RE: Controlling specific USB devices on Windows XP



I haven't been following this thread closely so I don't know if anyone
has explored this solution. Windows XP and I think 2000 support
disabling USB Mass Storage devices via a registry "hack" for lack of a
better word.
This can be incorporated into a .adm file and added to Group Policy.
Copy the text between the stars but don't include the stars. Paste into
a file called (whatever).adm. Upload to group policy.

You can also read the following text and just manually input these
registry settings.

I chose the group policy method and put in a dev environment. Later it
was cleared for production and has come in handy many times so far.

One caveat is that there is a high likely hood that digital cameras will
break and you will have to manually exclude those computers.

*********************************************
CLASS MACHINE
CATEGORY "Custom Policies"
KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
POLICY "USB Mass Storage Installation"
EXPLAIN "When this policy is enabled, USB mass storage device
permissions can be changed by using the drop down box.

Selecting 'Grant Permission' will allow USB mass storage devices to be
installed. Selecting 'Deny Permission' will prohibit
the installation of USB mass storage devices.

IF REMOVING THIS POLICY: Reset to original setting and let policy
propegate before deleting policy."
PART "Change Settings:" DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME "Grant Permission" VALUE NUMERIC 3 DEFAULT
NAME "Deny Permission" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
********************************************

Thanks,


Dan Bullock










-----Original Message-----
From: Roman Iwasjuk [mailto:roman@xxxxxxxxxxxxxx]
Sent: Thursday, June 15, 2006 1:06 PM
To: Focus Microsoft
Subject: RE: Controlling specific USB devices on Windows XP


I think that we're missing something in this discussion - namely that
the
usb lockdown is something that we will have no choice BUT to do - up
till
now shutting down usb ports has been the easy work around - via bios,
not
loading the device drivers or just disabling the port.

The problem is that many hardware vendors are moving towards usb as the
be
all and end all - how many new computers are being sold with no ports
other
than usb - parallel, serial, ps2 - all gone...

What about laptops where the internal connection is via usb - either for
the
hard drive or the onboard cd/dvd ... Disabling the usb is no longer an
option.

We've all got privacy legislation that we have to concern ourselves
with,
not to mention corporate data - if we don't do our due diligence and
restrict the kinds of devices that can access the ports, then we have no
guarantee that info isn't leaving the company.

Roman Iwasjuk
Systems Manager
Buduchnist Credit Union Ltd

On 6/15/06, George Njoku <george@xxxxxxxxxxxxx> wrote:

Gentlemen, this USB lock down for certain device is a nice idea, but
just not necessary

George Njoku
Turner Engineering, Inc.
973.263.1000
george@xxxxxxxxxxxxx

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.clearswift.com
**********************************************************************



------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

The information transmitted may contain confidential material and
is intended only for the person or entity to which it is
addressed. Any review, retransmission, dissemination or other use
of or taking of any action by persons or entities other than the
intended recipient is prohibited. If you are not the intended
recipient, please delete the information from your system and
contact the sender.

---------------------------------------------------------------------------
---------------------------------------------------------------------------



Relevant Pages

  • Re: Prevent BlueTooth USB access
    ... > Is it possible to block users from connecting USB devices using GPO. ... > created a GPO to hide drives for usb storage (DOS prompt blocked so not ... POLICY!!policynameusb ... policynamels120="Disable High Capacity Floppy" ...
    (microsoft.public.win2000.group_policy)
  • Re: [Full-disclosure] Fwd: Comment on: USB devices spreading viruses
    ... Disable USB storage via group policy or through ... environment only allows signed scripts to execute): ... // why let anything to execute from root of fixed drives. ...
    (Full-Disclosure)
  • HAL and KDE mounting USB drives
    ... devices, especially USB drives, are not auto-run. ... both flash sticks and actual disk drives on both USB and FireWire. ... I've also confirmed that my policy options are getting set -- ...
    (Debian-User)
  • Global Policy to disable FDD & USB not working
    ... I have created three security group Disable_FDD (where all users floppy ... Drive is disabled), Disable_All (where USB & Floppy is disabled), ... Right clicked the Kill_floppy policy and choose "Security" ... categoryname="Restrict Drives" ...
    (microsoft.public.windows.server.active_directory)
  • RE: Restrict USB Devices.
    ... I didn't test with USB printers. ... POLICY!!policynameusb ... policynamels120="Disable High Capacity Floppy" ... explaintextcd="Disables the computers CD-ROM Drive by disabling the ...
    (microsoft.public.windows.server.active_directory)