Friday, April 3, 2015

windows 8 - Restrict device installation using Registry Editor against BadUSB




In order to take some measures against the BadUSB exploit, I want to restrict USB device installations on Windows 8, as suggested here.



However, gpedit.msc, which opens the Local Group Policy Editor, is not available in Windows 8. The price for the Pro upgrade (450₺) is not close to being reasonable in my opinion, and I wonder if I can change the following settings using Registry Editor.




  1. Prevent installation of devices using drivers that match these device setup classes:

    • 4d36e96b-E325-11CE-BFC1-08402BE10318 – this one controls the automatic installation of USB keyboards.

    • 4D36E972-E325-11CE-BFC1-08012BE10318 – this one corresponds to the NIC (network interface controller).

    • e0cbf06c-cd8b-4647-bb8a-263b45f0f974 – this one is for Bluetooth.

  2. Allow administrators to override Device Installation Restrictions policies




I could not find these settings here.



If this is not possible via Registry Editor, can you suggest an alternative solution? ("Not using USB ports at all" is not an option.)



Answer



Local Group Policy Editor is not available in Windows 8



I used the following procedure to successfully install gpedit.msc on Windows 7 64-bit Home Premium.



It apparently works on Windows 8 and Windows 8.1 as well.




UPDATE: According to some readers, this tool also works fine in Windows 8 and Windows 8.1.




Today we are going to share a simple installer which installs the required system files in Windows so that you can enjoy Group Policy Editor in all Windows 7 editions.




  1. First download the setup file using following link:



    Download Group Policy Editor Installer



    You'll find the download link in right-side section of the above
    mentioned page.


  2. After downloading the ZIP file, extract it using WinRAR or 7-Zip.



  3. Run the extracted setup.exe file.



    It will install the files and you'll be able to access gpedit.msc
    command via RUN or Start Menu search box.




Note:




  • For Windows 7 64-bit (x64) users! You'll also need to go to "SysWOW64" folder present in "C:\Windows" folder and copy "GroupPolicy", "GroupPolicyUsers" folders and gpedit.msc file from there and paste them in "C:\Windows\System32" folder.



If you are getting "MMC could not create the snap-in" error message
while running gpedit.msc, check out following steps to fix the
problem. Basically it happens when your username in Windows contains
more than one word.





  1. Run the installer and leave it at the last step (do not click on the "Finish" button).


  2. Now go to C:\Windows\Temp\gpedit\ folder.


  3. If you are running 32-bit (x86) edition of Windows 7, right-click on x86.bat file and choose "Open With -> Notepad" option. If you are
    running 64-bit (x64) edition of Windows 7, right-click on x64.bat file
    and choose "Open With -> Notepad" option.


  4. You'll find a total of 6 lines containing the following string in the file:



    %username%:f


  5. Edit those lines and replace %username%:f with "%username%":f





For example:



Original: `icacls %WinDir%\SysWOW64\gpedit.dll /grant:r %username%:f`
New: `icacls %WinDir%\SysWOW64\gpedit.dll /grant:r "%username%":f`



  6. Save and run the file (right-click -> Run as Administrator).


  7. That's it. You'll have working gpedit.msc.






Source: How to Enable "Group Policy Editor" (gpedit.msc) in Windows 7 Home Premium, Home Basic and Starter Editions?






Could you please provide the content of x64.bat file?



```bat
@echo off

echo x64
takeown /f %WinDir%\SysWOW64\gpedit.dll
icacls %WinDir%\SysWOW64\gpedit.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\fde.dll
icacls %WinDir%\SysWOW64\fde.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\gptext.dll
icacls %WinDir%\SysWOW64\gptext.dll /grant:r %username%:f
echo.
echo.

takeown /f %WinDir%\SysWOW64\appmgr.dll
icacls %WinDir%\SysWOW64\appmgr.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\fdeploy.dll
icacls %WinDir%\SysWOW64\fdeploy.dll /grant:r %username%:f

IF NOT EXIST %WinDir%\SysWOW64\GPBAK\NUL MKDIR %WinDir%\SysWOW64\GPBAK
takeown /f %WinDir%\SysWOW64\GPBAK\*
icacls %WinDir%\SysWOW64\GPBAK\* /grant:r %username%:f

IF EXIST %WinDir%\SysWOW64\gpedit.dll copy %WinDir%\SysWOW64\gpedit.dll %WinDir%\SysWOW64\GPBAK\gpedit.dll
IF EXIST %WinDir%\SysWOW64\fde.dll copy %WinDir%\SysWOW64\fde.dll %WinDir%\SysWOW64\GPBAK\fde.dll
IF EXIST %WinDir%\SysWOW64\gptext.dll copy %WinDir%\SysWOW64\gptext.dll %WinDir%\SysWOW64\GPBAK\gptext.dll
IF EXIST %WinDir%\SysWOW64\appmgr.dll copy %WinDir%\SysWOW64\appmgr.dll %WinDir%\SysWOW64\GPBAK\appmgr.dll
IF EXIST %WinDir%\SysWOW64\fdeploy.dll copy %WinDir%\SysWOW64\fdeploy.dll %WinDir%\SysWOW64\GPBAK\fdeploy.dll
IF EXIST %WinDir%\SysWOW64\gpedit.msc copy %WinDir%\SysWOW64\gpedit.msc %WinDir%\SysWOW64\GPBAK\gpedit.msc

copy gpedit.dll %WinDir%\SysWOW64\gpedit.dll
copy fde.dll %WinDir%\SysWOW64\fde.dll
copy gptext.dll %WinDir%\SysWOW64\gptext.dll
copy appmgr.dll %WinDir%\SysWOW64\appmgr.dll
copy fdeploy.dll %WinDir%\SysWOW64\fdeploy.dll
copy gpedit.msc %WinDir%\SysWOW64\gpedit.msc

IF NOT EXIST %WinDir%\SysWOW64\GroupPolicy\NUL MKDIR %WinDir%\SysWOW64\GroupPolicy
IF NOT EXIST %WinDir%\SysWOW64\GroupPolicy\adm\NUL MKDIR %WinDir%\SysWOW64\GroupPolicy\adm

copy system.adm %WinDir%\SysWOW64\GroupPolicy\Adm\system.adm
copy inetres.adm %WinDir%\SysWOW64\GroupPolicy\Adm\inetres.adm
copy conf.adm %WinDir%\SysWOW64\GroupPolicy\Adm\conf.adm
copy wmplayer.adm %WinDir%\SysWOW64\GroupPolicy\Adm\wmplayer.adm
copy wuau.adm %WinDir%\SysWOW64\GroupPolicy\Adm\wuau.adm

regsvr32 /s %WinDir%\SysWOW64\gpedit.dll
regsvr32 /s %WinDir%\SysWOW64\fde.dll
regsvr32 /s %WinDir%\SysWOW64\gptext.dll
regsvr32 /s %WinDir%\SysWOW64\appmgr.dll
regsvr32 /s %WinDir%\SysWOW64\fdeploy.dll
```
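The two policies named in the question are stored as values under the `DeviceInstall\Restrictions` policy key, so they can be written without gpedit.msc. The sketch below is an added example, not part of the original question or answer. It uses the system-defined setup class GUIDs for keyboards, network adapters and Bluetooth, and it assumes, which this page does not confirm, that the installed Windows 8 edition honours the policy key.

```powershell
# Added example (not from the original post): registry values behind the two policies.
$id    = [Security.Principal.WindowsIdentity]::GetCurrent()
$admin = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole($admin)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$list = Join-Path $base 'DenyDeviceClasses'

# System-defined device setup class GUIDs. Compare each with the "Class Guid"
# property shown in Device Manager before applying.
$denyClasses = [ordered]@{
    Keyboard  = '{4d36e96b-e325-11ce-bfc1-08002be10318}'
    Net       = '{4d36e972-e325-11ce-bfc1-08002be10318}'
    Bluetooth = '{e0cbf06c-cd8b-4647-bb8a-263b45f0f974}'
}

# A mistyped GUID blocks nothing and fails silently, so validate before writing.
foreach ($name in $denyClasses.Keys) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($denyClasses[$name], [ref]$parsed)) {
        throw "Malformed class GUID for ${name}: $($denyClasses[$name])"
    }
}

# Keep any other values already under the policy key; rebuild only the deny list.
if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
if (Test-Path $list) { Remove-Item -Path $list -Recurse -Force }
New-Item -Path $list | Out-Null

$dwords = [ordered]@{
    DenyDeviceClasses            = 1   # policy 1: enable the class deny list
    DenyDeviceClassesRetroactive = 0   # leave already-installed devices working
    AllowAdminInstall            = 1   # policy 2: administrators may override
}
foreach ($name in $dwords.Keys) {
    New-ItemProperty -Path $base -Name $name -PropertyType DWord `
        -Value $dwords[$name] -Force | Out-Null
}

# The deny list is a subkey of string values named 1, 2, 3, ...
$i = 1
foreach ($guid in $denyClasses.Values) {
    New-ItemProperty -Path $list -Name "$i" -PropertyType String -Value $guid | Out-Null
    $i++
}

# Read the result back so the applied state can be checked.
Get-ItemProperty -Path $base |
    Select-Object DenyDeviceClasses, DenyDeviceClassesRetroactive, AllowAdminInstall
$key = Get-Item -Path $list
$key.Property | ForEach-Object { '{0} = {1}' -f $_, $key.GetValue($_) }
```

With `DenyDeviceClassesRetroactive` left at 0 the keyboard already in use keeps working; deleting the `Restrictions` key reverts the change.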
