Ideas on how to prevent users from being able to install hardware

#1 | madmatt | August 26th, 2004

Good day folks. As most of us know, Windows does not make it easy to prevent users from installing PnP hardware, since you can just plug a device in and it will automatically install. There are a few solutions out there; however, none of them seem to be bulletproof.

I have attempted to reset the permissions (ACLs) for the driver.cab (C:\WINNT\Driver Cache\i386\driver.cab) to deny all for SYSTEM, Users (group), and Power Users (group).

I have also attempted to delete the driver.cab file and the sp4.cab file.

Lastly, I attempted to modify the registry key that points to the driver cache.

However, some devices are still able to install themselves because it appears the drivers are kept right on the device itself.

I really don't want to purchase a license to DeviceLock or similar software applications. So my question: Does anyone have any ideas on how to prevent PnP software (such as Thumb Drives, USB Keys, memory card readers, cameras, PDAs, etc. etc. etc.) from being installed automatically and forcing administrator credentials?

Microsoft Support Document: http://support.microsoft.com/?kbid=241367
Other Documents: http://www.windowsdevcenter.com/pub/...t&x-maxdepth=0

#2 | Reg | August 26th, 2004

Start-->Run-->gpedit.msc

Under Computer Configuration-->Administrative Templates-->Windows Components-->Windows Installer, configure the options to your liking.

#3 | madmatt | August 26th, 2004

Originally Posted by Reg
Start-->Run-->gpedit.msc

Under Computer Configuration-->Administrative Templates-->Windows Components-->Windows Installer, configure the options to your liking.

Okay, this may sound rude. But... Windows Installer has NOTHING to do with hardware (PnP) installation. If you read either one of those documents I provided you would see it's not so simple and that there is no such policy in the Group Policy that allows an administrator to prohibit such installations. WI is for software based installs only; not hardware.

Nice try.

#4 | Henyman | August 26th, 2004

despite the massive security threats of plugging in an unknown usb device even a guest user can use a 32mb flash drive, perhaps disabling pnp altogether?


start >> run >> services.msc


go down to plug and play service and have a play with it?

either turn it off, or restrict access to it?

#5 | madmatt | August 26th, 2004

Already tried that. Other services are dependent upon it. By disabling the service you generate other problems. Not worth the hassle.

#6 | Henyman | August 26th, 2004

dam

#7 | bush dogg | August 26th, 2004

If it's front usb ports have you thought of opening the case and unhooking them?

Might check in the bios also, I've had people tell me there is an option in there. (I looked before posting on both my systems, I don't have that option in either system but worth a look)

Are there other usb devices in use?

Something else to look at "device manager/usb controllers/right click each usb root hub select properties/general tab at the bottom it will say device usage "use this device enable" you could set one to disable see if that helps.
(I have not tried this with the root hub but may work)

#8 | Lee | August 26th, 2004

What about http://www.grc.com/unpnp/unpnp.htm stand on me if I misunderstood the thread.

#9 | Reg | August 26th, 2004

Here's an option for you:

Disable access to the USB based upon groups. For example, it is possible to disable access for USB Mass Storage devices to only administrators by changing the permissions on:

%SystemRoot%\INF\Usbstor.pnf
%SystemRoot%\INF\Usbstor.inf

To deny non-administrators access. This works assuming that the device has not already been installed. If it has been installed, you can perform some registry edits to uninstall it. I have done this with storage only, but I don't see why you can do this to the Port, Printer, Video, and Storage drivers.

A Microsoft article exists on this and can be found at http://support.microsoft.com/?kbid=823732






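
The file-permission approach from the post above, as an added PowerShell example that is not part of the thread or of the linked Microsoft article. It assumes an elevated session and uses `BUILTIN\Users` as a stand-in for the non-administrator group; the function name `Set-UsbStorInfDeny` is hypothetical, and PowerShell (which postdates the thread) is used only for illustration.

```powershell
# Added example: put a Deny ACE for one group on the USB mass-storage driver
# files named in the post, or only audit whether such an ACE is in place.
# Assumptions: elevated session; 'BUILTIN\Users' stands in for non-administrators.
function Set-UsbStorInfDeny {
    param(
        [string]$Group = 'BUILTIN\Users',
        [switch]$AuditOnly            # report current state, change nothing
    )
    $infDir = Join-Path $env:SystemRoot 'INF'
    foreach ($name in 'Usbstor.inf', 'Usbstor.pnf') {
        $path = Join-Path $infDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "$path not found, skipping"
            continue
        }
        # True when the file already carries a Deny entry for the group.
        $test = {
            [bool]((Get-Acl -LiteralPath $path).Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq $Group
            })
        }
        $hasDeny = & $test
        if (-not $hasDeny -and -not $AuditOnly) {
            $acl  = Get-Acl -LiteralPath $path
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $Group, 'FullControl', 'Deny'
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $path -AclObject $acl
            # Re-read the ACL so the report reflects what is actually on disk.
            $hasDeny = & $test
        }
        [pscustomobject]@{ File = $path; Group = $Group; DenyInPlace = $hasDeny }
    }
}

# Audit first; drop -AuditOnly to apply the Deny entries.
Set-UsbStorInfDeny -AuditOnly
```

As the post says, this only helps on machines where the device has not already been installed, so check the audit output on a test workstation before rolling it out.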

#10 | NetRyder | August 26th, 2004

Originally Posted by Lee
What about http://www.grc.com/unpnp/unpnp.htm stand on me if I misunderstood the thread.
PnP and UPnP are two very different things.
PnP = seamless installation of hardware device drivers
UPnP = dynamic opening and closing of network ports as and when requested by applications

#11 | madmatt | August 26th, 2004

bush dogg: That's not an option for many reasons. The big one is that I would be doing that all day long for a month straight (a lot of workstations).

Lee, NR said it right.

Reg, you *might* be onto something. Although, the article provided is based on Windows XP so it might not work for Windows 2000. It's worth a shot though. Thank you.

#12 | dreamliner77 | August 27th, 2004

I find that a very large handgun works well.

#13 | leedogg | August 27th, 2004

Here you go:

http://www.winguardpro.com/index.html

FEATURES
In-depth feature listing of Winguard Pro 2004:
  • Built-in programs: There are over 25 of the most common programs built-in for locking on the free version. Whilst premium users get over 50 built-in programs.
  • Lock your own programs (Premium only): You can also add any of your own programs for locking. Though many are built-in.
  • Fully configurable: The software comes with its own Configuration tool, which is very user friendly, and if you get stuck there is a Help menu to hand.
  • Password timer: You can set in seconds how long you want to give users to enter the password to access any locked programs. This can help deter hackers.
  • Screen blank: You can have the screen blank in emergencies, this prevents any use of the computer, and blacks out the screen only leaving a password box to access the entire system.
  • Hide access to the configuration tool: You can stop users from accessing the configuration tool by setting your own password on it. You can also stop them trying to guess the password by disabling the icon on the system tray.
  • Extra Locking: Did we tell you about Extra Locking? This lets you lock even more features down on your PC. Such as the Desktop, My Computer, Internet Access, Internet Downloading, Software Installations and much more.
  • Stop people installing software (Premium only): This is a must have for those of you who are sick of users installing software on your computers without your consent. With this feature just a simple click is all that's needed and the software will disable Setup programs, Installers, Self Extracting Exe's, Zip files, the lot.
  • Help prevent viruses: Using the above feature to stop software installs, this will help prevent such viruses that may be contained in program the user is trying to install.
  • Lock Files & Folders too: Keep users out of files or entire folders using the optional addon.
  • Online help: Get help fast using the online help feature.
  • It's easy to use: It will not bite! It is very easy to use, and looks nice too.
  • 24 hour technical support: You can also email us for help, and our friendly staff will get back to you promptly.
  • It's free: WinGuard Pro 2004 is as it states FREE! There are no time limits, or restrictions in the free version whatsoever.

#14 | devynal | August 27th, 2004

Matt is a nerd.

And stop being rude.

#15 | Ferral_Imp | August 27th, 2004

I don't know how well this would work for you but whenever I don't want my brother to use the internet on my comp I just take out the phone line and tape the jack shut.

#16 | madmatt | August 28th, 2004

Reg, no go. It only works for XP, not 2000.

Jef, shush.

Ferral Imp, I don't think that would work very well. Nice try.

#17 | Khayman | August 28th, 2004

I know it is possible, cause on the network (running w2k) where I work they have disabled usb hardware installation for some users.
Don't know how, though just thought it might give you some hope

#18 | madmatt | August 29th, 2004

Originally Posted by Khayman
I know it is possible, cause on the network (running w2k) where I work they have disabled usb hardware installation for some users.
Don't know how, though just thought it might give you some hope
They are probably running a program such as DeviceLock which runs on client side as a Windows service. I've given up hope.

Time to start testing the company's applications against XP.

#19 | Ferral_Imp | August 29th, 2004

If the usb ports are on the front of the computers couldn't you attach a door over them then use a small lock of some sort to secure it closed? (kinda like when some ppl lock their fridge by attaching a lock hasp on it then using a padlock to secure it.)

#20 | madmatt | August 30th, 2004

I'll hire you. Come and see if you think that's possible. I'll also need a solution for the ports on the back.

My opinion: LOL. Sorry. Thanks.
