Ideas on how to prevent users from being able to install hardware

Discussion in 'Windows Desktop Systems' started by madmatt, Aug 26, 2004.

  1. madmatt

    Good day folks. As most of us know, Windows does not make it easy to prevent users from installing PnP hardware, since you can just plug a device in and it will automatically install. There are a few solutions out there; however, none of them seem to be bulletproof.

    I have attempted to reset the permissions (ACLs) for the driver.cab (C:\WINNT\Driver Cache\i386\driver.cab) to deny all for SYSTEM, Users (group), and Power Users (group).

    I have also attempted to delete the driver.cab file and the sp4.cab file.

    Lastly, I attempted to modify the registry key that points to the driver cache.

    However, some devices are still able to install themselves because it appears the drivers are kept right on the device itself.

    I really don't want to purchase a license to DeviceLock or similar software applications. So my question: Does anyone have any ideas on how to prevent PnP software (such as Thumb Drives, USB Keys, memory card readers, cameras, PDAs, etc. etc. etc.) from being installed automatically and forcing administrator credentials?

    Microsoft Support Document: http://support.microsoft.com/?kbid=241367
    Other Documents: http://www.windowsdevcenter.com/pub...rverhacks_install.html?page=last&x-maxdepth=0
     
  2. Reg

    Start-->Run-->gpedit.msc

    Under Computer Configuration-->Administrative Templates-->Windows Components-->Windows Installer, configure the options to your liking.
     
  3. madmatt

    Okay, this may sound rude. But... Windows Installer has NOTHING to do with hardware (PnP) installation. If you read either one of those documents I provided you would see it's not so simple and that there is no such policy in the Group Policy that allows an administrator to prohibit such installations. WI is for software based installs only; not hardware.

    Nice try.
     
  4. Henyman

    Despite the massive security threats of plugging in an unknown USB device, even a guest user can use a 32MB flash drive :eek: . Perhaps disabling PnP altogether?

    start >> run >> services.msc

    Go down to the Plug and Play service and have a play with it?

    Either turn it off, or restrict access to it?
     
  5. madmatt

    Already tried that. Other services are dependent upon it. By disabling the service you generate other problems. Not worth the hassle.
     
  6. Henyman

  7. bush dogg

    If it's front USB ports, have you thought of opening the case and unhooking them?

    Might check in the BIOS also, I've had people tell me there is an option in there.
    (I looked before posting on both my systems, I don't have that option in either system but worth a look)

    Are there other USB devices in use?

    Something else to look at: "device manager/usb controllers/right click each usb root hub select properties/general tab at the bottom it will say device usage "use this device enable"". You could set one to disable, see if that helps.
    (I have not tried this with the root hub but may work)
     
  8. Lee

  9. Reg

    Here's an option for you:

    Disable access to the USB based upon groups. For example, it is possible to disable access for USB Mass Storage devices to only administrators by changing the permissions on:

    %SystemRoot%\INF\Usbstor.pnf
    %SystemRoot%\INF\Usbstor.inf

    To deny non-administrators access. This works assuming that the device has not already been installed. If it has been installed, you can perform some registry edits to uninstall it. I have done this with storage only, but I don't see why you can do this to the Port, Printer, Video, and Storage drivers.

    A Microsoft article exists on this and can be found at http://support.microsoft.com/?kbid=823732
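
The approach in the post above as a batch script (an added example, not Reg's or Microsoft's code). The group name is supplied by the caller; reading "registry edits" as setting the UsbStor service's Start value to 4 (disabled), the script name `lockusb.cmd`, and the availability of `reg.exe` on the target system are assumptions.

```batch
@echo off
rem Added example: deny one group access to the USB mass-storage driver files
rem named in the post, then disable the driver service if it is already there.
rem Run as an administrator. Usage: lockusb.cmd "DOMAIN\GroupName"
setlocal
set "GROUP=%~1"
if "%GROUP%"=="" (
    echo usage: %~nx0 "DOMAIN\GroupName"
    exit /b 1
)
rem A Deny entry overrides any Allow entry, so the group must not contain
rem SYSTEM or the administrators who still need to install storage devices.
set "FAILED=0"
for %%F in (Usbstor.inf Usbstor.pnf) do (
    if exist "%SystemRoot%\Inf\%%F" (
        rem /E edits the existing ACL instead of replacing it; /D adds a Deny entry.
        cacls "%SystemRoot%\Inf\%%F" /E /D "%GROUP%" || set "FAILED=1"
    ) else (
        echo %%F not found, nothing to lock
    )
)
rem If a USB storage device was installed before, the UsbStor service key exists.
rem Start=4 marks the service disabled (assumed meaning of "registry edits").
set "SVC=HKLM\SYSTEM\CurrentControlSet\Services\UsbStor"
reg query "%SVC%" /v Start >nul 2>&1
if errorlevel 1 (
    echo UsbStor service key not present, file permissions are the only control
) else (
    reg add "%SVC%" /v Start /t REG_DWORD /d 4 /f || set "FAILED=1"
)
rem Show the resulting ACLs so the Deny entries can be checked by eye.
for %%F in (Usbstor.inf Usbstor.pnf) do (
    if exist "%SystemRoot%\Inf\%%F" cacls "%SystemRoot%\Inf\%%F"
)
if "%FAILED%"=="1" echo One or more steps failed, review the output above
exit /b %FAILED%
```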
     
  10. NetRyder

    PnP and UPnP are two very different things.
    PnP = seamless installation of hardware device drivers
    UPnP = dynamic opening and closing of network ports as and when requested by applications
     
  11. madmatt

    bush dogg: That's not an option for many reasons. The big one is that I would be doing that all day long for a month straight (a lot of workstations).

    Lee, NR said it right.

    Reg, you *might* be onto something. Although, the article provided is based on Windows XP so it might not work for Windows 2000. It's worth a shot though. Thank you.
     
  12. dreamliner77

    I find that a very large handgun works well.
     
  13. leedogg

    Here you go:

    http://www.winguardpro.com/index.html

    FEATURES
    In-depth feature listing of Winguard Pro 2004:

    • Built-in programs: There are over 25 of the most common programs built-in for locking on the free version, whilst premium users get over 50 built-in programs.
    • Lock your own programs (Premium only): You can also add any of your own programs for locking. Though many are built-in.
    • Fully configurable: The software comes with its own Configuration tool, which is very user friendly, and if you get stuck there is a Help menu to hand.
    • Password timer: You can set in seconds how long you want to give users to enter the password to access any locked programs. This can help deter hackers.
    • Screen blank: You can have the screen blank in emergencies. This prevents any use of the computer, and blacks out the screen, only leaving a password box to access the entire system.
    • Hide access to the configuration tool: You can stop users from accessing the configuration tool by setting your own password on it. You can also stop them trying to guess the password by disabling the icon on the system tray.
    • Extra Locking: Did we tell you about Extra Locking? This lets you lock even more features down on your PC. Such as the Desktop, My Computer, Internet Access, Internet Downloading, Software Installations and much more.
    • Stop people installing software (Premium only): This is a must have for those of you who are sick of users installing software on your computers without your consent. With this feature just a simple click is all that's needed and the software will disable Setup programs, Installers, Self Extracting Exe's, Zip files, the lot.
    • Help prevent viruses: Using the above feature to stop software installs, this will help prevent such viruses that may be contained in a program the user is trying to install.
    • Lock Files & Folders too: Keep users out of files or entire folders using the optional addon.
    • Online help: Get help fast using the online help feature.
    • It's easy to use: It will not bite! It is very easy to use, and looks nice too.
    • 24 hour technical support: You can also email us for help, and our friendly staff will get back to you promptly.
    • It's free: WinGuard Pro 2004 is as it states FREE! There are no time limits, or restrictions in the free version whatsoever.
    :)
     
  14. devynal

    Matt is a nerd.

    And stop being rude. :)
     
  15. Ferral_Imp

    I don't know how well this would work for you but whenever I don't want my brother to use the internet on my comp I just take out the phone line and tape the jack shut.
     
  16. madmatt

    Reg, no go. It only works for XP, not 2000.

    Jef, shush.

    Ferral Imp, I don't think that would work very well. Nice try.
     
  17. Khayman

    I know it is possible, 'cause on the network (running W2K) where I work they have disabled USB hardware installation for some users.
    Don't know how, though :) just thought it might give you some hope :)
     
  18. madmatt

    They are probably running a program such as DeviceLock which runs on the client side as a Windows service. I've given up hope.

    Time to start testing the company's applications against XP.
     
  19. Ferral_Imp

    If the USB ports are on the front of the computers, couldn't you attach a door over them then use a small lock of some sort to secure it closed? (kinda like when some ppl lock their fridge by attaching a lock hasp on it then using a padlock to secure it.)
     
  20. madmatt

    I'll hire you. Come and see if you think that's possible. I'll also need a solution for the ports on the back.

    My opinion: LOL. Sorry. Thanks.