Solved

USB restriction for non admin users

Posted on 2009-04-02
3,414 Views
Last Modified: 2013-12-04
Greetings experts,

I have been working on a business need to disable some specific USB devices for users. The case is that we need to prevent users from connecting their personal USB wireless devices, pen drives, etc., except for the ones admin users install for them. We do not need to disable USB devices altogether; I can do that using GPO or by editing the registry without issues. We need to limit the USB devices to only the ones that are already installed. However, the issue here is that when users try to connect a USB wireless device of the same brand that the Admin has previously installed, the device will work without issue, since an admin user has already installed the driver previously. My questions are:

- Is there a possible way to deny activating the device if this particular device was not installed before?
- What exactly are the device driver file names for Wireless USB Connect cards / 3G wireless devices?
- Is there any freeware tool that can achieve this as well? (Restrict installing USB devices other than the ones already installed, based on Device ID or MAC address maybe?)

I had an idea, which is to use NTFS permissions to deny Everyone access to the files USBSTOR.SYS & USBSTOR.PNF located under C:\windows\system32\drivers.
I thought that Windows would try to obtain the driver from that location when a device is connected for the first time, and would use the same driver from the Dllcache folder; this did not do the trick. Thanks in advance for your time & assistance.
Question by:Mohamed Osama
13 Comments
 
LVL 4

Expert Comment

by:anuroopkoka2005
ID: 24048867
 
LVL 40

Expert Comment

by:coolsport00
ID: 24048874
There isn't freeware for this...my org uses GFI EndpointSecurity, which is cheap but not free. The only 'free' alternative I can think of is GPP (Group Policy Preferences). You have to have at least 1 Vista SP1 or 2K8 machine on your domain to run it. But, it has port security on it. I myself don't have or run it, but hear it's pretty good. Reason why I put free in quotes is because if you don't have Vista/2K8 you obviously have to purchase that software.
These links should also help:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24054604.html
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24114010.html
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24048937
Not sure if there are free utilities that can do this; but have a look at these:

http://www.centennial-software.com/products/devicewall/
http://www.devicewall.com/
 
LVL 4

Expert Comment

by:anuroopkoka2005
ID: 24049428
Hi,

Below is the freeware to achieve what you wanted...
It will stop the USB devices from accessing..

http://www.netwrix.com/usb_blocker_freeware.html?_kk=usb%20security&_kt=2be0cd79-1f27-4161-aa50-cd3bb56dbbfb&gclid=COmGzcKj0pkCFYh_3godeARmsg

The freeware will block USB storage devices..
The commercial version will block all the devices, i.e. other devices as well (iPods, Printers, PDAs, Network adapters, Modems, Imaging devices, etc.) (*)

Refer to the differences: http://www.netwrix.com/usb_blocker.html

 
LVL 4

Expert Comment

by:anuroopkoka2005
ID: 24049667
The above application is for all the machines connected in the domain.
 
LVL 4

Expert Comment

by:anuroopkoka2005
ID: 24049685
Do you want to block the wireless USB devices?
 
LVL 23

Author Comment

by:Mohamed Osama
ID: 24049781
Yes, what I need to do is to allow only the USB wireless devices that are already installed. I do not want to shut down USB devices for good; achieving this is easy. I want to disallow installing new wireless USB devices & storage if possible, while the previously installed ones keep working.
Please let me know if I am not clear.
Thanks for your feedback so far.
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24049844
From my understanding, you wouldn't want users to connect to your wireless network using any other wireless device than the one your admins installed. My suggestion then would be to enable filtering by MAC address on your wireless access point. You'll have to keep track of the MAC addresses that the authorized devices use.
 
LVL 23

Author Comment

by:Mohamed Osama
ID: 24050019
This is not exactly the issue, as we are not talking about a normal wireless 802.11x card. I was referring to Connect card USB devices which use 3G for broadband connectivity; there are no local access points or routers involved here.
Some users are assigned those devices, but we do not want them to use their personal ones, for compliance purposes.
 
LVL 66

Expert Comment

by:johnb6767
ID: 24054288
Wonder if you can just remove all but the Administrators/System user/group from usbstor.inf?
 
LVL 23

Accepted Solution

by: Mohamed Osama earned 0 total points
ID: 24076678
@coolsport00:
I have tried the accepted solution there with no go:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24054604.html
There is a logical issue here, as it relies only on the device driver, which is useless if the user will use the exact same device (they are publicly available for purchase).
As for GPP, I am looking into that, but it will take quite some time to implement and test, as I do not have access to a W2k8 machine atm.
As for GFI endpoint, I know the application will do the trick, but I am afraid this is a bit out of budget, as we are planning to use it on a few hundred laptops.
@johnb6767: same thing; this will work only on the device driver level, so devices of the same type, already installed or new ones, will still work.
I have used a trial version of one tool called "MyUSBOnly" which has a device whitelist feature based on serial number, but it is not working as it should:
http://www.myusbonly.com/usb/index.php
Since there is currently no known method to do this, I think I will work on developing a small Windows service to take care of this requirement using C#, based on this code: http://www.cfdan.com/posts/Retrieving_Non-Volatile_USB_Serial_Number_Using_C_Sharp.cfm
I will set the logic to "read" all approved device IDs on a test machine from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB, then deny installation of any USB device not in the approved serial number range.
I will leave the question open for a few days in case someone comes up with any fresh ideas.
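The serial-number allowlist approach sketched in the accepted solution, as an added example that is not the asker's C# service and not part of the original thread: a PowerShell script that reads the per-device instance keys under HKLM\SYSTEM\CurrentControlSet\Enum\USB on an admin-prepared reference machine, exports them as an allowlist, and reports any device on another machine whose instance ID (VID, PID and serial) is not on the list. Assumed: PowerShell 2.0 or later run as an administrator, and the allowlist path `usb-allowlist.csv` is a placeholder.

```powershell
# Added example: audit attached USB devices against an admin-built allowlist.
# Registry layout (Windows XP and later):
#   HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_xxxx&PID_xxxx\<instance>
# <instance> is the serial number the device reports, or a Windows-generated
# value such as 6&1a2b3c4d&0&2 when the device reports no serial.
$EnumUsb = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'

function Get-UsbInstance {
    # One object per device instance key. The Service value names the driver
    # that was bound (e.g. USBSTOR for mass storage), which helps when only
    # storage and 3G/wireless adapters are of interest.
    Get-ChildItem -Path $EnumUsb | ForEach-Object {
        $hardwareId = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                InstanceId    = "USB\$hardwareId\$($_.PSChildName)"
                HardwareId    = $hardwareId
                Serial        = $_.PSChildName
                Description   = $props.DeviceDesc
                Service       = $props.Service
                # Heuristic: generated instance IDs contain '&', device-reported
                # serials normally do not, so only the latter can be pinned reliably.
                HasRealSerial = ($_.PSChildName -notmatch '&')
            }
        }
    }
}

# Step 1 (reference laptop prepared by an admin): export the approved instances.
function Export-UsbAllowlist {
    param([string]$Path)  # placeholder, e.g. \\server\share\usb-allowlist.csv
    Get-UsbInstance | Where-Object { $_.HasRealSerial } |
        Export-Csv -Path $Path -NoTypeInformation
}

# Step 2 (any other machine): list instances that are not on the allowlist.
# A device of the same make and model as an approved one still shows up here,
# because the serial number, not just the VID/PID, has to match.
function Get-UnapprovedUsbInstance {
    param([string]$Path)
    $approved = Import-Csv -Path $Path | ForEach-Object { $_.InstanceId }
    Get-UsbInstance | Where-Object { $approved -notcontains $_.InstanceId }
}

# Usage:  Export-UsbAllowlist -Path usb-allowlist.csv        (reference machine)
#         Get-UnapprovedUsbInstance -Path usb-allowlist.csv | Format-Table
```

This only detects and reports; enforcing the deny still needs a service or tool that acts on the result, as the accepted solution proposes.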
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 1000 total points
ID: 24082714
In conjunction with restricting the rights to usbstor.inf, you can try a few other things....

USB devices write to this key when installed: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

You might be able to remove the USB-specific entries there.

You might even try removing the read rights to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR as well.

Please don't try these on a production machine, as I don't know the results!
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24152002
Here's an adm that works great.
; Each policy below sets the Start value of a driver service.
; Start=4 is SERVICE_DISABLED (the driver never loads); the DEFAULT entries
; restore each driver's normal start type (3 = demand start, 1 = system start).
; USBSTOR is the USB mass-storage class driver only; other USB device classes
; (network adapters, modems, etc.) are not affected by that setting.
CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART !!labeltextusb DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART !!labeltextcd DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART !!labeltextflpy DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART !!labeltextls120 DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY
 
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

