Security Basics mailing list archives
RE: Active Directory device block
From: "Simon Thornton" <simon () thornton info>
Date: Tue, 18 Jan 2011 08:31:46 +0100
Hi Valentin,

For device and port protection and control of all removable devices at the enterprise level you can use a commercial product like Sanctuary [8] from SecureWave. This allows granular control over all ports and devices connected to a PC.

If you prefer the roll-your-own style you can also do this using two free Microsoft tools: devcon [1] and psexec [2] from the sysinternals [3] set of utilities. Devcon is a command line utility that has many of the functions of the control panel device manager but is scriptable. Psexec is a utility that allows someone with administrator privileges to execute commands on a remote machine.

The way I normally set up these utils and file share is as follows:

1. On a fileserver create a share which only admins have access to, add a $ to the end of the sharename to hide it, e.g. \\SERVER\ADMTOOLS$
2. Download the devcon [1] and psexec [2] utils and unpack into a subdirectory on this share i.e. \\SERVER\ADMTOOLS$\UTILS
3. Save the script below into \\SERVER\ADMTOOLS$
4. Connect the USB storage device to the local/remote machine
5. Exec devcon remove @usbstor\*; devcon rescan, or use something like the script shown below.

   \\SERVER\ADMTOOL$\UTILS\psexec \\MACHINE -u ADMACCT -p ADMPWD \\SERVER\ADMTOOL$\devcon-usbrefresh.cmd

The essence of the technique is to connect the approved device to the machine then run devcon to remove all usb-storage definitions and then rescan the hardware. It's possible to add/remove individual devices by specifying the HIDS/VIDS for a device.
For more examples see the links [4] - [7] listed below.

For more info about DevCon, open a CMD prompt before you try and execute any of the following.

Help with the commands:

    devcon help
    devcon help find
    devcon help findall
    devcon help remove
    devcon help rescan
    psexec -h

Listing all USB devices (including ones not connected):

    devcon findall @usb\*

List only USB storage devices (including ones not connected):

    devcon findall @usbstor\*

Remove all USB storage definitions and then rescan machine:

    devcon remove @usbstor\*
    devcon rescan

The remove/rescan commands are used to remove all USB storage devices and then scan the h/w again. As long as the approved device is connected it will be added.

The script below is intended to be executed by an administrator either locally on the machine or using psexec.

Note: You need to change the SHARE and TOOLS variables to match your setup.

--- SOF ---
@echo off
::
:: Name: devcon-usbrefresh.cmd
::
:: Function: Insert only approved USB storage devices into machine, it erases
::           all entries for USB storage devices and then rescans the hardware
::
:: Assumes: That user does not have admin privs and that adding new USB
::          devices is restricted.
::          - create an admin-only share on a server \\SERVER\ADMTOOLS$
::          - download/install devcon and psexec from the MS website into \\SERVER\ADMTOOLS$\UTILS
::
:: Usage: \\SERVER\ADMTOOL$\devcon-usbrefresh.cmd
::    or, \\SERVER\ADMTOOL$\UTILS\psexec \\MACHINE -u ADMACCT -p ADMPWD \\SERVER\ADMTOOL$\devcon-usbrefresh.cmd
::
:: Where: MACHINE   is the machine name to access
::        ADMACCT   Administrator account name
::        ADMPWD    Administrator account password (omit "-p ADMPWD" and you are prompted)
::        SERVER    Server name where the admin tools share exists
::        ADMTOOL$  Admin only share with the devcon/psexec installed on it

:: Set these for your network
:: Location of admin access only share with tools/scripts
set SHARE=\\SERVER\ADMTOOL$
:: Location of psexec/devcon etc in the above share
set TOOLS=%SHARE%\UTILS

:: Check if DEVCON.EXE is available
%TOOLS%\DEVCON.EXE /? >NUL 2>&1
IF ERRORLEVEL 1 (
  ECHO This batch file requires Microsoft's DEVCON utility.
  ECHO Cannot locate this on the share %TOOLS%
  goto Exit
)

:: List all USB storage devices, including ones that are not connected
%TOOLS%\devcon findall @usbstor\* 2>nul

:: Erase all entries in the registry for USB storage devices
%TOOLS%\devcon remove @usbstor\* 2>nul

:: Rescan the hardware and detect any connected USB devices
%TOOLS%\devcon rescan 2>nul

:Exit
::
--- EOF ---

For more info have a look at the links below.
[1] http://support.microsoft.com/kb/311272
[2] http://technet.microsoft.com/en-gb/sysinternals/bb545027.aspx
[3] http://technet.microsoft.com/en-gb/sysinternals/default.aspx
[4] http://www.robvanderwoude.com/devcon.php
[5] http://www.robvanderwoude.com/autodownload.php
[6] http://www.windowsreference.com/windows-xp/devcon-an-alternative-to-device-manager-command-line-utility/
[7] http://stackoverflow.com/questions/23197/find-out-which-process-has-an-exclusive-lock-on-a-usb-device-handle
[8] http://securewave.creativerge.net/products.html

Rgds,
Simon
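
Added example, not part of the original post: a PowerShell sketch of the per-device variant the message mentions, which parses `devcon findall @usbstor\*` output and removes only entries that are not on an approved list. The devcon path, the approved patterns, and the sample output are constructed placeholders, and the parser assumes devcon's `<instance id> : <description>` line layout.

```powershell
# Added example (not from the original post): remove only non-approved USBSTOR entries.
param(
    [string]$Devcon = '\\SERVER\ADMTOOLS$\UTILS\devcon.exe',  # placeholder path, adjust
    [switch]$Apply                                            # without -Apply nothing is removed
)

# Approved devices as wildcard patterns on the instance ID (constructed values).
$ApprovedPatterns = @(
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_APPROVED*'
)

# Constructed sample of "devcon findall @usbstor\*" output, used for a dry run without devcon.
$Sample = @'
USBSTOR\DISK&VEN_EXAMPLE&PROD_APPROVED&REV_1.00\AAAA0001&0    : Example Approved USB Device
USBSTOR\DISK&VEN_OTHER&PROD_STICK&REV_2.00\BBBB0002&0         : Other Stick USB Device
2 matching device(s) found.
'@ -split "`r?`n"

function Get-UsbStorEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Device lines are "<instance id>  : <description>"; the summary line does not match.
        if ($line -match '^(?<id>USBSTOR\\\S+)\s*:\s*(?<desc>.*)$') {
            [pscustomobject]@{ InstanceId = $Matches['id']; Description = $Matches['desc'].Trim() }
        }
    }
}

$haveDevcon = Test-Path -LiteralPath $Devcon
if ($Apply -and -not $haveDevcon) { throw "devcon not found at $Devcon" }
$lines = if ($haveDevcon) { & $Devcon findall '@usbstor\*' } else { $Sample }

$removed = 0
foreach ($dev in Get-UsbStorEntry -Lines $lines) {
    $isApproved = [bool]($ApprovedPatterns | Where-Object { $dev.InstanceId -like $_ })
    if ($isApproved) {
        "KEEP    $($dev.InstanceId)  ($($dev.Description))"
        continue
    }
    "REMOVE  $($dev.InstanceId)  ($($dev.Description))"
    if ($Apply) {
        # "@<instance id>" targets exactly one device node instead of the @usbstor\* wildcard.
        & $Devcon remove "@$($dev.InstanceId)"
        $removed++
    }
}
# Rescan only if something was actually removed, mirroring the remove/rescan pair above.
if ($removed -gt 0) { & $Devcon rescan }
```

Run it without `-Apply` first and review the KEEP/REMOVE list before letting it call `devcon remove`.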