How do you lock out the USB ports on the desktop PCs so we can prevent usage of USB drives on the desktops?
I should clarify that these are Windows XP desktops.
We should also assume that like most of the new desktops, many are using USB for keyboards and/or mice.
If they're Windows desktops, you can use the local policy (or group policy, if it's Active Directory). There isn't a default setting for it, but the MS-provided template can be found under MSKB 555324.
There should be a Group Policy Object for this; you can push it through Active Directory. See gpedit.msc on WinXP Pro.

You should be able to disable the USB ports from the computer's BIOS. You could also unplug the cables from them to the motherboard.
I don't think disabling ports is really going to do what you seem to want. Not unless these computers use PS2 mice and keyboards. As long as you have available USB ports for the keyboard and mouse, someone can just plug a hub in and plug their USB drive into that. What you really want to do is prevent the computer from recognizing USB storage devices (but not other USB devices) plugged in via USB.
If the users have administrative rights to their PCs, they can override anything you do to prevent this. However, you can follow the below link to Microsoft's recommended solution:
http://support.microsoft.com/kb/823732
You can also prevent booting from a USB stick in the BIOS, as has already been mentioned.
If you are concerned about using a software solution you could buy some hardware locks.
USB Port Blocker
This assumes that you have the budget to get these for each machine. You may also need to keep people from unplugging the keyboard and mouse if they are USB as well.
Two solutions that I've seen at customer sites:
1. In the BIOS, set the boot device to boot only from hard disk and password protect the BIOS. In the BIOS, disable all USB devices that you can get away with. To prevent USB sticks from even being mounted, you'll need to take other measures.
2. Can you put the computer in a box with only the keyboard and mouse cables coming out? Then there is no available USB port for them to fiddle with.
The bottom line is that as long as you don't trust people who have physical access to the machine, you can only improve security but you cannot get absolute security.
I've had to do this on stand-alone machines as well as on several domain machines. GPO would be a better way to go but I didn't have the luxury of doing it that way. Obviously if someone had admin rights over the machine and a little knowledge they could undo this.
At the time I was using this, we had all XP machines. No users had admin rights. No users are [supposed to be] Power Users. To help keep users from using USB mass storage devices, some other admins deleted USBSTOR.SYS. So if I ever needed to re-enable USB mass storage devices, I needed to restore the driver file as well. (So I kept a current copy handy along with the files below.) My copy of the "Enable.bat" has a line -- I commented out here -- to restore the file as necessary.
Disable.bat:
(May have to add "BUILTIN\Administrators" to the CACLS commands. I did not have to in my environment)
Disable.reg:
Enable.bat:
(May have to add another set of CACLS commands for "BUILTIN\Administrators". I did not have to in my environment)
Enable.reg:
Something similar may work for Vista -- BUT I HAVE NOT TRIED IT.
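A worked version of the registry plus file-permission approach that the KB 823732 link and the Disable/Enable scripts above describe, added here as an example. It is not the poster's Disable.bat/Enable.bat (those files are not reproduced on the page) and not Microsoft's code. It assumes Windows XP with the driver INF/PNF under %SystemRoot%\inf, that it runs from a local Administrator command prompt, and a hypothetical script name of usbstor_toggle.bat; the backup path for USBSTOR.SYS is a placeholder.

```batch
@echo off
REM usbstor_toggle.bat (hypothetical name) - added example, not the poster's scripts.
REM Disables or re-enables the USB mass storage driver on Windows XP using the
REM two measures from MS KB 823732:
REM   1. the UsbStor service Start value (3 = load on demand, 4 = disabled)
REM   2. Deny entries on usbstor.inf / usbstor.pnf so Plug and Play cannot install
REM      the driver for a USB stick that has never been attached to the machine.
REM Assumes it runs as a local Administrator. Usage: usbstor_toggle.bat disable|enable
REM Note: a Deny entry for Everyone also applies to Administrators, which is why
REM the poster mentions possibly adding BUILTIN\Administrators to the CACLS lines.

setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
set INF=%SystemRoot%\inf\usbstor.inf
set PNF=%SystemRoot%\inf\usbstor.pnf

if /i "%~1"=="disable" goto :disable
if /i "%~1"=="enable" goto :enable
echo Usage: %~nx0 disable ^| enable
exit /b 1

:disable
REM Keep the service from loading for already-installed devices (Start=4 = disabled).
reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f
REM /E edits the ACL in place; /D adds a Deny entry for the named group.
cacls "%INF%" /E /D Everyone
cacls "%PNF%" /E /D Everyone
goto :verify

:enable
REM Restore on-demand loading (Start=3) and remove the Deny entries again.
reg add "%KEY%" /v Start /t REG_DWORD /d 3 /f
REM /R removes the named group's entries from the ACL.
cacls "%INF%" /E /R Everyone
cacls "%PNF%" /E /R Everyone
REM If USBSTOR.SYS was deleted as the poster describes, it has to be restored
REM separately; the source path below is a placeholder, not a real location.
REM copy /Y C:\PLACEHOLDER_BACKUP\usbstor.sys "%SystemRoot%\system32\drivers\usbstor.sys"
goto :verify

:verify
REM Show the resulting Start value and ACLs so the change can be checked.
reg query "%KEY%" /v Start
cacls "%INF%"
cacls "%PNF%"
endlocal
```

The two measures cover different cases: the Start value stops the driver from loading for devices Windows has already seen, while the Deny entries on the INF/PNF stop Plug and Play from installing the driver for a device it has never seen. As the answers above point out, none of this holds against a user with local administrative rights, who can simply revert the registry value and the file permissions.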
I prefer to train the users as to what is acceptable and what is not acceptable. If you cannot trust your users that far, then take away their PCs and set up thin client systems connecting back to something like a Citrix server running all your apps. The only other solution I can think of is to place the actual PC in a locked cabinet with just the cables for the keyboard, mouse, and monitor coming out. In all cases I think you will just end up creating more work for yourself.