in Device Manager, but the twinkies could easily sneak in a 'splitter' or pocket-hub to add in their players next to the mouse or keyboard plug.

I don't think there is any way to configure a USB port for only certain devices/functions.

Maybe someone else will have some ideas.

BTW - I used to run the IT at a Public Library and was always amazed at how many ways a 12-year-old could get around my security protections.


Vic
0
 
LVL 22

Expert Comment

by:Bartender_1
ID: 17805545
Sorry fatalXception, didn't mean to duplicate part of your post.

Incidentally, using that GPO also has the effect of disabling the ability to download from some cameras. I've also heard some admins say that they've had users bypass it. (I'll have to ask them how though.)

:o)

Bartender_1
0
 

Author Comment

by:starpilot1
ID: 17805606
Response to Younghv

I thought someone who's traveled Libraryland might pick up on "Patrons."  You are so right - it's astonishing how adaptable and clever these kids really are.  I have two libraries that are consortiums with middle schools.  It's a race to stay ahead of them - I always ask: How'd you do that?
:)
0
 
LVL 38

Expert Comment

by:younghv
ID: 17805743
Funny - look at the posting times.
I think all three of us were typing at the same time.

RE: Library - watch the quiet ones - they are trouble.

Vic
0
 
LVL 13

Expert Comment

by:haim96
ID: 17806485
You can remove permission from the file usbstorage.sys (c:\winnt\system32\drivers\)
and allow it only to administrators.
This will disable all USB storage devices but keep others like keyboard, scanner, printer etc.
0
 
LVL 13

Expert Comment

by:haim96
ID: 17806500
Sorry, it's "USBSTOR.SYS",
at least on my XP machine, and I think it's the same in W2K.
0
 
LVL 32

Expert Comment

by:_
ID: 17809432
The BIOS should have a setting to disable the ports you do not want to work.
If you want to be really sure, Password the BIOS Setup, so they can not change it back.
0
 
LVL 10

Expert Comment

by:Phadke_hemant
ID: 17809530
Set up group policy and disable device driver installation rights for the users.
0
 
LVL 91

Expert Comment

by:nobus
ID: 17809930
The only way I know is disabling the access by hardware: glue the connection closed, or put a shield in front.
0
 
LVL 1

Expert Comment

by:dandaman32
ID: 17810018
Get a bunch of 200MHz computers and one big, powerful server and put Fedora Core 6 on the server, then set up the 200MHz boxes to be diskless clients and install LTSP (www.ltsp.org) on the server. Make sure you have a DHCP server set up on the Fedora Core 6 box, then disable any built-in DHCP functions your router may have. Finally install 100Mbit NICs *with boot ROM* in all the cheapo client PCs, plug 'em in, turn 'em on, and hopefully they'll boot Linux and log onto your server via XDMCP.

Yeah, it takes a lot of effort, and it requires leaving Microsoft in the dust by migrating your system to Linux. But it will give you ultimate security: you can't hack what isn't there.

-dandaman32
0
 

Expert Comment

by:bentodegier
ID: 17810178
If these are USB Ports which are connected with a cable to the motherboard, just unplug the cable.
0

 
LVL 1

Expert Comment

by:dandaman32
ID: 17814825
OK, you're probably thinking that the Terminal Server jazz was a bit too much.

You know, if you're worried about them running programs that are on the disks, just use the RestrictRun registry setting (I found a guide for it at http://www.kellys-korner-xp.com/xp_a.htm) to make a whitelist of programs that can be executed. This would allow people to download stuff to their disks, but they would not be able to execute any hacker tools that might be on their USB drives.

Another thing that you may want to consider is writing a custom shell wrapper that executes Internet Explorer full-screen and launches a password prompt when IE is closed. After the password is typed, you are presented with a menu that allows you to log off the PC, start Task Manager, or start the default Windows shell. I did this, and now my system is truly unhackable! (I had to hit Reset once or twice just because I couldn't break out of my shell.) I can post the source code if you like, the shell is written in NSIS (http://nsis.sourceforge.net), it uses HTML and Javascript for the menu, and an IE hack to execute files from the HTML menu. If you like the idea, I'll write up an installation system for my shell so it will be easy to install.

(Offtopic - @ExpertsExchange admins: I would genuinely appreciate the ability to edit and delete comments, otherwise this site looks like it was hacked up in about five minutes. Believe me, I know. I write and maintain a web content management system that lets you edit comments with an AJAX applet.)

-dandaman32
0
 
LVL 2

Accepted Solution

by:
leontas earned 500 total points
ID: 17816038
I do this all the time to stop USB sticks & iPods from connecting to my workstations at work, because people tend to put their own stuff on the company's computers, which is not allowed by the management...

Run regedit,
go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

You will see a DWORD value START that says 3 there, change 3 to 4, and that's it! You may need to restart your PC, I don't remember as it's been a few months since I last used this method.

USB stuff works just fine, i.e. printers etc., but no USB storage for your users! :)

This registry tweak is so simple that you don't really need to back up your registry, however I encourage you to do so because if for whatever reason someone MUST use USB storage and you are not there, there will be a problem! :)
0
 
LVL 13

Expert Comment

by:haim96
ID: 17816148
Right!! I forgot the registry set!
It's part of our USB storage disable setting and I mentioned only the security on the USBSTOR.SYS file.

:(

And that reminds me that another part is to remove permission from this key with regedt32
in case of a "smart" user.
 
0
 
LVL 38

Expert Comment

by:younghv
ID: 17816168
DON'T YOU LOVE THIS WEBSITE!?

Wish I had been a member when I was chasing all those rug-rats at the library.

Kudos to haim and leontas
0
 

Author Comment

by:starpilot1
ID: 17816175
Hello haim96

Registry set?  Not sure what that is.  Also these machines are locked down with Public Web Browser and tied through a proxy to a white list so even smart users can't get to anything else on the machine or anyplace else from the white list.

So after modifying the Dword - are there other steps?
We'll try this next week...
0
 

Author Comment

by:starpilot1
ID: 17816188
Hi Vic

Yes this is a TERRIFIC website!!!!!  Although I have tried the patience of many experts here - It's a lot better than dealing with the County IT department!  No one on this site judges you...
0
 
LVL 13

Expert Comment

by:haim96
ID: 17820561
I meant registry definition, sorry for bad English.
:)
0
 
LVL 2

Expert Comment

by:leontas
ID: 17824247
No, after you modify the DWORD you just close regedit and you are fine!!
I tried it on my own computer right after I answered your question and it didn't even need restarting, so don't bother! :)
0
 
LVL 13

Expert Comment

by:haim96
ID: 17824936
The registry key locks the device.
But the permission change is there to make sure that other users will not change it back somehow.
(If they are local admins on the machine they could do that...)
Anyway, you're right when you say that it's not necessary.
0
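The registry change from leontas's accepted answer, combined with haim96's point about who may write the key, as an added audit sketch that is not part of the original thread. It assumes a machine where PowerShell is available (not a stock Windows 2000 install) and an elevated session; the function name `Test-UsbStorLockdown` and the list of trusted writers are assumptions.

```powershell
# Added example: audit, and optionally enforce, the USBSTOR lockdown from this thread.
# Test-UsbStorLockdown is a hypothetical name; run from an elevated session.
function Test-UsbStorLockdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Enforce)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    if (-not (Test-Path -Path $key)) {
        Write-Warning "$key not found; nothing to audit."
        return
    }

    # Start = 3 is demand start (driver loads when a stick is plugged in), 4 is disabled.
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    if ($start -ne 4 -and $Enforce -and $PSCmdlet.ShouldProcess($key, 'Set Start to 4')) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        $start = (Get-ItemProperty -Path $key -Name Start).Start
    }

    # The setting only holds if ordinary accounts cannot write the key back to 3.
    $trusted = @(
        'S-1-5-18',        # SYSTEM
        'S-1-5-32-544',    # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $writers = @(
        (Get-Acl -Path $key).GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.RegistryRights -band [int]$writeMask) -ne 0) -and
                $trusted -notcontains $_.IdentityReference.Value
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
    )

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Start             = $start
        StorageDisabled   = ($start -eq 4)
        UnexpectedWriters = $writers   # SIDs with write access beyond the trusted list
        Compliant         = ($start -eq 4 -and $writers.Count -eq 0)
    }
}

Test-UsbStorLockdown                      # report only
# Test-UsbStorLockdown -Enforce -WhatIf   # preview the change without writing
```

Running the report on a schedule shows when the value has drifted back to 3 or when the key's ACL has been loosened.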
 

Author Comment

by:starpilot1
ID: 17825488
I will try all these modifications on Monday and then let you know.
0
 
LVL 10

Expert Comment

by:Phadke_hemant
ID: 17831938
If you disable the device driver installation behaviour, no user can install any USB device even though it's connected to the machine.

If you disable all other ports, the user may use your mouse's port to connect the USB devices.
0
 
LVL 7

Expert Comment

by:jalilthe1
ID: 17872672
Access your administrator account

Go to My Computer properties

Hardware tab > Device Manager > From the list select Universal Serial Bus Controllers >

Select a USB port and disable it, and check each one for your satisfaction

Good Luck
0
 
LVL 38

Expert Comment

by:younghv
ID: 17873483
leontas - great answer!
I am already using that on our network - thanks.
Vic
0
 

Author Comment

by:starpilot1
ID: 17873515
Thanks very much to everybody - you were a great help and inspiration - Experts Exchange is a terrific service!!!
0
