How do you lock out the USB ports on the desktop PCs so we can prevent usage of USB drives on the desktops.
I should clarify that these are Windows XP desktops.
We should also assume that like most of the new desktops, many are using USB for keyboards and/or mice.
If they're Windows desktops, you can use the local policy (or group policy, if it's Active Directory). There isnt's a default setting for it, but the MS-provided template can be found under MSKB 555324.
There should be a Group Policy Object for this, you can push it through Active Directory. See in gpedit.msc on WinXP Pro.
You should be able to disable the usb ports from the computer's BIOS. You could also, unplug the cables from them to the motherboard.
I don't think disabling ports is really going to do what you seem to want. Not unless these computers use PS2 mice and keyboards. As long as you have available USB ports for the keyboard and mouse, someone can just plug a hub in and plug their USB drive into that. What you really want to do is prevent the computer from recognizing USB storage devices (but not other USB devices) plugged in via USB.
If the users have administrative rights to their PCs, they can override anything you do to prevent this. However, you can follow the below link to Microsoft's recommended solution:
http://support.microsoft.com/kb/823732
You can also prevent booting from a USB stick in the BIOS, as has already been mentioned.
If you are concerned about using a software solution you could buy some hardware locks.
This assumes that you have the budget to get these for each machine. You may also need keep people from unplugging the keyboard and mouse if they are USB as well.
Two solutions that I've seen at customer sites:
In the BIOS, Set the boot device to boot only from hard disk and password protect the BIOS. In the BIOS, disable all USB devices that you can get away with. To prevent USB sticks from even being mounted, you'll need to take other measures. Can you put the computer in a box with only the keyboard and mouse cables coming out? Then there is no available USB port for them to fiddle with.
The bottom line is that as long as you don't trust people who have physical access to the machine, you can only improve security but you cannot get absolute security.
I've had to do this on stand-alone machines as well as on several domain machines. GPO would be a better way to go but I didn't have the luxury of doing it that way. Obviously if someone had admin rights over the machine and a little knowledge they could undo this.
At the time I was using this, we had all XP machines. No users had admin rights. No users are [supposed to be] Power Users. To help keep users from using USB mass storage devices, some other admins deleted USBSTOR.SYS. So if I ever needed to reenable USB mass storage devices, I needed to restore the driver file as well. (So I kept a current copy handy along with the files below). My copy of the "Enable.bat" has a line -- I commented out here -- to restore the file as necessary.
Disable.bat:
(May have to add "BUILTIN\Administrators" to the CACLS commands. I did not have to in my environment)
@echo off
REM *********************************************************************
REM Disabling USB Mass Storage Driver
REM *********************************************************************
echo Disabling USB Mass Storage Driver
CACLS %SYSTEMROOT%\system32\Drivers\USBSTOR.SYS /E /D "BUILTIN\Users" "NT AUTHORITY\SYSTEM" "BUILTIN\Power Users"
CACLS %SYSTEMROOT%\INF\UsBSTOR.INF /E /D "BUILTIN\Users" "NT AUTHORITY\SYSTEM" "BUILTIN\Power Users"
REG.EXE IMPORT "Disable.reg"
Disable.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
Enable.bat
(May have to add another set of CACLS commands for "BUILTIN\Administrators". I did not have to in my environment)
@echo off
REM *********************************************************************
REM Enabling USB Mass Storage Driver
REM *********************************************************************
echo Enabling USB Mass Storage Driver
REM XCOPY /E /Y /I USBSTOR.SYS %SYSTEMROOT%\system32\Drivers
CACLS %SYSTEMROOT%\system32\Drivers\UsBSTOR.SYS /E /G "BUILTIN\Users":R
CACLS %SYSTEMROOT%\system32\Drivers\UsBSTOR.SYS /E /G "NT AUTHORITY\SYSTEM":R
CACLS %SYSTEMROOT%\system32\Drivers\UsBSTOR.SYS /E /G "BUILTIN\Power Users":R
CACLS %SYSTEMROOT%\INF\UsBSTOR.INF /E /G "BUILTIN\Users":R
CACLS %SYSTEMROOT%\INF\UsBSTOR.INF /E /G "NT AUTHORITY\SYSTEM":R
CACLS %SYSTEMROOT%\INF\UsBSTOR.INF /E /G "BUILTIN\Power Users":R
REG.EXE IMPORT "Enable.reg"
Enable.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
Something similar may work for Vista -- BUT I HAVE NOT TRIED IT.
I prefer to train the users as to what is acceptable and what is not acceptable. If you cannot trust your users that far, then take away their PCs and set up a thin client systems connecting back to something like a Citrix server running all your apps. The only other solution I can think of is to place the actual PC in a locked cabinet with just the cables for the keyboard, mouse, and monitor coming out. In all cases I think you will just end up creating more work for your self.
If you are looking to effectively 'remove' those ports from the computer (and you need USB at all), AND if you are willing to modify the computer, may I suggest 2 part epoxy? Cover the connector with epoxy and no one is ever plugging anything in there again. Hot Melt glue is a bit less permanent, but still pretty effective.
Assuming you still need USB ports for keyboard/mouse, you're going to have to leave a port or two uncovered.
Drivelock. Also mirrors files from USB sticks if so desired, and allows whitelisting and blacklisting of devices, file types, and users.
You can disable USB storage via:
http://support.microsoft.com/kb/823732
It's also possible to make USB storage read only. This is often a good compromise, as it allows users to read data off a USB device - like photos from a camera, but prevents them from copying your corporate database onto their memory stick.
http://www.petri.co.il/configure_usb_disks_to_be_read_only_in_xp_sp2.htm
It's probably not advisable to attempt to disable USB entirely, as things like keyboards and mice generally require USB these days. Both of the above can be set via a registry entry or a policy file. The strength of these settings will be as strong as your Windows policy and group settings.
