Restringir a instalação de dispositivos usando o Editor do Registro contra o BadUSB

2

Para tomar algumas medidas contra a exploração do BadUSB, eu quero restringir instalações de dispositivos USB no Windows 8, como sugerido aqui .

No entanto, gpedit.msc para acessar o Editor de Diretiva de Grupo Local não está disponível no Windows 8. Preço para atualização Pro (450₺) não está perto de ser razoável na minha opinião e gostaria de saber se posso alterar as seguintes configurações usando o Editor do Registro .

  1. Impedir a instalação de dispositivos usando drivers que correspondam a essas classes de configuração de dispositivos:

    • 4d36e96b-E325-11CE-BFC1-08402BE10318 - este controla o instalação automática de teclados USB.
    • 4D36E972-E325-11CE-BFC1-08012BE10318 - este corresponde ao NIC (controlador de interface de rede)
    • e0cbf06c-cd8b-4647-bb8a-263b45f0f974 - este é para bluetooth.
  2. Permitir que os administradores substituam as políticas de Restrições de instalação de dispositivos

Não consegui encontrar estas definições aqui .

Se isso não for possível através do Editor do Registro, você pode me sugerir uma solução alternativa? ("Não usar portas USB" não é uma opção.)

    
por dx486 03.09.2015 / 15:59

1 resposta

2

O Editor de Diretiva de Grupo Local não está disponível no Windows 8

Eu usei o seguinte procedimento para instalar com êxito gpedit.msc no Windows 7 64 bit Home Premimum.

Ele aparentemente funciona no Windows 8 e no Windows 8.1 também.

UPDATE: According to some readers, this tool also works fine in Windows 8 and Windows 8.1.

Today we are going to share a simple installer which installs the required system files in Windows so that you can enjoy Group Policy Editor in all Windows 7 editions.

  1. First download the setup file using following link:

    Download Group Policy Editor Installer

    You'll find the download link in right-side section of the above mentioned page.

  2. After downloading the ZIP file, extract it using WinRAR or 7-Zip.

  3. Run the extracted setup.exe file.

    It will install the files and you'll be able to access gpedit.msc command via RUN or Start Menu search box.

Note:

  • For Windows 7 64-bit (x64) users! You'll also need to go to "SysWOW64" folder present in "C:\Windows" folder and copy "GroupPolicy", "GroupPolicyUsers" folders and gpedit.msc file from there and paste them in "C:\Windows\System32" folder.

If you are getting "MMC could not create the snap-in" error message while running gpedit.msc, check out following steps to fix the problem. Basically it happens when your username in Windows contains more than one word.

  1. Run the installer and leave it at the last step (do not click on the "Finish" button).

  2. Now go to C:\Windows\Temp\gpedit\ folder.

  3. If you are running 32-bit (x86) edition of Windows 7, right-click on x86.bat file and choose "Open With -> Notepad" option. If you are running 64-bit (x64) edition of Windows 7, right-click on x64.bat file and choose "Open With -> Notepad" option.

  4. You'll find a total of 6 lines containing the following string in the file:

    %username%:f

  5. Edit those lines and replace %username%:f with "%username%":f

For example:

Original: 'icacls %WinDir%\SysWOW64\gpedit.dll /grant:r %username%:f'
New: 'icacls %WinDir%\SysWOW64\gpedit.dll /grant:r "%username%":f'
  1. Save and run the file (right-click -> Run as Administrator).

  2. That's it. You'll have working gpedit.msc.

Fonte Como habilitar o" Editor de Diretiva de Grupo "(gpedit.msc) no Windows 7 Home Premium, Home Basic e Starter Editions?

Por favor, forneça o conteúdo do arquivo x64.bat?

@echo off
echo x64
takeown /f %WinDir%\SysWOW64\gpedit.dll
icacls %WinDir%\SysWOW64\gpedit.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\fde.dll
icacls %WinDir%\SysWOW64\fde.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\gptext.dll
icacls %WinDir%\SysWOW64\gptext.dll /grant:r %username%:f
echo.
echo.

takeown /f %WinDir%\SysWOW64\appmgr.dll
icacls %WinDir%\SysWOW64\appmgr.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\fdeploy.dll
icacls %WinDir%\SysWOW64\fdeploy.dll /grant:r %username%:f

IF NOT EXIST %WinDir%\SysWOW64\GPBAK\NUL MKDIR %WinDir%\SysWOW64\GPBAK
takeown /f %WinDir%\SysWOW64\GPBAK\*
icacls %WinDir%\SysWOW64\GPBAK\* /grant:r %username%:f

IF EXIST %WinDir%\SysWOW64\gpedit.dll copy %WinDir%\SysWOW64\gpedit.dll %WinDir%\SysWOW64\GPBAK\gpedit.dll
IF EXIST %WinDir%\SysWOW64\fde.dll copy %WinDir%\SysWOW64\fde.dll %WinDir%\SysWOW64\GPBAK\fde.dll
IF EXIST %WinDir%\SysWOW64\gptext.dll copy %WinDir%\SysWOW64\gptext.dll %WinDir%\SysWOW64\GPBAK\gptext.dll
IF EXIST %WinDir%\SysWOW64\appmgr.dll copy %WinDir%\SysWOW64\appmgr.dll %WinDir%\SysWOW64\GPBAK\appmgr.dll
IF EXIST %WinDir%\SysWOW64\fdeploy.dll copy %WinDir%\SysWOW64\fdeploy.dll %WinDir%\SysWOW64\GPBAK\fdeploy.dll
IF EXIST %WinDir%\SysWOW64\gpedit.msc copy %WinDir%\SysWOW64\gpedit.msc %WinDir%\SysWOW64\GPBAK\gpedit.msc

copy gpedit.dll %WinDir%\SysWOW64\gpedit.dll
copy fde.dll %WinDir%\SysWOW64\fde.dll
copy gptext.dll %WinDir%\SysWOW64\gptext.dll
copy appmgr.dll %WinDir%\SysWOW64\appmgr.dll
copy fdeploy.dll %WinDir%\SysWOW64\fdeploy.dll
copy gpedit.msc %WinDir%\SysWOW64\gpedit.msc

IF NOT EXIST %WinDir%\SysWOW64\GroupPolicy\NUL MKDIR %WinDir%\SysWOW64\GroupPolicy
IF NOT EXIST %WinDir%\SysWOW64\GroupPolicy\adm\NUL MKDIR %WinDir%\SysWOW64\GroupPolicy\adm

copy system.adm %WinDir%\SysWOW64\GroupPolicy\Adm\system.adm
copy inetres.adm %WinDir%\SysWOW64\GroupPolicy\Adm\inetres.adm
copy conf.adm %WinDir%\SysWOW64\GroupPolicy\Adm\conf.adm
copy wmplayer.adm %WinDir%\SysWOW64\GroupPolicy\Adm\wmplayer.adm
copy wuau.adm %WinDir%\SysWOW64\GroupPolicy\Adm\wuau.adm

regsvr32 /s %WinDir%\SysWOW64\gpedit.dll
regsvr32 /s %WinDir%\SysWOW64\fde.dll
regsvr32 /s %WinDir%\SysWOW64\gptext.dll
regsvr32 /s %WinDir%\SysWOW64\appmgr.dll
regsvr32 /s %WinDir%\SysWOW64\fdeploy.dll
    
por 03.09.2015 / 16:24