
For anyone who has successfully disabled USB devices via GPO

  • For anyone who has successfully disabled USB devices via GPO

    Guys,

    I'd like to disable USB Storage Devices on an OU that contains about 100 computer accounts.

    I've read the Petri guide found here:

    http://www.petri.com/disable_usb_disks_with_gpo.htm

    I've successfully imported the ADM file. The ONLY thing I haven't done is remove the SYSTEM account from the ACL on USBSTOR.INF and USBSTOR.PNF.

    Why?

    Well, I've read some similar tutorials that differ slightly:

    http://diaryproducts.net/about/opera...ble_usb_sticks

    This one has a different ADM file and basically says do not remove the SYSTEM account.


    http://www.windowsecurity.com/articl...up-Policy.html

    And this article says leave the SYSTEM account in ACL but add the user group account and deny access to all.

    Can someone please point me in the right direction:

    Do I remove the SYSTEM account altogether as per the Petri article, or do I leave it and follow one of the other guides' suggestions?

    Please help a newb!

    Thanks
    Last edited by Systematic; 12th August 2009, 10:08.

  • #2
    Re: For anyone who has successfully disabled USB devices via GPO

    I followed Daniel's article when we implemented it and it worked fine for us.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: For anyone who has successfully disabled USB devices via GPO

      Originally posted by gforceindustries:
      I followed Daniel's article when we implemented it and it worked fine for us.
      Hello matey.

      I'm glad it worked for you bud.

      I wanna know one last thing though.

      When you log back in as local admin or domain admin, will the USB still be disabled?



      • #4
        Re: For anyone who has successfully disabled USB devices via GPO

        From memory, yes. That's something you should try for yourself before implementing, though.
        Gareth Howells



        • #5
          Re: For anyone who has successfully disabled USB devices via GPO

          Ok dudes an update.

          I've applied the policy and removed the SYSTEM account from the ACL for USBSTOR.INF and USBSTOR.PNF.

          I've also disabled access to the CD/DVD ROM drive.

          The results:

          1. From a shut down state, powered on XP machine, logged in as a domain user (who has never logged onto the machine before). New profile loads, all GPOs applied except the USB and CD/DVD ROM drive - they both still work. Restarted machine and logged back in with same user and everything works - CD/DVD ROM has disappeared from My Computer and USB Storage Device does not install.

          2. Did exactly the same for a Windows 2000 box and CD/DVD ROM disappears BUT USB still works. Performed a secedit /refreshpolicy machine_policy and user_policy. Rebooted machine, logged back in as same user. USB policy still DOESN'T work.

          3. This policy DOES affect everyone. Local/Domain Admins are also lambs to the slaughter.

          Verdict:

          Not great not bad but a pain in the backside with Windows 2000. The good thing is that all 2000 machines in our place are soon to be upgraded to XP.
          Last edited by Systematic; 12th August 2009, 12:01.



          • #6
            Re: For anyone who has successfully disabled USB devices via GPO

            Thanks for posting back with your results. I believe the problem you have with Windows 2000 is that USB storage devices are handled in a slightly different way to how they're treated in XP, which is what I believe Daniel's article was targeted at.
            Gareth Howells



            • #7
              Re: For anyone who has successfully disabled USB devices via GPO

              If a certain USB device, memory stick etc has already been installed on a computer prior to the policy being applied, users will still be able to use those USB devices.

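A per-machine check for the conditions reported in posts #5 and #7, as an added example that is not part of the original thread or the Petri article. It assumes the ADM policy disables the driver by setting the USBSTOR service `Start` value to 4; the function name `Get-UsbStorLockdownState` is hypothetical.

```powershell
# Added example (not from the thread). Get-UsbStorLockdownState is a hypothetical name.
function Get-UsbStorLockdownState {
    $svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    $infDir  = Join-Path $env:SystemRoot 'inf'

    # Assumption: the policy disables the driver via Start (3 = on demand, 4 = disabled).
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start

    # ACEs (explicit or inherited) that name SYSTEM (SID S-1-5-18) on the driver install files.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $systemAces = foreach ($name in 'usbstor.inf', 'usbstor.pnf') {
        $path = Join-Path $infDir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' } |
            ForEach-Object { '{0}: {1} {2}' -f $name, $_.AccessControlType, $_.FileSystemRights }
    }

    # Post #7 reports that devices installed before the policy stay usable;
    # count the USB storage devices this machine has already enumerated.
    $known = @(Get-ChildItem -Path $enumKey -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        UsbStorStart               = $start
        DriverDisabled             = ($start -eq 4)
        SystemAcesOnInfFiles       = @($systemAces)
        PreviouslyInstalledDevices = $known.Count
    }
}

Get-UsbStorLockdownState | Format-List
```

Run it after the reboot that follows the first policy application, since post #5 found the settings only took effect on the second logon.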