Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 650
  • Last Modified:

Prevent access to USB Storage devices on a per user basis

Hi,

I'd like to know if it's possible to restrict USB devices on a per user bases, the only users that should be able to access USB Storage devices, are those in the "USB Access" security group.

I'm using both windows server 2000/2003 for this, with group policy management console. I know it can be done per machine, but we do need it per user, as everyone has roaming profiles.

In addition, this needs to be enforced, as im aware that if someone with rights inserts a usb stick, drivers are loaded into memory, thus anyone can use USB devices untill next reboot, any way to unload this or something?

Clients are windows XP based machines.

Thanks
Billy
0
billy_howard
Asked:
billy_howard
  • 4
  • 2
  • 2
  • +1
1 Solution
 
billy_howardAuthor Commented:
Thanks,

But I need this for a network/server client architecture. I manage over 500 machines...

Regards
0
 
samiam41Commented:
billy,

I would recommend making a registry change to your XP clients.  Your clients have to be running at least SP2.

Here is the article where I found the information regarding this procedure (to give proper credit):
http://labnol.blogspot.com/2006/07/how-employers-disable-usb-ports-how.html

Let us know if you have a login script and whether it is a batch file (.bat) or a visual basic script (.vbs).
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
samiam41Commented:
The script will make the following changes:
Open registry and navigate to the following registry key:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\UsbStor
 
Now in the right pane, double-click Start and type 4 in the Value data box (Hexadecimal) and quite the registry editor. To enable the USB storage devices, change the Start value back to 3.

Open in new window

0
 
samiam41Commented:
oDbA came up with a solution I completely forgot about.  Use group policy to modify the registry based on the user's group assignment.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22733050.html

GPMC is available by download here in the event you don't have it:
http://go.microsoft.com/fwlink/?linkid=21813

Under a group policy (using Group Policy Management Console)
-Computer Configuration\Windows Settings\Security Settings\Registry
0
 
samiam41Commented:
Stick with the script option to import a reg file using startup under computer configuration in GPMC.
0
 
Michael PfisterCommented:
0
 
Michael PfisterCommented:
http://www.lumension.com/usb_security.jsp

(ex SecureWave Sanctuary Device Control)
0
 
billy_howardAuthor Commented:
Cheers for help
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now