Ideas on how to prevent users from being able to install hardware

screwdriver??

Now to be annoying
If they ran FreeBSD or linux you could just compile the kernel without USB support :D
 
[killa_bunny] said:
If they ran FreeBSD or linux you could just compile the kernel without USB support :D
Or couldn't you just do this with groups/permissions so root (or wanted users) would still be able to use USB? :)
 
You are all missing the point. Forget it. There is no solution. You can't do it with Windows 2000 without third party software.

And no, you can't do it with CACLS (permissions); read the thread before you post. The reason? Newer USB thumb drives have the drivers on them, so they are true PnP, meaning they don't need to use the driver.cab file.

Thanks anyway.
 
The best way to provide security is at the Physical layer. Rip the ports out!

If you are too lazy for that (or have 50k machines), the second best method is to put spyware on all machines, and the first 5 people caught using an unauthorized device are fired on the spot and walked out the door by security. We use this method where I work. Amazing how quickly the rest straighten up. The really amazing part is that you don't even have to put out a memo saying the 5 have been fired. Anyone who witnesses the act will spread the rumor through the whole plant within 24 hours.
 
There has to be a way if third party software can do the job.

I think on that many machines the answer is in the Windows inf file, "c/windows/inf". Most cameras and USB storage devices use native drivers on the system, so when the USB hub driver enumerates the device the hardware wizard picks a driver that's on the machine.

I don't have a machine running 2000 to test with. If you have one, try locking the "usbstor.inf" file, or remove it and see what happens.
This is where Windows looks when the device gets enumerated.


http://msdn.microsoft.com/library/d..._d17bbed6-5ee4-4d17-86cd-88d240128fef.xml.asp

(Drivers that are installed during the "Installing Devices" portion of GUI-mode Setup have to be found in certain locations. At this point, Setup is installing the devices by using Plug and Play IDs that have been enumerated by Windows Plug and Play. Setup searches a pre-defined path on the drive, looking in .inf files to find the best match for the Plug and Play ID of the device. By default, this path is defined in the following registry location and is set to %SystemRoot%\Inf:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath: REG_EXPAND_SZ:%SystemRoot%\Inf

Setup uses this path to locate .inf files for device installation. After Setup, this path is also used for any new hardware that is found and installed. If you modify this key during Setup by using the Sysprep.inf or Unattended answer file, the value is saved and is also used after Setup.)

http://www.support.microsoft.com/?kbid=254078

(Non-administrative level users require no additional permissions to install or uninstall device drivers if the device is supported hardware with a Plug and Play device ID to driver match. If you provide a properly-signed OEM driver package when using the "New Hardware Found" wizard in the case of either no match or a compatible-rank match, that signed .inf file and its related files are now present on your computer. Because of this, any subsequent "new hardware" of the same type (such as hardware-rank match in the same .inf file and using the same files) is automatically installed by Plug and Play manager without further user interaction required.)

http://www.support.microsoft.com/?kbid=219435

I'm just thinking outside the box maybe something here will help.
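
Added example, not part of the original posts and not Microsoft's code: a Python audit sketch that walks a DevicePath-style search list and reports every .inf file carrying an ID for the USB mass-storage class, since usbstor.inf is not necessarily the only match once OEM packages are present. The INF line parsing is a simplified heuristic, and the file names, contents and the `demo()` helper are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MASS_STORAGE = r"USB\CLASS_08"  # compatible-ID prefix of the USB mass-storage class

def expand_device_path(value, env):
    """Split a DevicePath (REG_EXPAND_SZ) value and expand its %VAR% references."""
    sub = lambda m: env.get(m.group(1).upper(), m.group(0))
    return [Path(re.sub(r"%([^%]+)%", sub, p.strip()).replace("\\", "/"))
            for p in value.split(";") if p.strip()]

def read_inf(path):
    """INF files are ANSI or UTF-16 with a BOM; decode either."""
    raw = path.read_bytes()
    return raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")

def ids_in_inf(text):
    """Yield IDs from 'description = install-section, id[, id...]' lines (heuristic)."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop INF comments
        if "=" in line and not line.startswith("["):
            for field in line.split("=", 1)[1].split(",")[1:]:
                yield field.strip().strip('"')

def infs_matching(device_path, env, prefix=MASS_STORAGE):
    """Map every .inf on the search path to the IDs in it that start with prefix."""
    hits = {}
    for folder in expand_device_path(device_path, env):
        files = sorted(folder.iterdir()) if folder.is_dir() else []
        for inf in (f for f in files if f.suffix.lower() == ".inf"):
            ids = sorted({i for i in ids_in_inf(read_inf(inf)) if i.upper().startswith(prefix)})
            if ids:
                hits[str(inf)] = ids
    return hits

def demo():
    """Constructed sample: a stand-in %SystemRoot%\\Inf with three made-up INF files."""
    root = Path(tempfile.mkdtemp())
    (root / "Inf").mkdir()
    samples = {
        "usbstor.inf": '[Generic]\n%Bulk.Desc%=USBSTOR_BULK, USB\\Class_08&SubClass_06&Prot_50\n',
        "oem7.inf": '[Vendor]\n"Example Disk"=Disk_Inst, USB\\VID_FFFF&PID_0001, USB\\Class_08&SubClass_06&Prot_50\n',
        "keyboard.inf": '[Std]\n%kbd%=HID_Kbd, HID_DEVICE_SYSTEM_KEYBOARD\n',
    }
    for name, body in samples.items():
        (root / "Inf" / name).write_text(body)
    return infs_matching(r"%SystemRoot%\Inf", {"SYSTEMROOT": str(root)})

if __name__ == "__main__":
    print(demo())
```

On a real machine, pass the DevicePath value read from the registry and the actual environment instead of the constructed `demo()` inputs.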
 
I already attempted to lock down the usbstor.* files in \Inf\ and it doesn't work. As we all know 2000 was pre-USB thumb drive. Following the release of these USB thumb drives Microsoft figured there would be a problem and that administrators would want more control over such devices. So they came up with that solution.

It appears W2K doesn't really know but XP does. If that makes sense.

As for the other solutions that you have provided me with, and that others have, it defeats the purpose. As the administrator of this network I want to be able to go down to these workstations and do as I want without having to reconnect the USB ports, change a reg key, etc.

That's why changing some permissions would have worked the best. But W2KSP4 just doesn't support it that way. Time to purchase a copy of XP and start testing company applications under it. Sounds like a blast.

Thanks for all the help.
 
