Solved

USB Port access

Posted on 2010-09-23
Last Modified: 2012-05-10
Hi,
As is typical in many Indian organizations, marketing people need to use a laptop and data card to access the internet outside the office network. To access the data card, we need to open the USB port. As pen drives are the most virus/malware-prone devices, how can we block access to pen drives on the same port that is open for the data card?

Question by:KKSINGH-FCRL
LVL 9

Accepted Solution

by:
Tomas Valenta earned 252 total points
ID: 33751458
1. Run Registry Editor (regedit).
2. Navigate to the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
3. In the right pane, double-click the Start value name.
4. Change the value data to 4 to disable removable USB mass storage device drive access.

The change will take effect immediately to block any USB mass storage device, such as a USB flash drive, USB key or portable hard disk, from being used in the system, while still allowing hardware components to work properly via USB connection. The hack works in most Windows operating systems, such as Windows Vista, XP, Windows Server 2008, 2003 and 2000.
0
 
LVL 4

Expert Comment

by:rajivvishwa
ID: 33756519
And I assume that users do not have admin access to those laptops; if they do, they can edit the registry and enable USB access again if you implement the method mentioned by Tominov.

You might have to disable at BIOS level as well for additional security, because even admins cannot edit BIOS settings without the BIOS password.
0
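The registry change from the accepted answer, combined with the revert concern raised in the comment above, as an added PowerShell example that is not part of either post: it reads the UsbStor `Start` value, reports whether USB mass storage is blocked, and writes 4 only when `-Enforce` is given, so it can run periodically to catch a reverted setting. The function name `Test-UsbStorBlocked` is hypothetical, and enforcing assumes an elevated session.

```powershell
function Test-UsbStorBlocked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Enforce,   # without this switch the function only reports
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    )

    # Standard Windows service/driver start types
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # No UsbStor service key on this machine: report it instead of creating one
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Start = $null
            State = 'KeyMissing'; Compliant = $false; Changed = $false
        }
    }

    # .Start is $null when the value does not exist under the key
    $start   = (Get-ItemProperty -LiteralPath $KeyPath).Start
    $changed = $false

    if ($start -ne 4 -and $Enforce -and
        $PSCmdlet.ShouldProcess($KeyPath, 'Set Start = 4 (Disabled)')) {
        Set-ItemProperty -LiteralPath $KeyPath -Name Start -Value 4 -Type DWord -ErrorAction Stop
        $start   = 4
        $changed = $true
    }

    $state = if ($null -eq $start) { 'NotSet' } else { $startNames[[int]$start] }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Start     = $start
        State     = $state
        Compliant = ($start -eq 4)
        Changed   = $changed    # $true means the value had drifted and was reset
    }
}

# Audit only; add -Enforce to reset a drifted value, or -Enforce -WhatIf to preview
Test-UsbStorBlocked
```

A result with `Changed = $true` on a machine that was previously compliant indicates that someone with administrative rights re-enabled the driver.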
 
LVL 10

Expert Comment

by:yasserd
ID: 33765443
For more security, what I recommend is white-listing instead of black-listing. So, it is better to block everything and just allow data cards. I don't know if it is possible to do this through the registry, but there are a couple of software products that enable you to do so, like Symantec Endpoint Protection.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 248 total points
ID: 33813299
This is a good article for Windows Vista and 7 OS, but in particular look out for the following
@ http://msdn.microsoft.com/en-us/library/bb530324.aspx

1. Prevent users from installing any device.
2. Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
3. Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.

Another means is to prevent execution from the USB drive. There is SRP (XP) and AppLocker (for Win7). Basically, SRP is Software Restriction Policies, which can be configured to allow users to run only authorized applications via certificate, hash, or path rules. If a user had a default disallowed policy and paths to, say, only a specific program files folder for allowed applications, and the associated shortcuts in the all users profiles, they would not be able to execute a file on a USB drive or copied to their profile folders.

This paper will help to elaborate more on it and its settings
@ http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf
Similarly for AppLocker, see http://beingpc.com/2010/04/lock-your-programs-using-applocker/

But if you are OK with a product, do check out DeviceLock; it has the neat controls you need (and more)
@ http://www.devicelock.com/dl/index.htm
0
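The "approved list" option from the answer above, written as an added PowerShell example (not from the linked article or any post here) that sets the corresponding device installation restriction policy values in the local registry on Windows Vista or later. The function name `Set-DeviceInstallAllowList` is hypothetical and the hardware ID is a placeholder. It assumes an elevated session and no domain Group Policy managing the same key.

```powershell
function Set-DeviceInstallAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$AllowedHardwareId,
        [switch]$AllowAdminOverride   # let administrators install unlisted devices
    )

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $list = Join-Path $base 'AllowDeviceIDs'

    if (-not $PSCmdlet.ShouldProcess($base, 'Write device installation allowlist')) { return }

    # Create the policy key only if absent so other existing values are preserved
    if (-not (Test-Path -LiteralPath $base)) { New-Item -Path $base -Force | Out-Null }

    # Rebuild the ID list from scratch so stale entries do not stay approved
    if (Test-Path -LiteralPath $list) { Remove-Item -LiteralPath $list -Recurse -Force }
    New-Item -Path $list -Force | Out-Null

    $i = 0
    foreach ($id in $AllowedHardwareId) {
        $i++
        # Entries are string values named 1, 2, 3, ...
        New-ItemProperty -LiteralPath $list -Name "$i" -Value $id -PropertyType String | Out-Null
    }

    # Turn on the allowlist and block every device no policy setting describes
    Set-ItemProperty -LiteralPath $base -Name AllowDeviceIDs  -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath $base -Name DenyUnspecified -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath $base -Name AllowAdminInstall `
        -Value ([int]$AllowAdminOverride.IsPresent) -Type DWord

    Get-ItemProperty -LiteralPath $base |
        Select-Object AllowDeviceIDs, DenyUnspecified, AllowAdminInstall
}

# Placeholder ID: read the data card's real hardware IDs from Device Manager
# (Details tab, "Hardware Ids"). -WhatIf previews without writing anything.
Set-DeviceInstallAllowList -AllowedHardwareId 'USB\VID_0000&PID_0000' -WhatIf
```

These policies govern device installation, so devices already installed before the policy is applied keep working. A data card that presents itself as several child devices (modem, network adapter, virtual CD-ROM) needs an entry for each one it requires.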
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34740406
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
