How to disable USB memory sticks

Networking/Security Forums -> Exchange 2000 // 2003 // 2007 & Active Directory

Author: wshamroukh | Location: Palestine | Posted: Wed Oct 27, 2004 8:36 am | Post subject: How to disable USB memory sticks
    ----
Hi all

My manager asked me a couple of weeks ago to put some security on USB flash memory sticks. After a long and deep search on this issue I found that I can restrict some users and give others the permission to use the USB flash memory stick, and that's by setting permissions on the file WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS. Now what I am going to do is make a .bat file, and in this file I am going to write the following command for the startup script:

Code:
REM Startup script: /P replaces the whole ACL on usbstor.sys; "echo y" answers the cacls confirmation prompt
echo y | cacls.exe c:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS /p administrators:f users:n

and for the shutdown script:

Code:
REM Shutdown script: give everyone full control again
echo y | cacls.exe c:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS /p everyone:f

Now what I am asking is: is this going to succeed? Will the .bat file run successfully each time on startup and on shutdown? And will what I am going to do to the selected file permit the admin to use the USB and prevent the user? Please help me with this issue because it is really urgent to do the security for the USB flash memory sticks. Thanks in advance.

Author: AdamV | Location: Leeds, UK | Posted: Wed Oct 27, 2004 10:59 am | Post subject:
    ----
Just trying to clarify a bit: is it your intention that no normal users can use the USB sticks ever, but that local administrators of the machine can?

If this is so, then I'm not sure what the shutdown script is for. It looks like this would let anyone use a stick if they disconnect from the network and logon using their cached credentials. Maybe this is intentional but it seems a weakness.

Other than that the syntax you have seems fine.

NB: I have no idea if changing this permission will have the desired effect, but you seem to have done some research which implies that it will (it might depend on what invokes this file and therefore whether it is being run with system privileges rather than user in any case). Hopefully someone here knows more.

Author: wshamroukh | Location: Palestine | Posted: Wed Oct 27, 2004 12:13 pm | Post subject:
    ----
Look, I am in an organization and we have a domain controller, and all the machines are under this domain, and I am going to apply this .bat file in the GPO startup/shutdown scripts. That's what I am going to do.

Author: fsb | Posted: Wed Oct 27, 2004 12:23 pm | Post subject:
    ----
Why don't you limit the drive letters using a GPO?

Author: AdamV | Location: Leeds, UK | Posted: Wed Oct 27, 2004 12:36 pm | Post subject:
    ----
You asked if what you intend to do will achieve what you want, but the only way for us to guess what it is you want is by seeing what your actions will do.

If you want to lock out everyone except local administrators from using or changing that file, then as far as I can see these lines in startup / shutdown or logon / logoff scripts would do that. Whether that achieves your goal or not I can't tell you because you have not said what your aim is.

If you do use these scripts, make sure you put the script files in a location that users cannot reach, otherwise they could just run the shutdown script themselves to unlock it.

Drive letters might work, but if you have network drives connected and a savvy user they might be able to disconnect a share then use the USB stick on that letter. You could get round this by locking other things down but it might be harder than it's worth.

Author: wshamroukh | Location: Palestine | Posted: Wed Oct 27, 2004 12:40 pm | Post subject:
    ----
I think this is not a logical solution. Secondly, every user in my organization has at least 8 mapped network drives, so how could I disable the drive letters? It seems a bit difficult and not logical.

Author: wshamroukh | Location: Palestine | Posted: Wed Oct 27, 2004 12:54 pm | Post subject:
    ----
The issue that I am working on is that I am going to block the domain users from using the USB flash memory sticks while the domain admins will have the permission to use them. That's what I am trying to do. Most of you told me that the commands are OK and fine; then can you tell me about the file itself, USBSTOR.SYS: if I apply the permission to it, will it achieve the aim?

Now regarding the startup/shutdown scripts, don't worry about the files and where I am going to keep them; of course they will be in a place no one can see them.

Can you please help me, guys, with the issue of blocking the use of USB flash memory sticks for users but not administrators?

Author: fsb | Posted: Wed Oct 27, 2004 12:58 pm | Post subject:
    ----
2 Seconds on google..

Here's the GPO definition for disabling USB storage devices
This involves removing the permissions off a .sys file, not .dll ... Sorry for the mislead. (and for taking so long correcting it).


Name: GP-Org-DisableUSBStorageDevices

-- Computer Configuration
---- Windows Settings
------ Security Settings
-------- File System

Object name:
--- %SystemRoot%\system32\drivers\usbstor.sys
--- Replace Existing Permissions
--- Edit Security
-------- Everyone: Deny

Hope this is clear enough for you to apply in your organization.
If not, you're welcome to send me a message, and I'll try to illustrate it more clearly if I can.

Why are you writing a batch script?
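A PowerShell version of the usbstor.sys permission change discussed above, added here as an example and not posted by anyone in the thread. It assumes it runs elevated on the target PC, that BUILTIN\Administrators, BUILTIN\Users and NT AUTHORITY\SYSTEM are the principals you care about, and that on Vista and later you have taken ownership of the file first.

```powershell
# Added example (not from this thread): set the usbstor.sys ACL with PowerShell
# instead of cacls, so admins can use the driver and ordinary users cannot.
# Assumptions: run elevated; BUILTIN\Administrators, BUILTIN\Users and
# NT AUTHORITY\SYSTEM are the right principals; on Vista-and-later systems
# you take ownership of the file before running this.
param(
    [string]$Driver = "$env:SystemRoot\System32\drivers\usbstor.sys",
    [switch]$Unlock    # counterpart of the thread's "shutdown" script
)

function Set-UsbStorAcl {
    param([string]$Path, [bool]$Locked)
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the drivers folder, discard the inherited entries,
    # then clear any explicit ones: the equivalent of cacls /P (replace).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # SYSTEM and Administrators keep full control in both states, so the
    # machine can still load the driver and admins can still change the ACL.
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }

    if (-not $Locked) {
        # Unlocked: give Users read/execute back. The locked state simply adds
        # no Users entry rather than a Deny ACE: a Deny on Users (or Everyone)
        # also hits admin accounts that are members of those groups.
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'ReadAndExecute', 'Allow')))
    }

    Set-Acl -Path $Path -AclObject $acl
}

# Report who can do what, so the result can be verified after a reboot or a
# group policy refresh instead of trusting that the script ran.
function Get-UsbStorAclReport {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Set-UsbStorAcl -Path $Driver -Locked (-not $Unlock)
Get-UsbStorAclReport -Path $Driver | Format-Table -AutoSize
```

Run it without switches from a startup script to lock, and with -Unlock where the thread's shutdown script would run; the report at the end is what to compare across machines.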

Author: wshamroukh | Location: Palestine | Posted: Wed Oct 27, 2004 1:37 pm | Post subject:
    ----
OK, I will try this option and I will contact you later on.

Author: AdamV | Location: Leeds, UK | Posted: Wed Oct 27, 2004 1:47 pm | Post subject:
    ----
Noooooooooo!

Everyone = deny would mean no-one can use the stick at all, surely? Now this might be OK if it was a user policy, but not a computer one.
I suppose you could change the permissions on the GPO so it does not apply to domain admins (if that will even work), but surely it would be neater to change the file security to the right thing in the first place?

Also, if the permissions on the file apply to local administrators, that _ought_ to mean that a domain admin remote controlling the machine would have the necessary rights and could therefore access the stick (if that was more expedient than logging off the user, logging back on locally, etc.).

Author: fsb | Posted: Wed Oct 27, 2004 4:11 pm | Post subject:
    ----
It doesn't matter. The point is that using a GPO is cleaner than using a batch file with cacls.

Obviously you would make the necessary adjustments to the GPO depending upon how you want it to work.

Author: AdamV | Location: Leeds, UK | Posted: Wed Oct 27, 2004 4:56 pm | Post subject:
    ----
Understood. I just wanted to make sure we were not confusing our correspondent more in the process of helping.

Author: ssonby | Posted: Tue Jun 29, 2010 7:30 pm | Post subject: Help: How to disable USB memory sticks
    ----
Well, you are right. This will work. It disables the USB drive for all other users, except admins. Did you already implement it? Tell me your conclusions.

I need to implement this same thing, but on a standalone single PC. Do you have any suggestion how to do this?

I tried a lot of places but couldn't get the solution. Hope you can help with your experience (and that's the reason I didn't post this separately).

Note:
If you want to try any of these settings, you can use a virtual PC system, VMware, etc.


