I want to create a GP that allows me as an Administrator
from the SBS to apply Policies that disable the plugging
in of USB devices (such as Pen Drives)!
I also want to disable the CD-ROM and Floppy disk drives
in case someone brings in a virus from home.
Can someone tell me how I do this and what entries in GP
Editor I need to tweak?
Thanks,
skc
Henry Craven - 31 Oct 2003 13:42 GMT
Just Hide all drives except their base HDD Partitions.

Signature
Henry Craven.
========= Post It Appropriately: ============
SBS 4/4.5 : microsoft.public.backoffice.smallbiz
SBS 2000 : microsoft.public.backoffice.smallbiz2000
SBS 2003 : microsoft.public.windows.server.sbs
=====================================
skc - 31 Oct 2003 15:11 GMT
I have seen some machines on a domain secured by Group
Policies, where you insert a USB cable/Pen drive and it
tells you to bugger off and call the Administrator.
How do they do that??
Henry Craven - 31 Oct 2003 15:21 GMT
Don't know.
I'm sure if you spend enough time on Google you'll find out though.

Jeff Middleton [SBS-MVP] - 31 Oct 2003 19:16 GMT
I think you guys may have missed the post I did (due to timing) that offers
the regkey and information on securing the registry key in question. It's
actually easier to do than it appears from those KBs.
Henry Craven - 31 Oct 2003 20:17 GMT
I saw your post, and in fact I was aware of the KB when I initially
posted my reply to skc. I was leaving the finding of the KB up to skc as
"an exercise for the student" under the old adage of "teach a man to
fish...."
As disabling the drive letters does not create an event message that:
"tells you to bugger off and call the Administrator", it left me with the
perfect opening.
Me bad.
:-)

Jeff Middleton [SBS-MVP] - 31 Oct 2003 14:43 GMT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
I believe that this is the regkey you want to secure, denying permission to
access this key for users you want disabled for USB storage device plugin.
Some of the technical means are described below.
Using Group Policy Objects to Hide Specified Drives in My Computer for Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;231289&Product=win2000
Note that the above KB has a sister policy item that includes "show only"
specific drives.
How to Add Custom Registry Settings to Security Configuration Editor
http://support.microsoft.com/default.aspx?scid=kb;EN-US;214752
HOW TO: Define Security Templates in the Security Templates Snap-in in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;313434&Product=win2000
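A read-only check, run as an administrator on a client, that a deny entry of the kind described in Jeff Middleton's post is actually present on the USBSTOR key and on each subkey beneath it. This is an added example, not part of the original thread; the group name `EXAMPLE\NoUsbStorage` is a hypothetical placeholder for whichever group the policy targets.

```powershell
# Added example: audits (does not change) the DACL on the key named in the thread.
param(
    [string]$Group = 'EXAMPLE\NoUsbStorage'   # hypothetical group name, replace it
)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

if (-not (Test-Path -LiteralPath $path)) {
    Write-Output "Key not present on this machine: $path"
    return
}

# Resolve the group to a SID so the comparison does not depend on name formatting.
try {
    $sid = ([System.Security.Principal.NTAccount]$Group).Translate(
               [System.Security.Principal.SecurityIdentifier])
} catch {
    Write-Error "Cannot resolve group '$Group': $($_.Exception.Message)"
    return
}

function Get-DenyRules {
    param([string]$KeyPath)
    $acl = Get-Acl -LiteralPath $KeyPath
    # Explicit and inherited rules, with identities returned as SIDs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $sid.Value
        }
}

# The key itself plus every device subkey below it.
$keys = @($path) + @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.PSPath })

foreach ($k in $keys) {
    $deny = @(Get-DenyRules -KeyPath $k)
    [pscustomobject]@{
        Key       = ($k -replace '^.*::', '')
        DenyFound = $deny.Count -gt 0
        Rights    = ($deny | ForEach-Object { $_.RegistryRights }) -join '; '
        Inherited = ($deny | ForEach-Object { $_.IsInherited }) -join '; '
    }
}
```

Any row with `DenyFound` set to `False` is a key where the deny entry did not apply or did not inherit.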