
How to block USB access in Safe Mode 

Jan 20, 2012 02:19 AM

Solution for blocking USB mass storage completely, USB mass storage write operations, IEEE 1394 devices, SD storage, all CD operations, and CD burning:

Copy and paste the text provided below into Notepad and save it with the extension .ADM. Import the saved ADM file into a GPO under Computer Configuration. These settings are preferences, so once the GPO is removed the settings remain on the computer and need to be revoked manually.

This solution, if implemented using GPO, will remain effective in all kinds of Safe Mode operation.

If it were implemented in Symantec, it would be helpful for blocking access in Safe Mode and Safe Mode with Networking.

; Administrative template file for blocking removable storage devices
; Version: 1.0
; Service "Start" values: 0 = boot, 1 = system, 3 = manual (on demand), 4 = disabled

CLASS MACHINE

CATEGORY !!DisableRemovableStorage

    ; Write-protect USB storage (reads are still allowed)
    POLICY !!WriteProtectUsbStor
        #if version >= 4
            SUPPORTED !!SUPPORTED_WindowsXPSP2
        #endif
        EXPLAIN !!WriteProtectUsbStor_Help
        KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
        VALUENAME "WriteProtect"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
    END POLICY

    ; Disable the USB mass storage driver
    POLICY !!DisableUsbStor
        EXPLAIN !!DisableUsbStor_Help
        KEYNAME "SYSTEM\CurrentControlSet\Services\USBStor"
        VALUENAME "Start"
            VALUEON NUMERIC 4
            VALUEOFF NUMERIC 3
    END POLICY

    ; Disable the IEEE 1394 (SBP-2) storage driver
    POLICY !!Disable1394Stor
        EXPLAIN !!Disable1394Stor_Help
        KEYNAME "SYSTEM\CurrentControlSet\Services\sbp2port"
        VALUENAME "Start"
            VALUEON NUMERIC 4
            VALUEOFF NUMERIC 0
    END POLICY

    ; Disable the floppy disk driver
    POLICY !!DisableFloppy
        EXPLAIN !!DisableFloppy_Help
        KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
        VALUENAME "Start"
            VALUEON NUMERIC 4
            VALUEOFF NUMERIC 3
    END POLICY

    ; Disable the SD storage card driver
    POLICY !!DisableSDcard
        #if version >= 4
            SUPPORTED !!SUPPORTED_WindowsXPSP2
        #endif
        EXPLAIN !!DisableSDcard_Help
        KEYNAME "SYSTEM\CurrentControlSet\Services\sffdisk"
        VALUENAME "Start"
            VALUEON NUMERIC 4
            VALUEOFF NUMERIC 3
    END POLICY

    ; Disable the IMAPI CD-burning service
    POLICY !!DisableCDBurning
        #if version >= 4
            SUPPORTED !!SUPPORTED_WindowsXPWindowsNET
        #endif
        EXPLAIN !!DisableCDBurning_Help
        KEYNAME "SYSTEM\CurrentControlSet\Services\ImapiService"
        VALUENAME "Start"
            VALUEON NUMERIC 4
            VALUEOFF NUMERIC 3
    END POLICY

    ; Disable the CD-ROM driver; the drop-down label "Started" writes 1, "Stopped" writes 4
    POLICY !!policynamecd
        KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
        EXPLAIN !!explaintextcd
        PART !!labeltextcd DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
                NAME !!Disabled VALUE NUMERIC 1 DEFAULT
                NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
        END PART
    END POLICY

END CATEGORY ; DisableRemovableStorage

 

[strings]
DisableRemovableStorage="Controlling Removable Storage Device"
WriteProtectUsbStor="Prevent write operations to USB Storage Devices"
WriteProtectUsbStor_Help="Prevents users from writing to USB storage devices.\n\nIf you enable this setting, all users using this computer will not be able to write to USB storage devices. Read operation is allowed."
DisableUsbStor="Disable USB Storage Devices"
DisableUsbStor_Help="Prevents users from using USB storage devices.\n\nIf you enable this setting, all users using this computer will not be able to read and write USB storage devices."
Disable1394Stor="Disable IEEE 1394 Storage Devices"
Disable1394Stor_Help="Prevents users from using IEEE 1394 storage devices.\n\nIf you enable this setting, all users using this computer will not be able to read and write IEEE 1394 storage devices."
DisableFloppy="Disable Floppy Disk"
DisableFloppy_Help="Prevents users from using floppy disk.\n\nIf you enable this setting, all users using this computer will not be able to read and write floppy disk."
DisableSDcard="Disable SD Storage Card"
DisableSDcard_Help="Prevents users from using SD storage card.\n\nIf you enable this setting, all users using this computer will not be able to read and write SD storage card."
DisableCDBurning="Disable CD Burning Feature"
DisableCDBurning_Help="Prevents users from burning CD.\n\nIf you enable this setting, all users using this computer will not be able to burn CD. Read operation is allowed.\n\nNote: This setting does not prevent users from using third-party applications that don't use IMAPI (Image Mastering Applications Programming Interface) to create or modify CDs using a CD writer.\nIf you want to restrict CD burning feature for each user, use 'Remove CD Burning features' policy setting in User Configuration\Administrative Templates\Windows Components\Windows Explorer."
policynamecd="Disable CD-ROM"
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the CD-ROM Drive select STARTED for the cdrom.sys driver status in the drop-down list."
labeltextcd="cdrom.sys driver status"
Enabled="Stopped"
Disabled="Started"
SUPPORTED_WindowsXPSP2="Microsoft Windows XP Professional SP2 or later"
SUPPORTED_WindowsXPWindowsNET="Microsoft Windows XP or Windows Server 2003"

 

Regards,

Sumit
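
Because these settings persist in the registry after the GPO is removed, it helps to audit what each client currently has and what value to restore. The PowerShell below is an added example, not part of the original post; the function name Get-RemovableStorageLockdown is hypothetical, and the key paths and on/off values are copied from the template above.

```powershell
# Added example: audit the registry values written by the ADM template.
# Blocked = the template's VALUEON, RevertTo = its VALUEOFF (for manual revocation).
$Checks = @(
    @{ Control = 'USB write-protect'; Key = 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'; Name = 'WriteProtect'; Blocked = 1; RevertTo = 0 }
    @{ Control = 'USB storage';       Key = 'SYSTEM\CurrentControlSet\Services\USBStor';      Name = 'Start'; Blocked = 4; RevertTo = 3 }
    @{ Control = 'IEEE 1394 storage'; Key = 'SYSTEM\CurrentControlSet\Services\sbp2port';     Name = 'Start'; Blocked = 4; RevertTo = 0 }
    @{ Control = 'Floppy disk';       Key = 'SYSTEM\CurrentControlSet\Services\Flpydisk';     Name = 'Start'; Blocked = 4; RevertTo = 3 }
    @{ Control = 'SD storage card';   Key = 'SYSTEM\CurrentControlSet\Services\sffdisk';      Name = 'Start'; Blocked = 4; RevertTo = 3 }
    @{ Control = 'CD burning (IMAPI)'; Key = 'SYSTEM\CurrentControlSet\Services\ImapiService'; Name = 'Start'; Blocked = 4; RevertTo = 3 }
    @{ Control = 'CD-ROM driver';     Key = 'SYSTEM\CurrentControlSet\Services\Cdrom';        Name = 'Start'; Blocked = 4; RevertTo = 1 }
)

function Get-RemovableStorageLockdown {
    foreach ($c in $Checks) {
        $path = "HKLM:\$($c.Key)"
        $current = $null
        # A missing key or value (e.g. no floppy driver installed) is reported, not treated as an error.
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($c.Name) }
        }
        [pscustomobject]@{
            Control   = $c.Control
            Path      = $path
            ValueName = $c.Name
            Current   = $(if ($null -eq $current) { '(not set)' } else { $current })
            IsBlocked = ($null -ne $current -and $current -eq $c.Blocked)
            RevertTo  = $c.RevertTo
        }
    }
}

# Read-only report; run from an elevated prompt if key permissions are restricted.
Get-RemovableStorageLockdown | Format-Table -AutoSize
```

The RevertTo column lists the value the template writes when a policy is set to Disabled, which is the value to restore by hand once the GPO no longer applies.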


Comments

Mar 01, 2013 11:46 AM

Is it implemented in the new Symantec version, or is it still awaited? I think this should be done ASAP, as it is very helpful.

Sep 24, 2012 05:08 PM

It's helpful, but it is used through GPO. If it is implemented in SEP, it will really be a big success.

Apr 28, 2012 09:35 PM

I will share the article with my team; if help is required, I will come to you.

Feb 26, 2012 09:04 PM

With this article, can we block Bluetooth?

Jan 30, 2012 12:00 AM

Hi Sumit,

My Name is Harsh.

Thanks for your reply. I respect the solution you have provided; however, the issue which I am trying to address here is of a different magnitude altogether.

I hope someone from Symantec can address this and have a solution for this.

Jan 27, 2012 07:26 AM

Hi Harish,
I know that when the system is in Safe Mode all services stop, but I want to show that if Symantec makes some change in the coding, it will be processed and take effect on the registry through policy, even when the system is in safe/normal mode. If you assign this coding through AD, no one will be able to change it, and it will have the same effect in Safe Mode also.

Jan 27, 2012 03:03 AM

Dear All,

Here my concern is that, since in Safe Mode all the SEP services are stopped, the endpoints should be closed.

Jan 27, 2012 02:47 AM

Hi Sumit,

It seems that the policy will be effective in both safe and normal mode, is it? But it is also important to know how to disable the policy if required.

Jan 27, 2012 12:36 AM

Dear Sumit,

 

Thank you for this nice article. I want to understand where the script or the procedure mentioned by you caters to Safe Mode only?

If we put Deny permissions on usbstore.inf and usbstore.pnf for Everyone, then the USB cannot be used in Normal or any other Safe Mode.

However, from your article it appears to block it only in Safe Mode(s). How?

Thank you
