USB restriction for non admin users

Posted on 2009-04-02
Last Modified: 2013-12-04
Greetings experts,

I have been working on a business need to disable some specific USB devices for users. The case is that we need to prevent users from connecting their personal USB wireless devices, pen drives, etc., except for the ones admin users install for them. We do not need to disable USB devices altogether; I can do that using GPO or by editing the registry without issues. We need to limit the USB devices to only the ones that are already installed. However, the issue here is that when users try to connect a USB wireless device of the same brand that the Admin has previously installed, the device will work without issue, since an admin user has already installed the driver previously. My questions are:

- Is there a possible way to deny activating the device if this particular device was not installed before?
- What exactly are the device driver file names for Wireless USB Connect cards / 3G wireless devices?
- Is there any freeware tool that can achieve this as well (restrict installing USB devices other than the ones already installed, based on Device ID or MAC address maybe)?

I had an idea, which was to use NTFS permissions to deny Everyone access to the files USBSTOR.SYS & USBSTOR.PNF located under C:\windows\system32\drivers.
I had the idea that Windows would try to obtain the driver from that location when a device is connected for the first time, and would use the same driver from the Dllcache folder; this did not do the trick. Thanks in advance for your time & assistance.
Question by: Admin3k

Expert Comment by coolsport00 (LVL 40)

There isn't freeware for this... my org uses GFI EndpointSecurity, which is cheap but not free. The only 'free' alternative I can think of is GPP (Group Policy Preferences). You have to have at least one Vista SP1 or 2K8 machine on your domain to run it. But it has port security in it. I myself don't have or run it, but hear it's pretty good. The reason I put free in quotes is that if you don't have Vista/2K8 you obviously have to purchase that software.
These links should also help:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24054604.html
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24114010.html

Expert Comment by bmatumbura (LVL 11)

Not sure if there are free utilities that can do this; but have a look at these:

http://www.centennial-software.com/products/devicewall/
http://www.devicewall.com/

Expert Comment by anuroopkoka2005 (LVL 4)

Hi,

Below is the freeware to achieve what you wanted...
It will stop the USB devices from being accessed.

http://www.netwrix.com/usb_blocker_freeware.html?_kk=usb%20security&_kt=2be0cd79-1f27-4161-aa50-cd3bb56dbbfb&gclid=COmGzcKj0pkCFYh_3godeARmsg

The freeware will block the USB storage devices.
The commercial version will block all the devices, including other devices (iPods, Printers, PDAs, Network adapters, Modems, Imaging devices, etc.) (*)

Refer to the differences: http://www.netwrix.com/usb_blocker.html

Expert Comment by anuroopkoka2005 (LVL 4)

The above application is for all the machines connected in the domain.

Expert Comment by anuroopkoka2005 (LVL 4)

Do you want to block the wireless USB devices?

Author Comment by Admin3k (LVL 23)

Yes, what I need to do is to allow only the USB wireless devices that are already installed. I do not want to shut down USB devices for good; achieving this is easy. I want to disallow installing new wireless USB devices & storage if possible, while the previously installed ones keep working.
Please let me know if I am not clear.
Thanks for your feedback so far.

Expert Comment by bmatumbura (LVL 11)

From my understanding, you wouldn't want users to connect to your wireless network using any wireless device other than the one your admins installed. My suggestion then would be to enable filtering by MAC address on your wireless access point. You'll have to keep track of the MAC addresses that the authorized devices use.

Author Comment by Admin3k (LVL 23)

This is not exactly the issue, as we are not talking about a normal 802.11x wireless card. I was referring to Connect card USB devices which use 3G for broadband connectivity; there are no local access points or routers involved here.
Some users are assigned those devices, but we do not want them to use their personal ones, for compliance purposes.

Expert Comment by johnb6767 (LVL 66)

Wonder if you can just remove all but the Administrators/System user/group from usbstor.inf?

Accepted Solution by Admin3k (LVL 23), earned 0 total points

@coolsport00:
I have tried the accepted solution there with no go:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24054604.html
There is a logical issue here, as it relies only on the device driver, which is useless if the user will use the exact same device (they are publicly available for purchase).
As for GPP, I am looking into that, but it will take quite some time to implement and test, as I do not have access to a W2k8 machine atm.
As for GFI EndPoint, I know the application will do the trick, but I am afraid this is a bit out of budget, as we are planning to use it on a few hundred laptops.
@johnb6767: same thing, this will work only on the device driver level; devices of the same type already installed or new ones will still work.
I have used a trial version of one tool called "MyUSBOnly" which has a device whitelist feature based on serial number, but it is not working as it should:
http://www.myusbonly.com/usb/index.php
Since there is currently no known method to do this, I think I will work on developing a small Windows service to take care of this requirement using C#, based on this code: http://www.cfdan.com/posts/Retrieving_Non-Volatile_USB_Serial_Number_Using_C_Sharp.cfm
I will set the logic to "read" all approved device IDs on a test machine from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, then deny installation of any USB device not in the approved serial number range.
I will leave the question open for a few days in case someone comes up with any fresh ideas.
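As an added example (not code from any participant in this thread), the following PowerShell script implements the audit half of the whitelist idea above: it enumerates the device instances Windows has recorded under HKLM\SYSTEM\CurrentControlSet\Enum\USB and flags any whose instance ID (the USB serial number, where the device reports one) is not on an approved list. The approved serials and the function names Get-UsbInstance and Test-UsbApproved are assumptions for illustration; the script only reports, it does not block.

```powershell
# Added example, not code from the thread. Reads the per-device sub-keys that
# Windows creates under HKLM\SYSTEM\CurrentControlSet\Enum\USB and reports any
# instance whose ID is not on an approved list. The approved serials below are
# constructed sample values; replace them with IDs collected from a reference PC.
$EnumUsb  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
$Approved = @('CONSTRUCTED_SERIAL_0001', '0123456789ABCDEF')

function Get-UsbInstance {
    # Hardware keys look like USB\VID_xxxx&PID_yyyy; each sub-key is one instance.
    # A device that reports a USB serial number gets that serial as its instance
    # ID; one that does not gets a generated ID containing '&', which is only
    # unique per port and cannot tell two identical units apart.
    Get-ChildItem -Path $EnumUsb -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'VID_*' } |
        ForEach-Object {
            $hardwareId = $_.PSChildName
            Get-ChildItem -Path $_.PSPath | ForEach-Object {
                $props = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    HardwareId  = $hardwareId
                    InstanceId  = $_.PSChildName
                    HasSerial   = ($_.PSChildName -notmatch '&')
                    Class       = $props.Class
                    Description = $props.DeviceDesc
                }
            }
        }
}

function Test-UsbApproved {
    param(
        [Parameter(ValueFromPipeline)] [object]$Instance,
        [string[]]$Allow
    )
    process {
        # Only a real serial can be meaningfully whitelisted; HasSerial = False
        # tells the admin the list cannot distinguish units of that model.
        $Instance | Select-Object *,
            @{ n = 'Approved'; e = { $Allow -contains $_.InstanceId } }
    }
}

# Report devices that have been plugged in but are not on the approved list.
Get-UsbInstance | Test-UsbApproved -Allow $Approved |
    Where-Object { -not $_.Approved } |
    Sort-Object HardwareId |
    Format-Table HardwareId, InstanceId, HasSerial, Class, Description -AutoSize
```

Rows with HasSerial = False carry an ID Windows generated because the device reported no serial; that is exactly the case in which two units of the same model cannot be told apart, which is the limitation described above.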
Assisted Solution by johnb6767 (LVL 66), earned 250 total points

In conjunction with restricting the rights to usbstor.inf, you can try a few other things...

USB devices write to this key when installed: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

You might be able to remove the USB-specific entries there.

You might even try removing the read rights to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR as well.

Please don't try these on a production machine, as I don't know the results!


Expert Comment by dstewartjr (LVL 47)

Here's an adm that works great.
CLASS MACHINE

CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART !!labeltextusb DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART !!labeltextcd DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART !!labeltextflpy DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART !!labeltextls120 DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"