Security Basics mailing list archives

RE: USB ports Network


From: DELFOSSE Frédéric <frederic.delfosse () missioneco org>
Date: Wed, 2 May 2007 20:07:54 +0200

Hi, you can make a custom .adm file that you can add into your AD.
The purpose is to prevent only the USB mass storage devices from running on the computer, not other devices such as a USB mouse.

USBSTOR.ADM :

CLASS MACHINE

CATEGORY "Services and Drivers"
    POLICY "USB Storage"
    KEYNAME "System\CurrentControlSet\Services\usbstor"
     PART "Startup type" DROPDOWNLIST
       VALUENAME "Start"
           ITEMLIST
           NAME "Boot" VALUE NUMERIC 0
           NAME "System"   VALUE NUMERIC 1
           NAME "Auto Load"   VALUE NUMERIC 2 DEFAULT
           NAME "Load On Demand"       VALUE NUMERIC 3
           NAME "Disabled"   VALUE NUMERIC 4
           END ITEMLIST
     END PART
    END POLICY
END CATEGORY


1.      Preventing the USB mass storage device setup:
When PnP sets up a driver, it uses the current user's permissions. We just have to act, using a GPO, on the 2 following files: USBSTOR.INF and USBSTOR.PNF
*       Within the GPO, go to "Computer Configuration - Windows Settings - Security Settings - File System" and create a new entry by right-clicking and selecting "Add a file". In the explorer window that then appears, select USBSTOR.INF (%SystemRoot%\Inf\USBSTOR.INF).
*       Change the security parameters to only allow Full Control to SYSTEM and Administrators. This will replace the permissions on every machine in the OU where the GPO is applied.
*       Repeat the previous steps for USBSTOR.PNF.
2.      Preventing USBSTOR from starting when a USB mass storage device is connected:
When a USB mass storage device is connected, USBSTOR is automatically executed by the OS, by using the DOS command "net start usbstor". This command only works if the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start doesn't have the value 4 (disabled). Therefore we are going to set this value to 4 to prevent USBSTOR from starting; this will prevent the mapping and initialization of USB keys.
*       We use the above USBSTOR.ADM, which we add to the administrative templates in the desktop configuration of our GPO. This adds "Services and Drivers" to our templates.
*       If the entry "Services and Drivers" is empty, we need to uncheck "only display the policy settings that can be fully managed" in the menu "Display - Filter".
*       Select the "USB Storage" policy. Check "Enabled" and choose "Disabled" in the dropdown list "Startup type".
*       You must enforce the GPO so that the registry key change can be made.

That's it :)


I hope it is going to be helpful.



 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tornado
Sent: Wednesday, May 02, 2007 3:41 AM
To: security-basics () securityfocus com
Subject: USB ports Network

Hi All,

We have a Windows 2003 AD domain with all the workstations/servers running Windows 2000/XP/2003/Vista. As part of our security policy we do not keep the USB ports enabled and disable them from the BIOS itself. But we want to make sure that there are no machines which have a USB port left enabled by mistake.
Is there any way/software whereby we can check/scan the ports remotely on the domain?

Thanks in advance.
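As an added example (not part of either message in this thread), the following PowerShell script audits the two controls described in the reply above and answers the remote-check question from the original post: it reads the USBSTOR Start value on each machine and reports any identity other than SYSTEM and Administrators that still holds an allow entry on usbstor.inf / usbstor.pnf. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller is a local administrator there; the computer names are constructed placeholders.

```powershell
# Added audit example, not from the thread. Assumes WinRM is enabled on the
# targets and the caller has local admin rights. Computer names are placeholders.
param(
    [string[]]$ComputerName = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')
)

$checks = {
    # Control 2 from the reply: Start must be 4 (Disabled) for USBSTOR.
    $startKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $startKey -Name Start -ErrorAction SilentlyContinue).Start
    $storageDisabled = ($start -eq 4)

    # Control 1 from the reply: only SYSTEM and Administrators should keep
    # access to the driver's INF/PNF so a normal user cannot trigger PnP setup.
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $extra = @()
    foreach ($f in 'usbstor.inf', 'usbstor.pnf') {
        $path = Join-Path $env:SystemRoot "Inf\$f"
        if (Test-Path $path) {
            foreach ($ace in (Get-Acl -Path $path).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $ace.IdentityReference.Value -notin $allowed) {
                    $extra += "$f : $($ace.IdentityReference.Value)"
                }
            }
        }
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        UsbStorStart    = $start            # $null means the key was not found
        StorageDisabled = $storageDisabled
        ExtraInfAccess  = ($extra -join '; ')
        Compliant       = $storageDisabled -and ($extra.Count -eq 0)
    }
}

# Run the checks on every target and list non-compliant machines first.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $checks |
    Select-Object Computer, UsbStorStart, StorageDisabled, ExtraInfAccess, Compliant |
    Sort-Object Compliant |
    Format-Table -AutoSize
```

A machine whose BIOS has USB disabled will still report on the driver settings, so a USBSTOR Start value other than 4 is worth a closer look regardless of what the BIOS says.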


