Security Basics mailing list archives
Re: USB port & access protection
From: Theodoros Charalabidis <Charalabidis () jcsc nato int>
Date: 2 Apr 2003 13:08:59 -0000
In-Reply-To: <20030330202706.31338.qmail () www securityfocus com>

Hi there.....

SECTION A

1. Look for the usbstor.sys file under the \winnt\system32\drivers directory. If this file exists, that means you had installed a USB driver sometime in the past and you have to go to Section B. Otherwise go to step 2.
2. Right click on the file usbstor.inf under the \winnt\inf directory and set permissions as follows:
   a. deny all access to Administrators
   b. deny all access to SYSTEM account

SECTION B

These are the steps we have to take in case the file usbstor.sys exists under the \winnt\system32\drivers directory.

1. To perform this task, you first need to connect a USB Mass Storage device (e.g. memory stick) to the port. The system will automatically respond with the recognition of the device and a hot-plug device icon will appear on the right corner of the taskbar. By double-clicking this icon the Unplug/Eject Hardware window comes up. Then press the Properties button and select the Driver tab. Click on Uninstall and confirm the device removal by pressing OK.
2. Right click on the file usbstor.inf under the \winnt\inf directory and set permissions as follows:
   a. deny all access to Administrators
   b. deny all access to SYSTEM account
3. Right click on the file usbstor.sys under the \winnt\system32\drivers directory and set permissions as follows:
   a. deny all access to Administrators
   b. deny all access to SYSTEM account

This is a per-workstation/server setting that requires administrative privilege and can be done locally or remotely (if you have a LAN). Of course this will cause any USB device (including scanners) not to work.

And now comes MY question, which is similar to yours.... Let's say that you have a domain with a Domain Controller running NT. And you have 20 workstations in that domain running W2K. Is there any way to do all the steps I described above so that you can implement USB restriction on the domain without doing it per-workstation? In other words, can you force USB restriction on that NT domain with W2K workstations at ONCE (i.e. with SMS, Hyena, scripts or 3rd-party tools)?

You can also take a look at the following URLs: www.devicelock.com and http://tinyurl.com/67q3

Hope that helped you.....

Charalabidis Theodoros
Network Administrator
NATO JCSC HQ
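
An added example, not part of the original post: a PowerShell audit that reports whether the deny entries from Sections A and B are in place on the local machine. It assumes a Windows version with PowerShell 3 or later (not present on a stock Windows 2000 install) and uses %SystemRoot% in place of the post's \winnt path; the function name Get-UsbStorDenyStatus is hypothetical.

```powershell
# Added example: audit the deny ACEs from Sections A and B of the post.
# Assumption: $env:SystemRoot stands in for the post's \winnt directory.
$targets = @(
    (Join-Path $env:SystemRoot 'inf\usbstor.inf'),
    (Join-Path $env:SystemRoot 'system32\drivers\usbstor.sys')
)
# Well-known SIDs, used instead of account names so the check is locale independent.
$principals = [ordered]@{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-18' = 'SYSTEM' }
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-UsbStorDenyStatus {
    param([string]$Path, [string]$Sid)
    if (-not (Test-Path -LiteralPath $Path)) { return 'FileAbsent' }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A deny-all entry can also block reading the ACL itself,
        # so report this case separately instead of failing.
        return 'AclUnreadable'
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities translated to SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $isDeny = $rule.AccessControlType -eq 'Deny'
        $isAll  = ($rule.FileSystemRights -band $full) -eq $full
        if ($rule.IdentityReference.Value -eq $Sid -and $isDeny -and $isAll) {
            return 'DenyAllPresent'
        }
    }
    return 'DenyAllMissing'
}

# One row per file and principal, matching steps a and b in the post.
$report = foreach ($path in $targets) {
    foreach ($sid in $principals.Keys) {
        [pscustomobject]@{
            File      = $path
            Principal = $principals[$sid]
            Status    = Get-UsbStorDenyStatus -Path $path -Sid $sid
        }
    }
}
$report | Format-Table -AutoSize
```

A Status of FileAbsent for usbstor.sys corresponds to the Section A case, where only usbstor.inf carries the deny entries.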