Video Screencast Help

How to block USB access in Safe Mode

Created: 20 Jan 2012 • Updated: 20 Jan 2012 | 9 comments
Language Translations
Sumit G's picture
+33 33 Votes
Login to vote

Solution for blocking complete USB mass storage/USB mass storage write operation/IEEE1394 devices/SD storage/Complete Cd operations/CD burning:

 

Copy paste below provided text to notepad and save with extension .ADM. Import saved ADM file to GPO under computer configuration. These settings are preferences hence once GPO is removed settings will remain on computer and needs to be revoked manually.

 

This solution if implanted using GPO will remain effective in all kind of SAFE MODE operations.

 

If it will be implemented in Symantec then it helpful to block Safe Mode and Safe Mode with N/w

 

; Administrative template file for blocking removable storage devices

; Version: 1.0

 

CLASS MACHINE

 

CATEGORY !!DisableRemovableStorage

 

    POLICY !!WriteProtectUsbStor

        #if version >= 4

            SUPPORTED !!SUPPORTED_WindowsXPSP2

        #endif

        EXPLAIN !!WriteProtectUsbStor_Help

        KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"

        VALUENAME "WriteProtect"

            VALUEON NUMERIC 1

            VALUEOFF NUMERIC 0

    END POLICY

 

    POLICY !!DisableUsbStor

        EXPLAIN !!DisableUsbStor_Help

        KEYNAME "SYSTEM\CurrentControlSet\Services\USBStor"

        VALUENAME "Start"

            VALUEON NUMERIC 4

            VALUEOFF NUMERIC 3

    END POLICY

 

    POLICY !!Disable1394Stor

        EXPLAIN !!Disable1394Stor_Help

        KEYNAME "SYSTEM\CurrentControlSet\Services\sbp2port"

        VALUENAME "Start"

            VALUEON NUMERIC 4

            VALUEOFF NUMERIC 0

    END POLICY

 

    POLICY !!DisableFloppy

        EXPLAIN !!DisableFloppy_Help

        KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"

        VALUENAME "Start"

            VALUEON NUMERIC 4

            VALUEOFF NUMERIC 3

    END POLICY

 

    POLICY !!DisableSDcard

       #if version >= 4

            SUPPORTED !!SUPPORTED_WindowsXPSP2

        #endif

        EXPLAIN !!DisableSDcard_Help

        KEYNAME "SYSTEM\CurrentControlSet\Services\sffdisk"

        VALUENAME "Start"

            VALUEON NUMERIC 4

            VALUEOFF NUMERIC 3

    END POLICY

 

    POLICY !!DisableCDBurning

        #if version >= 4

            SUPPORTED !!SUPPORTED_WindowsXPWindowsNET

        #endif

        EXPLAIN !!DisableCDBurning_Help

        KEYNAME "SYSTEM\CurrentControlSet\Services\ImapiService"

        VALUENAME "Start"

            VALUEON NUMERIC 4

            VALUEOFF NUMERIC 3

    END POLICY

               

     POLICY !!policynamecd

   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"

   EXPLAIN !!explaintextcd

     PART !!labeltextcd DROPDOWNLIST REQUIRED

 

       VALUENAME "Start"

       ITEMLIST

        NAME !!Disabled VALUE NUMERIC 1 DEFAULT

        NAME !!Enabled VALUE NUMERIC 4

       END ITEMLIST

     END PART

   END POLICY    

 

END CATEGORY ; DisableRemovableStorage

 

[strings]

DisableRemovableStorage="Controlling Removable Storage Device"

WriteProtectUsbStor="Prevent write operations to USB Storage Devices"

WriteProtectUsbStor_Help="Prevents users from writing USB storage devices.\n\nIf you enable this setting, all users using this computer will not be able to write USB storage devices. Read operation is allowed."

DisableUsbStor="Disable USB Storage Devices"

DisableUsbStor_Help="Prevents users from using USB storage devices.\n\nIf you enable this setting, all users using this computer will not be able to read and write USB storage devices."

Disable1394Stor="Disable IEEE 1394 Storage Devices"

Disable1394Stor_Help="Prevents users from using IEEE 1394 storage devices.\n\nIf you enable this setting, all users using this computer will not be able to read and write IEEE 1394 storage devices."

DisableFloppy="Disable Floppy Disk"

DisableFloppy_Help="Prevents users from using floppy disk.\n\nIf you enable this setting, all users using this computer will not be able to read and write floppy disk."

DisableSDcard="Disable SD Storage Card"

DisableSDcard_Help="Prevents users from using SD storage card.\n\nIf you enable this setting, all users using this computer will not be able to read and write SD storage card."

DisableCDBurning="Disable CD Burning Feature"

DisableCDBurning_Help="Prevents users from burning CD.\n\nIf you enable this setting, all users using this computer will not be able to burn CD. Read operation is allowed.\n\nNote: This setting does not prevent users from using third-party applications that don't use IMAPI (Image Mastering Applications Programming Interface) to create or modify CDs using a CD writer.\nIf you want to restrict CD burning feature for each user, use "Remove CD Burning features" policy setting in User Configuration\Administrative Templates\Windows Components\Windows Explorer."

policynamecd="Disable CD-ROM"

explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the cdrom.sys driver status in the drop-down list."

labeltextcd="cdrom.sys driver status"

Enabled="Stopped"

Disabled="Started"

SUPPORTED_WindowsXPSP2="Microsoft Windows XP Professional SP2 or later"

SUPPORTED_WindowsXPWindowsNET="Microsoft Windows XP or Windows Server 2003"

 

Regard

Sumit

Comments 9 CommentsJump to latest comment

Harsh's picture

Dear Sumit,

 

Thank you for this nice article. I want to understand where in the script or the procedure mentioned by you - caters to Safe Mode only?

If we put Deny Permissions to usbstore.inf and usbstore.pnf to Everone then the USB canot be used in Normal or any other Safe mode.

However from your article it appears to block it only in Safe Mode(s)- How?

Thank you

+1
Login to vote
Pawan K Yadav's picture

Hi Sumit,

 It seems that policy will be effective in both safe and normal mode, is it?...but also imp that how to disable the policy if required......

0
Login to vote
Harsh's picture

Dear All,

Here my concern is that since in Safe mode all the SEP services are stopped the Endpoints should be closed.

-1
Login to vote
Sumit G's picture

hi harish,
i know that when system is in safe mode all service stop but i want to show that if symantec will be make some change in coding which be process and effect on Registry threw policy even system will be in safe/normal mode. If u will be assign this coding threw AD. No one can able to change and will be same effect on safe mode also

Regards

Sumit G.

0
Login to vote
Harsh's picture

Hi Sumit,

My Name is Harsh.

Thanks for your reply. I respect the solution you have provided however the issue which i am trying to address here is of a different magnitude altogether.

I hope someone from Symantec can address this and have a solution for this.

-1
Login to vote
Jackie007's picture

this artical can we block Bluetooth

Thanks....

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you

0
Login to vote
rs_cert's picture

I will share the article to my team, if help require then come to you

0
Login to vote
rs_cert's picture

It's helpful but it using through GPO. If it implementec in SEP. It really get a big success.

0
Login to vote
Salim Shaikh786's picture

Is it implemented in new sysmntec version or still awaiting. I think this should be done asap as it is very helpfull

0
Login to vote