插入后批准 USB 设备
在 Windows 上,是否有任何方法可以在插入后以编程方式批准 USB 设备,如果它属于某种类型(例如可移动驱动器)则允许其使用,否则不允许使用? 也不允许运行驱动程序,只允许以批准的方式使用设备?
IE 我们希望允许插入USB驱动器,但不必担心病毒被安装。
编辑抱歉,我对这个问题的发布不太清楚。 是的,这是Windows,但我并不担心自动运行程序,那当然是关闭的。 用户将无法访问任何可执行文件,只能从驱动器中读取数据。 他们无法访问除我们允许的用户界面(信息亭)之外的任何用户界面。 我关心的是运行和安装软件的设备驱动程序(ala U3 和其他在插入 USB 驱动器时自动安装的 USB 软件)。 有许多病毒可以通过将 USB 驱动器插入系统来运行。 我们已经将组策略限制到我们可以做到的水平,但我找不到一种方法来不允许安装驱动程序,而不创建预安装的 USB 驱动器的基本白名单,其他任何方法都不起作用(即. 不允许安装驱动程序)。
On Windows, is there any way to programatically approve a USB device after insertion, if it is of a certain type (say Removable Drive) allow its use, otherwise not? Also not to allow running of drivers, only allow usage of the device in an approved way?
I.E. We want to allow the insertion of USB drives, but not have to worry about virus's being installed.
EDIT Sorry, I wasn't very clear on the posting of this question. Yes this is Windows, but I am not worried about auto-run programs, that is of course turned off. Users will not be able to access any executables, just data will be read off of the drive. They will not have access to any UI other than what we allow (it's a Kiosk). What I am concerned about is device drivers running and installing software (ala U3, and other USB software that installs itself when you insert a USB drive). There are a bunch of virus's in the wild that can be run just by inserting a USB drive into a system. We have restricted things with group-policy to the level that we can, but I can't find a way to not allow the installation of drivers without creating a base whitelist of USB drives that come pre-installed and nothing else would work (ie. Do not allow installation of drivers).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
另外,在 Windows 上,禁用 USB 驱动器上的自动播放/自动运行。
使用组策略:
http://www.howtogeek .com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/
TweakUI 实用程序中还有一些选项:
http://www.microsoft.com/windowsxp/Downloads/powertoys/Xppowertoys。 mspx
Also, on Windows, disable Autoplay/Autorun on the USB drives.
With Group Policy:
http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/
There are also options in the TweakUI utility:
http://www.microsoft.com/windowsxp/Downloads/powertoys/Xppowertoys.mspx
如果是您自己的自助服务终端应用程序,请确保您的自助服务终端已分配驱动器号 AZ。 要访问 USB 驱动器,您需要一个格式为 \??\Volume{GUID}\Filename 的路径。 但是,通过将其排除在正常文件系统之外,您可以安全地抵御大多数攻击。
你永远不会完全安全。 正如 Raymond Chen 所指出的,如果你不赞成分叉,那也没有多大帮助。 (物理)损害已经造成。
If it's your own kiosk application, make sure your kiosk has drive letters A-Z assigned. To access the USB drive, you'll need a path of the form \??\Volume{GUID}\Filename. But by keeping it out of the normal file system, you're safe against most attacks.
You're never entirely safe. As Raymond Chen would point out, it doesn't help a lot if you disapprove forks. The (physical) damage is already done.
不可以。您可以使用 GPO 限制对可移动媒体的访问,但无法指定可移动媒体上允许的文件类型或它们是否可以执行。
编辑:支持托马斯。 比我的答案更好。
No. You can restrict access to removable media using GPO, but you can't specify what kind of files are allowed on the removable media or if they can execute or not.
EDIT: upvoting thomas. better answer than mine.
(既然您担心病毒,我就假设我们正在谈论 Windows。)
这样限制用户是没有意义的。 确保用户没有管理员权限。 并安装最新的病毒扫描程序。
理由:如果您甚至不允许读取文件,那么允许 USB 驱动器无论如何都是无用的。 因此您将允许从 USB 驱动器读取文件。 但随后有人可能已经通过将病毒复制到本地硬盘驱动器并从那里运行来安装病毒。
(Since you're worried about viruses I'll assume that we're talking about Windows.)
There is no point in restricting the user like that. Make sure the user does not have Administrator privileges. And install an up-to-date virus scanner.
Rationale: If you're not going to permit even reading files, then allowing a USB drive would be useless anyway. So you are going to permit reading files from a USB drive. But then someone could already install a virus by copying it to the local hard drive and run it from there.