[gptalk] Re: how to block removable USB storage devices

  • From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Sun, 22 Oct 2006 22:12:23 +0530

Hi Ray,

I'll definitely try out your suggestion.

Presently these devices are disable vis Device Manager. But we are getting
USB Pen Tablets, so obviously our present blocking method won't do. I liked
the  *Sanctuary Device Control, suggested by Tim, solution but getting the
finance people to spend on it will take some convincing as this comes
outside budget!

That's why we are looking for a GPO solution.

I'll let you know in a cople of days time...

regards
Ananth.


*On 10/22/06, Ray Lewis <razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote: 

 Hi Anth



Depending on how you disabled the devices initially, I would just have the
counteractions within login scripts. I had a similar scenario last year and
I basically created two Login scripts – one for administrators
(unrestricted) and one for Users (restricted)… Each script then points to an
addition .reg file. For additional security, changing the permissions for
the USBSTOR also came in handy although you will need to download
SubInAcl.exe for this.



Here is an example....



*To Restrict *



First of all, create a .reg file and copy the following information:



*REGEDIT4*

* *

*[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]*

*"Start"=dword:00000004*



Now save the file into an accessible location – we'll use *C:\dword4.reg*in 
this example. Once you have obtained the SubInAcl file, I would position
this in the same directory.



Within the logon script, type the following:

*:: *********DISABLE USB MASS STORAGE DEVICE*********

*regedit /s "\\SERVER\C$\dword4.reg" *

*"\\SERVER\C$\\subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system*

* *

* *

*To Enable *

* *

Again, create a .reg file and include the following:



*REGEDIT4*

* *

*[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]*

*"Start"=dword:00000003*



Save this file into an accessible location again – we'll use *
C:\dword3.reg* in this example.



*:: *********ENABLE USB MASS STORAGE DEVICE*********

*regedit /s "\\SERVER\C$\dword3.reg" *

*"\\SERVER\C$\\subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /grant=system*

* *

* *

Hope this helps



Ray


 ------------------------------

*From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Ananth Rajagopal
*Sent:* 17 October 2006 11:58
*To:* gptalk@xxxxxxxxxxxxx
*Subject:* [gptalk] how to block removable USB storage devices



Hi,

This is my first query, won't be the last for sure...

I'm working in an Animation studio, we have a policy here of blocking all
USB drives, along with FDD and CDD.

But we are getting some Pen Tablets, and all are USB devices, so obviously
we will need to allow enable USB ports, is there any way to block users from
connecting their removable drives and copying data using Group Policies?

Kindly advice..in detail :-)

regards
anth

Other related posts:

  1. Home
  2. gptalk
  3. Archive
  4. 10-2006