UAC and USB ports - Standard User

[Mike in Nebraska]

Std user is running Vista Business with 4 GB RAM installed in an HP xw4400
workstation.
==================
I recently upgraded our small staff (10 employees) from WinXP Pro to Vista
Business. I am handling all the griping about UAC, but had one question
about USB ports I don't know the answer to.

One of our researchers uses a pendrive in a USB port and constantly gets the
UAC prompt. I know how to use the Properties of a program to have it run as
an Administrator, but is there something comparable for USB drives?

 

[Lester Stiefel]

Std user is running Vista Business with 4 GB RAM installed in an HP
xw4400 workstation.
==================
I recently upgraded our small staff (10 employees) from WinXP Pro to
Vista Business. I am handling all the griping about UAC, but had one
question about USB ports I don't know the answer to.

One of our researchers uses a pendrive in a USB port and constantly gets
the UAC prompt. I know how to use the Properties of a program to have
it run as an Administrator, but is there something comparable for USB
drives?

Is there custom access software for the device. If this is
the case, then you might try to check with the company for
updated software. An alternative is use use the access
software in XP compatibility mode. The main file of any
software would require adjustment on a right-click context
access menu. Compatibility = XP pro SP2 (or SP1), Run as
Admin. Special permissions> effective> username (invoke
check). Other than this will require help from manufacturer.

 

[Mike in Nebraska]

Nothing custom. Just his files. I'll see what I can do with the WinXP
Compatibility.

Thanks

 

[Andrew McLaren]

One of our researchers uses a pendrive in a USB port and constantly gets
the UAC prompt. I know how to use the Properties of a program to have
it run as an Administrator, but is there something comparable for USB
drives?

Hi Mike,

Does he get prompted *every* time he inserts the USB Drive? Or just the
first time?

By default, standard users on Vista should be able to access removable
drives; although this can be disabled in the Local Security policy.

However, standard users cannot install device drivers. The first time
you put a USB drive into a Vista machine, the system will install a
device driver and create Registry entries for new device (the drivers
will usually be pulled from DRIVERS.CAB under the System32 directory,
they don't need to be downloaded). And these operations do require
Administrative access, by default.

However, you can allow users to install device drivers for specific
hardware devices.

To find this policy on the workstation, open a Command Prompt "as
Administrator". Then run the command "gpedit.msc". The Local Group
Policy editor will appear. Go to Computer Settings -> Administrative
Templates -> System -> Driver Installation. You'll see the "Allow
non-administrators to install device drivers for these device setup
classes" policy. By default, this is not configured. Enable the policy,
and then enter the GUID of device class for the specific USB drive. You
can find this GUID by looking in Device Manager on a machine which
already has the device driver installed (in Device Manager, go to
Properties, Details, and select "Device Class GUID" from the drop down
list).

After saving these changes, any user on that machine can install a
device driver for that class of device. The beauty of this is that users
cannot install any other device drivers. Since device drivers are a
major path for installing Rootkits and other security breaches, you are
not compromising the security of the system; ie, you know exactly which
driver can be installed, and no other driver can be installed. If you
turned off UAC instead, for example, then all the security goodness
disappears, and you're wide open to attack same as you were on XP.


If the device driver for the USB drive has already been installed, and
Vista still throws up a UAC prompt every time the user inserts it, then
.... ah, sorry, I have no idea! Maybe you have some poilcy configured
under the "Removable Storage Access" policy? (perhaps unwittingly).

Other folks may have extra ideas for you - hope this helps a bit.

Regards
Andrew

 

[Mike in Nebraska]

Great input, thanks!

Hi Mike,

Does he get prompted *every* time he inserts the USB Drive? Or just the
first time?

By default, standard users on Vista should be able to access removable
drives; although this can be disabled in the Local Security policy.

However, standard users cannot install device drivers. The first time you
put a USB drive into a Vista machine, the system will install a device
driver and create Registry entries for new device (the drivers will
usually be pulled from DRIVERS.CAB under the System32 directory, they
don't need to be downloaded). And these operations do require
Administrative access, by default.

However, you can allow users to install device drivers for specific
hardware devices.

To find this policy on the workstation, open a Command Prompt "as
Administrator". Then run the command "gpedit.msc". The Local Group Policy
editor will appear. Go to Computer Settings -> Administrative Templates ->
System -> Driver Installation. You'll see the "Allow non-administrators to
install device drivers for these device setup classes" policy. By default,
this is not configured. Enable the policy, and then enter the GUID of
device class for the specific USB drive. You can find this GUID by looking
in Device Manager on a machine which already has the device driver
installed (in Device Manager, go to Properties, Details, and select
"Device Class GUID" from the drop down list).

After saving these changes, any user on that machine can install a device
driver for that class of device. The beauty of this is that users cannot
install any other device drivers. Since device drivers are a major path
for installing Rootkits and other security breaches, you are not
compromising the security of the system; ie, you know exactly which driver
can be installed, and no other driver can be installed. If you turned off
UAC instead, for example, then all the security goodness disappears, and
you're wide open to attack same as you were on XP.


If the device driver for the USB drive has already been installed, and
Vista still throws up a UAC prompt every time the user inserts it, then
... ah, sorry, I have no idea! Maybe you have some poilcy configured under
the "Removable Storage Access" policy? (perhaps unwittingly).

Other folks may have extra ideas for you - hope this helps a bit.

Regards
Andrew