2
2
In order to take some measures against BadUSB exploit, I want to restrict USB device installations on Windows 8, as suggested here.
However, gpedit.msc to reach Local Group Policy Editor is not available in Windows 8. Price for Pro upgrade (450₺) is not close to being reasonable in my opinion and I wonder if I can change following settings using Registry Editor.
Prevent installation of devices using drivers that match these device setup classes:
- 4d36e96b-E325-11CE-BFC1-08402BE10318 – this one controls the automatic installation of USB keyboards.
- 4D36E972-E325-11CE-BFC1-08012BE10318 – this one corresponds to the NIC (network interface controller)
- e0cbf06c-cd8b-4647-bb8a-263b45f0f974 – this one is for bluetooth.
Allow administrators to override Device Installation Restrictions policies
I could not find these settings here.
If this is not possible via Registry Editor can you suggest me an alternative solution? ("Not using USB ports at all" is not an option.)
1If users are local machine user administrators, then any solution outside of a group policy on a domain, can be overridden by them. Even then the entire point of BadUSB, is that the device reports to the OS what it is, so even the solution you describe is not effective against protecting against it. The best way is to only allow specific USB devices registered by an Administrator, with everyone else, not being an Administrator. This solution can only be done through a group policy though. – Ramhound – 2015-09-03T14:04:53.450
There will only be 1 admin user and 1 standard user. Both will be controlled by me. – Teo – 2015-09-03T14:08:48.377
Still does not change the fact, if you only allow USB keyboards, a BadUSB flash device which reported to be a keyboard, would still infect your system. – Ramhound – 2015-09-03T14:12:40.083
I plan to only allow USB storage devices. I want to disable keyboard and mouse installations. I suppose this will prevent BadUSB. – Teo – 2015-09-03T14:18:31.267
1
I've found an alternative solution, a free program to prevent keyboard installation. It is called "G DATA USB Keyboard Guard". Thanks to this program user is asked to grant access when a new keyboard device is found. I haven't tried it. To download: https://www.gdata.de/de-usb-keyboard-guard#c105387
– Teo – 2015-09-03T15:12:43.043