RE: Disabling USB mass storage

From: Sergey V. Gordeychik (gordey_at_itsecurity.ru)
Date: 03/04/05

  • Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Disabling USB mass storage"
    Date: Fri, 4 Mar 2005 10:16:04 +0300
    To: "Martin a Marika TYDOROVCI" <tydy@szm.sk>, <focus-ms@securityfocus.com>
    
    

    It's simple
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;823732).

    But you can use scripts in Group Policy which disable or enable devices
    or the concerned service depending on the user account or the computer's
    location in the AD structure. In your case you can disable the "USBStor"
    service to disable only mass storage. If you disable the "USB root hub"
    device you disable all USB on the computer.

    Here are two examples:

    (1) http://www.securitylab.ru/_Article_Images/2004/10/devcmcfg.vbs.txt

    (2) http://www.securitylab.ru/_Article_Images/2004/10/devcfg.vbs.txt

    The first of them (devcmcfg), started with the "devcmcfg disable" switch,
    checks membership of the computer account in security groups ("Comp
    Floppy", "Comp CDROM") and disables the devices specified in the "Devices"
    array. When you start "devcmcfg enable", the script tries to enable all
    devices from the "Devices" array.

    The second (devcfg) uses more complicated techniques. When you start it
    with "devcfg disable" it disables all devices and concerned services
    specified in the "Devices" and "Services" arrays accordingly. Furthermore,
    the script sets ACLs on the services which permit security groups from the
    "Groups" array to enable the services.
    Started with the "enable" key, the script tries to change the services'
    startup from "disable" to "demand" and launch the device.

    Both scripts use Microsoft's devcon.exe tool
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;311272). Devcfg
    also uses the standard Windows sc.exe tool.

    How to use it:

    Devcmcfg:

    Create security groups and add computer accounts to these groups.
    Specify "devcmcfg.vbs disable" as the Startup Script parameter value of
    the GPO, "devcmcfg.vbs enable" as the Logon Script and "devcmcfg.vbs
    disable" again as the Logoff script.
    When the computer boots it executes the Startup Script with System
    privileges and can disable devices depending on the computer's group
    membership.
    When the user logs on, the Startup Script is executed. It can enable
    devices only if the user has the "Load and Unload Device Drivers"
    (SeLoadDriver) privilege. So, only Administrators can use disabled
    devices. When the user logs off, the Logoff script starts and tries to
    disable the devices again.

    Devcfg:

    Create security groups and add user accounts to these groups.
    Specify "devcfg.vbs disable" as the Startup Script parameter value of the
    GPO, "devcfg.vbs enable" as the Logon Script and "devcfg.vbs disable"
    again as the Logoff script.
    When the computer boots it executes the Startup Script with System
    privileges and can disable devices depending on group membership. The
    script also disables the devices' services and sets ACLs.
    When the user logs on, the script tries to change the service startup
    type (it will succeed if he is a member of the appropriate security
    group). The user should also have the SeLoadDriver privilege. If this has
    been done, the script starts the appropriate device.

    Full description (sorry, only in Russian) can be found here:
    http://www.securitylab.ru/49044.html

    Thanks for your attention and sorry for my English.

    Regards,
    Sergey V. Gordeychik,
    MCSE, MCT, CISSP
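The group-driven disable/enable logic the post describes, written as a PowerShell startup/logon/logoff script rather than the author's devcmcfg/devcfg VBScripts. This is an added example, not code from the post or from securitylab.ru. It assumes group names of its own invention ("Comp NoUSBStorage", "Comp NoCDROM") and a hypothetical group-to-service mapping; only the USBSTOR service and the meaning of the service's `Start` registry value (4 = disabled, 3 = demand) come from the post and KB 823732. It covers only the service side of the procedure; the device side (devcon.exe) and the ACL step of devcfg are left out.

```powershell
# Added example (not one of the devcmcfg/devcfg scripts from the post).
# Assumptions: the group names and $GroupServiceMap below are invented;
# only the USBSTOR service name and the Start=4 / Start=3 registry values
# come from the post and KB 823732.
# Intended use, as the post describes: "disable" as the GPO Startup script
# (runs as SYSTEM), "enable" as the Logon script, "disable" as the Logoff script.
param(
    [Parameter(Mandatory)]
    [ValidateSet('disable', 'enable')]
    [string]$Action
)

# Hypothetical mapping: AD computer group -> services to disable for its members.
$GroupServiceMap = @{
    'Comp NoUSBStorage' = @('USBSTOR')
    'Comp NoCDROM'      = @('cdrom')
}

function Get-ComputerGroupNames {
    # Direct group membership of this computer account, read via ADSI (no RSAT needed).
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $searcher.PropertiesToLoad.Add('memberOf') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { return @() }
    # memberOf holds DNs such as "CN=Comp NoUSBStorage,OU=Groups,DC=example,DC=com";
    # keep only the CN part so it can be compared with the keys of $GroupServiceMap.
    $result.Properties['memberof'] | ForEach-Object {
        ($_ -split ',')[0] -replace '^CN=', ''
    }
}

function Set-ServiceStart {
    param(
        [string]$Name,
        [ValidateSet('Disabled', 'Manual')][string]$Mode
    )
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $Name is not present on this computer"; return }
    if ($Mode -eq 'Disabled' -and $svc.Status -eq 'Running') {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    }
    # Startup type change as sc.exe / Set-Service do it ...
    Set-Service -Name $Name -StartupType $Mode
    # ... which is the same Start value KB 823732 has you set directly: 4 = disabled, 3 = demand.
    $startValue = if ($Mode -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" `
        -Name Start -Value $startValue -Type DWord
    Write-Output "$Name -> $Mode"
}

# Collect the services that apply to this computer's group membership.
$groups  = Get-ComputerGroupNames
$targets = foreach ($g in $GroupServiceMap.Keys) {
    if ($groups -contains $g) { $GroupServiceMap[$g] }
}
$targets = @($targets | Select-Object -Unique)

if ($targets.Count -eq 0) {
    Write-Output 'Computer is in no restricting group; nothing to do'
    return
}

switch ($Action) {
    'disable' {
        foreach ($s in $targets) { Set-ServiceStart -Name $s -Mode 'Disabled' }
    }
    'enable' {
        # Like "devcfg enable": move the service back from disabled to demand and start it.
        foreach ($s in $targets) {
            Set-ServiceStart -Name $s -Mode 'Manual'
            Start-Service -Name $s -ErrorAction SilentlyContinue
        }
    }
}
```

Run as `.\usbstor-policy.ps1 -Action disable` from the Startup script (SYSTEM context) and with `-Action enable` from the Logon script. As the post notes for the VBS versions, the enable path only succeeds for a logging-on user who has the rights to change service configuration; for everyone else the startup-time disable stands, which is the intended outcome.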
     


