RE: Disabling USB mass storage

From: Steven Hay (shay_at_communitysavings.ca)
Date: 03/04/05

  • Next message: KL_SecurityFocus_at_spamex.com: "Folder Encryption"
    To: "'Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]'" <sbradcpa@pacbell.net>
    Date: Fri, 4 Mar 2005 10:51:47 -0700 
    
    

    Yes, we've looked at that document. There are two problems with the "MS
    fix" however:

    1. It's a daunting task to justify the cost in time of logging into over 600
    systems one at a time to change the registry on each to disable usb drive
    creation. MS didn't seem to think about this on an enterprise scale. We
    considered just batching up a large reg change to push out as well; but this
    would mean we couldn't know if they all worked or failed for sure, as well
    we were concerned about the potential for systems failure as direct reg
    edits can be risky. Even if only 2% of the systems failed, it wouldn't be
    worth the downtime costs.

    2. We would like for IT staff and a few select managers and systems to be
    allowed access. USB keys when properly used can be a powerful tool for our
    IT staff. This would be an "all or nothing" approach. Something on the
    network level is much more preferable to the system level, and I'm guessing
    sysadmins who work on 500+ node decentralized networks are in the same boat.

    We tried restricting usbstor.sys through the GPO, but I think the file gets
    local system level access and runs anyways <grumble grumble>.

    I sincerely appreciate the responses everyone's given so far, we're
    collecting all the suggestions and are going to review each of them and see
    if one or more of the recommendations will work best within our
    infrastructure. This is a great group and there are a lot of good IT people
    here.

    Steve

    -----Original Message-----
    From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    [mailto:sbradcpa@pacbell.net]
    Sent: March 3, 2005 10:14 PM
    To: Steven Hay
    Cc: 'focus-ms@securityfocus.com'
    Subject: Re: Disabling USB mass storage

    HOW TO: Disable the Use of USB Storage Devices in Windows XP:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

    Disable completely?

    Steven Hay wrote:

    >Good topic question, one we're having issues with as well, but with XP
    >SP1.
    >
    >We want to disable any removable drives from working on our 400+
    >workstations without having to visit each one.
    >
    >I tried denying access to usbstor.sys in the GPO, and confirmed that
    >the policy was applied to our test system. But it seems like the
    >system privileges override the GPO rights (I'm guessing) as the
    >removable drive letter pops up and is usable when a USB drive is
    >connected.
    >
    >Anyone have any experience with locking these down using GPO?
    >
    >Steve
    >
    >-----Original Message-----
    >From: Moser, Scott [mailto:scott.moser@smead.com]
    >Sent: March 3, 2005 12:40 PM
    >To: Martin a Marika TYDOROVCI; focus-ms@securityfocus.com
    >Subject: RE: Disabling USB mass storage
    >
    >
    >Create new key
    >HKLM\System\CurrentControlSet\Control\StorageDevicePolicies
    >and then create REG_DWORD called WriteProtect and set to 1. This will
    >prevent write only (not read) in XP SP2 only.
    >
    >-----Original Message-----
    >From: Martin a Marika TYDOROVCI [mailto:tydy@szm.sk]
    >Sent: Wednesday, March 02, 2005 2:10 PM
    >To: focus-ms@securityfocus.com
    >Subject: Disabling USB mass storage
    >
    >Hi list,
    >
    >Does anyone know a way to disable USB mass storage devices in Win XP? I
    >need to disable using devices such as USB flash drive, card readers,
    >etc.
    >
    >Regards
    >
    >---------------------------------------------------------------------------
    >Please note that Internet email is not always private, secure or reliable.
    >The sender accepts no liability for any damages caused by any virus
    >inadvertently transmitted with this email. Any opinion expressed in this
    >email is solely that of the author, unless clearly indicated otherwise.
    >This email, and any attachments, may contain confidential and/or proprietary
    >information that is intended only for use by the addressee. If you are not
    >the intended recipient, any use, dissemination, forwarding, printing, or
    >copying of this email is strictly prohibited. If you received this email in
    >error, please delete the email and advise the sender of the delivery error.
    >---------------------------------------------------------------------------
    >

    -- 
    Chapter 4 of The Complete Patch Management Book: 
    https://www.ecora.com/ecora/jump/pm149.asp
    So why is it the only book on NT Event Logging is out of print?
    http://tinyurl.com/3kwc2
    And if you don't know about www.eventid.net You should!
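The thread above discusses two registry-level controls: the KB 823732 approach of setting the UsbStor service's Start value to 4 so the driver is not loaded, and Scott Moser's StorageDevicePolicies\WriteProtect value that blocks writes on XP SP2. Steven's two objections are scale (hundreds of hosts) and verification (a blind push gives no proof it landed), plus the need to exempt a few IT machines. The script below is an added example written for this page, not code from any poster or from Microsoft; it uses PowerShell and the Remote Registry service (neither mentioned in the thread) to apply both values to a list of hosts, skip an exemption list, and read every value back so each host reports Verified, Mismatch, Exempt or Failed. It assumes you run as a local administrator on every target, that the Remote Registry service is running there, and that TCP/445 is reachable; the function and parameter names and the host names are constructed for the example.

```powershell
# Added example (not from the thread): push the UsbStor Start=4 (KB 823732) and
# StorageDevicePolicies\WriteProtect=1 settings to many hosts over the Remote
# Registry service, then read them back so each host reports its real state.
# Assumptions (constructed for this example): the caller is a local admin on
# every target, the Remote Registry service is running there, TCP/445 is open.

$UsbStorPath = 'SYSTEM\CurrentControlSet\Services\UsbStor'
$PolicyPath  = 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbStorageLockdown {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Hosts that keep USB storage (IT staff, selected managers, servers).
        [string[]]$Exempt = @(),
        # $true  = also set UsbStor Start=4 (driver not loaded, KB 823732)
        # $false = only block writes via WriteProtect (XP SP2 and later)
        [bool]$DisableDriver = $true
    )
    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            Computer     = $computer
            UsbStorStart = $null
            WriteProtect = $null
            Status       = 'Unknown'
        }
        if ($Exempt -contains $computer) {
            $result.Status = 'Exempt'
            $result
            continue
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)

            # The UsbStor service key only exists once a USB storage device has
            # been plugged into that host; OpenSubKey returns $null otherwise.
            $svc = $hklm.OpenSubKey($UsbStorPath, $true)
            if ($DisableDriver -and $svc) {
                $svc.SetValue('Start', 4, [Microsoft.Win32.RegistryValueKind]::DWord)
            }

            # CreateSubKey creates the policies key if missing, or opens it writable.
            $pol = $hklm.CreateSubKey($PolicyPath)
            $pol.SetValue('WriteProtect', 1, [Microsoft.Win32.RegistryValueKind]::DWord)

            # Read back instead of trusting the write: this is the per-host
            # evidence a blind batch push cannot give.
            $result.UsbStorStart = if ($svc) { $svc.GetValue('Start') } else { 'no driver key' }
            $result.WriteProtect = $pol.GetValue('WriteProtect')

            $ok = ($result.WriteProtect -eq 1) -and
                  (-not $DisableDriver -or -not $svc -or $result.UsbStorStart -eq 4)
            $result.Status = if ($ok) { 'Verified' } else { 'Mismatch' }

            if ($svc) { $svc.Close() }
            $pol.Close()
            $hklm.Close()
        } catch {
            # Unreachable host, Remote Registry stopped, access denied, etc.
            $result.Status = "Failed: $($_.Exception.Message)"
        }
        $result
    }
}

# Usage (host list and exemptions are constructed placeholders):
# $hosts = Get-Content .\workstations.txt
# Set-UsbStorageLockdown -ComputerName $hosts -Exempt 'IT-WS01','IT-WS02' |
#     Export-Csv .\usb-lockdown.csv -NoTypeInformation
# Import-Csv .\usb-lockdown.csv | Where-Object Status -ne 'Verified'
```

Two caveats a practitioner should keep in mind. Hosts that report "no driver key" have never had a USB storage device attached, so Start=4 cannot be set there; KB 823732 covers that case separately by denying permissions on Usbstor.inf and Usbstor.pnf, which this script does not do. And neither registry value stops a local administrator, who can simply flip them back; that matches Steven's observation that system-level rights defeat the GPO file restriction, and is why an exemption list rather than a hard technical boundary is the realistic model for the IT-staff machines.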
    
