[Dshield] Disable USB storage devices?

Eddie Gilmartin Eddie.Gilmartin at aerlingus.com
Wed Oct 13 14:07:14 GMT 2004


HI
WINXP SP2 allow you restrict RIGHTING to USB devices using a reg fix.,
reading remains available.
Alternatively, you might want to try the following

Rgds
eddie



PROBLEM
========
How to disable the USB devices 

RESOLUTION
============
Run the disable script as the computer startup script. The startup
script runs on 
the Local System account. Here are the detailed steps.

1. Create a .bat with the command below. 

REM ;Begin of the commands

devcon remove usb\root_hub

subinacl /regkey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub 
/deny=system
subinacl /regkey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub 
/deny=users

REM ;End of the commands

2. Save subinacl.exe, devcon.exe, and the .bat file above to the hard
disk on DC

3. Assign the startup script to the needed machine OU or the domain.
To
do this:

? Open the Group Policy snap?in.

? Locate <group policy name> ?> "Computer Configuration" ?> "Windows 
Settings" ?> "Scripts (Startup/Shutdown)"

? Click Scripts, and then double?click Startup in the right pane.

? Click Add. 

Click the Browse button. You will see a Startup folder opened. Copy
and
paste 
subinacl.exe, devcon.exe, and the .bat file to the Startup folder.

? Select the .bat file. Click Open. Click OK. Click OK.


>>> shane.presley at gmail.com 13 October 2004 14:07:32 >>>
Hello,

A colleague recently asked me if it was possible to disable a system
(Windows 2000 & XP) from using USB storage devices?  For example, we
want a system to be able to use USB printers, scanners, etc.  But we
don't want a user to be able to plug in a memory stick or zip drive.

Any thoughts?  Would non-administrator accounts be good enough to
block this?  What about for admin accounts, any third party software
that can block it?

Thanks,
Shane
_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS
Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to list at lists.dshield.org 
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

Eddie Gilmartin
Technical Manager
NDS-I.T.
Aer Lingus HOB PA6
Dublin Airport
Ireland

0035318862698(w)
0035318863870(f)
00353868527360(m)


For low fares and great deals on hotels, car hire and travel insurance visit http://www.aerlingus.com
*******************************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed.  Any review, dissemination or other use of, or taking
of any action in reliance upon, this information by persons or entities
other than the intended recipient is prohibited.If you have received
this email in error please notify the sender immediately and delete
the material.
*******************************************************************************




More information about the list mailing list