kcnychief | Posts: 0 | 04/09/2009 8:24 AM
I am researching how to restrict the usage of USB ports, to protect against users connecting USB drives or other devices that we aren't aware of. I was looking at Removable Device Storage and Hardware Installation Restriction - wanted to check and see how others are doing it and what some best practices may be. The second option would assumedly be resource intensive in the beginning while I fine tune the Class IDs of hardware I want to allow/block.
I also was reading about restricting the .inf files to install any USB devices, but need to do some testing as to how that would impact keyboards and mice.
While I know they exist, at this time I'm not interested in any 3rd party applications to help control this.
Derek Rose | Infrastructure Manager | 413.747.4262 x19236 | xxxxxxxxxxxxxxxx
Darren | Posts: 103 | 04/09/2009 9:44 AM
Derek-
GP Preferences includes support for this as well, though you can only allow or deny a device by class. I've also seen some folks use custom ADMs to simply turn off a specific device driver for a specific class of storage (e.g. USBStor.sys) but I don't find that an especially flexible approach. I think the .inf approach may be similarly "funky", but I can see where that would provide some value.
Darren
kcnychief | Posts: 0 | 05/15/2009 4:47 PM
Basically what I ended up doing is creating an AD group called USBSTOR_ALLOW, and giving that group the necessary access to usbstor.inf and usbstor.pnf within the c:\windows\inf folder. I removed all other permissions, so only users within that group can install new devices. At this time, we are not concerned about what type of devices, just overall enable or disable. This works fine for what is needed.
As far as currently installed devices, I adjusted the HKLM value on any computer account not in the previously mentioned group. The specific key and values are from this article -
http://support.microsoft.com/kb/823732/
Setting it to 4 for all users NOT in the group using GPP worked pretty well. The only flaw in this plan is that a user who is allowed can't really do it on a machine that is not a member of the group. But, that is not a requirement at this time so it will suffice.
Just wanted to share with others how I accomplished this, and maybe start a creative discussion how others may have done so with GPO.
Derek
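The two controls Derek describes, applied to the local machine, as an added example (this is not Derek's own script or anything from the KB article): it re-ACLs usbstor.inf/usbstor.pnf so only the allow group can read them, and sets the USBSTOR Start value from KB 823732 (4 = driver disabled off-group, 3 = normal manual start in-group). It assumes the placeholder domain CONTOSO, that SYSTEM and Administrators keep access so device installation and administration still work, and an elevated session; run it with -WhatIf first to see what would change.

```powershell
# Added example, not the poster's script. Restricts the usbstor INF files to the allow
# group and sets the USBSTOR driver Start value, per the post above and KB 823732.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AllowGroup = 'CONTOSO\USBSTOR_ALLOW',  # CONTOSO is a placeholder domain
    [switch]$ComputerIsAllowed                     # set when this machine is in the group
)

$infFiles = 'usbstor.inf', 'usbstor.pnf' | ForEach-Object { Join-Path $env:SystemRoot "inf\$_" }
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

foreach ($file in $infFiles) {
    if (-not (Test-Path $file)) { Write-Warning "$file not found, skipping"; continue }
    $acl = Get-Acl -Path $file
    # Stop inheriting the permissive ACEs from %SystemRoot%\inf (Users normally get Read)
    # and do not copy them; then drop any explicit ACEs that are left.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    # Only these principals get access: the allow group needs read so Setup can parse the
    # INF; SYSTEM and Administrators are kept (assumption) so PnP and admins keep working.
    $grants = @(
        @($AllowGroup,              'ReadAndExecute')
        @('NT AUTHORITY\SYSTEM',    'FullControl')
        @('BUILTIN\Administrators', 'FullControl')
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $g[0], $g[1], 'Allow'
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($file, "Restrict ACL to $AllowGroup, SYSTEM, Administrators")) {
        Set-Acl -Path $file -AclObject $acl
    }
}

# Start=4 (Disabled) stops usbstor.sys loading for devices plugged in from now on; a
# device that is already mounted keeps working until it is removed or the box reboots.
$wanted  = if ($ComputerIsAllowed) { 3 } else { 4 }
$current = (Get-ItemProperty -Path $svcKey -Name Start).Start
if ($current -ne $wanted -and
    $PSCmdlet.ShouldProcess($svcKey, "Set Start from $current to $wanted")) {
    Set-ItemProperty -Path $svcKey -Name Start -Value $wanted -Type DWord
}
```

Because the INF ACL is per-machine and the Start value is per-machine, this has the same limitation Derek notes: an allowed user on a machine that is not in the group still cannot install a device.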
JFinkbiner | Posts: 11 | 05/15/2009 8:48 PM
We currently disable these components through this GPO. I actually borrowed a lot (if not all) of the code from someone, although his name escapes me at the moment. There are 2 versions that I have verified to work (sorry for the length):
Version 1:
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computer's USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computer's CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computer's Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computer's High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
Version 2:
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynamewriteprotect
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
EXPLAIN !!explaintextwriteprotect
PART !!labeltextwriteprotect DROPDOWNLIST REQUIRED
VALUENAME "WriteProtect"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 0 DEFAULT
NAME !!Enabled VALUE NUMERIC 1
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Write Protection"
policynamewriteprotect="Write Protect USB Removable Drives"
explaintextwriteprotect="Enforces write protection on all USB Removable Drives. \n\nSelect the ENABLED radiobox, then select ON for the Write Protect USB Removable Drives status in the drop-down list. \n\nIn order to disable write protection on USB Removable Drives select OFF for the Write Protect USB Removable Drives status in the drop-down list."
labeltextwriteprotect="Write Protect USB Removable Drives status"
Enabled="On"
Disabled="Off"
Jonathan Finkbiner
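An audit of a machine against the values those two templates write, as an added example (not part of Jonathan's templates or his GPO): it reads the four driver Start values and the StorageDevicePolicies WriteProtect value and reports whether each is actually at its enforced setting. It changes nothing; the key and value names are the ones in the templates above, and a missing key (StorageDevicePolicies does not exist until something creates it) is reported as not enforced.

```powershell
# Added example: reports drift from the settings the Version 1 / Version 2 ADM
# templates enforce. Start=4 disables the driver; WriteProtect=1 makes USB removable
# drives read-only. Read-only check, safe to run on any machine.
function Get-RemovableMediaPolicyState {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $sdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $checks = @(
        @{ Name = 'USB storage (usbstor.sys)'; Key = "$svc\USBSTOR";  Value = 'Start';        Want = 4 }
        @{ Name = 'CD-ROM (cdrom.sys)';        Key = "$svc\Cdrom";    Value = 'Start';        Want = 4 }
        @{ Name = 'Floppy (flpydisk.sys)';     Key = "$svc\Flpydisk"; Value = 'Start';        Want = 4 }
        @{ Name = 'LS-120 (sfloppy.sys)';      Key = "$svc\Sfloppy";  Value = 'Start';        Want = 4 }
        @{ Name = 'USB write protect';         Key = $sdp;            Value = 'WriteProtect'; Want = 1 }
    )
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Key) {
            # -ErrorAction SilentlyContinue: a key without the value yields $null, not an error
            $actual = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        New-Object PSObject -Property @{
            Setting  = $c.Name
            Expected = $c.Want
            Actual   = $actual                 # $null when the key or value is absent
            Enforced = ($actual -eq $c.Want)   # $null never equals the wanted value
        }
    }
}

Get-RemovableMediaPolicyState | Format-Table Setting, Expected, Actual, Enforced -AutoSize
```

Because both templates write outside the Policies keys, the values persist (tattoo) after the GPO is unlinked, so an audit like this is what tells you the real state of a machine rather than the GPO's.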