8

How do you lock out the USB ports on the desktop PCs so we can prevent usage of USB drives on the desktops?

I should clarify that these are Windows XP desktops.

We should also assume that like most of the new desktops, many are using USB for keyboards and/or mice.

David Pashley
Mike Wills
  • do they have USB mice/keyboards? – pjz May 06 '09 at 21:41
  • Take a look at the answers to [this question](http://serverfault.com/questions/28276/how-do-you-prevent-users-from-using-usb-drives-which-circumvent-security/56062#56062). – epotter Aug 19 '09 at 13:43

13 Answers

8

If they're Windows desktops, you can use the local policy (or group policy, if it's Active Directory). There isn't a default setting for it, but the MS-provided template can be found under MSKB 555324.

Kara Marfia
7

There should be a Group Policy Object for this; you can push it through Active Directory. See gpedit.msc on WinXP Pro.

Lucas Jones
6

You should be able to disable the USB ports from the computer's BIOS. You could also unplug the cables from them to the motherboard.

RateControl
  • What if the keyboard and/or mouse is USB? That wouldn't work. – Mike Wills May 06 '09 at 18:29
  • Then you'll have to use a USB to PS/2 converter. – Adam Gibbins May 06 '09 at 18:45
  • @Mike Wills, true, however if you don't disable all of the ports like Chris Upchurch (see below) said you will still run into the problem you are trying to avoid. It may all depend on how computer savvy your users are. If you don't want them plugging in 'dirty' USB drives, unplugging the front connector may be enough. – RateControl May 06 '09 at 19:08
  • @Adam: lots of computers don't even come with PS/2 ports these days. – Chris Upchurch May 06 '09 at 19:16
  • The right solution is to disable the use of removable USB storage devices; anything else will have gaping holes you can drive a truck through. Given that this is a security issue, you definitely want to get it right rather than kinda, sorta, mostly right. – Wedge May 07 '09 at 01:04
5

I don't think disabling ports is really going to do what you seem to want. Not unless these computers use PS/2 mice and keyboards. As long as you have available USB ports for the keyboard and mouse, someone can just plug a hub in and plug their USB drive into that. What you really want to do is prevent the computer from recognizing USB storage devices (but not other USB devices) plugged in via USB.

Chris Upchurch
5

If the users have administrative rights to their PCs, they can override anything you do to prevent this. However, you can follow the below link to Microsoft's recommended solution:

http://support.microsoft.com/kb/823732

You can also prevent booting from a USB stick in the BIOS, as has already been mentioned.

Marc Reside
4

If you are concerned about using a software solution you could buy some hardware locks.

USB Port Blocker

This assumes that you have the budget to get these for each machine. You may also need to keep people from unplugging the keyboard and mouse if they are USB as well.

CanyonR
3

Two solutions that I've seen at customer sites:

  • (Linux) Blacklist the relevant USB kernel modules (usb_storage) in the appropriate /etc/modprobe.conf-type file
  • Hot glue gun
MikeyB
3

In the BIOS, set the boot device to boot only from hard disk and password protect the BIOS. In the BIOS, disable all USB devices that you can get away with. To prevent USB sticks from even being mounted, you'll need to take other measures. Can you put the computer in a box with only the keyboard and mouse cables coming out? Then there is no available USB port for them to fiddle with.

The bottom line is that as long as you don't trust people who have physical access to the machine, you can only improve security but you cannot get absolute security.

Eddie
3

I've had to do this on stand-alone machines as well as on several domain machines. GPO would be a better way to go but I didn't have the luxury of doing it that way. Obviously if someone had admin rights over the machine and a little knowledge they could undo this.

At the time I was using this, we had all XP machines. No users had admin rights. No users are [supposed to be] Power Users. To help keep users from using USB mass storage devices, some other admins deleted USBSTOR.SYS. So if I ever needed to reenable USB mass storage devices, I needed to restore the driver file as well. (So I kept a current copy handy along with the files below). My copy of the "Enable.bat" has a line -- I commented out here -- to restore the file as necessary.

Disable.bat:

(May have to add "BUILTIN\Administrators" to the CACLS commands. I did not have to in my environment)

@echo off
REM *********************************************************************
REM Disabling USB Mass Storage Driver
REM *********************************************************************
echo Disabling USB Mass Storage Driver
REM Deny Users, SYSTEM and Power Users access to the driver and its INF so
REM Plug and Play cannot install usbstor.sys for a newly attached device.
CACLS %SYSTEMROOT%\system32\Drivers\USBSTOR.SYS /E /D "BUILTIN\Users" "NT AUTHORITY\SYSTEM" "BUILTIN\Power Users"
CACLS %SYSTEMROOT%\INF\USBSTOR.INF /E /D "BUILTIN\Users" "NT AUTHORITY\SYSTEM" "BUILTIN\Power Users"
REM Disable.reg sets Services\USBSTOR\Start to 4 (SERVICE_DISABLED).
REM %~dp0 is the folder this .bat lives in, so the .reg is found wherever it is run from.
REG.EXE IMPORT "%~dp0Disable.reg"

Disable.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR] 
"Start"=dword:00000004

Enable.bat

(May have to add another set of CACLS commands for "BUILTIN\Administrators". I did not have to in my environment)

@echo off
REM *********************************************************************
REM Enabling USB Mass Storage Driver
REM *********************************************************************
echo Enabling USB Mass Storage Driver
REM Uncomment if usbstor.sys was deleted; expects a copy next to this .bat.
REM XCOPY /E /Y /I USBSTOR.SYS %SYSTEMROOT%\system32\Drivers
REM Give the same three principals Read back on the driver and its INF.
CACLS %SYSTEMROOT%\system32\Drivers\USBSTOR.SYS /E /G "BUILTIN\Users":R
CACLS %SYSTEMROOT%\system32\Drivers\USBSTOR.SYS /E /G "NT AUTHORITY\SYSTEM":R
CACLS %SYSTEMROOT%\system32\Drivers\USBSTOR.SYS /E /G "BUILTIN\Power Users":R
CACLS %SYSTEMROOT%\INF\USBSTOR.INF /E /G "BUILTIN\Users":R
CACLS %SYSTEMROOT%\INF\USBSTOR.INF /E /G "NT AUTHORITY\SYSTEM":R
CACLS %SYSTEMROOT%\INF\USBSTOR.INF /E /G "BUILTIN\Power Users":R
REM Enable.reg sets Services\USBSTOR\Start back to 3 (SERVICE_DEMAND_START).
REG.EXE IMPORT "%~dp0Enable.reg"

Enable.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR] 
"Start"=dword:00000003

Something similar may work for Vista -- BUT I HAVE NOT TRIED IT.
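Once a control like the Disable.bat above (or the KB 823732 method) has been pushed out, the next thing you want is a way to confirm on a given box that it actually took, and to see what was plugged in before it did. The script below is an added example and not from any answer in this thread; it only reads the registry and file ACLs and changes nothing. It assumes an elevated Windows PowerShell 2.0 prompt (PowerShell is not installed on XP by default, but 2.0 installs on XP SP3) and uses only the keys already named on this page plus the Enum\USBSTOR key, which Windows fills in for every USB mass-storage device it has ever enumerated.

```powershell
# Added example, not from the thread: read-only audit of the USB-storage
# controls this page discusses, for one machine. Run elevated; PS 2.0 is enough.

function Get-UsbStorageAudit {
    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $enumKey   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    $files     = @("$env:SystemRoot\system32\drivers\usbstor.sys",
                   "$env:SystemRoot\inf\usbstor.inf")

    # Services\USBSTOR\Start: 3 = SERVICE_DEMAND_START (normal), 4 = SERVICE_DISABLED.
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    $startState = if ($start -eq $null) { 'value missing' }
                  elseif ($start -eq 4) { 'disabled' }
                  elseif ($start -eq 3) { 'enabled' }
                  else { "unexpected value $start" }

    # StorageDevicePolicies\WriteProtect = 1 makes USB storage read-only (XP SP2 and later).
    $wp = (Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    $wpState = if ($wp -eq 1) { 'read-only' } else { 'writable' }

    # Explicit Deny ACEs on the driver and its INF (the KB 823732 / Disable.bat approach).
    $denies = @()
    foreach ($f in $files) {
        if (-not (Test-Path $f)) { $denies += "$f is missing (deleted on purpose?)"; continue }
        $acl = Get-Acl -Path $f
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                $denies += "$f denies $($ace.FileSystemRights) to $($ace.IdentityReference)"
            }
        }
    }

    # Every USB mass-storage device Windows has ever enumerated leaves a subkey under
    # Enum\USBSTOR (Disk&Ven_...&Prod_...\<serial>). It is not removed on unplug, so it
    # shows what was used before the control existed and doubles as a forensic artifact.
    $history = @()
    if (Test-Path $enumKey) {
        foreach ($dev in Get-ChildItem -Path $enumKey) {
            foreach ($inst in Get-ChildItem -Path $dev.PSPath) {
                $props = Get-ItemProperty -Path $inst.PSPath
                $history += New-Object PSObject -Property @{
                    Device       = $dev.PSChildName
                    Serial       = $inst.PSChildName
                    FriendlyName = $props.FriendlyName
                }
            }
        }
    }

    New-Object PSObject -Property @{
        UsbstorStart   = $startState
        RemovableMedia = $wpState
        DriverDenies   = $denies
        DevicesSeen    = $history
    }
}

$audit = Get-UsbStorageAudit
"USBSTOR driver   : $($audit.UsbstorStart)"
"USB storage mode : $($audit.RemovableMedia)"
"Deny ACEs        : $($audit.DriverDenies.Count)"
$audit.DriverDenies | ForEach-Object { "  $_" }
"Devices seen     : $($audit.DevicesSeen.Count)"
$audit.DevicesSeen | Format-Table Device, Serial, FriendlyName -AutoSize
```

A machine where the control is in place reports "disabled" and at least two Deny ACEs; "enabled" with no denies means the policy never arrived or an admin reverted it. Keep in mind that all of these settings only govern devices that bind to usbstor.sys: a phone or camera exposing its storage through a different class driver is not covered, and will not appear under Enum\USBSTOR either.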

2

I prefer to train the users as to what is acceptable and what is not acceptable. If you cannot trust your users that far, then take away their PCs and set up thin client systems connecting back to something like a Citrix server running all your apps. The only other solution I can think of is to place the actual PC in a locked cabinet with just the cables for the keyboard, mouse, and monitor coming out. In all cases I think you will just end up creating more work for yourself.

Jim C
0

If you are looking to effectively 'remove' those ports from the computer (and you need USB at all), AND if you are willing to modify the computer, may I suggest 2 part epoxy? Cover the connector with epoxy and no one is ever plugging anything in there again. Hot Melt glue is a bit less permanent, but still pretty effective.

Assuming you still need USB ports for keyboard/mouse, you're going to have to leave a port or two uncovered.

Michael Kohne
0

Drivelock. Also mirrors files from USB sticks if so desired, and allows whitelisting and blacklisting of devices, file types, and users.

0

You can disable USB storage via:

http://support.microsoft.com/kb/823732

It's also possible to make USB storage read only. This is often a good compromise, as it allows users to read data off a USB device - like photos from a camera, but prevents them from copying your corporate database onto their memory stick.

http://www.petri.co.il/configure_usb_disks_to_be_read_only_in_xp_sp2.htm

It's probably not advisable to attempt to disable USB entirely, as things like keyboards and mice generally require USB these days. Both of the above can be set via a registry entry or a policy file. The strength of these settings will be as strong as your Windows policy and group settings.

brianegge
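The two registry controls this answer links to (USBSTOR Start=4 from KB 823732, and WriteProtect=1 under StorageDevicePolicies for read-only on XP SP2+) and the file-ACL trick from the Disable.bat answer above can be put behind one reversible switch. The function below is an added example, not code from any answer here; it assumes an elevated Windows PowerShell 2.0 prompt and denies the same three principals the thread's batch file does. The mode names and the function name are my own.

```powershell
# Added example, not from the thread: applies one of the three states this page
# discusses, reversibly. Run elevated; PS 2.0 is enough. Affects devices plugged
# in after the change, so unplug anything currently attached first.
#   Allowed  - USBSTOR Start=3 (SERVICE_DEMAND_START), storage writable
#   ReadOnly - USBSTOR enabled, StorageDevicePolicies\WriteProtect=1 (XP SP2+)
#   Disabled - USBSTOR Start=4 (SERVICE_DISABLED) plus explicit Deny ACEs on
#              usbstor.sys/usbstor.inf so PnP cannot install the driver for a
#              new device either (KB 823732); WriteProtect stays on as a backstop

function Set-UsbStoragePolicy {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Allowed','ReadOnly','Disabled')]
        [string]$Mode
    )
    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $files     = @("$env:SystemRoot\system32\drivers\usbstor.sys",
                   "$env:SystemRoot\inf\usbstor.inf")
    # Same principals the thread's Disable.bat denies. Administrators are left
    # alone so an admin can still service the box and run this function again.
    $principals = @('BUILTIN\Users', 'BUILTIN\Power Users', 'NT AUTHORITY\SYSTEM')

    switch ($Mode) {
        'Allowed'  { $start = 3; $writeProtect = 0; $deny = $false }
        'ReadOnly' { $start = 3; $writeProtect = 1; $deny = $false }
        'Disabled' { $start = 4; $writeProtect = 1; $deny = $true  }
    }

    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $svcKey    -Name Start        -Value $start        -Type DWord
    Set-ItemProperty -Path $policyKey -Name WriteProtect -Value $writeProtect -Type DWord

    foreach ($f in $files) {
        if (-not (Test-Path $f)) { continue }   # usbstor.sys may have been deleted, as in the thread
        $acl = Get-Acl -Path $f
        # Drop explicit Deny ACEs from an earlier run, then re-add them if this mode needs them.
        foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        if ($deny) {
            foreach ($p in $principals) {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($p, 'FullControl', 'Deny')
                $acl.AddAccessRule($rule)
            }
        }
        Set-Acl -Path $f -AclObject $acl
    }

    # Return what was applied so a deployment script can log it per machine.
    New-Object PSObject -Property @{ Mode = $Mode; Start = $start; WriteProtect = $writeProtect; DenyAces = $deny }
}

# Usage (elevated):  Set-UsbStoragePolicy -Mode ReadOnly
```

None of the three modes touches USB keyboards or mice, which load the HID class driver rather than usbstor.sys, so the OP's concern about USB input devices does not arise. As with the batch files above, a user who is a local Administrator can undo all of it, and the ReadOnly mode does nothing on XP before SP2.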