Solved

USB restriction for non admin users

Posted on 2009-04-02
3,359 Views
Last Modified: 2013-12-04
Greetings experts,

I have been working on a business need to disable some specific USB devices for users. The case is that we need to prevent users from connecting their personal USB wireless devices, pen drives, etc., except for the ones admin users install for them. We do not need to disable USB devices altogether; I can do that using GPO or by editing the registry without issues. We need to limit the USB devices to only the ones that are already installed. However, the issue here is that when users try to connect a USB wireless device of the same brand that the Admin has previously installed, the device will work without issue, since an admin user has already installed the driver previously. My questions are:

- Is there a possible way to deny activating the device if this particular device was not installed before?
- What exactly are the device driver file names for Wireless USB Connect cards / 3G wireless devices?
- Is there any freeware tool that can achieve this as well? (Restrict installing USB devices other than the ones already installed, based on Device ID or MAC address maybe?)

I had an idea, which is to use NTFS permissions to deny everyone access to the files USBSTOR.SYS and USBSTOR.PNF located under C:\windows\system32\drivers.
My thinking was that Windows would try to obtain the driver from that location when a device is connected for the first time, and would use the same driver from the Dllcache folder. This did not do the trick. Thanks in advance for your time and assistance.
Question by:Admin3k
13 Comments
 
LVL 4

Expert Comment

by:anuroopkoka2005
ID: 24048867
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24048874
There isn't freeware for this... my org uses GFI EndpointSecurity, which is cheap but not free. The only 'free' alternative I can think of is GPP (Group Policy Preferences). You have to have at least one Vista SP1 or 2K8 machine on your domain to run it, but it has port security in it. I myself don't have or run it, but hear it's pretty good. The reason I put free in quotes is that if you don't have Vista/2K8 you obviously have to purchase that software.
These links should also help:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24054604.html
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24114010.html
0
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24048937
Not sure if there are free utilities that can do this; but have a look at these:

http://www.centennial-software.com/products/devicewall/
http://www.devicewall.com/
0
 
LVL 4

Expert Comment

by:anuroopkoka2005
ID: 24049428
Hi,

Below is the freeware to achieve what you wanted. It will stop the USB devices from being accessed.

http://www.netwrix.com/usb_blocker_freeware.html?_kk=usb%20security&_kt=2be0cd79-1f27-4161-aa50-cd3bb56dbbfb&gclid=COmGzcKj0pkCFYh_3godeARmsg

The freeware will block USB storage devices.
The commercial version will block all devices, including other devices (iPods, printers, PDAs, network adapters, modems, imaging devices, etc.) (*)

Refer to the differences: http://www.netwrix.com/usb_blocker.html

0
 
LVL 4

Expert Comment

by:anuroopkoka2005
ID: 24049667
The above application is for all the machines connected in the domain.
0
 
LVL 4

Expert Comment

by:anuroopkoka2005
ID: 24049685
Do you want to block the wireless USB devices?
0
 
LVL 23

Author Comment

by:Admin3k
ID: 24049781
Yes, what I need to do is to allow only the USB wireless devices that are already installed. I do not want to shut down USB devices for good; achieving that is easy. I want to disallow installing new wireless USB devices (and storage, if possible) while the previously installed ones keep working.
Please let me know if I am not clear.
Thanks for your feedback so far.
0
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24049844
From my understanding, you wouldn't want users to connect to your wireless network using any wireless device other than the one your admins installed. My suggestion then would be to enable filtering by MAC address on your wireless access point. You'll have to keep track of the MAC addresses that the authorized devices use.
0
 
LVL 23

Author Comment

by:Admin3k
ID: 24050019
This is not exactly the issue, as we are not talking about a normal 802.11x wireless card. I was referring to Connect Card USB devices which use 3G for broadband connectivity; there are no local access points or routers involved here.
Some users are assigned those devices, but we do not want them to use their personal ones for compliance purposes.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24054288
Wonder if you can just remove all but the Administrators/System user/group from usbstor.inf?
0
 
LVL 23

Accepted Solution

by: Admin3k (earned 0 total points)
ID: 24076678
@coolsport00:
I have tried the accepted solution there with no luck:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24054604.html
There is a logical issue here, as it relies only on the device driver, which is useless if the user uses the exact same device (they are publicly available for purchase).
As for GPP, I am looking into that, but implementing and testing it will take quite some time, as I do not have access to a W2K8 machine at the moment.
As for GFI EndPointSecurity, I know the application will do the trick, but I am afraid this is a bit out of budget, as we are planning to use it on a few hundred laptops.
@johnb6767: same thing; this will work only at the device driver level. Devices of the same type, whether already installed or new, will still work.
I have used a trial version of one tool called "MyUSBOnly" which has a device whitelist feature based on serial number, but it is not working as it should:
http://www.myusbonly.com/usb/index.php
Since there is currently no known method to do this, I think I will work on developing a small Windows service to take care of this requirement using C#, based on this code: http://www.cfdan.com/posts/Retrieving_Non-Volatile_USB_Serial_Number_Using_C_Sharp.cfm
I will set the logic to "read" all approved device IDs on a test machine from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, then deny installation of any USB device not in the approved serial number range.
I will leave the question open for a few days in case someone comes up with any fresh ideas.


0
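The allowlist logic the accepted answer sketches (read the approved device instances from HKLM\SYSTEM\CurrentControlSet\Enum\USB, then act on anything that is not on the list) can be prototyped without writing a C# service. The script below is an added example and is not code from this thread or from any of the products mentioned in it. It assumes an elevated PowerShell 3.0 or later session; the allowlist file path is arbitrary, and the optional enforcement step relies on the Disable-PnpDevice cmdlet, which exists only on Windows 8.1 / Server 2012 R2 and later, so on an XP-era fleet the script is report-only.

```powershell
# Added example (not from the thread): allowlist USB devices by instance ID,
# which for a device that reports a serial number is "USB\VID_xxxx&PID_xxxx\<serial>".
# Two units of the same model share the hardware ID (and the driver) but not
# the serial, which is exactly the gap the question describes.
# Assumptions: elevated session, PowerShell 3.0+, Disable-PnpDevice for -Enforce.
[CmdletBinding()]
param(
    [string]$AllowlistPath = "$env:ProgramData\UsbAllowlist.txt",   # illustrative path
    [switch]$Export,    # write this machine's installed devices out as the allowlist
    [switch]$Enforce    # disable unapproved devices instead of only reporting them
)

$EnumUsb = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'

function Get-UsbInstance {
    # Every USB device the machine has ever installed is recorded as
    # Enum\USB\<hardware id>\<instance>. If the device reports a serial number
    # the instance IS that serial; otherwise Windows generates one such as
    # "7&1a2b3c4d&0&1" (always contains '&'), which is port-dependent and cannot
    # identify a particular unit. Interfaces of composite devices live under
    # "...&MI_nn" keys and are skipped; their parent instance decides.
    Get-ChildItem -Path $EnumUsb -ErrorAction SilentlyContinue | ForEach-Object {
        $hwid = $_.PSChildName
        Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $inst = $_.PSChildName
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $desc = if ($p.FriendlyName) { $p.FriendlyName } else { $p.DeviceDesc }
            [pscustomobject]@{
                InstanceId    = "USB\$hwid\$inst"
                HardwareId    = $hwid
                HasRealSerial = ($inst -notmatch '&')
                Description   = $desc
            }
        }
    } | Where-Object { $_.HardwareId -notmatch '&MI_' }
}

function Read-Allowlist([string]$Path) {
    # One instance ID per line; '#' lines are comments. Compared case-insensitively.
    if (-not (Test-Path -Path $Path)) { return @() }
    Get-Content -Path $Path |
        Where-Object { $_ -and -not $_.Trim().StartsWith('#') } |
        ForEach-Object { $_.Trim().ToUpperInvariant() }
}

if ($Export) {
    # Run once on a reference machine after an admin has installed the approved
    # devices. Devices without a real serial are written as comments so the
    # admin can see what this approach cannot distinguish.
    $devices = @(Get-UsbInstance)
    @('# USB allowlist: one device instance ID per line') +
    @($devices | Where-Object HasRealSerial | ForEach-Object { $_.InstanceId }) +
    @($devices | Where-Object { -not $_.HasRealSerial } |
        ForEach-Object { "# no serial, cannot be allowlisted: $($_.InstanceId)" }) |
        Set-Content -Path $AllowlistPath
    Write-Host "Allowlist written to $AllowlistPath"
    return
}

$approved   = @(Read-Allowlist -Path $AllowlistPath)
$unapproved = Get-UsbInstance | Where-Object { $approved -notcontains $_.InstanceId.ToUpperInvariant() }

foreach ($d in $unapproved) {
    if (-not $d.HasRealSerial) {
        # Hubs and many keyboards/mice fall here; never auto-disable them.
        Write-Warning "No serial, review manually: $($d.InstanceId) ($($d.Description))"
        continue
    }
    if ($Enforce -and (Get-Command Disable-PnpDevice -ErrorAction SilentlyContinue)) {
        # Disabling by instance ID is persistent for that unit only: it stays
        # disabled when re-plugged, while other units of the same model are unaffected.
        try {
            Disable-PnpDevice -InstanceId $d.InstanceId -Confirm:$false -ErrorAction Stop
            Write-Warning "Disabled unapproved device: $($d.InstanceId) ($($d.Description))"
        } catch {
            Write-Warning "Could not disable $($d.InstanceId): $($_.Exception.Message)"
        }
    } else {
        Write-Warning "Unapproved USB device: $($d.InstanceId) ($($d.Description))"
    }
}
```

Run it once with -Export on a machine where an administrator has installed the sanctioned 3G cards, distribute the resulting file, and then run it as SYSTEM on a schedule (or from a device-arrival trigger) with -Enforce on the clients. Two caveats a practitioner should keep in mind: the registry enumeration sees a device only after Windows has installed it, so this is a reactive control rather than a true "deny installation" gate, and a device that reports no serial number (or a cloned one) cannot be told apart from an approved unit by this or any serial-based whitelist, which is why the script only reports those.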
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 250 total points
ID: 24082714
In conjunction with restricting the rights to usbstor.inf, you can try a few other things:

USB devices write to this key when installed: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

You might be able to remove the USB-specific entries there.

You might even try removing the read rights to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR as well.

Please don't try these on a production machine, as I don't know the results!

0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24152002
Here's an adm that works great.
; Custom ADM template. Each policy sets the "Start" value of one storage class
; driver service. Start=4 disables the driver; the "Disabled" item restores the
; driver's normal start type (3 = demand start for USBSTOR, Flpydisk and Sfloppy,
; 1 = system start for Cdrom). Note that USBSTOR\Start=4 only blocks USB mass
; storage: USB ports, and other USB device classes such as network adapters,
; modems and HID devices, keep working.
CLASS MACHINE

CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART !!labeltextusb DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY

  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART !!labeltextcd DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY

  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART !!labeltextflpy DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY

  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART !!labeltextls120 DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables USB mass storage devices by disabling the usbstor.sys driver. Other USB device classes are not affected."
explaintextcd="Disables the computer's CD-ROM drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computer's floppy drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computer's high capacity floppy drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Mass Storage"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

0
