Ideas on how to prevent users from being able to install hardware

madmatt

Good day folks. As most of us know, Windows does not make it easy to prevent users from installing PnP hardware, since you can just plug a device in and it will automatically install. There are a few solutions out there; however, none of them seem to be bulletproof.

I have attempted to reset the permissions (ACLs) for the driver.cab (C:\WINNT\Driver Cache\i386\driver.cab) to deny all for SYSTEM, Users (group), and Power Users (group).

I have also attempted to delete the driver.cab file and the sp4.cab file.

Lastly, I attempted to modify the registry key that points to the driver cache.

However, some devices are still able to install themselves because it appears the drivers are kept right on the device itself.

I really don't want to purchase a license to DeviceLock or similar software applications. So my question: Does anyone have any ideas on how to prevent PnP software (such as Thumb Drives, USB Keys, memory card readers, cameras, PDAs, etc. etc. etc.) from being installed automatically and forcing administrator credentials?

Microsoft Support Document: http://support.microsoft.com/?kbid=241367
Other Documents: http://www.windowsdevcenter.com/pub...rverhacks_install.html?page=last&x-maxdepth=0
 
Start-->Run-->gpedit.msc

Under Computer Configuration-->Administrative Templates-->Windows Components-->Windows Installer, configure the options to your liking.
 
Reg said:
Start-->Run-->gpedit.msc

Under Computer Configuration-->Administrative Templates-->Windows Components-->Windows Installer, configure the options to your liking.


Okay, this may sound rude. But... Windows Installer has NOTHING to do with hardware (PnP) installation. If you read either one of those documents I provided you would see it's not so simple and that there is no such policy in the Group Policy that allows an administrator to prohibit such installations. WI is for software based installs only; not hardware.

Nice try.
 
despite the massive security threats of plugging in an unknown usb device even a guest user can use a 32mb flash drive :eek: , perhaps disabling pnp altogether?


start >> run >> services.msc


go down to plug and play service and have a play with it?

either turn it off, or restrict access to it?
 
Already tried that. Other services are dependent upon it. By disabling the service you generate other problems. Not worth the hassle.
 
If it's front usb ports have you thought of opening the case and unhooking them?

Might check in the bios also, I've had people tell me there is an option in there.
(I looked before posting on both my systems, I don't have that option in either system but worth a look)

Are there other usb devices in use?

Something else to look at "device manager/usb controllers/right click each usb root hub select properties/general tab at the bottom it will say device usage "use this device enable" you could set one to disable see if that helps.
(I have not tried this with the root hub but may work)
 
Here's an option for you:

Disable access to the USB based upon groups. For example, it is possible to disable access for USB Mass Storage devices to only administrators by changing the permissions on:

%SystemRoot%\INF\Usbstor.pnf
%SystemRoot%\INF\Usbstor.inf

To deny non-administrators access. This works assuming that the device has not already been installed. If it has been installed, you can perform some registry edits to uninstall it. I have done this with storage only, but I don't see why you can do this to the Port, Printer, Video, and Storage drivers.

A Microsoft article exists on this and can be found at http://support.microsoft.com/?kbid=823732
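
The permission change described in the post above, as an added example (not code from the thread or from the Microsoft article): a PowerShell script that reports whether a Deny entry already exists on the two INF files and adds one only when run with `-Apply`. The default group `BUILTIN\Users` and the parameter names are assumptions.

```powershell
# Added example: audit, and with -Apply add, Deny entries on the USB storage INF files.
# The default principal and the parameter names are assumptions, not from the thread.
param(
    [string[]]$Principals = @('BUILTIN\Users'),
    [switch]$Apply
)

$read  = [int][System.Security.AccessControl.FileSystemRights]::Read
$files = 'Usbstor.pnf', 'Usbstor.inf' |
    ForEach-Object { Join-Path $env:SystemRoot "INF\$_" }

foreach ($file in $files) {
    if (-not (Test-Path -Path $file)) {
        Write-Warning "$file not found, nothing to restrict"
        continue
    }
    $acl = Get-Acl -Path $file
    foreach ($principal in $Principals) {
        # A Deny entry covering read access is what the post's permission change amounts to.
        $denied = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $principal -and
            (([int]$_.FileSystemRights -band $read) -eq $read)
        }).Count -gt 0

        $action = 'none'
        if (-not $denied -and $Apply) {
            try {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $principal, 'FullControl', 'Deny'
                $acl.AddAccessRule($rule)
                Set-Acl -Path $file -AclObject $acl   # needs an elevated session
                $action = 'deny added'
            } catch {
                # Unknown group name or insufficient rights on the file end up here.
                $action = "failed: $($_.Exception.Message)"
            }
        }
        # One result row per file and principal, so the output can be exported or filtered.
        [pscustomobject]@{
            File        = $file
            Principal   = $principal
            DenyPresent = $denied
            Action      = $action
        }
    }
}
```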
 
Lee said:
What about http://www.grc.com/unpnp/unpnp.htm stand on me if I misunderstood the thread.

PnP and UPnP are two very different things.

PnP = seamless installation of hardware device drivers
UPnP = dynamic opening and closing of network ports as and when requested by applications
 
bush dogg: That's not an option for many reasons. The big one is that I would be doing that all day long for a month straight (a lot of workstations).

Lee, NR said it right.

Reg, you *might* be onto something. Although, the article provided is based on Windows XP so it might not work for Windows 2000. It's worth a shot though. Thank you.
 
Here you go:

http://www.winguardpro.com/index.html

FEATURES
In-depth feature listing of Winguard Pro 2004:

  • Built-in programs: There are over 25 of the most common programs built-in for locking on the free version. Whilst premium users get over 50 built-in programs.
  • Lock your own programs (Premium only): You can also add any of your own programs for locking. Though many are built-in.
  • Fully configurable: The software comes with its own Configuration tool, which is very user friendly, and if you get stuck there is a Help menu to hand.
  • Password timer: You can set in seconds how long you want to give users to enter the password to access any locked programs. This can help deter hackers.
  • Screen blank: You can have the screen blank in emergencies, this prevents any use of the computer, and blacks out the screen only leaving a password box to access the entire system.
  • Hide access to the configuration tool: You can stop users from accessing the configuration tool by setting your own password on it. You can also stop them trying to guess the password by disabling the icon on the system tray.
  • Extra Locking: Did we tell you about Extra Locking? This lets you lock even more features down on your PC. Such as the Desktop, My Computer, Internet Access, Internet Downloading, Software Installations and much more.
  • Stop people installing software (Premium only): This is a must have for those of you who are sick of users installing software on your computers without your consent. With this feature just a simple click is all that's needed and the software will disable Setup programs, Installers, Self Extracting Exe's, Zip files, the lot.
  • Help prevent viruses: Using the above feature to stop software installs, this will help prevent such viruses that may be contained in program the user is trying to install.
  • Lock Files & Folders too: Keep users out of files or entire folders using the optional addon.
  • Online help: Get help fast using the online help feature.
  • It's easy to use: It will not bite! It is very easy to use, and looks nice too.
  • 24 hour technical support: You can also email us for help, and our friendly staff will get back to you promptly.
  • It's free: WinGuard Pro 2004 is as it states FREE! There are no time limits, or restrictions in the free version whatsoever.
:)
 
I don't know how well this would work for you but whenever I don't want my brother to use the internet on my comp I just take out the phone line and tape the jack shut.
 
Reg, no go. It only works for XP, not 2000.

Jef, shush.

Ferral Imp, I don't think that would work very well. Nice try.
 
I know it is possible, cause on the network (running w2k) where I work they have disabled usb hardware installation for some users.
Don't know how, though :) just thought it might give you some hope :)
 
Khayman said:
I know it is possible, cause on the network (running w2k) where I work they have disabled usb hardware installation for some users.
Don't know how, though :) just thought it might give you some hope :)

They are probably running a program such as DeviceLock which runs on client side as a Windows service. I've given up hope.

Time to start testing the company's applications against XP.
 
If the usb ports are on the front of the computers couldn't you attach a door over them then use a small lock of some sort to secure it closed? (kinda like when some ppl lock their fridge by attaching a lock hasp on it then using a padlock to secure it.)
 
I'll hire you. Come and see if you think that's possible. I'll also need a solution for the ports on the back.

My opinion: LOL. Sorry. Thanks.
 
