Re: Disabling USB mass storage

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 03/04/05

    Date: Fri, 04 Mar 2005 10:18:00 -0800
    To: Steven Hay <shay@communitysavings.ca>
    
    

    Huh? You use group policy and shove out permissions. You can build
    permission registry keys as a group policy item.

    Set up a USB OU, assign groups of folks, make sure your selected folks
    are in another OU.

    Example here:
    Terminal Services - Quickbooks installation issues:
    http://hem.fyristorg.com/vera/IT/TS_apps_QB.htm

    Steven Hay wrote:

    >Yes, we've looked at that document. There are two problems with the "MS
    >fix" however:
    >
    >1. It's a daunting task to justify the cost in time of logging into over 600
    >systems one at a time to change the registry on each to disable usb drive
    >creation. MS didn't seem to think about this on an enterprise scale. We
    >considered just batching up a large reg change to push out as well; but this
    >would mean we couldn't know if they all worked or failed for sure, as well
    >we were concerned about the potential for systems failure as direct reg
    >edits can be risky. Even if only 2% of the systems failed, it wouldn't be
    >worth the downtime costs.
    >
    >2. We would like for IT staff and a few select managers and systems to be
    >allowed access. USB keys when properly used can be a powerful tool for our
    >IT staff. This would be an "all or nothing" approach. Something on the
    >network level is much more preferable to the system level, and I'm guessing
    >sysadmins who work on 500+ node decentralized networks are in the same boat.
    >
    >We tried restricting usbstor.sys through the GPO, but I think the file gets
    >local system level access and runs anyways <grumble grumble>.
    >
    >I sincerely appreciate the responses everyone's given so far, we're
    >collecting all the suggestions and are going to review each of them and see
    >if one or more of the recommendations will work best within our
    >infrastructure. This is a great group and there are a lot of good IT people
    >here.
    >
    >Steve
    >
    >-----Original Message-----
    >From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    >[mailto:sbradcpa@pacbell.net]
    >Sent: March 3, 2005 10:14 PM
    >To: Steven Hay
    >Cc: 'focus-ms@securityfocus.com'
    >Subject: Re: Disabling USB mass storage
    >
    >
    >HOW TO: Disable the Use of USB Storage Devices in Windows XP:
    >http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
    >
    >Disable completely?
    >
    >Steven Hay wrote:
    >
    >
    >
    >>Good topic question, one we're having issues with as well, but with XP
    >>SP1.
    >>
    >>We want to disable any removable drives from working on our 400+
    >>workstations without having to visit each one.
    >>
    >>I tried denying access to usbstor.sys in the GPO, and confirmed that
    >>the policy was applied to our test system. But it seems like the
    >>system privileges override the GPO rights (I'm guessing) as the
    >>removable drive letter pops up and is usable when a USB drive is
    >>connected.
    >>
    >>Anyone have any experience with locking these down using GPO?
    >>
    >>Steve
    >>
    >>-----Original Message-----
    >>From: Moser, Scott [mailto:scott.moser@smead.com]
    >>Sent: March 3, 2005 12:40 PM
    >>To: Martin a Marika TYDOROVCI; focus-ms@securityfocus.com
    >>Subject: RE: Disabling USB mass storage
    >>
    >>
    >>Create new key
    >>HKLM\System\CurrentControlSet\Control\StorageDevicePolicies
    >>and then create REG_DWORD called WriteProtect and set to 1. This will
    >>prevent write only (not read) in XP SP2 only.
    >>
    >>-----Original Message-----
    >>From: Martin a Marika TYDOROVCI [mailto:tydy@szm.sk]
    >>Sent: Wednesday, March 02, 2005 2:10 PM
    >>To: focus-ms@securityfocus.com
    >>Subject: Disabling USB mass storage
    >>
    >>Hi list,
    >>
    >>Does anyone know a way to disable USB mass storage device in Win XP? I
    >>need to disable using devices such as USB flash drive, card readers,
    >>etc.
    >>
    >>Regards
    >>

    -- 
    Chapter 4 of The Complete Patch Management Book: 
    https://www.ecora.com/ecora/jump/pm149.asp
    So why is it the only book on NT Event Logging is out of print?
    http://tinyurl.com/3kwc2
    And if you don't know about www.eventid.net You should!
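
The quoted concern about a pushed registry change is not knowing which machines actually took it. As an added example (not from any poster in this thread), the PowerShell below reads the settings back from each host and reports the ones that are missing, wrong or unreachable. The host names are constructed, and the USBSTOR `Start` value is taken from the Microsoft KB article linked in the thread rather than from the thread itself.

```powershell
# Added example: read back removable-storage registry settings from many hosts.
# Assumptions: the Remote Registry service is reachable on each host and the
# caller has administrative rights there.
$computers = 'WS-0001', 'WS-0002'   # constructed host names

$checks = @(
    # Value named in the thread (blocks writes, XP SP2 only).
    @{ Path = 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect'; Want = 1 }
    # USBSTOR driver start type, 4 = disabled (from the linked KB, not the thread).
    @{ Path = 'SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Want = 4 }
)

function Get-RemoteDword {
    param([string]$Computer, [string]$Path, [string]$Name)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hklm.OpenSubKey($Path)          # read-only; $null if key is absent
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($Name, $null) } finally { $key.Close() }
    } finally { $hklm.Close() }
}

$report = foreach ($computer in $computers) {
    foreach ($c in $checks) {
        $status = 'Compliant'; $actual = $null
        try {
            $actual = Get-RemoteDword -Computer $computer -Path $c.Path -Name $c.Name
            if ($null -eq $actual)       { $status = 'Missing' }
            elseif ($actual -ne $c.Want) { $status = 'Mismatch' }
        } catch {
            $status = 'Unreachable'      # host down, access denied, service stopped
        }
        [pscustomobject]@{
            Computer = $computer; Value = "$($c.Path)\$($c.Name)"
            Expected = $c.Want;   Actual = $actual; Status = $status
        }
    }
}

$report | Where-Object Status -ne 'Compliant' | Format-Table -AutoSize
$report | Export-Csv .\usb-policy-audit.csv -NoTypeInformation
```

Hosts that report `Unreachable` need a second pass once they are back online; they are not evidence that the setting failed to apply.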