I don't think there is a setting that would allow you to do this natively in Windows 7 (unless someone out there has some Group Policy Fu they'd like to share?).
Assuming there isn't one, I would consider two alternatives:
1) Setting up a Software Restriction Policy to limit execution paths to known drives only.
2) Disabling Plug and Play
I personally use 1 on all of my machines just to prevent things from executing from my user directory. It wouldn't prevent media from mounting, but it would stop anything from executing.
2 is more of a guess, TBH. I've never tested it personally, and it may cause other Windows services to act funky, but it would (in theory) prevent ANY new device from installing unless you re-enable the service or install the device manually (usually these actions require admin rights, so that may work for you).
I also want to add that if physical security is a concern, consider simply locking the machine in a cabinet. This will protect your USB ports in Windows and also keep anyone without the key from performing boot kit attacks.
**EDIT**
One afterthought: If your hardware supports it, consider using PS/2 keyboards/mice and disabling all USB controllers through the BIOS.
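
A read-only check for option 1, added here as an example and not part of the original answer: it reads the machine-wide Software Restriction Policy from the registry and reports whether currently mounted removable drives fall outside the allowed execution paths. It assumes the policy is set per machine (HKLM) and only evaluates plain path rules that start with a drive letter; wildcard rules, registry-path rules and per-user policy are not evaluated.

```powershell
# Added example: audit whether SRP would block execution from removable drives.
# Uses Get-WmiObject so it also runs on the PowerShell 2.0 shipped with Windows 7.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpDefaultLevel {
    # 0 = Disallowed (whitelist mode), 262144 (0x40000) = Unrestricted
    $p = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.DefaultLevel) { return $null }
    return [int]$p.DefaultLevel
}

function Get-SrpPathRules([int]$Level) {
    # Path rules are stored under <base>\<level>\Paths\{GUID}, value ItemData
    $key = Join-Path $base "$Level\Paths"
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $item = (Get-ItemProperty $_.PSPath).ItemData
        # %HKEY_...% registry-path rules are left unexpanded and never match below
        if ($item) { [Environment]::ExpandEnvironmentVariables($item) }
    }
}

$default = Get-SrpDefaultLevel
$allowed = @(Get-SrpPathRules 262144)      # rules that permit execution
# DriveType 2 = removable disk in Win32_LogicalDisk
$removable = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
               ForEach-Object { $_.DeviceID })

if ($null -eq $default) {
    'No machine-wide SRP found: nothing restricts execution paths.'
} elseif ($default -ne 0) {
    "Default level is $default (not Disallowed): unlisted paths can still execute."
} else {
    'Default level is Disallowed: only paths with an Unrestricted rule can execute.'
}

foreach ($d in $removable) {
    # An Unrestricted rule beginning with this drive letter re-opens the drive
    $hits = @($allowed | Where-Object { $_ -like "$d*" })
    if ($default -eq 0 -and $hits.Count -eq 0) {
        "$d  not covered by any Unrestricted path rule: execution blocked"
    } elseif ($hits.Count -gt 0) {
        "$d  allowed by rule(s): $($hits -join '; ')"
    } else {
        "$d  execution possible (default level does not block it)"
    }
}
```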