Security Basics mailing list archives

RE: Active Directory device block


From: "Simon Thornton" <simon () thornton info>
Date: Tue, 18 Jan 2011 08:31:46 +0100

Hi Valentin, 
  
For device and port protection and control of all removable devices at the
enterprise level you can use a commercial product like Sanctuary [8] from
SecureWave. This allows granular control over all ports and devices
connected to a PC.

  
If you prefer the roll-your-own style you can also do this using two free
Microsoft tools: devcon [1] and psexec [2] from the Sysinternals [3] set of
utilities. Devcon is a command-line utility that has many of the functions
of the Control Panel Device Manager but is scriptable. Psexec is a utility
that allows someone with administrator privileges to execute commands on a
remote machine.

  

The way I normally set up these utils and the file share is as follows:

1.   On a fileserver create a share to which only admins have access; add a $
     to the end of the share name to hide it, e.g. \\SERVER\ADMTOOLS$

2.   Download the devcon [1] and psexec [2] utils and unpack them into a
     subdirectory on this share, i.e.

        \\SERVER\ADMTOOLS$\UTILS

3.   Save the script below into \\SERVER\ADMTOOLS$

4.   Connect the USB storage device to the local/remote machine

5.   Exec devcon remove @usbstor\*; devcon rescan, or use something like the
     script shown below:

        \\SERVER\ADMTOOLS$\UTILS\psexec \\MACHINE -u ADMACCT -p ADMPWD \\SERVER\ADMTOOLS$\devcon-usbrefresh.cmd

The essence of the technique is to connect the approved device to the
machine, then run devcon to remove all USB storage definitions and then
rescan the hardware.

It's possible to add/remove individual devices by specifying the
HIDS/VIDS for a device. For more examples see the links [4] - [7] listed
below.

For more info about DevCon, open a CMD prompt before you try to execute any
of the following.

  

Help with the commands 

    devcon help 
    devcon help find 
    devcon help findall 
    devcon help remove 
    devcon help rescan 

    psexec -h 

Listing all USB devices (including ones not connected): 
    devcon findall @usb\* 

List only USB storage devices (including ones not connected): 
    devcon findall @usbstor\* 

Remove all USB storage definitions and then rescan machine: 
    devcon remove @usbstor\* 

    devcon rescan 

The remove/rescan commands are used to remove all USB storage devices and
then scan the h/w again. As long as the approved device is connected it will
be added.

The script below is intended to be executed by an administrator either
locally on the machine or using psexec. 

Note: You need to change the SHARE and TOOLS variables to match your setup. 

--- SOF ---
@echo off
::
:: Name:      devcon-usbrefresh.cmd
::
:: Function:  Insert only approved USB storage devices into the machine; it
::            erases all entries for USB storage devices and then rescans the
::            hardware
::
:: Assumes:   That the user does not have admin privs and that adding new USB
::            devices is restricted.
::            - create an admin-only share on a server \\SERVER\ADMTOOLS$
::            - download/install devcon and psexec from the MS website into
::              \\SERVER\ADMTOOLS$\UTILS
::
:: Usage:     \\SERVER\ADMTOOLS$\devcon-usbrefresh.cmd
:: or,        \\SERVER\ADMTOOLS$\UTILS\psexec \\MACHINE -u ADMACCT -p ADMPWD \\SERVER\ADMTOOLS$\devcon-usbrefresh.cmd
::
:: Where:     MACHINE   is the machine name to access
::            ADMACCT   Administrator account name
::            ADMPWD    Administrator account password (omit "-p ADMPWD" and
::                      you are prompted)
::            SERVER    Server name where the admin tools share exists
::            ADMTOOLS$ Admin-only share with devcon/psexec installed on it

:: Set these for your network
:: Location of admin-access-only share with tools/scripts
set SHARE=\\SERVER\ADMTOOLS$

:: Location of psexec/devcon etc. in the above share
set TOOLS=%SHARE%\UTILS

:: Check that devcon.exe is available before trying to use it. Testing for the
:: file directly avoids depending on devcon's exit code for a usage request,
:: and without this check the 2>nul redirects below would hide a missing tool.
IF NOT EXIST "%TOOLS%\devcon.exe" (
       ECHO This batch file requires Microsoft's DEVCON utility.
       ECHO Cannot locate devcon.exe on the share %TOOLS%
       goto Exit
)

:: List all USB storage devices, including ones that are not connected
"%TOOLS%\devcon" findall @usbstor\* 2>nul

:: Erase all entries in the registry for USB storage devices
"%TOOLS%\devcon" remove @usbstor\* 2>nul

:: Rescan the hardware and detect any connected USB devices
"%TOOLS%\devcon" rescan 2>nul

:Exit

:: --- EOF ---


  

For more info have a look at the links below. 

  

  

[1] http://support.microsoft.com/kb/311272

[2] http://technet.microsoft.com/en-gb/sysinternals/bb545027.aspx

[3] http://technet.microsoft.com/en-gb/sysinternals/default.aspx

[4] http://www.robvanderwoude.com/devcon.php

[5] http://www.robvanderwoude.com/autodownload.php

[6] http://www.windowsreference.com/windows-xp/devcon-an-alternative-to-device-manager-command-line-utility/

[7] http://stackoverflow.com/questions/23197/find-out-which-process-has-an-exclusive-lock-on-a-usb-device-handle

[8] http://securewave.creativerge.net/products.html

Rgds,

Simon
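An added example (my code, not part of Simon's post or the devcon tool) that extends the remove/rescan technique to the per-device allowlisting the post mentions: it parses the output of devcon findall, keeps USBSTOR entries whose VEN_/PROD_ string is on an approved list, removes the rest by instance ID, and rescans. The share path and the approved-list value are constructed sample values, and an elevated session is assumed, as for the original script.

```powershell
# Added example, not from the original post: allowlist variant of the devcon
# remove/rescan technique. USBSTOR entries whose hardware portion matches an
# approved VEN_/PROD_ string are kept; every other entry is removed, then the
# hardware is rescanned. Must run elevated. The share path and the approved
# list are constructed sample values (assumptions for illustration).
param(
    [string]$Devcon = '\\SERVER\ADMTOOLS$\UTILS\devcon.exe',
    [string[]]$Approved = @('VEN_KINGSTON&PROD_DATATRAVELER_2.0'),
    [switch]$DryRun     # report what would be removed without touching anything
)

if (-not (Test-Path -LiteralPath $Devcon)) {
    throw "devcon.exe not found at $Devcon (see the share setup in the post)"
}

# devcon findall prints one line per entry, "<instance id> : <description>",
# plus a trailing "N matching device(s) found." summary that the regex skips.
function Get-UsbStorInstances {
    param([string]$DevconPath)
    & $DevconPath findall '@usbstor\*' 2>$null | ForEach-Object {
        if ($_ -match '^(?<id>USBSTOR\\\S+)\s*:\s*(?<desc>.*)$') {
            [pscustomobject]@{ Id = $Matches.id; Desc = $Matches.desc.Trim() }
        }
    }
}

function Invoke-UsbStorRefresh {
    param([string]$DevconPath, [string[]]$ApprovedIds, [switch]$DryRun)
    $removed = 0
    foreach ($dev in @(Get-UsbStorInstances -DevconPath $DevconPath)) {
        # Instance IDs look like USBSTOR\DISK&VEN_X&PROD_Y&REV_Z\<serial>&0,
        # so a substring match on the VEN_/PROD_ part identifies the model.
        $keep = @($ApprovedIds | Where-Object { $dev.Id -like "*$_*" }).Count -gt 0
        if ($keep) { Write-Output "keep   $($dev.Id)  [$($dev.Desc)]"; continue }
        Write-Output "remove $($dev.Id)  [$($dev.Desc)]"
        if (-not $DryRun) {
            # The leading '@' tells devcon the argument is an instance ID
            & $DevconPath remove "@$($dev.Id)" | Out-Null
            $removed++
        }
    }
    # Rescan so connected approved devices are re-detected, as in the post
    if (-not $DryRun) { & $DevconPath rescan | Out-Null }
    return $removed
}

Invoke-UsbStorRefresh -DevconPath $Devcon -ApprovedIds $Approved -DryRun:$DryRun
```

Run it with -DryRun first to review the keep/remove list before anything is changed. As with the original script, a non-approved device that is still physically connected may be detected again by the rescan; the allowlist controls which registered entries survive, not the port itself.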


