USB restriction for non admin users

Greetings experts,

I have been working on a business need to disable some specific USB devices for users. The case is that we need to prevent users from connecting their personal USB wireless devices / pen drives, etc., except for the ones admin users install for them. We do not need to disable USB devices all in all; I can do that using GPO or by editing the registry without issues. We need to limit the USB devices to only the ones that are already installed. However, the issue here is that when users try to connect a USB wireless device of the same brand that the Admin has previously installed, the device will work without issue, since an admin user has already installed the driver previously. My question is:

- Is there a possible way to deny activating the device if this particular device was not installed before?
- What exactly are the device driver file names for Wireless USB Connect cards / 3G wireless devices?
- Is there any freeware tool that can achieve this as well? (restrict installing USB devices other than the ones already installed, based on Device ID or MAC address maybe?)

I had an idea which is to use NTFS permissions to deny everyone access to the files USBSTOR.SYS & USBSTOR.PNF located under C:\windows\system32\drivers.
I had an idea that Windows will try to obtain the driver from that location when a device is connected for the first time, and will use the same driver from the Dllcache folder; this did not do the trick. Thanks in advance for your time & assistance.
Mohamed Osama, Senior IT Consultant, asked:

Mohamed Osama, Senior IT Consultant (Author) commented:
@coolsport00:
I have tried the accepted solution there; no go.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24054604.html
There is a logical issue here, as it relies only on the device driver, which is useless if the user uses the exact same device (they are publicly available for purchase).
As for GPP, I am looking into that, but it will take quite some time to implement and test, as I do not have access to a W2k8 machine atm.
As for GFI EndPoint, I know the application will do the trick, but I am afraid this is a bit out of budget, as we are planning to use it on a few hundred laptops.
@johnb6767: same thing; this will work only on the device driver level, so devices of the same type already installed or new ones will still work.
I have used a trial version of one tool called "MyUSBOnly" which has a device whitelist feature based on serial number, but it is not working as it should.
http://www.myusbonly.com/usb/index.php
Since there is currently no known method to do this, I think I will work on developing a small Windows service to take care of this requirement using C#, based on this code: http://www.cfdan.com/posts/Retrieving_Non-Volatile_USB_Serial_Number_Using_C_Sharp.cfm
I will set the logic to "read" all approved device IDs on a test machine from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, then deny installation of any USB device not in the approved serial number range.
I will leave the question open for a few days in case someone comes up with any fresh ideas.


0
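The plan above (read the approved device IDs from Enum\USB on a test machine, then flag anything else) can be prototyped as an audit script before investing in a C# service. The following is an added example and is not the author's service nor the code at the linked page; it assumes an elevated Windows PowerShell session, the Enum\USB layout of VID_xxxx&PID_xxxx keys with one subkey per device instance, and the Win32_PnPEntity WMI class. The list file path and the function names are my own choices.

```powershell
# Added example (not from the thread): build a per-unit USB allow-list from the
# Enum\USB branch of a reference machine, then audit a machine against it.
# Assumptions: elevated Windows PowerShell; Enum\USB is laid out as
# VID_xxxx&PID_xxxx\<instance id>; Win32_PnPEntity reports the same instance path
# in its DeviceID property. File path and function names are assumptions.

$EnumUsb = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'

# Returns the instance paths (USB\VID_xxxx&PID_xxxx\<serial or port-based id>) of
# every USB device that has ever been installed on this machine.
function Get-InstalledUsbInstanceIds {
    Get-ChildItem -Path $EnumUsb -ErrorAction SilentlyContinue | ForEach-Object {
        $hardwareKey = $_.PSChildName                  # e.g. VID_0781&PID_5567
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            ('USB\{0}\{1}' -f $hardwareKey, $_.PSChildName).ToUpperInvariant()
        }
    }
}

# Writes the approved list to a text file that can be shipped to the clients.
# Run this on the reference machine after the admin has installed the devices.
function Export-ApprovedUsbList {
    param([string]$Path = 'C:\ProgramData\ApprovedUsb.txt')   # assumed location
    $ids = @(Get-InstalledUsbInstanceIds | Sort-Object -Unique)
    Set-Content -Path $Path -Value $ids
    return $ids.Count
}

# Compares the USB devices currently present with the approved list and returns
# the ones that are not on it, so the service (or an admin) can act on them.
function Get-UnapprovedUsbDevices {
    param([string]$Path = 'C:\ProgramData\ApprovedUsb.txt')
    $approved = @{}
    Get-Content -Path $Path | ForEach-Object {
        $approved[$_.Trim().ToUpperInvariant()] = $true
    }
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USB\VID_*' } |                       # skips hubs/controllers
        Where-Object { -not $approved.ContainsKey($_.DeviceID.ToUpperInvariant()) } |
        Select-Object Name, DeviceID, Status
}

# Usage on the reference machine:  Export-ApprovedUsbList
# Usage on a client:               Get-UnapprovedUsbDevices | Format-Table -AutoSize
```

Two things to check before trusting the list: composite devices (a 3G modem usually is one) show up once per interface as VID_xxxx&PID_xxxx&MI_xx keys, so all of them need to be approved; and a device that does not report a USB serial number gets a port-dependent instance ID, so the same unit plugged into another port will look new. The serial-based matching is exactly what distinguishes this from the driver-level approaches discussed in the thread, which only see the VID/PID shared by every unit of a model.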
 
anuroopkoka2005 commented:
0
 
coolsport00 commented:
There isn't freeware for this...my org uses GFI EndpointSecurity, which is cheap but not free. The only 'free' alternative I can think of is GPP (Group Policy Preferences). You have to have at least 1 Vista SP1 or 2K8 machine on your domain to run it. But, it has port security on it. I myself don't have or run it, but hear it's pretty good. Reason why I put free in quotes is because if you don't have Vista/2K8 you obviously have to purchase that software.
These links should also help:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24054604.html
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24114010.html
0
 
bmatumbura commented:
Not sure if there are free utilities that can do this; but have a look at these:

http://www.centennial-software.com/products/devicewall/
http://www.devicewall.com/
0
 
anuroopkoka2005 commented:
Hi,

Below is the freeware to achieve what you wanted...
It will stop the USB devices from being accessed..

http://www.netwrix.com/usb_blocker_freeware.html?_kk=usb%20security&_kt=2be0cd79-1f27-4161-aa50-cd3bb56dbbfb&gclid=COmGzcKj0pkCFYh_3godeARmsg

Freeware will block the USB storage devices..
Commercial will block all the devices: other devices (iPods, Printers, PDAs, Network adapters, Modems, Imaging devices, etc.) (*)

Refer to the differences: http://www.netwrix.com/usb_blocker.html

0
 
anuroopkoka2005 commented:
The above application is for all the machines connected in the domain..
0
 
anuroopkoka2005 commented:
Do you want to block the wireless USB devices?
0
 
Mohamed Osama, Senior IT Consultant (Author) commented:
Yes, what I need to do is to allow only the USB wireless devices that are already installed. I do not want to shut down USB devices for good; achieving this is easy. I want to disallow installing new wireless USB devices & storage if possible, while the previously installed ones keep working.
Please let me know if I am not clear.
Thanks for your feedback so far.
0
 
bmatumbura commented:
From my understanding, you wouldn't want users to connect to your wireless network using any other wireless device other than the one your admins installed. My suggestion then would be to enable filtering by MAC address on your wireless access point. You'll have to keep track of the MAC addresses that the authorized devices use.
0
 
Mohamed Osama, Senior IT Consultant (Author) commented:
This is not exactly the issue, as we are not talking about a normal 802.11x wireless card; I was referring to Connect Card USB devices which use 3G for broadband connectivity. There are no local access points or routers involved here.
Some users are assigned those devices, but we do not want them to use their personal ones, for compliance purposes.
0
 
johnb6767 commented:
Wonder if you can just remove all but the Administrators/System user/group from usbstor.inf?
0
 
johnb6767 commented:
In conjunction with restricting the rights to usbstor.inf, you can try a few other things...

USB devices write to this key when installed: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

Might be able to remove the USB-specific entries there...

Might even try removing the read rights to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR as well...

Please don't try these on a production machine, as I don't know the results!

0
 
Donald Stewart, Network Administrator, commented:
Here's an adm that works great.
; Each policy below sets the Start value of a storage driver's service.
; The item names refer to the policy, not the device: "Disabled" keeps the
; driver's normal Start value (3 = manual, or 1 = system for cdrom.sys),
; "Enabled" sets Start=4, which disables the service so the driver never loads.
; Note that this only covers storage-class drivers (usbstor/cdrom/floppy).
CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART !!labeltextusb DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART !!labeltextcd DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART !!labeltextflpy DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART !!labeltextls120 DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY
 
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"


0