Re: Disabling USB mass storage
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell.net)
Date: Fri Mar 04 2005 - 12:18:00 CST
Huh? You use group policy and shove out permissions. You can build
permission registry keys as a group policy item.
Set up a USB OU, assign groups of folks, make sure your selected folks
are in another OU.
Example here:
Terminal Services - Quickbooks installation issues:
http://hem.fyristorg.com/vera/IT/TS_apps_QB.htm
Steven Hay wrote:
>Yes, we've looked at that document. There are two problems with the "MS
>fix" however:
>
>1. It's a daunting task to justify the cost in time of logging into over 600
>systems one at a time to change the registry on each to disable usb drive
>creation. MS didn't seem to think about this on an enterprise scale. We
>considered just batching up a large reg change to push out as well; but this
>would mean we couldn't know if they all worked or failed for sure, as well
>we were concerned about the potential for systems failure as direct reg
>edits can be risky. Even if only 2% of the systems failed, it wouldn't be
>worth the downtime costs.
>
>2. We would like for IT staff and a few select managers and systems to be
>allowed access. USB keys when properly used can be a powerful tool for our
>IT staff. This would be an "all or nothing" approach. Something on the
>network level is much more preferable to the system level, and I'm guessing
>sysadmins who work on 500+ node decentralized networks are in the same boat.
>
>We tried restricting usbstor.sys through the GPO, but I think the file gets
>local system level access and runs anyways <grumble grumble>.
>
>I sincerely appreciate the responses everyone's given so far, we're
>collecting all the suggestions and are going to review each of them and see
>if one or more of the recommendations will work best within our
>infrastructure. This is a great group and there are a lot of good IT people
>here.
>
>Steve
>
>-----Original Message-----
>From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:sbradcpa pacbell.net]
>Sent: March 3, 2005 10:14 PM
>To: Steven Hay
>Cc: 'focus-ms securityfocus.com'
>Subject: Re: Disabling USB mass storage
>
>
>HOW TO: Disable the Use of USB Storage Devices in Windows XP:
>http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
>
>Disable completely?
>
>Steven Hay wrote:
>
>
>
>>Good topic question, one we're having issues with as well, but with XP
>>SP1.
>>
>>We want to disable any removable drives from working on our 400+
>>workstations without having to visit each one.
>>
>>I tried denying access to usbstor.sys in the GPO, and confirmed that
>>the policy was applied to our test system. But it seems like the
>>system privileges override the GPO rights (I'm guessing) as the
>>removable drive letter pops up and is usable when a USB drive is
>>connected.
>>
>>Anyone have any experience with locking these down using GPO?
>>
>>Steve
>>
>>-----Original Message-----
>>From: Moser, Scott [mailto:scott.moser smead.com]
>>Sent: March 3, 2005 12:40 PM
>>To: Martin a Marika TYDOROVCI; focus-ms securityfocus.com
>>Subject: RE: Disabling USB mass storage
>>
>>
>>Create new key
>>HKLM\System\CurrentControlSet\Control\StorageDevicePolicies
>>and then create REG_DWORD called WriteProtect and set to 1. This will
>>prevent write only (not read) in XP SP2 only.
>>
>>-----Original Message-----
>>From: Martin a Marika TYDOROVCI [mailto:tydy szm.sk]
>>Sent: Wednesday, March 02, 2005 2:10 PM
>>To: focus-ms securityfocus.com
>>Subject: Disabling USB mass storage
>>
>>Hi list,
>>
>>Does anyone know a way to disable USB mass storage device in Win XP? I
>>need to disable using devices such as USB flash drive, card readers,
>>etc.
>>
>>Regards
>>
--
Chapter 4 of The Complete Patch Management Book:
https://www.ecora.com/ecora/jump/pm149.asp
So why is it the only book on NT Event Logging is out of print?
http://tinyurl.com/3kwc2
And if you don't know about www.eventid.net You should!
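
Added example, not part of the original thread: the quoted message worries that a registry change pushed to hundreds of machines cannot be confirmed as applied. The PowerShell function below reads back the two settings mentioned in the thread (the `WriteProtect` value under `StorageDevicePolicies`, and the USBSTOR driver `Start` value that the linked Microsoft KB article sets to 4) and reports a status per machine. The function name `Get-UsbStorageState` is hypothetical, and the script assumes administrative rights and a reachable Remote Registry service on each target.

```powershell
# Added example (not from the thread). Read-only audit: reports whether the
# USB storage settings discussed above are actually in place on each machine.
function Get-UsbStorageState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $start  = $null        # USBSTOR Start: 3 = load on demand, 4 = disabled
        $wp     = $null        # WriteProtect: 1 = removable storage read-only
        $status = 'Unknown'
        try {
            # Use the local hive directly so the audit also works on a machine
            # where the Remote Registry service is stopped.
            if ($computer -eq $env:COMPUTERNAME) {
                $hklm = [Microsoft.Win32.Registry]::LocalMachine
            } else {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            }

            $svc = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\USBSTOR')
            if ($svc) { $start = $svc.GetValue('Start'); $svc.Close() }

            $pol = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\StorageDevicePolicies')
            if ($pol) { $wp = $pol.GetValue('WriteProtect'); $pol.Close() }
            $hklm.Close()   # no effect on the predefined local hive

            if     ($start -eq 4) { $status = 'Blocked'  }
            elseif ($wp    -eq 1) { $status = 'ReadOnly' }
            else                  { $status = 'Allowed'  }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not skipped,
            # so failures of the rollout are visible in the output.
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Computer     = $computer
            UsbStorStart = $start
            WriteProtect = $wp
            Status       = $status
        }
    }
}

# Local check; pass a list of host names to -ComputerName to audit a fleet.
Get-UsbStorageState | Format-Table -AutoSize
```

Machines that are meant to keep USB access (the IT staff and managers mentioned in the thread) will show as `Allowed`, so compare the output against the intended OU membership rather than expecting every row to read `Blocked`.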