Saturday, September 25, 2004

Configuring USB Devices to be Read/Only - Windows XP SP2 only

There's been quite a bit of talk recently about the security risk posed by portable USB devices. I saw a neat entry over on Jerry Bryant's security blog which describes a new feature that was added in SP2. Basically, there's a new registry value that turns USB storage devices into Read Only! So I thought it would be fun to see if I could write an ADM file to deploy this via group policy. It turned out to be an interesting learning exercise!!

Here's the template file, ControlUSB.ADM:

#if version <= 2
#endif
CLASS MACHINE
CATEGORY !!WindowsSystemCat
  CATEGORY !!USBControlCat
    POLICY !!ConfigureUSBDeviceStatus
      ;; SUPPORTED needs ADM version 4 or later (the Windows 2000+ policy editor)
      #if version >= 4
        SUPPORTED !!SUPPORTED_WindowXPSP2
      #endif
      ;; Note: this key is NOT under a Policies sub-key, so the setting is not cleaned up
      ;; when the policy no longer applies (see the note below the template)
      KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
      VALUENAME "WriteProtect"
      VALUEON Numeric "1"
      VALUEOFF Numeric "0"
      ;; EXPLAIN needs ADM version 3 or later
      #if version >= 3
        EXPLAIN !!USBUpdateCfg_Help
      #endif
    END POLICY
  END CATEGORY ;; USBControlCat
END CATEGORY ;; WindowsSystemCat

[strings]
WindowsSystemCat="System"
USBControlCat="USB Device Control"
ConfigureUSBDeviceStatus="Set ALL USB Devices on this System to Read Only"
SUPPORTED_WindowXPSP2="Windows XP SP2"
USBUpdateCfg_Help="Specifies whether this system's USB Drives are Read Only or Read Write"

To use this policy, first save it alongside your other templates (%systemroot%\inf). Next, open either the local or the domain group policy editor, import the template, and away you go.

There is one small issue here that caused me to scratch my head. When I first imported the template, I could see the node in the MMC console tree, but the policy did not appear in the results window. I scratched my head for several hours, then got some help from my Greek MCT buddy Dimitris. He pointed out that I had to change the setting in the MMC (View / Filtering, and de-select 'Only show policy settings that can be fully managed'). This happens because the registry key used for this setting is not part of a Policies sub-key, so Group Policy treats it as a preference rather than a true policy. If you apply this setting to a machine and then remove the policy, the setting will remain on your system (unless you reverse it, or take the registry value out). Once you change the view settings, the MMC tool even tells you this!
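The same registry value can be audited, applied and retired directly from an elevated PowerShell prompt, which is the practical way to clean up a machine where the setting has been left behind after the policy was removed. This is an added example, not part of the original post; it assumes a later Windows host that still honours the StorageDevicePolicies key (PowerShell did not ship with XP SP2), and the function names are mine.

```powershell
# Added example: manage the SP2 WriteProtect value that the ADM template above writes.
# Assumes an elevated PowerShell session on a host that honours StorageDevicePolicies.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # Returns 1 (USB storage read-only), 0 (read/write), or $null when the
    # value is absent, which the system treats the same as 0.
    $item = Get-ItemProperty -Path $KeyPath -Name 'WriteProtect' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.WriteProtect
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # The key does not exist by default on a fresh install; create it first.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # REG_DWORD, exactly what the template's VALUEON / VALUEOFF lines write.
    Set-ItemProperty -Path $KeyPath -Name 'WriteProtect' -Value $Value -Type DWord
}

function Remove-UsbWriteProtect {
    # Because the key lives outside the Policies hives, unlinking the GPO does
    # not undo it. Removing the value is the "take the registry key out" step.
    if ($null -ne (Get-UsbWriteProtect)) {
        Remove-ItemProperty -Path $KeyPath -Name 'WriteProtect'
    }
}

# Report the current state so an admin can spot a left-behind setting.
switch (Get-UsbWriteProtect) {
    1       { 'USB storage is READ ONLY (WriteProtect=1)' }
    0       { 'USB storage is read/write (WriteProtect=0)' }
    default { 'WriteProtect value not present (read/write)' }
}
```

Run Set-UsbWriteProtect 1 to lock USB storage, Set-UsbWriteProtect 0 to unlock it, and Remove-UsbWriteProtect when the policy has been retired and you want the machine back to its default state.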
