Solved

USB Port access

Posted on 2010-09-23
6
841 Views
Last Modified: 2012-05-10
Hi,
As a typical situation in many Indian organization, marketing people needs to use laptop and data card to access internet out of office network. To access data card, we need to open USB port. As pen drive are most virus/malware prone device, how we can block access of pen drive at the same port which is open to access data card?

0
Comment
Question by:KKSINGH-FCRL
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 9

Accepted Solution

by:
Tomas Valenta earned 63 total points
ID: 33751458
# Run Registry Editor (regedit).
# Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
# In the right pane, double click on the Start value name.
# Change the value data to 4 to disable the removable USB mass storage device drive access.
The change will take effect immediately to block any USB mass storage device such as USB flash drive, USB key and portable harddisk from been used in the system, while still allowing hardware components to work properly via USB connection. The hack works in most Windows operating system such as Windows Vista, XP, Windows Server 2008, 2003 and 2000.
0
 
LVL 4

Expert Comment

by:rajivvishwa
ID: 33756519
And I assume that users do not have admin access to those laptops, if they do, then they can edit registry and enable USB access back if you implement the method mentioned by Tominov.

You might have to disable at BIOS level as well for additional security coz even admins cannot edit BIOS settings without BIOS password.
0
 
LVL 10

Expert Comment

by:yasserd
ID: 33765443
For more security, what I recommend is white-listing instead of black-listing. So, it is better to block everything and just allow data cards. I don't know if it is possible to do through registry but there are a couple of software that enables you to do so like Symantec Endpoint Protection.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 62 total points
ID: 33813299
This is an good article for Windows VISTA and 7 OS but in particular look out for
@http://msdn.microsoft.com/en-us/library/bb530324.aspx

# Prevent users from installing any device.
# Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
# Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.

Another means is to prevent execution in USB drive. There is SRP (XP) and Applocker (for Win7). Basically SRP is Software Restriction Policies which can be configured to allow users to run only authorized applications via certificate, hash, or path rules. If a user had a default disallowed policy and
paths to say only specific program files folder for allowed applications, and the associated shortcuts in the all users profiles they would not be able to execute a file on a USB drive or copied to their profile folders.

This paper will help to elaborate more and its setting
@ http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf
Similarly for applocker, can see http://beingpc.com/2010/04/lock-your-programs-using-applocker/

But if you ok with product, do check out DeviceLock, it has the neat controls you need (and more)
@ http://www.devicelock.com/dl/index.htm
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34740406
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
Liquid Web and Plesk discuss how to simplify server management with a single tool  in their webinar.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question