USB Expert Required!!


Guest

Does anyone know what USB devices can be installed on an XP build without any
admin rights? Things like mice, keyboards etc. seem to go on OK for all people
but it seems to get more confusing when we start talking about modems and
memory sticks. Is there a definitive list of devices or is it too random
because of the many different types of devices on the market? At what point
does the machine decide if rights are or are not needed?

No prize for a nice conclusive answer unfortunately but I would as always
be extremely grateful!

 
I can't really answer that directly, but you should be able to add just
about any USB device that XP supports natively without having to install
any extra software. Now if you have to install software for it, that
may be where you are being blocked. It also depends on what kind of
policy the administrator has set up.

Basically, all USB devices use a Vendor ID for the device (this is how
XP recognizes the devices at the driver level). It may be possible
that some VIDs are blocked, but since I have never used a user account
(not an admin account), I have never tried.
 
Troubled with USB installations?

Although XP supports USB devices natively, USB is still problematic
for administrators. The response below from Nathan is clear but
missing important detail. When he says "install software" he groups
at least three things that can happen on the computer. (3) The last
thing you might do is install software, like a picture viewer for a
USB camera, but that's not really the issue here. (2) More to the
point, you need to install a driver if the computer can't find a
"hardware-rank matched" driver. (1) And for some even greater
explanation of what is going on... you are asking the computer to
associate your device serial number with the USB port.

In Windows XP a user needs ADMINISTRATIVE membership to (1) associate
the device to a USB port, (2) to install drivers, (3) and to install
software.

Why are some drivers "hardware rank matched"? It depends if the
vendor follows Microsoft's rules for hardware and driver development.
The vendor has to join the club so to speak:
http://www.microsoft.com/whdc/device/mf/mfdesign.mspx

KB-2194335 discusses a "properly-signed OEM driver package". This
article explains why standard users have problems with USB devices in
Windows 2000.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;219435

Many users are happy using devices at home that are not signed by
Microsoft. When users plug those devices into school computers with
NON ADMINISTRATIVE ACCESS, they have a harder time accessing their
device than users of devices with signed drivers. But wait... even if
they have a signed device, ADMINISTRATIVE ACCESS is required for the
very first installation of the device.

School administrators want to enable students to use USB devices as
easily as floppy disks. Corporate and government administrators often
want to block unapproved USB devices.

The policies that Nathan referred to are limited. "Local Security
Policy" for "unsigned driver installation behavior" only applies to
administrators. The choices are silently succeed, warn, or do not
allow. Standard users will not benefit from these settings.
Administrative membership is required. EVEN WITH THE ADDITION OF XP
SERVICE PACK 2 the policy hasn't changed very much. Here's a
description:

- - - - -
Determines how the system responds when a user tries to install device
driver files that are not digitally signed. This setting establishes
the least secure response permitted on the systems of users in the
group. Users can use System in Control Panel to select a more secure
setting, but when this setting is enabled, the system does not
implement any setting less secure than the one the setting
established. When you enable this setting, use the drop-down box to
specify the desired response.

-- Ignore directs the system to proceed with the installation even if
   it includes unsigned files.
-- Warn notifies the user that files are not digitally signed and lets
   the user decide whether to stop or to proceed with the installation
   and whether to permit unsigned files to be installed. Warn is the
   default.
-- Block directs the system to refuse to install unsigned files. As a
   result, the installation stops, and none of the files in the driver
   package are installed.

To change driver file security without specifying a setting, use
System in Control Panel. Right-click My Computer, click Properties,
click the Hardware tab, and then click the Driver Signing button.
- - - - -

I haven't mentioned "domain policy", but I think the question was
about "local security policy". I think the two are the same in this
case.

There is one alternative. Give students membership to the
Administrators but lock-down the local policies in all other areas.
This would be rather frustrating to implement. The result would not
be the same as a standard user with boosted USB access.

Microsoft is trying to make machines more secure, while the New York
Times and CNet tell us that USB flash devices are a fashion statement
and required in some classes.
http://news.com.com/From+storage,+a+new+fashion/2100-1041_3-5378415.html

School administrators need to allow standard users to install USB
devices.

-Happy Happy Joy Joy
 
Additional local security policy to consider:

http://www.microsoft.com/windows200.../windows2000/techinfo/reskit/en-us/gp/543.asp

Load and unload device drivers
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description
Determines which users can dynamically load and unload device drivers.
This privilege is necessary for installing drivers for Plug and Play
devices.

This user right is defined in the Default Domain Controller Group
Policy object (GPO) and in the local security policy of workstations
and servers.

The default groups that have this right on each platform are:

Workstations and Servers: Administrators
Domain Controllers: Administrators
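
An added example, not part of the original post: a defender-side audit of who actually holds the "Load and unload device drivers" right (internal name `SeLoadDriverPrivilege`) on a workstation. It assumes the input is the text of a `secedit /export /cfg <file> /areas USER_RIGHTS` export; the sample export and the `LABPC\student` account are constructed for illustration.

```python
# Well-known SIDs (fixed on every Windows install).
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
}
ADMIN_NAMES = {"s-1-5-32-544", "administrators", "builtin\\administrators"}
RIGHT = "SeLoadDriverPrivilege"  # "Load and unload device drivers"

def holders_of(export_text, right=RIGHT):
    """Return the principals granted `right` in a secedit export."""
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only the [Privilege Rights] section lists user rights.
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() != right.lower():
            continue
        # Comma-separated entries; SIDs carry a leading '*', names do not.
        return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []  # right not listed: no principal holds it

def audit(export_text):
    """Return every holder of the right other than Administrators."""
    return [WELL_KNOWN.get(p.upper(), p)
            for p in holders_of(export_text)
            if p.lower() not in ADMIN_NAMES]

# Constructed sample export (real exports are usually UTF-16 files;
# read them with open(path, encoding="utf-16")).
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-545,LABPC\\student
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for principal in audit(SAMPLE):
        print("non-admin holder of", RIGHT + ":", principal)
```

An empty result from `audit` means the right is still at the Administrators-only default described in the post.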
 
So is the consensus that only admin level accounts can install USB drives?
Making regular users local admins is totally contradictory to the basic security
principle of granting least privilege. With Microsoft, and others, finally
looking at security as foundational, are we supposed to throw all the
hard-won security gains out the window so we can allow students to use their
USB drives the way they’re (already) allowed to use floppies and writable
CDs? I find it outrageous that it’s impossible to implement a policy that
allows unprivileged users to add simple memory keys, yet provision was made
for blocking access! There has to be a way...
 
I'm having the same problem.
Tried this local policy, but this does not fix the problem.
When replacing a keyboard, mouse, card reader, screen,... Windows XP prompts
for the administrator password.
 
I have been bashing my head into the wall trying to find something to fix
this. Every time I find some glimmer of hope, my hopes are shattered by the
same old problem. Nothing seems to fix this! I am a Lab admin at a college
and the students blame ME for this. While I can sit down there and
administratively add each device, it would stop me from doing any of my other
work. How can I make the Users have the rights to add their own USB devices?
So far, the only word from Microsoft is -- It will be fixed in Vista.
 
Ryen,

I found this in another thread (in Dutch):
Replace the usbstor.inf, volume.inf and flpydisk.inf from a working system.
Seemed to work for them, I will give it a try, the hardest thing will be
finding a working system.

F.
 
I tried it out and still get the same error.

How's this for stupid:
I copied over the files, verified the security on the files, and verified
that the policies are the same. AND IT STILL DOES NOT WORK!
 