So is the consensus that only admin level accounts can install USB drives?
Making regular users local admins is totally contradictory to the basic security
principle of granting least privilege. With Microsoft, and others, finally
looking at security as foundational, are we supposed to throw all the
hard-won security gains out the window so we can allow students to use their
USB drives the way they’re (already) allowed to use floppies and writable
CDs? I find it outrageous that it’s impossible to implement a policy that
allows unprivileged users to add simple memory keys, yet provision was made
for blocking access! There has to be a way...
--
Time is the quality of nature that keeps events from happening all at once.
Lately it doesn't seem to be working. —Anonymous
"manual updates" wrote:
> Troubled with USB installations?
>
> Although XP supports USB devices natively, USB is still problematic
> for administrators. The response below from Nathan is clear but
> missing important detail. When he says "install software" he groups
> at least three things that can happen on the computer. (3) The last
> thing you might do is install software, like a picture viewer for a
> USB camera, but that's not really the issue here. (2) More to the
> point, you need to install a driver if the computer can't find a
> "hardware-rank matched" driver. (1) And for some even greater
> explanation of what is going on... you are asking the computer to
> associate your device serial number with the USB port.
>
> In Windows XP a user needs ADMINISTRATIVE membership to (1) associate
> the device to a USB port, (2) to install drivers, (3) and to install
> software.
>
> Why are some drivers "hardware rank matched"? It depends if the
> vendor follows Microsoft's rules for hardware and driver development.
> The vendor has to join the club so to speak:
> http://www.microsoft.com/whdc/device/mf/mfdesign.mspx
>
> KB-2194335 discusses a "properly-signed OEM driver package". This
> article explains why standard users have problems with USB devices in
> Windows 2000.
> http://support.microsoft.com/default...b;EN-US;219435
>
> Many users are happy using devices at home that are not signed by
> Microsoft. When users plug those devices into school computers with
> NON ADMINISTRATIVE ACCESS, they have a harder time accessing their
> device than users of devices with signed drivers. But wait... even if
> they have a signed device, ADMINISTRATIVE ACCESS is required for the
> very first installation of the device.
>
> School administrators want to enable students to use USB devices as
> easily as floppy disks. Corporate and government administrators often
> want to block unapproved USB devices.
>
> The policies that Nathan referred to are limited. "Local Security
> Policy" for "unsigned driver installation behavior" only applies to
> administrators. The choices are silently succeed, warn, or do not
> allow. Standard users will not benefit from these settings.
> Administrative membership is required. EVEN WITH THE ADDITION OF XP
> SERVICE PACK 2 the policy hasn't changed very much. Here's a
> description:
>
> - - - - -
> Determines how the system responds when a user tries to install device
> driver files that are not digitally signed. This setting establishes
> the least secure response permitted on the systems of users in the
> group. Users can use System in Control Panel to select a more secure
> setting, but when this setting is enabled, the system does not
> implement any setting less secure than the one the setting
> established. When you enable this setting, use the drop-down box to
> specify the desired response.
>
> -- Ignore directs the system to proceed with the installation even if
>    it includes unsigned files.
> -- Warn notifies the user that files are not digitally signed and lets
>    the user decide whether to stop or to proceed with the installation
>    and whether to permit unsigned files to be installed. Warn is the
>    default.
> -- Block directs the system to refuse to install unsigned files. As a
>    result, the installation stops, and none of the files in the driver
>    package are installed.
>
> To change driver file security without specifying a setting, use
> System in Control Panel. Right-click My Computer, click Properties,
> click the Hardware tab, and then click the Driver Signing button.
> - - - - -
>
> I haven't mentioned "domain policy", but I think the question was
> about "local security policy". I think the two are the same in this
> case.
>
> There is one alternative. Give students membership in the
> Administrators group but lock down the local policies in all other areas.
> This would be rather frustrating to implement. The result would not
> be the same as a standard user with boosted USB access.
>
> Microsoft is trying to make machines more secure, while the New York
> Times and CNet tell us that USB flash devices are a fashion statement
> and required in some classes.
> http://news.com.com/From+storage,+a+...3-5378415.html
>
> School administrators need to allow standard users to install USB
> devices.
>
> -Happy Happy Joy Joy
>
>
> Nathan McNulty <nospam@msn.com> wrote in message news:<e77bEQaoEHA.2300@TK2MSFTNGP10.phx.gbl>...
> > I can't really answer that directly, but you should be able to add just
> > about any USB device that XP supports natively without having to install
> > any extra software. Now if you have to install Software for it, that
> > may be where you are being blocked. It also depends on what kind of
> > policy the administrator has set up.
> >
> > Basically, all USB devices use a Vendor ID for the device (this is how
> > XP recognizes the devices at the driver level). It may be possible
> > that some VIDs are blocked, but since I have never used a user account
> > (not an admin account), I have never tried.
> >
> > ----
> > Nathan McNulty
> >
> >
> > Darran wrote:
> > > Does anyone know what USB devices can be installed on an XP build without any
> > > admin rights? Things like mice, keyboards etc seem to go on ok for all people
> > > but it seems to get more confusing when we start talking about modems and
> > > memory sticks. Is there a definitive list of devices or is it too random
> > > because of the many different types of devices on the market? At what point
> > > does the machine decide if rights are or are not needed?
> > >
> > > No prize for a nice conclusive answer unfortunately but I would as always
> > > be extremely grateful!
> > >
> > > D
>