Disable USB Ports
Disable USB Ports
Here is a way to disable USB ports in an Active Directory Domain
In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects.
In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually SystemRoot%\Inf\USBSTOR.INF)
Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any priviledges to Everybody. You do not need to explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.
Repeat the above two steps for USBSTOR.PNF.
Download USBSTOR.ADM.
Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog.
You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double click it, select Enabled and pick Disabled from the Startup Type drop down. Again, the policy must be enabled wheras Startup Type must be Disabled.
Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB strorage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also ok if the UsbStor key doesn't exist at all.
On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick.
Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking USBSTOR.REG as well as executing net stop usbstor.
Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device.
Here is a way to disable USB ports in an Active Directory Domain
In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects.
In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually SystemRoot%\Inf\USBSTOR.INF)
Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any priviledges to Everybody. You do not need to explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.
Repeat the above two steps for USBSTOR.PNF.
Download USBSTOR.ADM.
Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog.
You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double click it, select Enabled and pick Disabled from the Startup Type drop down. Again, the policy must be enabled wheras Startup Type must be Disabled.
Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB strorage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also ok if the UsbStor key doesn't exist at all.
On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick.
Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking USBSTOR.REG as well as executing net stop usbstor.
Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device.
0 comments:
Post a Comment