From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, October 25, 2004 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disable USB
Was there ever any input on this?
Don’t you just love those: "Hey, I need you to do this today... like an hour ago."
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of George Arezina
Sent: Saturday, July 17, 2004 5:45 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disable USB
Dear all,
I was forwarded the following .adm script or, as some refer to it, .adm file. The .adm file is great for those who wish to disable USB drivers through GPO. However, I found this not to work even after I moved the computer to the specific GPO. I would appreciate some help from those who are curious about disabling the USB drives in their network.
Cheers,
George
Hi!
When I started working as a junior network administrator I got in touch with Group Policies for the first time.
We wanted to have all our clients (~130) updated regularly, and because of that we chose SUS.
As the SUS server was set up and running, my manager came to me and asked me if there was a possibility to block access to floppy drives/CD-ROMs/USB sticks company-wide on a centralized basis, without having to remove the hardware. There should be a possibility to exclude some workstations, and USB scanners, mice and printers should still work.
This is something I worked out with the help of some BugTraq infos and my own research, and I want to give it away here because there might be interest in it for you and your company, too...
..::How does it work
Drives are started at system startup using "Services" registry keys. Basically we just tell the service not to start the device at Windows boot. This removes drive access completely, although the drive can still be used to boot the machine before Windows has started.
The setting can be reverted by manually editing a registry key back to the default startup value.
The registry code can be found at the end of this post.
..::The "Disable Floppy" GPO & Security Groups
This GPO has the ability to disable three kinds of drives (even more if you want to get into it):
o) Floppy drives
o) CD-ROMs
o) USB sticks
I _strongly_ advise you to try this in a non-productive environment, since I am not very deep into Group Policies and therefore take no responsibility for any errors or problems that might occur. Try/use at your own risk.
Using groups allows you to apply these settings to a smaller group of testers or a test environment.
I created two Security Groups:
o) SG_Drives_Disable - which bears all computers that should be locked
o) SG_Drives_Enable - this one has a "Deny" on this Group Policy, which means that members of this group will never have this policy applied.
..::Getting Started
> First we create an Administrative Template that enables us to change settings.
In Explorer on a Domain Controller:
o) Choose New>Text Document
o) Paste the appropriate code from the end of this post into this file
o) Choose File>Save as>(pick a name according to the code)
o) Add the extension .adm or rename the .txt file
> Create two Security Groups
o) Launch Active Directory Users & Computers
o) Add a new SG by right-clicking on your AD and choosing "New Group"
o) Make up a name - let's pick SG_Drives_Disable (this will be our floppy-locked group)
o) Repeat the creation and add a group called SG_Drives_Enable (this will be our floppy-users group)
> Now we set up a new Policy - let's call it "Disable_Drives"
o) Right click your AD and choose Properties
o) Pick "Group Policy" and choose "New..."
o) Add a Policy called "Disable_Drives"
o) Right click the new policy and choose "Security"
o) Remove the check at "Authenticated Users"
o) "Add" the two new SG Groups
o) Check "Apply" for SG_Drives_Disable
o) Check "Deny" for SG_Drives_Enable
Now we are almost done. We have the policy and the groups.
The test workstations are still missing, and the Administrative Templates have to be added.
Take a sip from your favourite beverage - we're almost there...
> Let's import the Administrative Templates
o) Right click your AD and choose Properties
o) Pick "Group Policy" and choose the "Disable_Drives" policy
o) Hit the "Edit" button
o) Choose "Computer Configuration"
o) Right click "Administrative Templates" and choose "Add/Remove Templates"
o) Add our new .adm file/s
> A new sub-folder called "Restrict Drives" is added (unless the code was changed to a different name)
If you can't see any policies, right click in the white area and uncheck "Show Policies Only" and "Show Configured Policies Only".
You should see the added policies now. If you have added all three (floppy.adm, cdrom.adm, usbstick.adm) you should see three policies.
> Configuration
o) Double click the policy you want to configure - let's pick "Disable the Floppy Drive"
o) Choose the "Enabled" setting > this marks this policy as "Enabled"
o) Where it says "Disable Floppy Drive" set it to "Enabled" too > this activates the registry key
o) Hit "OK"
Add one or two computers for testing as members of the "SG_Drives_Disable" group, start the computer and log on, restart the computer again and log on again. Now the floppy drive should be gone.
Take another sip from your beverage and relax - we're done :-)
> Removal procedure
If you want to return all computers in the "SG_Drives_Disable" group to the original state:
o) Set "Disable Floppy Drive" to "Disabled" > this sets the registry key to the default value
o) Leave the policy itself as "Enabled" (do not pick "Not defined" or "Disabled")
After two restarts of the computer the floppy should be back.
If this doesn't help you can return it to the original state manually.
> Manual removal
This might apply to you if you accidentally locked the wrong workstation or want to bring it back to the original state.
o) Remove the computer from the SG_Drives_Disable group
o) Restart the computer
o) Log on as administrator
o) Use the enable_floppy.reg file to re-enable the drive (this file only changes the registry startup key)
o) Restart again and verify that it worked
Please bear in mind that this was one of my first attempts to work with a group policy.
The code may contain serious bugs or cause malfunction.
Use at your own risk!
(It works flawlessly here at my company though)
Here is the code for all files (three .adm's and three .reg's to re-enable the drives):
o) content of killfloppy.adm

; killfloppy.adm - writes the Start value of the Flpydisk service.
; 4 (SERVICE_DISABLED) keeps the floppy driver from loading at boot;
; 3 (SERVICE_DEMAND_START) is the Windows default and re-enables it.
CLASS MACHINE
CATEGORY !!categoryname
  POLICY !!policyname
    KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
    EXPLAIN !!explaintext
    PART !!labeltext DROPDOWNLIST REQUIRED
      VALUENAME "Start"
      ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
categoryname="Restrict Drives"
policyname="Disable the Floppy Drive"
explaintext="Disables the computer's Floppy Drive completely"
labeltext="Disable Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

o) content of killcdrom.adm

; killcdrom.adm - writes the Start value of the Cdrom service.
; 4 (SERVICE_DISABLED) keeps the CD-ROM driver from loading at boot;
; 1 (SERVICE_SYSTEM_START) is the Windows default and re-enables it.
CLASS MACHINE
CATEGORY !!categoryname
  POLICY !!policyname
    KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
    EXPLAIN !!explaintext
    PART !!labeltext DROPDOWNLIST REQUIRED
      VALUENAME "Start"
      ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
categoryname="Restrict Drives"
policyname="Disable the CDROM Drive"
explaintext="Disables the computer's CDROM Drive completely"
labeltext="Disable CDROM Drive"
Enabled="Enabled"
Disabled="Disabled"

o) content of killusbdrive.adm

; killusbdrive.adm - writes the Start value of the USBSTOR service
; (USB mass storage only; USB mice, printers and scanners use other drivers).
; 4 (SERVICE_DISABLED) keeps the driver from loading at boot;
; 3 (SERVICE_DEMAND_START) is the Windows default and re-enables it.
CLASS MACHINE
CATEGORY !!categoryname
  POLICY !!policyname
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    EXPLAIN !!explaintext
    PART !!labeltext DROPDOWNLIST REQUIRED
      VALUENAME "Start"
      ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
categoryname="Restrict Drives"
policyname="Disable the USB Drive"
explaintext="Disables the computer's USB Drive completely"
labeltext="Disable USB Drive"
Enabled="Enabled"
Disabled="Disabled"

o) content of enable_floppy.reg

REGEDIT4

; Restores the default Start value (3, demand start) of the floppy driver.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk]
"Start"=dword:00000003

o) content of enable_cdrom.reg

REGEDIT4

; Restores the default Start value (1, system start) of the CD-ROM driver.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Start"=dword:00000001

o) content of enable_usbdrive.reg

REGEDIT4

; Restores the default Start value (3, demand start) of the USB storage driver.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003

George Arezina
Opportunity International
Branimira Cosica 13, 21000 Novi Sad
E-mail: [EMAIL PROTECTED]
Phone & Fax: +381 (21) 530-111
GSM: +381 (63) 342-321
____________________________________________________________
The exchange of messages with Opportunity International Serbia via e-mail is
not binding. Declarations regarding legal transactions must not be exchanged
via this medium. The information contained in this e-mail message is
confidential and intended exclusively for the addressee. Persons receiving this
e-mail message who are not the named addressee (or his/her co-workers, or
persons authorized to take delivery) must not use, forward or reproduce its
contents. If you have received this e-mail message by mistake, please contact
us immediately and delete this email message beyond retrieval.
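Added example, not part of the thread and not written by any of its participants: a PowerShell script that audits the Start values the three templates write (Flpydisk, Cdrom and USBSTOR under HKLM\SYSTEM\CurrentControlSet\Services), so you can check on a test machine whether the Disable_Drives policy actually applied, which is the question George's mail raises, and that can write back the defaults the enable_*.reg files contain. The service names and numbers are taken from the .adm and .reg files above; the function names, parameters and the remote-registry read are this example's own assumptions (reading a remote machine needs the Remote Registry service running there and admin rights; writing needs an elevated prompt).

```powershell
# Added example, not from the thread: audit the service Start values that the
# killfloppy/killcdrom/killusbdrive .adm templates write, and optionally restore
# the defaults that the thread's enable_*.reg files write back.
# Service names and Start values come from the .adm/.reg files in the thread;
# the function and parameter names here are this example's own.

# Service name -> Start value the enable_*.reg files restore.
$DriveServices = @{
    'Flpydisk' = 3   # floppy: 3 = SERVICE_DEMAND_START
    'Cdrom'    = 1   # CD-ROM: 1 = SERVICE_SYSTEM_START
    'USBSTOR'  = 3   # USB mass storage: 3 = SERVICE_DEMAND_START
}
$DisabledStart = 4   # 4 = SERVICE_DISABLED; the .adm "Enabled" choice writes this

function Get-DriveServiceState {
    # Reads the Start value of each service from HKLM on the given machine.
    # A remote name needs the Remote Registry service running on the target.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        foreach ($svc in $DriveServices.Keys) {
            $key = $hive.OpenSubKey("SYSTEM\CurrentControlSet\Services\$svc")
            if ($null -eq $key) {
                # Driver not installed on this machine, so nothing to disable.
                [pscustomobject]@{ Computer = $ComputerName; Service = $svc; Start = $null; State = 'service key missing' }
                continue
            }
            $start = $key.GetValue('Start')
            $key.Close()
            if ($start -eq $DisabledStart)           { $state = 'disabled by policy' }
            elseif ($start -eq $DriveServices[$svc]) { $state = 'default (enabled)' }
            else                                     { $state = 'unexpected value' }
            [pscustomobject]@{ Computer = $ComputerName; Service = $svc; Start = $start; State = $state }
        }
    }
    finally { $hive.Close() }
}

function Restore-DriveServiceDefaults {
    # Local equivalent of importing the three enable_*.reg files (run elevated).
    # As in the thread, the change only takes effect after a restart, and a
    # machine still in SG_Drives_Disable gets Start=4 back on the next refresh.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($svc in $DriveServices.Keys) {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $path)) { continue }
        if ($PSCmdlet.ShouldProcess($path, "Set Start=$($DriveServices[$svc])")) {
            Set-ItemProperty -Path $path -Name 'Start' -Value $DriveServices[$svc] -Type DWord
        }
    }
}

# Usage:
#   Get-DriveServiceState | Format-Table -AutoSize
#   Get-DriveServiceState -ComputerName PC01     # a test machine in SG_Drives_Disable
#   Restore-DriveServiceDefaults -WhatIf          # show what would be written
```

Run Get-DriveServiceState on a test workstation after the two reboots the guide calls for: a Start of 4 on a service means the template took effect, while the default value means the policy did not apply (check the computer's group membership, the "Apply" and "Deny" entries on the GPO, and gpresult on the client). Restore-DriveServiceDefaults -WhatIf shows the writes without touching the registry, which is the safer first step when a wrong workstation was locked.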