How can I disable ALL USB sticks not just new ones?
  • How can I disable ALL USB sticks not just new ones?

    Hi guys,

    Not sure if this should be in this forum or the GPO one but it seemed more OS related.

    I hope someone can help me here. Reading Daniel's tutorial on disabling USB sticks with GPO (http://www.petri.com/disable_usb_disks.htm) he says:
    Note that this will only prevent usage of newly plugged-in USB Removable Drives or flash drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical flash drives made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option.
    Is there a way of getting round this please? By definition, if you can still use a USB stick that's already been inserted after a policy is put in place to disable it, there must be some sort of footprint somewhere that identifies it to the machine - where would it be please? I could just delete them all. Or alternatively I was wondering if deleting all the USB root hubs would work? Any ideas how I could force that remotely at domain policy level please?

    Thanks in advance for any help you can offer.
    Cheers

  • #2
    Re: How can I disable ALL USB sticks not just new ones?

    Sticky thread in the Misc forum:-
    http://forums.petri.com/showthread.php?t=3299
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog

    • #3
      Re: How can I disable ALL USB sticks not just new ones?

      Hi Cruachan,

      Thanks for the swift reply.

      I'm confused here. In Jwmac's post he says:
      Change the value of the dword "Start" from 3 to 4. If the dword "Start" doesn't exist, create it. This will prevent a previously installed USB device from loading when the device is plugged into the machine.
      However in Daniel's ADM file he has:
      VALUENAME "Start"
      ITEMLIST
      NAME !!Disabled VALUE NUMERIC 3 DEFAULT
      NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
      which appears to do exactly that, but then he goes on to say the same quote above, about it not working for already inserted USB sticks.
      Note that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally.
      So does Jwmac's code work for all USB sticks irrespective of whether they have been plugged in previously, as he suggested, or do I need to clear some sort of "cache" on each machine prior to implementing this, as Daniel suggested - and if so, where is it please?

      Thanks again.

      • #4
        Re: How can I disable ALL USB sticks not just new ones?

        What I did, though it can be bypassed, was: mapping drive letters to network connections so the USB stick doesn't receive a drive letter.

        • #5
          Re: How can I disable ALL USB sticks not just new ones?

          When I've done it I've used the ADMs from the Microsoft Support site:-
          http://support.microsoft.com/default...b;en-us;555324

          They disable access to the drivers used by USB devices, so no USB Storage devices will work regardless of whether or not they have been used previously.
          BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
          Cruachan's Blog

          • #6
            Re: How can I disable ALL USB sticks not just new ones?

            Originally posted by cruachan:
            When I've done it I've used the ADMs from the Microsoft Support site:-
            http://support.microsoft.com/default...b;en-us;555324

            They disable access to the drivers used by USB devices, so no USB Storage devices will work regardless of whether or not they have been used previously.
            Excellent, thanks Cruachan. This is the confirmation I was looking for. The ADM on that link is identical to the one on Daniel's tutorial so I should be good to go using that GPO.

            Have you ever done the subinacl for the SYSTEM account as suggested in JWMAC's tutorial as well or is the GPO enough in and of itself for it to work?

            Thanks again.

            • #7
              Re: How can I disable ALL USB sticks not just new ones?

              Hi guys,

              Well first stage testing is looking very positive! I've set the start value from 3 to 4 and checked DENY for System on the key for Full Control and Read - completely ignored me inserting a stick.

              However when I tried to do the subinacl command to change the permissions on the key I got the same response as Kev147 many years ago - from the original thread:
              Originally posted by kev147:
              I have tried the method in this post to no avail. I am having trouble with the subinacl command. Nothing I try seems to work with this utility, I have downloaded the subinacl.exe file from the Server 2003 resource kit.

              In the batch file one of the commands I am typing is:

              ------------------
              SUBINACL /KEYREG \\W20863\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR /DENY=system=R
              ------------------

              I have tried various syntaxes of this command, i.e. without the R on the end of the line, with or without the computer name "W20863".

              When I run the above command, this is the output I get:
              ------------------------
              +KEYREG \\W20863\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
              /GRANT=users=R

              Elapsed Time: 00 00:00:00
              Done: 0, Modified 0, Failed 0, Syntax errors 0
              -------------------------

              I don't understand what is happening. I don't get any success messages or failures by the look of it, so am finding it hard to know what's going wrong. BTW my PC is Windows XP SP2. Can someone also confirm if Subinacl works on all versions of Windows 2000 and XP?
              I am running the following line on the desktop directly from the command line, as a preliminary test:
              subinacl.exe /keyreg \system\currentcontrolset\services\usbstor /deny=system

              All this does is return the following:
              +keyreg \system\currentcontrolset\services\usbstor
              /deny=system

              Elapsed Time: 00 00:00:00
              Done: 0, Modified 0, Failed 0, Syntax errors 0

              It has no effect whatsoever on the key (System doesn't have DENY checked for that key) - the return from the command does say Modified 0. I also tried it stipulating HKLM:
              subinacl.exe /keyreg hkey_local_machine\system\currentcontrolset\services\usbstor /deny=system
              However this returns the same and does the same, i.e., nothing.
              +keyreg hkey_local_machine\system\currentcontrolset\services\usbstor
              /deny=system

              Elapsed Time: 00 00:00:00
              Done: 0, Modified 0, Failed 0, Syntax errors 0

              Anyone know what is going wrong here please?

              Many thanks in advance you guys. I'd really like to get this fixed as this seems to be the perfect solution to what I am trying to achieve!

              PS Not sure why there's a space in "services" in this post but it's not in the command
              Last edited by Diewrecked; 14th January 2010, 12:32. Reason: Noticed a space crept into the word "services" in the HKLM command

              • #8
                Re: How can I disable ALL USB sticks not just new ones?

                Scratch that last post I've resolved this.

                Subinacl has clearly been updated since I downloaded the 2k3 resource kit. I've downloaded the current version (from 2004!) from here:
                http://www.microsoft.com/downloads/d...displaylang=en

                The command in JWMac's tutorial now returns the response below:
                I:\>subinacl.exe /keyreg \system\currentcontrolset\services\usbstor /deny=system

                system\currentcontrolset\services\usbstor : delete Perm. ACE 3 nt authority\system
                system\currentcontrolset\services\usbstor : new ace for nt authority\system
                HKEY_LOCAL_MACHINE\system\currentcontrolset\services\usbstor : 2 change(s)


                Elapsed Time: 00 00:00:00
                Done: 1, Modified 1, Failed 0, Syntax errors 0
                Last Done : HKEY_LOCAL_MACHINE\system\currentcontrolset\services\usbstor


                And it does indeed change the perms. So thanks again Cruachan!
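The two changes this thread ends up with (USBSTOR "Start" = 4 and a Deny ACE for SYSTEM on the same key) can be audited and applied without subinacl. The PowerShell below is an added example, not code from the thread, JWMac's tutorial or the Microsoft ADM; it assumes the registry path quoted in the posts and that it runs elevated on the machine being checked. Get-UsbStorStatus reports the current state so a fleet can be verified after the GPO applies, and Set-UsbStorDisabled mirrors the two manual steps. As the thread notes, Start = 4 alone disables the usbstor driver for every device regardless of whether it was plugged in before; the -DenySystem switch reproduces the extra "/deny=system" step only because the thread asks about it.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical helper names): audit/enforce USB storage lockdown.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorStatus {
    # Read the driver Start value (3 = demand start, 4 = disabled, per the ADM in the thread)
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start

    # Look for a Deny ACE granted to SYSTEM, the state subinacl /deny=system produces
    $acl = Get-Acl -Path $UsbStorKey
    $systemDeny = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Deny'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Start          = $start
        DriverDisabled = ($start -eq 4)
        SystemDenyAce  = [bool]$systemDeny
    }
}

function Set-UsbStorDisabled {
    param([switch]$DenySystem)

    # Step 1 (Daniel's ADM / JWMac): Start = 4 so usbstor.sys never loads,
    # for previously installed devices as well as new ones.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

    if ($DenySystem) {
        # Step 2 (JWMac's subinacl step): Deny SYSTEM full control on the key.
        $acl  = Get-Acl -Path $UsbStorKey
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit', 'None', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $UsbStorKey -AclObject $acl
    }

    Get-UsbStorStatus
}

# Usage: audit only (read-only, safe to run from a remote session or a logon script)
Get-UsbStorStatus | Format-List
```

If the Start value is delivered by the GPO from the thread, Group Policy will rewrite it on refresh, so run the audit function rather than the setter on domain members and treat any machine reporting DriverDisabled = False after a gpupdate as one to investigate. Get-UsbStorStatus reads the key before the Deny ACE is in place; once SYSTEM is denied, processes running as SYSTEM (including many remote management agents) may fail to read it, which is worth remembering when choosing how the audit is scheduled.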

                • #9
                  Re: How can I disable ALL USB sticks not just new ones?

                  Glad you got it working.
                  BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                  Cruachan's Blog
