Network Security Focus-Microsoft

RE: Disabling USB mass storage

Subject: RE: Disabling USB mass storage
Date: Fri, 4 Mar 2005 15:28:32 -0500
You really need to look into the power of GPO I think. There are plenty
of tools (some free) that will do Reg work for you. Check into the free
Reg tool from desktopstandard.com. We use the full package (Policy
Maker) and it works great for tasks like this here. Create a GPO for
restricting over the REG but allow override or disable it for the GPO
your IT staff is in. This is by far the simplest AD/GPO task you can do.
Additionally, you can set up logging to get results of RSOP to see if it's
not applying to a system. I'd be curious to see what you come up with.

GPO was designed for doing stuff like this on the enterprise scale,
IMHO.

- Nick

-----Original Message-----
From: Steven Hay [mailto:shay@communitysavings.ca] 
Sent: Friday, March 04, 2005 12:52 PM
To: 'Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]'
Cc: 'focus-ms@securityfocus.com'
Subject: RE: Disabling USB mass storage

Yes, we've looked at that document.  There are two problems with the "MS
fix" however:

1. It's a daunting task to justify the cost in time of logging into over
600 systems one at a time to change the registry on each to disable usb
drive creation.  MS didn't seem to think about this on an enterprise
scale.  We considered just batching up a large reg change to push out as
well; but this would mean we couldn't know if they all worked or failed
for sure, as well we were concerned about the potential for systems
failure as direct reg edits can be risky.  Even if only 2% of the systems
failed, it wouldn't be worth the downtime costs.

2. We would like for IT staff and a few select managers and systems to be
allowed access.  USB keys when properly used can be a powerful tool for
our IT staff.  This would be an "all or nothing" approach.  Something on
the network level is much more preferable to the system level, and I'm
guessing sysadmins who work on 500+ node decentralized networks are in
the same boat.

We tried restricting usbstor.sys through the GPO, but I think the file
gets local system level access and runs anyways <grumble grumble>.

I sincerely appreciate the responses everyone's given so far, we're
collecting all the suggestions and are going to review each of them and
see if one or more of the recommendations will work best within our
infrastructure.  This is a great group and there are a lot of good IT
people here.

Steve

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:sbradcpa@pacbell.net]
Sent: March 3, 2005 10:14 PM
To: Steven Hay
Cc: 'focus-ms@securityfocus.com'
Subject: Re: Disabling USB mass storage


HOW TO: Disable the Use of USB Storage Devices in Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

Disable completely?

Steven Hay wrote:

Good topic question, one we're having issues with as well, but with XP
SP1.

We want to disable any removable drives from working on our 400+
workstations without having to visit each one.

I tried denying access to usbstor.sys in the GPO, and confirmed that
the policy was applied to our test system.  But it seems like the
system privileges override the GPO rights (I'm guessing) as the
removable drive letter pops up and is usable when a USB drive is
connected.

Anyone have any experience with locking these down using GPO?

Steve

-----Original Message-----
From: Moser, Scott [mailto:scott.moser@smead.com]
Sent: March 3, 2005 12:40 PM
To: Martin a Marika TYDOROVCI; focus-ms@securityfocus.com
Subject: RE: Disabling USB mass storage


Create new key 
HKLM\System\CurrentControlSet\Control\StorageDevicePolicies
and then create REG_DWORD called WriteProtect and set to 1.  This will
prevent write only (not read) in XP SP2 only.

-----Original Message-----
From: Martin a Marika TYDOROVCI [mailto:tydy@szm.sk]
Sent: Wednesday, March 02, 2005 2:10 PM
To: focus-ms@securityfocus.com
Subject: Disabling USB mass storage

Hi list,

Does anyone know a way to disable USB mass storage device in Win XP? I
need to disable using devices such as USB flash drive, card readers,
etc.

Regards

---------------------------------------------------------------------------
Please note that Internet email is not always private, secure or reliable.
The sender accepts no liability for any damages caused by any virus
inadvertently transmitted with this email.  Any opinion expressed in this
email is solely that of the author, unless clearly indicated otherwise.
This email, and any attachments, may contain confidential and/or
proprietary information that is intended only for use by the addressee.
If you are not the intended recipient, any use, dissemination, forwarding,
printing, or copying of this email is strictly prohibited.  If you
received this email in error, please delete the email and advise the
sender of the delivery error.
---------------------------------------------------------------------------

-- 
Chapter 4 of The Complete Patch Management Book: 
https://www.ecora.com/ecora/jump/pm149.asp

So why is it the only book on NT Event Logging is out of print?
http://tinyurl.com/3kwc2

And if you don't know about www.eventid.net You should!
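
An added example, not part of the original thread: a read-only PowerShell audit for the concern raised above that a pushed registry change gives no way to know which machines actually took it. It checks the WriteProtect value mentioned in the thread and, as an assumption drawn from the linked KB article 823732 rather than from the thread itself, the USBSTOR service Start value (4 = disabled); the host names are placeholders and PowerShell remoting (WinRM) is assumed to be enabled.

```powershell
# Added example: report USB mass storage lockdown state per workstation.
# Read-only: it queries the registry and changes nothing.

$check = {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $pol = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

    # Start = 4 means the usbstor driver is disabled (setting from KB 823732).
    $start = (Get-ItemProperty -Path $svc -Name Start -ErrorAction SilentlyContinue).Start

    # WriteProtect = 1 blocks writes but still allows reads (XP SP2 and later).
    $wp = (Get-ItemProperty -Path $pol -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect

    # The USBSTOR key can be missing if no USB storage device was ever installed;
    # that machine is not locked down, the driver just has not been set up yet.
    $state = if ($null -eq $start) { 'DriverNotInstalled' }
             elseif ($start -eq 4) { 'Disabled' }
             elseif ($wp -eq 1)    { 'ReadOnly' }
             else                  { 'Open' }

    [pscustomobject]@{
        UsbStorStart = $start
        WriteProtect = $wp
        State        = $state
    }
}

# Placeholder host names; in practice this list would come from AD or a file.
$computers = 'WS-EXAMPLE-01', 'WS-EXAMPLE-02', 'WS-EXAMPLE-03'

$results = Invoke-Command -ComputerName $computers -ScriptBlock $check `
               -ErrorAction SilentlyContinue

# Per-host result, grouped so exceptions (e.g. IT staff machines) stand out.
$results |
    Sort-Object State, PSComputerName |
    Format-Table PSComputerName, UsbStorStart, WriteProtect, State -AutoSize

# Hosts that did not answer are listed separately, never assumed compliant.
$unreachable = $computers | Where-Object { $_ -notin $results.PSComputerName }
if ($unreachable) {
    Write-Warning ("No result from: " + ($unreachable -join ', '))
}
```

Machines that are deliberately exempt, such as those in the IT staff GPO, will show as Open and can be compared against the expected exemption list.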



