NetWrix USB Blocker is freeware that locks down USB ports remotely across a network to prevent unauthorized use of removable media that connects to a computer via USB ports, such as iPods, thumb drives, memory sticks and SD cards. It can perform the USB port lockdown on the client either locally or remotely via the Windows Group Policy mechanism.
Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start - Run before connecting the memory stick. The memory stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation, in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly, but you need to reboot in order to reapply the administrative template so that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking as well as executing net stop usbstor.

If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being installed unless the currently logged on user is allowed to use USB storage. We do that by restricting access to and in a GPO such that PNP can't automatically install the driver. This is possible because when PNP installs a driver, the installation is performed using the privileges of the currently logged on user. Secondly, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.

The connection of an untrusted USB device to dom0 is a security risk, since dom0, like almost every OS, reads partition tables automatically, and since the whole USB stack is put to work to parse the data presented by the USB device in order to determine if it is a USB mass storage device, to read its configuration, etc. This happens even if the drive is then assigned and mounted in another qube.
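To verify on a workstation that both parts of the USBSTOR lockdown described above are in effect (driver installation restricted, service disabled and not running), the following audit script is an added example, not code from the original page or from NetWrix. The function and parameter names are hypothetical, the driver file paths must be supplied by the caller because the page does not state them, and the script assumes PowerShell 3.0 or later and that the GPO restriction is expressed as Deny entries in the file ACLs.

```powershell
# Added example: audit the two-part USBSTOR lockdown on the local machine.
# Test-UsbStorLockdown and -DriverFile are hypothetical names. The page does
# not give the restricted file paths, so pass your own.
function Test-UsbStorLockdown {
    [CmdletBinding()]
    param(
        # Files whose ACLs the GPO restricts (caller-supplied paths).
        [string[]]$DriverFile = @()
    )

    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $result = [ordered]@{
        DriverInstalled  = Test-Path $svcKey
        StartValue       = $null
        StartDisabled    = $false
        ServiceRunning   = $false
        FilesWithDeny    = @()
        FilesWithoutDeny = @()
    }

    if ($result.DriverInstalled) {
        # Start = 4 means the service is disabled; 3 means start on demand.
        $result.StartValue    = (Get-ItemProperty -Path $svcKey -Name Start).Start
        $result.StartDisabled = ($result.StartValue -eq 4)
        # USBSTOR is a kernel driver, so query it through Win32_SystemDriver.
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='USBSTOR'"
        $result.ServiceRunning = [bool]($drv -and $drv.State -eq 'Running')
    }

    foreach ($file in $DriverFile) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        # Assumption: the restriction shows up as at least one Deny ACE.
        $deny = (Get-Acl -LiteralPath $file).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' }
        if ($deny) { $result.FilesWithDeny += $file }
        else       { $result.FilesWithoutDeny += $file }
    }

    [pscustomobject]$result
}

# Run without paths to check only the service state.
Test-UsbStorLockdown | Format-List
```

A machine where ServiceRunning is true while no authorized user is logged on, or where FilesWithoutDeny is not empty, has drifted from the intended configuration.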
It's worth mentioning that in Windows Vista Microsoft has implemented a much more sophisticated method of controlling USB disks via GPO. If you have Windows Vista client computers in your organization, you can use GPO settings edited from one of the Vista machines to control whether users will be able to install and use USB disks, and to control exactly which devices can or cannot be used on their machines.