Saturday, September 11, 2010

How to Enable or Disable Folder Options in Vista or Windows 7

EXAMPLE: Before (Enabled) and After (Disabled)
Name:  Explorer_Before.jpg Views: 16528 Size:  10.9 KBName:  Explorer_After.jpg Views: 16488 Size:  9.0 KB

cp_before.jpgcp_after.jpg

Name:  Explorer2_Before.jpg Views: 16427 Size:  11.5 KBName:  Explorer2_After.jpg Views: 16410 Size:  11.6 KB




METHOD ONE

Through the Local Group Policy Editor
1. Open the Local Group Policy Editor.

2. In the left pane, click on User Configuration, Administrative Templates, Windows Components, and Windows Explorer (See screenshot below)
group_policy.jpg
3. In the right pane, right click on Removes the Folder Options menu from the Tools Menu, and click on Properties. (See screenshot above)

4. To Enable Folder Options -
A) Select (dot) Disabled or Not Configured and click on OK. (See screenshot below step 5A)

B) Go to step 6.
5. To Disable Folder Options -
A) Select (dot) Enabled and click on OK.
properties.jpg
6. Close the Local Group Policy Editor window. Your done.





METHOD TWO

With a REG File Download
1. To Enable Folder Options -
A) Click on the download button below to download the Enable_Folder_Options.reg file.

B) Go to step 3.


2. To Disable Folder Options -
A) Click on the download button below to download the Disable_Folder_Options.reg file.


3. Click on Save, and save the .reg file to the Desktop.

4. Right click on the .reg file (on Desktop) and click on Merge.

5. Click on the Run button for Security Warning pop-up.

6. Click on Continue (UAC), Yes, and then OK when prompted.

7. Log off and log on or restart the computer to apply the changes.

8. When done, you can delete the .reg file (on Desktop).




METHOD THREE

Through Registry Editor
1. Open the Start Menu.

2. In the white line (Start Search) area, type regedit and press Enter.

3. Click on the Continue button in the UAC prompt.

4. In regedit, go to: (See screenshot below)
NOTE: If Explorer is not there, then right click on Policies in the left pane and click on New and Key. Type Explorer and press Enter.

Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer_reg.jpg
5. To Disable Folder Options -
A) In the right pane, right click on a empty area and click on New and DWORD (32-bit) Value. (See screenshot below)

B) Type NoFolderOptions and press Enter.

C) Right click on NoFolderOptions and click on Modify.
nofolderoptions_reg.jpg
D) Type 1 and click on OK. (See screenshot below)
Name:  Modify_NoFolderOptions.jpg Views: 16310 Size:  30.5 KB
E) Go to step 7.
6. To Enable Folder Options -
A) In the right pane, right click on NoFolderOptions and click on Delete. (See screenshot below step 5C)

B) Click on Yes to confirm delete.

C) In regedit, go to: (See screenshot below)

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
D) In the right pane, repeat steps 6A and 6B if NoFolderOptions is there to.
hklm_reg.jpg
7. Close regedit.

8. Log off and log on or restart the computer to apply the changes.

Thursday, September 2, 2010

How to disable USB Drives (jump/flash/external/etc.) through Batch file (Part2)

continued...

This is what I did to accomplish this method of killing USB drives quickly and easily.

I created 2 batch files, 1 batch to disable and another for administrators(tech support, ie.) that will re-enable USB drives if the need arises.

1: First thing is to get a copy of the tool "subinacl.exe". This tool is included with MS Server 2003 RK.

((What subinacl allows you to due is set specific permissions on the exact group or user, etc.. that you need to, this includes permissions on registry Keys which is what we will be doing.))

2: Once you have a copy of "subinacl.exe" set up a folder for your batch files. In my particular case I wanted these batch files available on the network so I created a shared folder named "DisableUSB" on a server. Next I created a subfolder within "DisableUSB" called "subinacl". Put a copy of "subinacl.exe" in this folder.


3. Next thing to do is create 2 “reg” files in the subfolder “subinacl”. I named the 2 files “dword3.reg” and “dword4.reg”. These files are going to be used to change the value of the dword “start” in the registry key Usbstor.

I assume most probably know how do create reg files, this is what should be in the files:

For “dword3.reg”
******
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\USBSTOR]
"Start"=dword:00000003

*change the 3 to a 4 for “dword4.reg”*


4. Now put these 2 files in the “subinacl” folder if they weren’t created there.

OK, all the pieces should now be in place. For this example we have a shared folder (on no particular server) called “disableUSB”. Within this folder is a subfolder “subinacl” that has subinacl.exe, dword3.reg, and dword4.reg within it.

5 . Now to create the 2 batch files. I created these 2 files under the main share folder (disableUSB). One is called “disableUSBdrives.bat” which, you guessed it, disables drives, and the other for re-enabling drives, “enableUSBdrives.bat”. Wow…

This is how disableUSBdrives.bat is set up:

@echo off
cls
regedit /s \\servername\disableUSB\Subinacl\dword4.reg
\\servername\DisableUSB\Subinacl\subinacl.exe /keyreg \system\currentcontrolset\services\usbstor /deny=system
pause
cls
echo.
echo **USB drives disabled**
echo.
Pause

*the path will differ of course. \\servername is just an example.

for “enableUSBdrives.bat” simply change change “dword4.reg” to “dword3.reg” AND “deny=system” to “grant=system”

Notice that the only real meat to these batch’s is running regedit and running subinacl. Everything else (cls,pause,echo) is optional, for my particular situation it was needed.

6. Go the machines that you want to disable USB drives on and run the disableUSBdrives batch from the network share.

And that’s it. USB drives gone.

Now of course running a batch from each machine is still time consuming, but In my particular situation it had to be done this way, and is obviously much faster than driving through the registry.

The most efficient way to incorporate this would be with logon scripting. Unlike with just using the dword start=4 trick, after this script is run, there is no way for joe blow user to use any of his nifty little Jumpdrives or his hot new hard drives.

Also note that folder names and locations can be set up in any way and anywhere as long as the batch files point to the right place.

Anyway. hope this helps someone.



NOTE: SubInAcl :SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain. For example, if a user has moved from one domain (DomainA) to another (DomainB), the administrator can replace DomainA\User with DomainB\User in the security information for the user's files. This gives the user access to the same files from the new domain.

SubInACL enables administrators to do the following:

* Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
* Change the owner of an object.
* Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
* Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.

How to disable USB Drives (jump/flash/external/etc.) through Batch file (Part1)

This explains how to disable ONLY USB storage devices(flash/Jump/external HD's) completely without disabling keyboards, mice, etc.

I decided to go this route after trying every other option I could find on the internet. So far this is the only way I have found to completely kill USB drives without ways to get around restrictions. edit: WITHOUT PURCHASING THIRD PARTY SOFTWARE

First thing to do is this:

1.Run regedit and navigate to HKLM\system\currentcontrolset\services\USBstor.

2.Change the value of the dword "Start" from 3 to 4. If the dword "Start" doesnt exist, create it. This will prevent a previously installed USB device from loading when the device is plugged into the machine. ((As most of you know this a Microsoft suggestion, which does work perfectly at disabling previously installed devices, however, this alone will not disable USB storage completely. If a user plugs a new USB storage device into the machine the device will install and the dword value will be reset to 3. Now if you incorporate adding this into a script it alone will disable USB drives, but only after a user plugs a device in, removes it without uninstalling it, logs off then logs back on, thereby running the script. This means that there is a window of opportunity for users to have access to new devices, this may be acceptable for some, but not for others.))

3. The next thing to do is to change the permisions on the USBSTOR key. You need to DENY full control on the "system" group.

((What this does is denies everyone the ability to access the USBStor key, effectively killing the ability for any user (including admins) to install USB storage devices. Now the reason you deny the "system" group is because windows will use this account if no one is logged onto the machine yet. What I mean by this is if say you want to deny a group of users called "staff", you would need to deny them using GP or a logon script. This will work great, but, if a "staff" group user plugs a USB drive in before logging in to Windows the device will be installed using in the backgroud using the "system" group, then when the user logs in the "staff" group policy is applied dening the user access to the USBstor key, but by this point it makes no difference because the devices is already installed and accessible and once a device is installed the usbstor key is no longer used.))

3. So now that these two steps are are done, *NO ONE* will be able to install USB drives.

If a user tries to use a previously installed drive the device will be blocked and nothing will happen, no prompts, nothing. This is accomplished through step 1, the dword value.

What happens if a user plugs in a "New" device that was not previously installed, the hardware wizard will run, asking for the location of drivers. Regardless of whether a user selects the "automatically" search and install or if they attempt to manually install 3rd party drivers, the HW wizard will prompt the user that "access is denied" once the drivers are selected. This is the result of step 2, denying "system".


Now that we know how to disable USB storage devices we need to find an efficient way to do this without driving through the registry on each and every machine.


****** Next continuation in Part2 ***********
Ref

USB HACKS:

How can I prevent users from writing to USB removable disks (USB flash drives)?


How can I prevent users from writing to USB removable disks (USB flash drives) by using Group Policy (GPO)?


How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?


Configure USB Disks to be Read-Only in Windows XP SP2


How to disable USB sticks and limit access to USB storage devices on Windows systems

Autorun any EXE, PDF, PowerPoint Presentation, Music Playlist, Flash Animation, HTML file when a USB Flash Memory device is inserted

How do a particular program to run after pluged it into the computer. Just like a CD Autoruns. How can do this ?

Microsoft Windows does not allow you to autorun USB drives when they are inserted. The Windows Autorun capabilities are restricted to CD-ROM drives and fixed disk drives.

If you need to make a USB Pen storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.

It is a too complicated process to add autorun functionality to your USB drive. Fortunately, there are some free software that trigger Autorun on your USB storage device.

APO Usb Autorun 1.5.
APO USB Autorun automatically searches for the standard autorun.inf (as used with CDs) and executes it.

In addition to the autorun functionality, the program also allows you to quickly access the files on the USB drive(s) from the tray icon menu.

AutoRun USB 1.0
AutoRun USB will automatically launch the application or document of your choice on your USB Flash Drive.




One kind of Solution i got by some one.. Try this...

windows xp sp2 allows you to popup an customised autorun line in the autoplay box with the action= definition in autorun.inf.

example

[autorun]
action=Install Bitdefender Standard 9
open=antivirus\insticon.bat
icon=antivirus\bd.ico


same as normal autorun, but when you plug in the drive to winxpsp2 the autoplay box will have a new top line with your customised icon
and text Install Bitdefender Standard 9. When the user clicks it, it will run the same as an autorun.

How can we Disable USB Ports & Enable them again

A desktop computer equipped with a CD writer or a DVD burner is a rare sight is most companies. But a much larger security threat is posed by the open USB ports where mischievous office workers can just plugin the Flash Pen Drive, External Hard Disk or their iPod music player and transfer corporate data or even copy licensed software to their memory sticks in seconds.

Also, USB keys are not just a popular way to sneak data out from companies, unhappy employees may use USB ports for delivering trojans or spyware into the company networks.

Now some smart admins disable usb drive by changing the BIOS settings and then lock the BIOS using passwords. Some not so-smart admins fix tapes over the USB ports to prevent employees from inserting any USB device into their computer.

However, both these approaches can prove to be counter-productives as your staff can no longer use USB keyboards, wireless mouse, digital cameras, camcorders, scanners, printers or even USB microphones to their computers.

So a more reasonable option for sysadmins is to disable write access to USB port so that data files cannot be written to the mass storage device. The USB thumb drive will be read-only.

Open the Windows Registry and open the following key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\StorageDevicePolicies

Now add a new DWORD called WriteProtect and put the value as 0 to disable write privileges to the USB port. To reverse the step, either delete the WriteProtect REG_DWORD or toggle the value to 1 which will enable the port.

Remember that the above trick works only with Windows XP SP2.

If you like to go a step further and disable users from connecting USB storage devices to their computers, here's the trick:

Open registry and navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\UsbStor

Now in the right pane, double-click Start and type 4 in the Value data box (Hexadecimal) and quite the registry editor. To enable the USB storage devices, change the Start value back to 3.

No matter how good the protection tricks are, determined people always find workarounds. Here are some of the tricks that may render the above methods unusable:

» Employee may boot computer using a LiveCD like Knoppix or Ubuntu so the USB drives are again available to him for writing.

» They could open the computer chasis, take the battery out to reset the BIOS settings.

» Some may even invest in a PS2 to USB port converter.

» If he manages to get admin access for a temporary period (like installing software), he may undo the registry edits.

The cat-mouse game will never end. USB drives will remain a headache for the sysadmins for some time. However, Windows Vista will make life much simpler for IT administrators. There's a new Policy in Vista that allows USB keyboards or mouse to be used but not any USB devices.

Enable/Disable USB Port on PC



For many IT managers USB port connectivity can still pose a large threat to company security. One quick down-and-dirty method is disabling the read and write from any system USB port. This can be done through a quick registry edit.

Here is the full Microsoft article explaining how to disable a USB port (link). Note: This is a registry edit so be sure to backup your registry first and know how to restore it in case something terrible happens.

To disable the access to USB port, in windows XP and 2000:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
4. In the right pane, double-click Start.
5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
6. Quit Registry Editor.

To re-enable a disabled port:

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
4. In the right pane, double-click Start.
5. In the Value data box, type 3, click Hexadecimal (if it is not already selected), and then click OK.
6. Quit Registry Editor.