Re: UAC and USB ports - Standard User

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Great input, thanks!

"Andrew McLaren" <Andrew.McLaren@xxxxxxxxxxxxx> wrote in message news:Oa8yQBUuJHA.3928@xxxxxxxxxxxxxxxxxxxxxxx
Mike in Nebraska wrote:

One of our researchers uses a pendrive in a USB port and constantly gets the UAC prompt. I know how to use the Properties of a program to have it run as an Administrator, but is there something comparable for USB drives?

Hi Mike,

Does he get prompted *every* time he inserts the USB Drive? Or just the first time?

By default, standard users on Vista should be able to access removable drives; although this can be disabled in the Local Security policy.

However, standard users cannot install device drivers. The first time you put a USB drive into a Vista machine, the system will install a device driver and create Registry entries for new device (the drivers will usually be pulled from DRIVERS.CAB under the System32 directory, they don't need to be downloaded). And these operations do require Administrative access, by default.

However, you can allow users to install device drivers for specific hardware devices.

To find this policy on the workstation, open a Command Prompt "as Administrator". Then run the command "gpedit.msc". The Local Group Policy editor will appear. Go to Computer Settings -> Administrative Templates -> System -> Driver Installation. You'll see the "Allow non-administrators to install device drivers for these device setup classes" policy. By default, this is not configured. Enable the policy, and then enter the GUID of device class for the specific USB drive. You can find this GUID by looking in Device Manager on a machine which already has the device driver installed (in Device Manager, go to Properties, Details, and select "Device Class GUID" from the drop down list).

After saving these changes, any user on that machine can install a device driver for that class of device. The beauty of this is that users cannot install any other device drivers. Since device drivers are a major path for installing Rootkits and other security breaches, you are not compromising the security of the system; ie, you know exactly which driver can be installed, and no other driver can be installed. If you turned off UAC instead, for example, then all the security goodness disappears, and you're wide open to attack same as you were on XP.


If the device driver for the USB drive has already been installed, and Vista still throws up a UAC prompt every time the user inserts it, then ... ah, sorry, I have no idea! Maybe you have some poilcy configured under the "Removable Storage Access" policy? (perhaps unwittingly).

Other folks may have extra ideas for you - hope this helps a bit.

Regards
Andrew

--
amclar at optusnet dot com dot au

.

Quantcast