http://techrepublic.com.com/5208-6247-0.html?forumID=12&threadID=116436&messageID=701146
Simple, elegant, and flexible: Try It!
The solution to this is actually so simple, yet not as drastic as epoxying the
USB connectors (Whoa!) or as inflexible as disabling the USB port in the BIOS
and using a pwd (did I hear Paranoia?...).
Here's what we do in our organisation (10K+ users):
Create a GPO, put in it (machine section/startup) a script to remove permissions
to the file USBSTOR.DLL to everyone but the SYSTEM account (and possibly Admins),
and you're done. The file is located in the winnt\system32 dir.
Elegant, no? Plus, you can still use your USB mouse or anything that's not storage-related
(i.e. HD, Flashcards, CD/R/RW, etc).
Enjoy.
From: gziv@hotmail.com Date: 01/16/03
http://www.protect-me.com/ru/dl/
Using DeviceLock® from SmartLine, you can lock out unauthorized users from
USB and FireWire devices, WiFi and Bluetooth adapters, CD-ROM and floppy drives,
serial and parallel ports and many other plug-and-play devices.
http://seclists.org/lists/security-basics/2003/Apr/0028.html
Hi there.....
SECTION A
1. Look for the usbstor.sys file under the \winnt\system32\drivers directory. If
this file exists, that means you had installed a USB driver sometime in the
past and you have to go to Section B. Otherwise go to step 2.
2. Right-click on the file usbstor.inf under the \winnt\inf directory and set
permissions as follows:
a. deny all access to Administrators
b. deny all access to SYSTEM account
SECTION B
These are the steps we have to take in case the file usbstor.sys
exists under the \winnt\system32\drivers directory.
1. To perform this task, you first need to connect a USB Mass Storage device
(e.g. memory stick) to the port. The system will automatically respond with
the recognition of the device and a hot-plug device icon will appear on
the right corner of the taskbar. By double-clicking this icon the
Unplug/Eject Hardware window comes up. Then press the Properties button and
select the Driver tab. Click on Uninstall and confirm the device removal by
pressing OK.
2. Right-click on the file usbstor.inf under the \winnt\inf directory and set
permissions as follows:
a. deny all access to Administrators
b. deny all access to SYSTEM account
3. Right-click on the file usbstor.sys under the \winnt\system32\drivers
directory and set permissions as follows:
a. deny all access to Administrators
b. deny all access to SYSTEM account
This is a per-workstation/server setting that requires administrative
privilege and can be done locally or remotely (if you have a LAN). Of
course this will make any USB device (including scanners) not work.
And now comes MY question, which is similar to yours.... Let's say that you
have a domain with a Domain Controller running NT. And you have 20
workstations in that domain running W2K. Is there any way to do all the
steps I described above so that you can implement USB restriction on the
domain without doing it per-workstation? In other words, can you force USB
restriction on that NT domain with W2K workstations at ONCE (i.e. with
SMS, Hyena, scripts or 3rd-party tools) ????
You can also take a look at the following URLs:
www.devicelock.com
and http://tinyurl.com/67q3
Hope that helped you.....
Charalabidis Theodoros
Network Administrator
NATO JCSC HQ
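
The permission steps of Section A/B above, written as a batch script that could be pushed as a machine startup script of the kind the first post mentions. This is an added example, not code from either poster. It assumes English account names, administrative rights, and a log path chosen here for illustration; the manual uninstall in Section B step 1 is only flagged, not automated.

```bat
@echo off
rem Added example, not part of the original posts.
rem Applies the deny entries from Section A step 2 / Section B steps 2-3
rem and records the resulting ACLs for later review.
rem Assumptions: English account names; LOG path is a hypothetical choice;
rem runs with administrative rights (e.g. as a machine startup script).
setlocal
set INF=%SystemRoot%\inf\usbstor.inf
set SYS=%SystemRoot%\system32\drivers\usbstor.sys
set LOG=%SystemRoot%\usbstor-acl.log

echo ==== %COMPUTERNAME% %DATE% %TIME% ==== >> "%LOG%"

rem Section B step 1 (uninstalling an already-installed device) is manual
rem in the post; only flag machines where the driver file is present.
if exist "%SYS%" echo usbstor.sys present: check Section B step 1 >> "%LOG%"

call :deny "%INF%"
call :deny "%SYS%"
endlocal
goto :eof

:deny
if not exist %1 (
    echo %~1 not found, nothing to do >> "%LOG%"
    goto :eof
)
rem /E edits the existing ACL instead of replacing it; /D adds a deny entry.
cacls %1 /E /D Administrators >> "%LOG%" 2>&1
cacls %1 /E /D SYSTEM >> "%LOG%" 2>&1
rem Dump the ACL now in effect so the change can be verified from the log.
cacls %1 >> "%LOG%" 2>&1
goto :eof
```

Once the deny entries are in place, a later run under a denied account may be refused access to the files; the log will show that rather than a fresh ACL dump.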