Disable specific USB Ports

Hello

We have Dell GX 280s running Windows 2000 that only have USB ports for the Keyboards and Mice.  We want to disable the other USB Ports so our younger patrons won't be able to use USB Ports to play MP3’s from a flash drive.  But we need some of the ports to stay active - does anyone know how to do this?
Asked by: starpilot1

fatalXception Commented:
You would use the device manager to locate the USB root hubs that the ports are connected to, and disable these...but bear in mind these are not individual ports, they are internal hubs which service a number of ports, so you will be disabling all ports attached to that hub - hopefully they built the system so that the keyboard and mouse USB ports are on a separate hub to the ports you want to disable.

I think a better way of doing this would be to use the Group Policy Editor to disable the use of USB Flash drives instead of turning off hardware, see this link
http://www.petri.co.il/disable_usb_disks_with_gpo.htm

which will walk you through doing this.

Let us know if you need more specific instructions.

Christopher McKay (Microsoft Network Administrator) Commented:
You could disable them in the Device Manager, but I don't think that this is a proper solution for you.

Despite your ability to disable these ports, your younger patrons will still be able to bypass you.

They could plug a USB hub into one of the working ports.

The design for USB is for the computer to automatically detect what is plugged in and run it. It also allows daisy chaining the devices.

Ultimately, you're probably better off putting a policy in place, advertising the policy and strictly enforcing punishments for violations of the policy.

Hope this helps!

:o)

Bartender_1

younghv Commented:
Hi starpilot1,
You could disable all but two USB ports in Device Manager, but the twinkies could easily sneak in a 'splitter' or pocket-hub to add in their players next to the mouse or keyboard plug.

I don't think there is any way to configure a USB port for only certain devices/functions.

Maybe someone else will have some ideas.

BTW - I used to run the IT at a Public Library and was always amazed at how many ways a 12-year-old could get around my security protections.


Vic

Christopher McKay (Microsoft Network Administrator) Commented:
Sorry fatalXception, didn't mean to duplicate part of your post.

Incidentally, using that GPO also has the effect of disabling the ability to download from some cameras. I've also heard some admins say that they've had users bypass it. (I'll have to ask them how though.)

:o)

Bartender_1

starpilot1 (Author) Commented:
Response to Younghv

I thought someone who's traveled Libraryland might pick up on "Patrons."  You are so right - it's astonishing how adaptable and clever these kids really are.  I have two libraries that are consortiums with middle schools.  It's a race to stay ahead of them - I always ask: How'd you do that?
:)

younghv Commented:
Funny - look at the posting times.
I think all three of us were typing at the same time.

RE: Library - watch the quiet ones - they are trouble.

Vic

haim96 Commented:
You can remove permission from the file usbstorage.sys (c:\winnt\system32\drivers\)
and allow it only to administrators.
This will disable all USB storage devices but keep others like keyboard, scanner, printer etc.

haim96 Commented:
Sorry, it's "USBSTOR.SYS",
at least on my XP machine, and I think it's the same in W2K.

_ Commented:
The BIOS should have a setting to disable the ports you do not want to work.
If you want to be really sure, Password the BIOS Setup, so they can not change it back.

Phadke_hemant Commented:
Set up group policy and disable device driver installation rights for the users.

nobus Commented:
The only way I know is disabling the access by hardware: glue the connection closed, or put a shield in front.

dandaman32 Commented:
Get a bunch of 200MHz computers and one big, powerful server and put Fedora Core 6 on the server, then set up the 200MHz boxes to be diskless clients and install LTSP (www.ltsp.org) on the server. Make sure you have a DHCP server set up on the Fedora Core 6 box, then disable any built-in DHCP functions your router may have. Finally install 100Mbit NICs *with boot ROM* in all the cheapo client PCs, plug 'em in, turn 'em on, and hopefully they'll boot Linux and log onto your server via XDMCP.

Yeah, it takes a lot of effort, and it requires leaving Microsoft in the dust by migrating your system to Linux. But it will give you ultimate security: you can't hack what isn't there.

-dandaman32

bentodegier Commented:
If these are USB Ports which are connected with a cable to the motherboard, just unplug the cable.

dandaman32 Commented:
OK, you're probably thinking that the Terminal Server jazz was a bit too much.

You know, if you're worried about them running programs that are on the disks, just use the RestrictRun registry setting (I found a guide for it at http://www.kellys-korner-xp.com/xp_a.htm) to make a whitelist of programs that can be executed. This would allow people to download stuff to their disks, but they would not be able to execute any hacker tools that might be on their USB drives.

Another thing that you may want to consider is writing a custom shell wrapper that executes Internet Explorer full-screen and launches a password prompt when IE is closed. After the password is typed, you are presented with a menu that allows you to log off the PC, start Task Manager, or start the default Windows shell. I did this, and now my system is truly unhackable! (I had to hit Reset once or twice just because I couldn't break out of my shell.) I can post the source code if you like, the shell is written in NSIS (http://nsis.sourceforge.net), it uses HTML and Javascript for the menu, and an IE hack to execute files from the HTML menu. If you like the idea, I'll write up an installation system for my shell so it will be easy to install.

(Offtopic - @ExpertsExchange admins: I would genuinely appreciate the ability to edit and delete comments, otherwise this site looks like it was hacked up in about five minutes. Believe me, I know. I write and maintain a web content management system that lets you edit comments with an AJAX applet.)

-dandaman32

leontas Commented:
I do this all the time to disable USB sticks & iPods to connect to my workstations at work, because people tend to put their own stuff on the company's computers which is not allowed by the management...

Run regedit,
go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

You will see a DWORD value START that says 3 there, change 3 to 4, and that's it! You may need to restart your PC, I don't remember as it's been a few months since I last used this method.

USB stuff works just fine, i.e. printers etc., but no USB storage for your users! :)

This registry tweak is so simple that you don't really need to back up your registry, however I encourage you to do so because if for whatever reason someone MUST use USB storage and you are not there, there will be a problem! :)
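
A compliance check for the USBSTOR registry change described above, as an added example that is not part of the original thread: it reads regedit exports of the key from several machines and flags any where Start is not 4. The host names and sample exports are constructed, and the function names are hypothetical.

```python
import re

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
# Service start types as stored in the Start DWORD.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

def usbstor_start(reg_text):
    """Return the USBSTOR Start DWORD from .reg export text, or None if absent."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Exact match only, so subkeys such as ...\USBSTOR\Enum are ignored.
            in_key = line[1:-1].lower() == USBSTOR_KEY.lower()
        elif in_key:
            m = re.fullmatch(r'"start"=dword:([0-9a-f]{8})', line, re.IGNORECASE)
            if m:
                return int(m.group(1), 16)
    return None

def audit(exports):
    """Map host -> (compliant, detail); compliant means Start == 4 (disabled)."""
    report = {}
    for host, text in exports.items():
        start = usbstor_start(text)
        if start is None:
            report[host] = (False, "USBSTOR Start value not found in export")
        else:
            name = START_TYPES.get(start, "unknown")
            report[host] = (start == 4, "Start=%d (%s)" % (start, name))
    return report

# Constructed sample exports with hypothetical host names. Real regedit
# "Version 5.00" exports are UTF-16 files; decode them before parsing.
_HDR = "Windows Registry Editor Version 5.00\n\n"
SAMPLE_EXPORTS = {
    "KIOSK-01": _HDR + "[" + USBSTOR_KEY + "]\n"
                + '"Type"=dword:00000001\n"Start"=dword:00000004\n',
    "KIOSK-02": _HDR + "[" + USBSTOR_KEY + "]\n"
                + '"Start"=dword:00000003\n',
    "KIOSK-03": _HDR + "[" + USBSTOR_KEY + "\\Enum]\n"
                + '"Count"=dword:00000000\n',
}

if __name__ == "__main__":
    for host, (ok, detail) in sorted(audit(SAMPLE_EXPORTS).items()):
        print("%-9s %-4s %s" % (host, "OK" if ok else "FAIL", detail))
```

A machine reported as "not found" has no Start value under the exact USBSTOR key in its export, so the change cannot be confirmed there.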

haim96 Commented:
Right!! I forgot the registry set!
It's part of our USB storage disable setting and I mentioned only the security on the USBSTOR.SYS file.

:(

And that reminds me that another part is to remove permission from this key with regedt32
in case of a "smart" user.
 

younghv Commented:
DON'T YOU LOVE THIS WEBSITE!?

Wish I had been a member when I was chasing all those rug-rats at the library.

Kudos to haim and leontas

starpilot1 (Author) Commented:
Hello haim96

Registry set?  Not sure what that is.  Also these machines are locked down with Public Web Browser and tied through a proxy to a white list so even smart users can't get to anything else on the machine or anyplace else from the white list.

So after modifying the Dword - are there other steps?
We'll try this next week...

starpilot1 (Author) Commented:
Hi Vic

Yes this is a TERRIFIC website!!!!!  Although I have tried the patience of many experts here - It's a lot better than dealing with the County IT department!  No one on this site judges you...

haim96 Commented:
I meant registry definition, sorry for bad English.
:)

leontas Commented:
No, after you modify the DWORD you just close regedit and you are fine!!
I tried it on my own computer right after I answered your question and it didn't even need restarting, so don't bother! :)

haim96 Commented:
The registry key locks the device,
but the permission change is to make sure that other users will not change it back somehow.
(If they are local admin on the machine they could do that...)
Anyway, you are right when you say that it's not necessary.

starpilot1 (Author) Commented:
I will try all these modifications on Monday and then let you know.

Phadke_hemant Commented:
If you disable the device driver installation behaviour, no user can install any USB device though it's connected to the machine.

If you disable all other ports, users may use your mouse's port to connect the USB devices.

jalilthe1 Commented:
Access your administrator account

Go to My Computer properties

Hardware tab > Device Manager > From the list select Universal Serial Bus Controllers >

Select a USB port and disable it, and check each one for your satisfaction

Good Luck

younghv Commented:
leontas - great answer!
I am already using that on our network - thanks.
Vic

starpilot1 (Author) Commented:
Thanks very much to everybody - you were a great help and inspiration - Experts Exchange is a terrific service!!!