Locking Down USB

dbryant

Hello, everyone
I need to know if there is a way to prevent the use of all USB devices other than interface devices (keyboard, mouse, magnetic strip readers) in Windows XP and Windows 7. No phones, no storage drives, etc. I don't even want Windows to recognize them.

Disabling the physical ports is not an option. I still need to be able to use keyboard and mouse when necessary.
And I'm not filling the ports with glue or anything, either.

I've already disabled USB mass storage by editing the registry entry. Disabled USB scan, print, and video, as well. But it still picks up Android and iPhone devices and prompts me to install drivers.

I know I can disable them in Device Manager, but that can be easily undone, and isn't a very solid solution security-wise. Anyone have any ideas?
 
I agree with kmackinley about using Group Policy (for a variety of things). I personally use it on my PC to block some annoying features which I don't want to be bothered with.

Your mentioning customers leads me to believe that this is intended for some enterprise-scale system. I don't really know how well Group Policy scales, but it has the word 'group' in it so that must be some part of its function. Are you trying to block USB storage device access for security reasons, or just productivity (or some similar lower-risk concern)?
 
Group Policy is intended for Enterprise-level security restrictions ;). It integrates with Active Directory groups that are setup.
 
Group policy was developed for enterprise. People got tired of changing a system setting on dozens of PCs individually - hence group policy was developed with a domain.

Group policy is your best bet. Servers or not, do you log into a domain? Is there an @domain.com behind your login? If so you are part of a domain and there exists at least one domain controller (contactable) in your environment. From that domain controller there is ADDS (Active Directory Domain Services) which will allow you to lock down specific system settings (USB is one of them) using Group Policy Objects and linking Group Policy Objects to specific organizational units.

If that isn't an option for one reason or another, you could also create a login script that would either disable all USB devices except specific ones or completely disable them from device manager. This, however, is not as manageable because you will have to manually drop this in the startup folder on every single device you want this enabled on. Additionally, people will see that batch file (even if you get tricky and have a batch pointing to a batch) and have the ability to delete them or edit them to their liking.
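The Group Policy setting the post above is pointing at is "Device Installation Restrictions" (Computer Configuration > Administrative Templates > System > Device Installation), which exists on Windows Vista and 7 but not on Windows XP. Whether it comes from a domain GPO, from gpedit.msc on a standalone machine, or from a script, it ends up as values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions. The PowerShell below is an added example and not code from the thread or from any poster: it writes an allowlist of the keyboard, mouse and HID setup classes, turns on "Prevent installation of devices not described by other policy settings", and then audits the result together with the USBSTOR change the original poster already made. The class GUIDs are the documented Windows setup classes; the function names and the choice of allowed classes are this example's own assumptions, and it must be run from an elevated PowerShell.

```powershell
# Added example, not code from the thread. Applies the Windows Vista/7
# "Device Installation Restrictions" policy by writing the registry values
# that Local Group Policy or a domain GPO would write, then audits them.
# Run elevated; PowerShell 2.0 (as shipped with Windows 7) is enough.
# Function names and the allowlist are this example's choices.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$AllowClassesKey = "$RestrictionsKey\AllowDeviceClasses"
$UsbStorKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Device setup classes that may still install: keyboards, mice and generic
# HID (a USB magnetic stripe reader normally enumerates as a HID keyboard).
$AllowedClasses = @{
    Keyboard = '{4d36e96b-e325-11ce-bfc1-08002be10318}'
    Mouse    = '{4d36e96f-e325-11ce-bfc1-08002be10318}'
    HIDClass = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'
}

function Set-DeviceInstallAllowlist {
    # "Allow installation of devices using drivers that match these device
    # setup classes": string values named 1..N under AllowDeviceClasses.
    if (-not (Test-Path $AllowClassesKey)) {
        New-Item -Path $AllowClassesKey -Force | Out-Null
    }
    $i = 1
    foreach ($guid in ($AllowedClasses.Values | Sort-Object)) {
        New-ItemProperty -Path $AllowClassesKey -Name $i -Value $guid `
            -PropertyType String -Force | Out-Null
        $i++
    }
    # "Prevent installation of devices not described by other policy
    # settings". Allow rules win, so every other class is refused at
    # driver-install time: the phone never gets a driver and never prompts.
    New-ItemProperty -Path $RestrictionsKey -Name 'DenyUnspecified' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Get-DeviceInstallPolicy {
    # Report the live state so a logon script or audit can spot tampering.
    $deny = (Get-ItemProperty -Path $RestrictionsKey -Name DenyUnspecified `
             -ErrorAction SilentlyContinue).DenyUnspecified
    $allow = @()
    if (Test-Path $AllowClassesKey) {
        $key   = Get-Item $AllowClassesKey
        $allow = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    }
    $usbstor = (Get-ItemProperty -Path $UsbStorKey -Name Start `
                -ErrorAction SilentlyContinue).Start
    New-Object PSObject -Property @{
        DenyUnspecified = ($deny -eq 1)
        AllowedClasses  = $allow
        UsbStorDisabled = ($usbstor -eq 4)   # 4 = SERVICE_DISABLED
    }
}

function Get-AttachedUsbDevices {
    # Every enumerated USB device with its setup class. A device whose class
    # is outside the allowlist (or empty, meaning no driver yet) is what the
    # policy will refuse the next time it is plugged in.
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USB\*' } |
        Select-Object Name, ClassGuid, DeviceID, @{
            Name       = 'Allowed'
            Expression = { $AllowedClasses.Values -contains [string]$_.ClassGuid }
        }
}

Set-DeviceInstallAllowlist
Get-DeviceInstallPolicy
Get-AttachedUsbDevices | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, the restriction is evaluated when a driver is installed, so a phone that was already installed before the policy went in keeps working until it is uninstalled from Device Manager; after that it is refused on the next plug-in. Second, writing the Policies key directly is what gpedit.msc or a domain GPO does anyway, but only a GPO re-applies it on every policy refresh; a local administrator can delete the values, and a domain GPO that configures the same setting will overwrite them, so on domain-joined machines put the setting in the GPO rather than in a script.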
 
+1 to GP, however you can roll out a script through the group policy, it's called a logon script
 
Correct, but i2D, if they don't have a domain set up, group policy won't work - which is why I suggested a manual logon script.
 