
Security Forums


How to disable USB memory sticks

Networking/Security Forums Index -> Exchange 2000 // 2003 // 2007 & Active Directory
wshamroukh
Posted: Wed Oct 27, 2004 8:36 am    Post subject: How to disable USB memory sticks

Hi all

My manager asked me a couple of weeks ago to secure the USB flash memory sticks. After a long and deep search on this issue I found that I may restrict some users and give others the permission to use the USB flash memory stick, and that's by setting permissions on the file WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS. Now what I am going to do is make a .bat file, and in this file I am going to write the following command for the startup script:

Code:
rem Startup script: cacls /p replaces the whole ACL of the file; "echo y" answers the Y/N confirmation prompt
echo y | cacls.exe c:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS /p administrators:f users:n

and for the shutdown script:

Code:
rem Shutdown script: replace the ACL again so Everyone has full control
echo y | cacls.exe c:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS /p everyone:f

Now what I am asking is: is this going to succeed? Will the .bat file run successfully each time on startup and on shutdown, and will what I am going to do to the selected file permit the admin to use the USB and prevent the user? Please help me with this issue because it is really urgent to do the security for the USB flash memory sticks. Thanks in advance.
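As an added example (not code from the original post or from its author), here is the PowerShell equivalent of the two cacls batch scripts above, written the way a Windows administrator would deploy it today. It assumes Windows PowerShell 5.1 or later, run from an elevated prompt or as a GPO computer startup script (which runs as SYSTEM), and uses the file path named in the post. Two things differ deliberately from the cacls lines: cacls /p replaces the entire ACL, so "administrators:f users:n" also removes the SYSTEM entry, which this script keeps; and the lockdown ACL grants Administrators and SYSTEM only, with no Deny ACE for Users, because on a workstation the local Users group contains Authenticated Users and INTERACTIVE, so every administrator's token also carries Users and an explicit Deny on Users would lock administrators out as well. The takeown step is an assumption about Windows Vista and later, where the driver file is owned by TrustedInstaller and Administrators have only Read & Execute by default; the XP-era machines in the thread do not need it.

```powershell
# Added example, not from the original post. Requires an elevated context.
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\usbstor.sys'

# Well-known SIDs: locale independent, unlike the names cacls resolves.
$SidSystem         = 'S-1-5-18'
$SidAdministrators = 'S-1-5-32-544'
$SidEveryone       = 'S-1-1-0'

function New-Ace {
    param([string]$Sid,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.AccessControlType]$Type)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    New-Object System.Security.AccessControl.FileSystemAccessRule($id, $Rights, $Type)
}

function Assert-Elevated {
    $principal = New-Object System.Security.Principal.WindowsPrincipal(
        [System.Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run elevated: rewriting the DACL of a driver file needs WRITE_DAC on it.'
    }
}

function Set-DriverAcl {
    # Replace the DACL of $Path with exactly the given ACEs (what cacls /p does).
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Aces)
    Assert-Elevated
    if (Get-Command takeown.exe -ErrorAction SilentlyContinue) {
        # Assumption for Vista and later: TrustedInstaller owns the file, so take
        # ownership for the Administrators group first. Not present on XP.
        & takeown.exe /F $Path /A | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting from the drivers folder
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Set-UsbStorLockdown {
    # Startup-script behaviour: Administrators and SYSTEM keep full control.
    # Users get no ACE at all (implicit deny) rather than an explicit Deny,
    # because administrators' tokens also contain BUILTIN\Users.
    param([string]$Path = $DriverPath)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    Set-DriverAcl -Path $Path -Aces @(
        (New-Ace $SidSystem         $full 'Allow'),
        (New-Ace $SidAdministrators $full 'Allow')
    )
}

function Restore-UsbStorAccess {
    # Shutdown-script behaviour from the post (everyone:f), with SYSTEM kept.
    param([string]$Path = $DriverPath)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    Set-DriverAcl -Path $Path -Aces @(
        (New-Ace $SidEveryone $full 'Allow'),
        (New-Ace $SidSystem   $full 'Allow')
    )
}

function Get-UsbStorAclReport {
    # Verification: one row per ACE, to check what either script actually wrote.
    param([string]$Path = $DriverPath)
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

# Usage (elevated):
#   Set-UsbStorLockdown;  Get-UsbStorAclReport | Format-Table -AutoSize
#   Restore-UsbStorAccess
```

Run Get-UsbStorAclReport before and after each change; if the report still shows inherited entries, the protection flag was not persisted and users may still have Read & Execute through the parent folder.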
AdamV
Posted: Wed Oct 27, 2004 10:59 am

Just trying to clarify a bit: is it your intention that no normal users can use the USB sticks ever, but that local administrators of the machine can?

If this is so, then I'm not sure what the shutdown script is for. It looks like this would let anyone use a stick if they disconnect from the network and logon using their cached credentials. Maybe this is intentional but it seems a weakness.

Other than that the syntax you have seems fine.

NB: I have no idea if changing this permission will have the desired effect, but you seem to have done some research which implies that it will (it might depend on what invokes this file and therefore whether it is being run with system privileges rather than the user's in any case). Hopefully someone here knows more.
wshamroukh
Posted: Wed Oct 27, 2004 12:13 pm

Look, I am in an organization and we have a domain controller, and all the machines are under this domain. I am going to apply this .bat file in the GPO in the startup/shutdown scripts. That's what I am going to do.
fsb
Posted: Wed Oct 27, 2004 12:23 pm

Why don't you limit the drive letters using a GPO?
AdamV
Posted: Wed Oct 27, 2004 12:36 pm

You asked if what you intend to do will achieve what you want, but the only way for us to guess what it is you want is by seeing what your actions will do.

If you want to lock out everyone except local administrators from using or changing that file, then as far as I can see these lines in startup / shutdown or logon / logoff scripts would do that. Whether that achieves your goal or not I can't tell you because you have not said what your aim is.

If you do use these scripts, make sure you put the script files in a location that users cannot reach, otherwise they could just run the shutdown script themselves to unlock it.

Drive letters might work, but if you have network drives connected and a savvy user they might be able to disconnect a share then use the USB stick on that letter. You could get round this by locking other things down but it might be harder than it's worth.
wshamroukh
Posted: Wed Oct 27, 2004 12:40 pm

I think this is not a logical solution. Secondly, every user in my organization has at least 8 mapped network drives, so how could I disable the drive letters? It seems a bit difficult and not logical.
wshamroukh
Posted: Wed Oct 27, 2004 12:54 pm

The issue I am working on is this: I am going to block the domain users from using the USB flash memory sticks, and the domain admins will have the permission to use them. That's what I am trying to do. Most of you told me that the commands are OK and fine; then can you tell me, if I apply the permission to the file USBSTOR.SYS itself, will it achieve the aim?

Now regarding the startup/shutdown scripts, don't worry about the files and where I am going to keep them; of course it will be in a place no one can see them.

Can you please help me, guys, with the issue of blocking the use of USB flash memory sticks for users but not administrators?
fsb
Posted: Wed Oct 27, 2004 12:58 pm

Two seconds on Google...

Here's the GPO definition for disabling USB storage devices.
This involves removing the permissions from a .sys file, not a .dll. Sorry for the mislead (and for taking so long to correct it).


Name: GP-Org-DisableUSBStorageDevices

-- Computer Configuration
---- Windows Settings
------ Security Settings
-------- File System

Object name:
--- %SystemRoot%\system32\drivers\usbstor.sys
--- Replace Existing Permissions
--- Edit Security
-------- Everyone: Deny

Hope this is clear enough for you to apply in your organization.
If not, you're welcome to send me a message, and I'll try to illustrate it more clearly if I can.

Why are you writing a batch script?
wshamroukh
Posted: Wed Oct 27, 2004 1:37 pm

OK, I will try this option and I will contact you later on.
AdamV
Posted: Wed Oct 27, 2004 1:47 pm

Noooooooooo!

Everyone = Deny would mean no one can use the stick at all, surely? Now this might be OK if it was a user policy, but not a computer one.
I suppose you could change the permissions on the GPO so it does not apply to domain admins (if that will even work), but surely it would be neater to change the file security to the right thing in the first place?

Also, if the permissions on the file apply to local administrators, that _ought_ to mean that a domain admin remote controlling the machine would have the necessary rights and could therefore access the stick (if that was more expedient than logging off the user, logging back on locally, etc.).
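To make the disagreement above concrete, here is an added example (not code from any post in this thread): a small pure-PowerShell model of the access check Windows performs against a file's DACL, run over the ACL variants the thread discusses: the first post's Administrators-only ACL, fsb's Everyone: Deny, the same with an Allow for Administrators added, and a Deny on Users with an Allow for Administrators. It makes no Windows API calls, so it runs under Windows PowerShell 5.1 or pwsh anywhere. The tokens are constructed sample data built on a made-up domain SID; the memberships assumed (Domain Admins nested in local Administrators, Authenticated Users in local Users) are the defaults on a domain-joined workstation. The rights constants are the values of the corresponding FileSystemRights members.

```powershell
# Added example, not from the thread. Models DACL evaluation (AccessCheck) on
# constructed ACLs and tokens; nothing here touches the real file system.

# Access masks, same values as System.Security.AccessControl.FileSystemRights.
$READ_AND_EXECUTE = 0x000200A9
$FULL_CONTROL     = 0x001F01FF

$Domain = 'S-1-5-21-1111-2222-3333'        # made-up domain SID for the sample
$Group = @{
    Everyone       = 'S-1-1-0'
    AuthUsers      = 'S-1-5-11'
    Administrators = 'S-1-5-32-544'
    Users          = 'S-1-5-32-545'
    DomainUsers    = "$Domain-513"
    DomainAdmins   = "$Domain-512"
}

# Constructed tokens: the group SIDs each kind of logon carries on a workstation.
# Authenticated Users is a member of local Users, so BOTH tokens contain Users;
# Domain Admins is a member of local Administrators.
$DomainUserToken  = @($Group.Everyone, $Group.AuthUsers, $Group.Users, $Group.DomainUsers)
$DomainAdminToken = @($Group.Everyone, $Group.AuthUsers, $Group.Users, $Group.DomainUsers,
                      $Group.Administrators, $Group.DomainAdmins)

function New-Ace {
    param([string]$Type, [string]$Sid, [int]$Mask)
    [pscustomobject]@{ Type = $Type; Sid = $Sid; Mask = $Mask }
}

function Test-Access {
    # Windows algorithm: walk the DACL in order (canonical order puts Deny ACEs
    # first). A matching Deny covering any still-needed bit fails immediately;
    # a matching Allow clears the bits it grants; success when none remain.
    # An empty DACL therefore denies everything.
    param([object[]]$Dacl, [string[]]$Token, [int]$Requested)
    $remaining = $Requested
    foreach ($ace in $Dacl) {
        if ($Token -notcontains $ace.Sid) { continue }
        if ($ace.Type -eq 'Deny') {
            if (($ace.Mask -band $remaining) -ne 0) { return $false }
        } else {
            $remaining = $remaining -band (-bnot $ace.Mask)
            if ($remaining -eq 0) { return $true }
        }
    }
    return ($remaining -eq 0)
}

# The ACL variants from the thread, each written in canonical order.
$Variants = [ordered]@{
    'A: Allow Administrators only (first post, users absent)' = @(
        (New-Ace Allow $Group.Administrators $FULL_CONTROL))
    'B: Deny Everyone (fsb GPO)' = @(
        (New-Ace Deny  $Group.Everyone $FULL_CONTROL))
    'C: Deny Everyone + Allow Administrators' = @(
        (New-Ace Deny  $Group.Everyone       $FULL_CONTROL),
        (New-Ace Allow $Group.Administrators $FULL_CONTROL))
    'D: Deny Users + Allow Administrators' = @(
        (New-Ace Deny  $Group.Users          $FULL_CONTROL),
        (New-Ace Allow $Group.Administrators $FULL_CONTROL))
}

function Compare-Dacls {
    # One row per variant: can a domain user / a domain admin open the file
    # for Read & Execute?
    param([System.Collections.Specialized.OrderedDictionary]$Dacls,
          [int]$Requested = $READ_AND_EXECUTE)
    foreach ($name in $Dacls.Keys) {
        [pscustomobject]@{
            Dacl        = $name
            DomainUser  = Test-Access -Dacl $Dacls[$name] -Token $DomainUserToken  -Requested $Requested
            DomainAdmin = Test-Access -Dacl $Dacls[$name] -Token $DomainAdminToken -Requested $Requested
        }
    }
}

Compare-Dacls -Dacls $Variants | Format-Table -AutoSize
```

Only variant A gives the split the original poster wants (user denied, admin allowed). B, C and D deny the administrator too: the Deny ACE is evaluated before the Allow, and the administrator's token contains Everyone and Users just as the user's does. Whatever the file ACL ends up controlling on a given Windows version, the way to let administrators through is to grant them and leave users unlisted, not to add a Deny on a group administrators are also members of.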
fsb
Posted: Wed Oct 27, 2004 4:11 pm

It doesn't matter. The point is that using a GPO is cleaner than using a batch file with cacls.

Obviously you would make the necessary adjustments to the GPO depending upon how you want it to work.
AdamV
Posted: Wed Oct 27, 2004 4:56 pm

Understood - I just wanted to make sure we were not confusing our correspondent more in the process of helping.
ssonby
Posted: Tue Jun 29, 2010 7:30 pm    Post subject: Help: How to disable USB memory sticks

Well, you are right. This will work. It disables the USB drive for all other users except admins. Did you already implement it? Tell me your conclusions.

I need to implement this same thing, but on a standalone single PC. Do you have any suggestion how to do this?

I tried a lot of places but couldn't get the solution. Hope you can help with your experience (and that's the reason I didn't post this separately).


Note:
If you want to try any of these settings, you can use virtual PC systems, VMware, etc.
All times are GMT + 2 Hours