Re: Selectively disabling USB devices

["Richard Bennison" <richard_bennison () hotmail com>]

Neksus,

I worked on the Beta program of DeviceLock 5.72 with a couple of my clients 
and this version has the ability to lockout administrators (upgrade from 
5.71 to 5.72 if this needs addressing).

Basically it deals with users with local admin rights by including this 
access level into a pollicy and then controlling with a superuser account, 
this is possible due to the level at which DeviceLock allows access to USB. 
This is for clients who do not have the luxury of Group Policy.

Cheers Richard
Richard () dayzerosecurity com


> From: Neksus <neksus () gmail com>
> To: pranav.lal () gmail com
> CC: security-basics () securityfocus com
> Subject: Re: Selectively disabling USB devices
> Date: Wed, 23 Nov 2005 13:49:27 -0500
>
> Pranav,
>
> I am not aware of a free possibility (if you ever do, please let me
> know) but there are many commercial software who can do this by using
> the USB device ID to permit/deny the use.
>
> It only works if the user is not an administrator although I assisted
> a presentation by Verdasys (Digital Guardian) which claimed they could
> bypass this issue by hooking in the kernel at boot time. I'm not a
> Windows engineer so I can't confirm is this is real or bogus but the
> presentation seemed satisfactory for me. Unfortunately, we haven't
> opted for that product.
>
> Instead we used a tool named Device Lock which can do the same thing.
> We don't have a problem with users being administrator so this works
> fine.
>
> Please note that (as far as I know), Firewire doesn't have different
> IDs per device so you can only do "disabled", "read" or "read write".
> USB provides much better managability.
>
> (N)
>
>
> >Is it possible to selectively disable USB devices? For instance, only 
> mice and
> >printers should work when connected to a USB port but flash drives, other 
> mp3
> >players etc should not work when connected to the same USB ports.