[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 849
  • Last Modified:

USB Port access

Hi,
As a typical situation in many Indian organization, marketing people needs to use laptop and data card to access internet out of office network. To access data card, we need to open USB port. As pen drive are most virus/malware prone device, how we can block access of pen drive at the same port which is open to access data card?

0
KKSINGH-FCRL
Asked:
KKSINGH-FCRL
2 Solutions
 
Tomas ValentaIT ManagerCommented:
# Run Registry Editor (regedit).
# Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
# In the right pane, double click on the Start value name.
# Change the value data to 4 to disable the removable USB mass storage device drive access.
The change will take effect immediately to block any USB mass storage device such as USB flash drive, USB key and portable harddisk from been used in the system, while still allowing hardware components to work properly via USB connection. The hack works in most Windows operating system such as Windows Vista, XP, Windows Server 2008, 2003 and 2000.
0
 
rajivvishwaCommented:
And I assume that users do not have admin access to those laptops, if they do, then they can edit registry and enable USB access back if you implement the method mentioned by Tominov.

You might have to disable at BIOS level as well for additional security coz even admins cannot edit BIOS settings without BIOS password.
0
 
yasserdCommented:
For more security, what I recommend is white-listing instead of black-listing. So, it is better to block everything and just allow data cards. I don't know if it is possible to do through registry but there are a couple of software that enables you to do so like Symantec Endpoint Protection.
0
 
btanExec ConsultantCommented:
This is an good article for Windows VISTA and 7 OS but in particular look out for
@http://msdn.microsoft.com/en-us/library/bb530324.aspx

# Prevent users from installing any device.
# Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
# Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.

Another means is to prevent execution in USB drive. There is SRP (XP) and Applocker (for Win7). Basically SRP is Software Restriction Policies which can be configured to allow users to run only authorized applications via certificate, hash, or path rules. If a user had a default disallowed policy and
paths to say only specific program files folder for allowed applications, and the associated shortcuts in the all users profiles they would not be able to execute a file on a USB drive or copied to their profile folders.

This paper will help to elaborate more and its setting
@ http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf
Similarly for applocker, can see http://beingpc.com/2010/04/lock-your-programs-using-applocker/

But if you ok with product, do check out DeviceLock, it has the neat controls you need (and more)
@ http://www.devicelock.com/dl/index.htm
0
 
Glen KnightCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now