Security Basics mailing list archives
RE: USB ports Network
From: DELFOSSE Frédéric <frederic.delfosse () missioneco org>
Date: Wed, 2 May 2007 20:07:54 +0200
Hi,

You can make a custom .adm file that you can add into your AD. The purpose is to prevent only the USB mass storage devices from running on the computer, not another device such as a USB mouse.

USBSTOR.ADM:

    CLASS MACHINE
    CATEGORY "Services and Drivers"
      POLICY "USB Storage"
        KEYNAME "System\CurrentControlSet\Services\usbstor"
        PART "Startup type" DROPDOWNLIST
          VALUENAME "Start"
          ITEMLIST
            NAME "Boot" VALUE NUMERIC 0
            NAME "System" VALUE NUMERIC 1
            NAME "Auto Load" VALUE NUMERIC 2 DEFAULT
            NAME "Load On Demand" VALUE NUMERIC 3
            NAME "Disabled" VALUE NUMERIC 4
          END ITEMLIST
        END PART
      END POLICY
    END CATEGORY

1. Preventing the USB mass storage device setup:

When PnP sets up a driver, it uses the current user's permissions. We just have to set the permissions, using a GPO, on the 2 following files: USBSTOR.INF and USBSTOR.PNF.

* Within the GPO, go to "Computer Configuration - Windows Settings - Security Settings - File System" and create a new entry with a right click, selecting "add a file". Within the explorer that appears then, select USBSTOR.INF (%SystemRoot%\Inf\USBSTOR.INF).
* Change the security parameters to only allow full control to SYSTEM and Administrators. This will replace the permissions on every machine in the OU where the GPO is applied.
* Repeat the previous steps for USBSTOR.PNF.

2. Prevent USBSTOR from starting when a USB mass storage device is connected:

When a USB mass storage device is connected, USBSTOR is automatically executed by the OS, by using the DOS command net start usbstor. This command is possible only if the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start doesn't have the value 4 (disabled). Therefore we are going to set this value to 4 to prevent USBSTOR from starting; this will prevent the mapping and initialization of the USB keys.

* We use the above USBSTOR.ADM, which we add to the administrative templates, in the computer configuration of our GPO. This adds "Services and Drivers" to our templates.
* If the entry "Services and Drivers" is empty, we need to uncheck "only display the policy settings that can be fully managed", in the menu "View - Filtering".
* Select "USB Storage policy". Check "Enabled" and choose "Disabled" in the dropdown list "Startup Type".
* You must enforce the GPO so that the registry key change can be made.

That's it :) I hope it is going to be helpful.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tornado
Sent: Wednesday, May 02, 2007 3:41 AM
To: security-basics () securityfocus com
Subject: USB ports Network

Hi All,

We got Windows 2003 AD domain with all the workstations/servers as Windows 2000/XP/2003/Vista. As part of our security policy we do not keep the USB ports enabled and disable them from BIOS itself. But we want to make sure that there are no machines which have USB port left enabled by mistake. Is there any way/software whereby we can check/scan the ports remotely on the domain?

Thanks in advance.

----------------------------------------------------------------------
Get a free email address with REAL anti-spam protection. http://www.bluebottle.com
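As an added example (not from the original post or from any of the thread's participants), the following PowerShell function audits a list of domain computers for the two controls described in the reply above: the UsbStor service Start value (4 = Disabled) and the ACLs on %SystemRoot%\Inf\usbstor.inf and usbstor.pnf (only SYSTEM and Administrators allowed). It assumes the Remote Registry service and the ADMIN$ share are reachable on each host and that the caller holds local administrator rights there; the host names are a constructed sample list, and the Get-ADComputer alternative mentioned in the comment assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: audit hosts for the USBSTOR controls (Start=4, locked-down INF/PNF ACLs).
# Assumes Remote Registry and the ADMIN$ share are available on every host checked.

function Test-UsbStorPolicy {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )

    # Meaning of the Start value, matching the dropdown in USBSTOR.ADM
    $startMeaning = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto Load'; 3 = 'Load On Demand'; 4 = 'Disabled' }
    # Well-known SIDs for SYSTEM and BUILTIN\Administrators, the only principals allowed on the INF/PNF
    $allowedSids = @('S-1-5-18', 'S-1-5-32-544')

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName = $computer
            UsbStorStart = $null
            StartMeaning = $null
            InfAclOk     = $null
            PnfAclOk     = $null
            Compliant    = $false
            Error        = $null
        }
        try {
            # Remote Registry read of HKLM\SYSTEM\CurrentControlSet\Services\UsbStor\Start
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\UsbStor')
            if ($null -eq $key) {
                # No usbstor service key: the driver was never installed on this host
                $result.UsbStorStart = -1
                $result.StartMeaning = 'service key absent'
            } else {
                $result.UsbStorStart = [int]$key.GetValue('Start')
                $result.StartMeaning = $startMeaning[$result.UsbStorStart]
                $key.Close()
            }
            $hklm.Close()

            # File ACLs via the ADMIN$ share: any Allow ACE for a principal other than
            # SYSTEM or Administrators means the GPO file-system setting did not apply
            foreach ($file in 'usbstor.inf', 'usbstor.pnf') {
                $path = "\\$computer\ADMIN$\inf\$file"
                $ok = $true
                if (Test-Path -Path $path) {
                    $acl = Get-Acl -Path $path
                    foreach ($ace in $acl.Access) {
                        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                        if ($ace.AccessControlType -eq 'Allow' -and $sid -notin $allowedSids) { $ok = $false }
                    }
                }
                if ($file -eq 'usbstor.inf') { $result.InfAclOk = $ok } else { $result.PnfAclOk = $ok }
            }

            # Compliant when the service is disabled (or never installed) and both ACLs are locked down
            $result.Compliant = ($result.UsbStorStart -eq 4 -or $result.UsbStorStart -eq -1) -and
                                $result.InfAclOk -and $result.PnfAclOk
        } catch {
            # Unreachable host, Remote Registry stopped, or access denied: report rather than abort
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Constructed sample host list; with RSAT installed, (Get-ADComputer -Filter *).Name gives the real one
$hosts = 'WKS-001', 'WKS-002', 'SRV-FILE01'
Test-UsbStorPolicy -ComputerName $hosts | Format-Table -AutoSize
```

Two caveats for anyone using this against the original question in the thread: it reports the state of the registry and file-system controls, not whether the BIOS setting is still in place, so a host with USB disabled in firmware but UsbStor at Start=3 is flagged as non-compliant by design; and a row with an Error value means the host could not be checked at all, which is itself worth following up on rather than treating as a pass.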
Current thread:
- USB ports Network Tornado (May 02)
- RE: USB ports Network Scott Ramsdell (May 02)
- Re: USB ports Network MaddHatter (May 03)
- RE: USB ports Network Nick Vaernhoej (May 02)
- RE: USB ports Network DELFOSSE Frédéric (May 02)
- Re: USB ports Network phillip (May 02)
- Re: USB ports Network Tornado (May 03)
- <Possible follow-ups>
- RE: USB ports Network Andy Cuff (May 03)
- Re: USB ports Network Tornado (May 04)
- RE: USB ports Network Scott Ramsdell (May 02)