http://techrepublic.com.com/5208-6247-0.html?forumID=12&threadID=116436&messageID=701146

Simple, elegant, and flexible: Try It!
The solution to this is actually so simple, yet not as drastic as epoxying the USB connectors (Whoa!) or as inflexible as disabling the USB port in the BIOS and using a pwd (did I hear Paranoia?...).
Here's what we do in our organisation (10K+ users):
Create a GPO, put in it (machine section/startup) a script to remove permissions to the file USBSTOR.DLL to everyone but the SYSTEM account (and possibly Admins), and you're done. The file is located in the winnt\system32 dir.
Elegant, no? Plus, you can still use your USB mouse or anything that's not storage-related (i.e. HD, Flashcards, CD/R/RW, etc).
Enjoy.

From: gziv@hotmail.com Date: 01/16/03


http://www.devicelock.com/

http://www.protect-me.com/ru/dl/

Using DeviceLock® from SmartLine, you can lock out unauthorized users from USB and FireWire devices, WiFi and Bluetooth adapters, CD-ROM and floppy drives, serial and parallel ports and many other plug-and-play devices.


http://seclists.org/lists/security-basics/2003/Apr/0028.html

 

Hi there.....

SECTION A

1. Look for the usbstor.sys file under \winnt\system32\drivers directory. If this file exists, that means you had installed a USB driver sometime in the past and you have to go to section B. Otherwise go to step 2.

2. Right click on the file usbstor.inf under \winnt\inf directory and set permissions as follows:

a. deny all access to Administrators
b. deny all access to SYSTEM account

SECTION B

These are the steps we have to take in case the file usbstor.sys exists under \winnt\system32\drivers directory.

1. To perform this task, you need first to connect a USB Mass Storage device (e.g. memory stick) to the port. The system will automatically respond with the recognition of the device and a hot-plug device icon will appear on the right corner of the taskbar. By double-clicking this icon the Unplug/Eject Hardware window comes up. Then press the Properties button and select the Driver tab. Click on Uninstall and confirm the device removal by pressing OK.

2. Right click on the file usbstor.inf under \winnt\inf directory and set permissions as follows:

a. deny all access to Administrators
b. deny all access to SYSTEM account

3. Right click on the file usbstor.sys under \winnt\system32\drivers directory and set permissions as follows:

a. deny all access to Administrators
b. deny all access to SYSTEM account

This is a per-workstation/server setting that requires administrative privilege and can be done locally or remotely (if you have a LAN). Of course this will make any USB device (including scanners) not work.

And now comes MY question which is similar to yours.... Let's say that you have a domain with a Domain Controller running NT. And you have 20 workstations in that domain running W2K. Is there any way to do all the steps I described above so that you can implement USB restriction on the domain without doing it per-workstation? In other words can you force USB restriction on that NT domain with W2K workstations at ONCE (i.e. with SMS, Hyena, scripts or 3rd-party tools) ????

You can also take a look at the following URLs:

www.devicelock.com

and http://tinyurl.com/67q3

Hope that helped you.....

Charalabidis Theodoros
Network Administrator
NATO JCSC HQ
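
The permission changes from Sections A and B of the message above, written as a machine startup script of the kind the first post describes delivering by GPO. This is an added example, not part of either post; it assumes the script runs as the local SYSTEM account, that the files are owned by the Administrators group (so the ACL can still be edited on later runs), English account names, and a hypothetical log path. Section B step 1 (uninstalling an already-installed device) is not covered and still has to be done on machines where the driver is present.

```batch
@echo off
rem Added example, not from either post: applies the email's deny ACLs.
rem Assumptions: runs as a computer startup script (LocalSystem), English
rem account names, cacls.exe on the path. The log path is hypothetical.
setlocal
set LOG=%SystemRoot%\Temp\usbstor-acl.log

echo ==== %DATE% %TIME% %COMPUTERNAME% ====>>"%LOG%"

rem Section A step 2 / Section B steps 2-3: the two files named in the email.
call :deny "%SystemRoot%\inf\usbstor.inf"
call :deny "%SystemRoot%\system32\drivers\usbstor.sys"

endlocal
goto :eof

:deny
rem %1 = quoted file path. A missing file is logged, not treated as an error:
rem per Section A, usbstor.sys only exists once a USB driver was installed.
if not exist %1 (
    echo SKIP %~1 not present>>"%LOG%"
    goto :eof
)
rem /E edits the existing ACL instead of replacing it; /D adds a deny entry.
cacls %1 /E /D Administrators >>"%LOG%" 2>&1
cacls %1 /E /D SYSTEM >>"%LOG%" 2>&1
rem Record the resulting ACL so the change can be audited per machine.
cacls %1 >>"%LOG%" 2>&1
goto :eof
```

Because the deny entries are added with /E, undoing the change means removing those entries from each file's ACL rather than re-granting access.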