It simple
(http://support.microsoft.com/default.aspx?scid=kb;en-us;823732).
But you can use scripts in Group policy which disable or enable devices
or concerned service depended of user account or computer location in AD
structure. In your case you can disable "USBStor" service to disable
only mass storage. If you disable "USB root hub" device you disable all
USB on computer.
Here two examples:
(1) http://www.securitylab.ru/_Article_Images/2004/10/devcmcfg.vbs.txt
(2) http://www.securitylab.ru/_Article_Images/2004/10/devcfg.vbs.txt
First of them (devcmcfg) started with "devcmcfg disable" switch checks
membership of computer account in security groups ("Copm Floppy", "Comp
CDROM") and disable devices, specified in "Devices" array.
When you start "devcmcfg enable", script try to enable all devices from
"Devices" array.
Second (devcfg) uses more complicated techniques. When you start it with
"devcfg disable" it disables all devices and concerned services
specified in "Devices" and "Services" arrays accordingly. Furthermore
script set ACLs on services which permit security groups from "Groups"
array to enable services.
Started with "enable" key script try to change services startup from
"disable" to "demand" and launch device.
Both scripts uses Microsoft's devcon.exe tool
(http://support.microsoft.com/default.aspx?scid=kb;en-us;311272). Devcfg
also uses standard Windows sc.exe tool.
How to use it:
Devcmcfg:
Create security groups and add computers accounts to these groups.
Specify "devcmcfg.vbs disable" as Startup Script parameter value of GPO,
"devcmcfg.vbs enable" as Logon Script and "devcmcfg.vbs disable" again
as Logoff scripts.
When computer boots it execute Startup Scripts with System privileges
and can disable devices depended of computer group membership.
When user logon Startup Script executed. It can enable devices only if
user have "Load and Unload Device Drivers" (SeLoadDriver) privilege. So,
only Administrators can use disabled devices. When user logoff, Log off
starts and try to disable devices again.
Devcfg:
Create security groups and add users accounts to these groups.
Specify "devcfg.vbs disable" as Startup Script parameter value of GPO,
"devcfg.vbs enable" as Logon Script and "devcfg.vbs disable" again as
Logoff scripts.
When computer boots it execute Startup Scripts with System privileges
and can disable devices depended of group membership. Also scripts
disable devices services and set ACLS.
When user log on script try to change service startup type (it will be
successfully if he is member of the appropriate security group). Also
user should have SeLoadDriver privilege. If it has been done script
starts appropriated device.
Full description (sorry, only in Russian) can be found here:
http://www.securitylab.ru/49044.html
Thanks for your attention and sorry for my English.
Regards,
Sergey V. Gordeychik,
MCSE, MCT, CISSP
---------------------------------------------------------------------------
---------------------------------------------------------------------------
