Restricting USB storage devices through Group Policy in Windows Server 2008 is a breeze (even on Server 2003). However, it gets a tad challenging when you do it on Windows 2000. Let's play out a little scenario:
You need to restrict USB storage access on a shared Windows 2000 PC to prevent users from copying any sensitive information to portable USB storage devices (thumb drives, iPods, MP3 players, mobile phones, etc.). The solution must be "reversible" (this rules out super glue, thanks) and must not cost you an arm and a leg.
Here's a homebrew solution which disables (or re-enables) the USB storage function of a PC. It sets the Start value of the USBSTOR service key to 4 (disabled) or 3 (enabled) and toggles deny permissions on that key, using the resource kit tools Reg.exe and SubinACL.exe:
'variables & constants
Const HKEY_LOCAL_MACHINE = &H80000002
Dim strComputer, strFunction
Dim oShell
Dim oStat

'**** main *****
Set oShell = CreateObject("WScript.Shell")
oStat = False
strComputer = ""
strFunction = ""

'Input ComputerName via an inputbox
strComputer = InputBox("Remote PC's HostName :", _
    "USB-Buster Release Candidate (c)", strComputer)
If strComputer = "" Then
    MsgBox "Null value! Exiting..."
    WScript.Quit
Else
    If ping(strComputer) = True Then
        'Client is online, do nothing
    Else
        MsgBox "Error! " & strComputer & " is OFFLINE!"
        WScript.Quit
    End If
End If

'Keep prompting until a valid option ('1' or '2') has been entered
While strFunction = "" Or oStat <> True
    strFunction = InputBox("Enable [1] or Disable [2] USB :", _
        "USB-Buster Release Candidate (c)", strFunction)
    If strFunction = "" Then
        MsgBox "Null value! Please enter a valid option ('1' OR '2')"
    Else
        Select Case strFunction
            Case "1"
                oStat = True
                EnableUSB
            Case "2"
                oStat = True
                DisableUSB
            Case Else
                MsgBox "Invalid input! Enter a valid option ('1' OR '2')"
                oStat = False
        End Select
    End If
Wend

oStat = ""
strComputer = ""
strFunction = ""

'Use Resource Kit Tools (reg.exe and subinacl.exe [latest version]) to
'modify the USBStor start value
'and set deny permissions on the key
'********** Procedures/Subroutines Section *************************
'Each Run call waits for the tool to exit (third argument True), so the
'registry write and the ACL change are applied in the intended order.
Sub DisableUSB()
    'Start = 4 disables the USB storage driver
    oShell.Run "reg add ""\\" & strComputer & _
        "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR""" _
        & " /v Start /t REG_DWORD /d 4 /f", 1, True
    'Deny access to the key so the value cannot simply be changed back
    oShell.Run "subinacl /keyreg ""\\" & strComputer & _
        "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR""" & _
        " /deny=system /deny=users /deny=administrators", 1, True
End Sub

Sub EnableUSB()
    'Restore the permissions first; the key is not writable until then
    oShell.Run "subinacl /keyreg ""\\" & strComputer & _
        "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR""" & _
        " /grant=system /grant=users=R /grant=administrators", 1, True
    'Start = 3 re-enables the USB storage driver
    oShell.Run "reg add ""\\" & strComputer & _
        "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR""" & _
        " /v Start /t REG_DWORD /d 3 /f", 1, True
End Sub

'********FUNCTION CALL(S)*********************************
'Ping - to check if computer is connected to the network
Function ping(arg)
    With CreateObject("WScript.Shell")
        'Ping computer; exit code 0 means the host replied
        ping = Not CBool(.Run("ping " & arg, 0, True))
    End With
End Function
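To confirm afterwards that the lockdown actually took effect on each PC, a read-only audit can query the same key over WMI. The following is an added example, not part of the original script; it assumes the WMI StdRegProv provider is reachable on the targets, the host names are constructed samples, and the helper name AuditUsbStor is hypothetical.

```vbscript
' Added example (not from the original post): read-only audit of the USBSTOR lockdown.
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_SET_VALUE = &H2
Const USBSTOR_KEY = "SYSTEM\CurrentControlSet\Services\USBSTOR"

Dim strHost
' Constructed sample host names; replace with your own inventory.
For Each strHost In Array("PC-LAB-01", "PC-LAB-02")
    WScript.Echo strHost & ": " & AuditUsbStor(strHost)
Next

Function AuditUsbStor(strComputer)
    Dim oReg, rc, dwStart, bCanWrite, strResult
    On Error Resume Next
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        AuditUsbStor = "UNREACHABLE: " & Err.Description
        Exit Function
    End If
    On Error GoTo 0

    ' StdRegProv methods return 0 on success, otherwise a Win32 error code.
    rc = oReg.GetDWORDValue(HKEY_LOCAL_MACHINE, USBSTOR_KEY, "Start", dwStart)
    Select Case rc
        Case 0
            ' Readable: the deny ACL is not blocking the auditing account.
            If dwStart = 4 Then
                strResult = "driver disabled (Start=4)"
            Else
                strResult = "DRIVER ENABLED (Start=" & dwStart & ")"
            End If
            ' Can this account set values? If so, Start can be flipped back.
            oReg.CheckAccess HKEY_LOCAL_MACHINE, USBSTOR_KEY, KEY_SET_VALUE, bCanWrite
            If bCanWrite Then strResult = strResult & "; key is writable, deny ACL not in effect"
        Case 2
            strResult = "USBSTOR key or Start value not found"
        Case 5
            ' Typical result after DisableUSB: the deny entries block reads as well.
            strResult = "access denied: consistent with the deny ACL, Start not verifiable"
        Case Else
            strResult = "unexpected return code " & rc
    End Select
    AuditUsbStor = strResult
End Function
```

Run it with `cscript //nologo` so the results print to the console instead of appearing as message boxes. The access check is evaluated for the account running the audit, so run it under the same kind of account you expect to be denied.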
8 comments:
Alternatively, you can use usb security features of desktop management system called desktop authority.
In our company this way we blocked the use of usb storage, mp3 players and PDAs but allowed corporate blackberries.
This solution is very flexible in settings apply so you can easily block or allow a particular device (even by its serial number) for particular user or group of users.
Thanks for the links. I'll keep your product in mind should a need come up in the future or when someone asks for commercially available tools which can block USB devices but offer the flexibility of allowing some based on certain parameters (group membership, device ID, etc).
If you deny an administrator access to the registry key when you disable access, how does an administrator have sufficient privileges to re-allow access or successfully run the subinacl line in the EnableUSB procedure?
The administrator should still be able to access the registry key although he will not see the contents of that particular registry key. In fact, using the registry editor UI, the administrator can reset the permissions of the key even if his account has been specifically given "Deny" permission (however, he'll be prompted with an access denied window if he tries to create subkeys/values within the key unless the permissions are reset).
hiii.. nice work .. however i haven't tried it .. but hope it works .. but plzz also tell me .. will this work only for already installed usb drives?? or for uninstalled ones also..
Thanks please tell me!
hey ... nice work buddy:)
but please tell me will this also work for usb drives that are not already installed on the users pc?
if not then please can u tell me how to do that??
Honestly, I haven't really tested this on a system with already installed USB storage devices. =)
However, it should not be that hard to clear entries or references of previously installed USB storage devices prior to running the script shown in the post.
Salvador HI,
I need to know how to do this you can tell me as I could to do this. Maybe you have someone guide that help me.
Thanks
Best Wishes.