continued...
This is what I did to accomplish this method of killing USB drives quickly and easily.
I created 2 batch files, 1 batch to disable and another for administrators(tech support, ie.) that will re-enable USB drives if the need arises.
1: First thing is to get a copy of the tool "subinacl.exe". This tool is included with MS Server 2003 RK.
((What subinacl allows you to due is set specific permissions on the exact group or user, etc.. that you need to, this includes permissions on registry Keys which is what we will be doing.))
2: Once you have a copy of "subinacl.exe" set up a folder for your batch files. In my particular case I wanted these batch files available on the network so I created a shared folder named "DisableUSB" on a server. Next I created a subfolder within "DisableUSB" called "subinacl". Put a copy of "subinacl.exe" in this folder.
3. Next thing to do is create 2 “reg” files in the subfolder “subinacl”. I named the 2 files “dword3.reg” and “dword4.reg”. These files are going to be used to change the value of the dword “start” in the registry key Usbstor.
I assume most probably know how do create reg files, this is what should be in the files:
For “dword3.reg”
******
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\USBSTOR]
"Start"=dword:00000003
*change the 3 to a 4 for “dword4.reg”*
4. Now put these 2 files in the “subinacl” folder if they weren’t created there.
OK, all the pieces should now be in place. For this example we have a shared folder (on no particular server) called “disableUSB”. Within this folder is a subfolder “subinacl” that has subinacl.exe, dword3.reg, and dword4.reg within it.
5 . Now to create the 2 batch files. I created these 2 files under the main share folder (disableUSB). One is called “disableUSBdrives.bat” which, you guessed it, disables drives, and the other for re-enabling drives, “enableUSBdrives.bat”. Wow…
This is how disableUSBdrives.bat is set up:
@echo off
cls
regedit /s \\servername\disableUSB\Subinacl\dword4.reg
\\servername\DisableUSB\Subinacl\subinacl.exe /keyreg \system\currentcontrolset\services\usbstor /deny=system
pause
cls
echo.
echo **USB drives disabled**
echo.
Pause
*the path will differ of course. \\servername is just an example.
for “enableUSBdrives.bat” simply change change “dword4.reg” to “dword3.reg” AND “deny=system” to “grant=system”
Notice that the only real meat to these batch’s is running regedit and running subinacl. Everything else (cls,pause,echo) is optional, for my particular situation it was needed.
6. Go the machines that you want to disable USB drives on and run the disableUSBdrives batch from the network share.
And that’s it. USB drives gone.
Now of course running a batch from each machine is still time consuming, but In my particular situation it had to be done this way, and is obviously much faster than driving through the registry.
The most efficient way to incorporate this would be with logon scripting. Unlike with just using the dword start=4 trick, after this script is run, there is no way for joe blow user to use any of his nifty little Jumpdrives or his hot new hard drives.
Also note that folder names and locations can be set up in any way and anywhere as long as the batch files point to the right place.
Anyway. hope this helps someone.
NOTE: SubInAcl :SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain. For example, if a user has moved from one domain (DomainA) to another (DomainB), the administrator can replace DomainA\User with DomainB\User in the security information for the user's files. This gives the user access to the same files from the new domain.
SubInACL enables administrators to do the following:
* Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
* Change the owner of an object.
* Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
* Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment