Security Basics mailing list archives

Re: USB port & access protection


From: Theodoros Charalabidis <Charalabidis () jcsc nato int>
Date: 2 Apr 2003 13:08:59 -0000

In-Reply-To: <20030330202706.31338.qmail () www securityfocus com>

Hi there.....



SECTION A

1. Look for the usbstor.sys file under the \winnt\system32\drivers directory. If this file exists, that means you had installed a USB driver sometime in the past and you have to go to Section B. Otherwise go to step 2.

2. Right click on the file usbstor.inf under the \winnt\inf directory and set permissions as follows:

           a. deny all access to Administrators
           b. deny all access to SYSTEM account



SECTION B

These are the steps we have to take in case the file usbstor.sys exists under the \winnt\system32\drivers directory.

1. To perform this task, you first need to connect a USB Mass Storage device (e.g. memory stick) to the port. The system will automatically respond with the recognition of the device and a hot-plug device icon will appear in the right corner of the taskbar. By double-clicking this icon the Unplug/Eject Hardware window comes up. Then press the Properties button and select the Driver tab. Click on Uninstall and confirm the device removal by pressing OK.

2. Right click on the file usbstor.inf under the \winnt\inf directory and set permissions as follows:

    a. deny all access to Administrators
    b. deny all access to SYSTEM account

3. Right click on the file usbstor.sys under the \winnt\system32\drivers directory and set permissions as follows:

    a. deny all access to Administrators
    b. deny all access to SYSTEM account



This is a per-workstation/server setting that requires administrative privilege and can be done locally or remotely (if you have a LAN). Of course this will make any USB device (including scanners) not work.



And now comes MY question, which is similar to yours.... Let's say that you have a domain with a Domain Controller running NT. And you have 20 workstations in that domain running W2K. Is there any way to do all the steps I described above so that you can implement USB restriction on the domain without doing it per-workstation? In other words, can you force USB restriction on that NT domain with W2K workstations at ONCE (i.e. with SMS, Hyena, scripts or 3rd-party tools) ????



You can also take a look at the following URLs:

www.devicelock.com

and http://tinyurl.com/67q3 



Hope that helped you.....



Charalabidis Theodoros
Network Administrator
NATO JCSC HQ
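
The per-machine steps from Sections A and B as a PowerShell script. This is an added example, not part of the original message: it assumes a system with PowerShell, an elevated session that is allowed to edit the two files' permissions, and that %SystemRoot% is the \winnt directory; the function name Add-DenyFullControl and the -Apply switch are hypothetical.

```powershell
# Added example: applies the deny permissions from Sections A and B.
param(
    # Assumption: %SystemRoot% is the \winnt directory named in the post.
    [string]$WindowsDir = $env:SystemRoot,
    # Hypothetical switch: without -Apply the script only reports.
    [switch]$Apply
)

$inf = Join-Path $WindowsDir 'inf\usbstor.inf'
$sys = Join-Path $WindowsDir 'system32\drivers\usbstor.sys'

# Well-known SIDs, so localized account names do not matter.
$denySids = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM (LocalSystem)
)

function Add-DenyFullControl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($s in $denySids) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($s)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)
    }
    if ($Apply) { Set-Acl -LiteralPath $Path -AclObject $acl }
    $state = if ($Apply) { 'applied' } else { 'dry run' }
    "{0}: deny all access for Administrators and SYSTEM ({1})" -f $Path, $state
}

$targets = @($inf)
if (Test-Path -LiteralPath $sys) {
    # Section B: the driver was installed at some point. Step 1 (uninstalling
    # the device from Unplug/Eject Hardware) is manual and must come first.
    Write-Warning "$sys exists: follow Section B, step 1 before using -Apply."
    $targets += $sys
}
foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { Add-DenyFullControl -Path $t }
    else { Write-Warning "$t not found, skipped" }
}
```

Run it without -Apply first to see which files would be touched. An account that owns a file can still rewrite its permissions, so check file ownership when relying on these deny entries.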

 
