You can prevent users from using any portable USB removable disk or flash drive with a custom .ADM template, imported either into the Local Group Policy (affecting only that computer) or into an Active Directory-based Group Policy Object (GPO).
Note: This tip restricts USB removable disks only. USB mice, keyboards and any other USB device that is not a storage device keep working, because only the usbstor.sys driver is disabled. The steps below assume AD-based Group Policy; the same result can be achieved on a stand-alone machine by saving the template locally and adding it to the Local Group Policy instead. Two caveats worth knowing before you deploy this: the template writes to the service keys directly rather than to one of the Policies hives, so the values persist on the client (they "tattoo" the registry) after the GPO is unlinked until you explicitly set them back, and a local administrator can reverse them with a registry edit. The WriteProtect value under StorageDevicePolicies was introduced with Windows XP Service Pack 2; older clients ignore it.
It is worth mentioning that Windows Vista has a much more sophisticated, purpose-built way of controlling USB disks via GPO: Computer Configuration > Administrative Templates > System > Removable Storage Access controls read, write and execute access per device class, and System > Device Installation > Device Installation Restrictions controls which devices (by setup class or hardware ID) may be installed at all. If you have Windows Vista client computers in your organization, edit the GPO from one of the Vista machines to get those settings, including the ability to control exactly which device can or cannot be used.
Step 1: Create a plain text file named removable_storage.adm with the following content and save it in the "%systemroot%\inf\" directory of the domain controller (or management workstation) on which you will create the GPO.
********** Start of File **********
CLASS MACHINE
CATEGORY "Custom Policy Settings"
CATEGORY "Restrict Removable Drives"
POLICY "Disable USB Removable Drives"
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART "usbstor.sys driver status" DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME "Started" VALUE NUMERIC 3 DEFAULT
NAME "Stopped" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY "Disable CD-ROM"
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART "cdrom.sys driver status" DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME "Started" VALUE NUMERIC 1 DEFAULT
NAME "Stopped" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY "Disable Floppy"
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART "flpydisk.sys driver status" DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME "Started" VALUE NUMERIC 3 DEFAULT
NAME "Stopped" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY "Disable High Capacity Floppy"
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART "sfloppy.sys driver status" DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME "Started" VALUE NUMERIC 3 DEFAULT
NAME "Stopped" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY "Write Protect USB Removable Drives"
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
EXPLAIN !!explaintextwriteprotect
PART "Write Protect USB Removable Drives status" DROPDOWNLIST REQUIRED
VALUENAME "WriteProtect"
ITEMLIST
NAME "Off" VALUE NUMERIC 0 DEFAULT
NAME "On" VALUE NUMERIC 1
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
explaintextusb="Disables USB removable drives by disabling the usbstor.sys driver (service Start value 4). \n\nSelect the ENABLED radio button, then select STOPPED for the usbstor.sys driver status in the drop-down list. \n\nNote that this only prevents newly plugged-in USB removable drives or flash drives from working; a device that was plugged in before this setting was applied will continue to function normally. Devices that share the same hardware ID (for example, two identical flash drives from the same manufacturer) will also continue to work if one of them was plugged in before the setting was applied. To block them reliably, make sure no USB removable drive is plugged in while you apply this setting. \n\nTo re-enable USB removable drives, select STARTED for the usbstor.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radio button, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nTo re-enable the CD-ROM drive, select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the floppy drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radio button, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nTo re-enable the floppy drive, select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the high capacity floppy drive (for example LS-120) by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radio button, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nTo re-enable the high capacity floppy drive, select STARTED for the sfloppy.sys driver status in the drop-down list."
explaintextwriteprotect="Enforces write protection on all USB removable drives. \n\nSelect the ENABLED radio button, then select ON for the Write Protect USB Removable Drives status in the drop-down list. \n\nTo remove write protection from USB removable drives, select OFF for the Write Protect USB Removable Drives status in the drop-down list."
*********** End of File ************
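The following Python script is an added example, not code from the original post. It parses a classic .ADM template into the registry key and value each policy writes, rejects unbalanced CATEGORY/POLICY/PART/ITEMLIST blocks before you import the file, and audits a registry snapshot against the template so you can confirm what a client actually received. ADM_TEXT is a constructed copy of two of the five policies above (the [strings] section is omitted since it only carries help text), and SNAPSHOT is a constructed dictionary standing in for HKLM; on a real client you would populate it from reg query or PowerShell Get-ItemProperty output. The to_reg helper renders the same writes as a .reg file, which is useful on a stand-alone machine or for diffing against a host.

```python
"""Parse a classic .ADM Administrative Template and audit registry values
against it.  Added example for this post (not the article's own code).
ADM_TEXT and SNAPSHOT below are constructed so the script runs offline."""
import re

TOKEN = re.compile(r'"[^"]*"|\S+')   # a quoted string or a bare word

# Constructed copy of two policies from removable_storage.adm (no [strings]).
ADM_TEXT = r'''
CLASS MACHINE
CATEGORY "Custom Policy Settings"
CATEGORY "Restrict Removable Drives"
POLICY "Disable USB Removable Drives"
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
PART "usbstor.sys driver status" DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME "Started" VALUE NUMERIC 3 DEFAULT
NAME "Stopped" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY "Write Protect USB Removable Drives"
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
PART "Write Protect USB Removable Drives status" DROPDOWNLIST REQUIRED
VALUENAME "WriteProtect"
ITEMLIST
NAME "Off" VALUE NUMERIC 0 DEFAULT
NAME "On" VALUE NUMERIC 1
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
'''

# Constructed HKLM snapshot: the GPO set USBSTOR to Stopped (Start = 4) and
# left write protection Not Configured.  Key paths are upper-cased because
# registry paths are case-insensitive.
SNAPSHOT = {r'SYSTEM\CURRENTCONTROLSET\SERVICES\USBSTOR': {'Start': 4}}


def parse_adm(text):
    """Return the POLICY blocks as dicts; raise ValueError on unbalanced nesting."""
    policies, stack, cur = [], [], None
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in TOKEN.findall(raw)]
        if not tokens or tokens[0].startswith(';'):
            continue                          # blank or comment line
        kw = tokens[0].upper()
        if kw == '[STRINGS]':
            break                             # only help text follows
        if kw == 'END':                       # END CATEGORY / POLICY / PART / ITEMLIST
            if not stack or stack[-1] != tokens[1].upper():
                raise ValueError(f'unexpected END {tokens[1]}, open blocks: {stack}')
            stack.pop()
            if tokens[1].upper() == 'POLICY':
                policies.append(cur)
        elif kw in ('CATEGORY', 'POLICY', 'PART', 'ITEMLIST'):
            stack.append(kw)
            if kw == 'POLICY':
                cur = {'name': tokens[1], 'keyname': None, 'parts': []}
            elif kw == 'PART':
                cur['parts'].append({'name': tokens[1], 'valuename': None, 'items': []})
        elif kw == 'KEYNAME':
            cur['keyname'] = tokens[1]
        elif kw == 'VALUENAME':
            cur['parts'][-1]['valuename'] = tokens[1]
        elif kw == 'NAME':                    # NAME "label" VALUE NUMERIC n [DEFAULT]
            cur['parts'][-1]['items'].append(
                {'label': tokens[1], 'value': int(tokens[4]),
                 'default': 'DEFAULT' in [t.upper() for t in tokens[5:]]})
    if stack:
        raise ValueError(f'unclosed blocks at end of file: {stack}')
    return policies


def audit(policies, registry):
    """Map each policy name to the item label its registry value selects.
    A missing value is Not Configured: the driver keeps its own default,
    so the device is NOT blocked."""
    report = {}
    for pol in policies:
        values = registry.get(pol['keyname'].upper(), {})
        for part in pol['parts']:
            data = values.get(part['valuename'])
            labels = [i['label'] for i in part['items'] if i['value'] == data]
            report[pol['name']] = (labels[0] if labels else 'Not Configured'
                                   if data is None else f'Unknown ({data})')
    return report


def to_reg(policies, choices):
    """Render the registry writes the GPO performs for the chosen labels as a
    .reg file (choices maps policy name -> item label)."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for pol in policies:
        if pol['name'] in choices:
            lines.append(f'[HKEY_LOCAL_MACHINE\\{pol["keyname"]}]')
            for part in pol['parts']:
                value = next(i['value'] for i in part['items']
                             if i['label'] == choices[pol['name']])
                lines.append(f'"{part["valuename"]}"=dword:{value:08x}')
            lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    pols = parse_adm(ADM_TEXT)
    for name, state in audit(pols, SNAPSHOT).items():
        print(f'{name}: {state}')
    print(to_reg(pols, {'Disable USB Removable Drives': 'Stopped'}))
```

Run it as-is and the audit reports the USB policy as Stopped and the write-protect policy as Not Configured; feed it a snapshot taken after the GPO was unlinked and you will see the Start value still reads 4, which is the tattooing behaviour to plan for.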
Step 2: Add the .adm file to the Administrative Templates of a GPO
Open the Group Policy Management Console (GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run box.
Right-click an existing GPO (or create a new GPO, then right-click it) and select Edit.
Because the template begins with CLASS MACHINE, its settings belong to the computer side of the GPO: expand Computer Configuration, right-click Administrative Templates and select Add/Remove Templates.
In the Add/Remove Templates window click Add.
Browse to the .ADM file you saved in Step 1 and click Open.
Verify that the new .ADM file is listed in the Add/Remove Templates window, then click Close.
Re-open the Administrative Templates section and browse to Custom Policy Settings > Restrict Removable Drives.
Step 3: To see and configure the new settings you must change the default filtering of the GPO Editor (gpedit.msc). Until you do, the right pane appears empty even though the settings are there: the template writes to keys under HKLM\SYSTEM\CurrentControlSet rather than to one of the Policies keys, so the editor classifies the settings as unmanaged "preferences" and hides them by default.
Follow these steps:
In gpedit.msc (or whichever GPO Editor window you are using) click View -> Filtering.
Clear the "Only show policy settings that can be fully managed" check-box and click OK.
The new settings now appear in the right pane and you can configure any of them. Because they are preferences, they remain in the client registry after the GPO is unlinked; to restore a driver, set the policy to Enabled with Started (not merely Not Configured) and let it apply. Computer settings take effect at the next policy refresh or after gpupdate /force, and, as the help text explains, a USB disk that was already attached when the setting applied keeps working.
Note: The .adm file in the inf directory is no longer needed once the template has been added, because it is copied into the GPO's folder on the Sysvol share. Keep it, however, if you expect to modify the template later.
-------------- End of Document -----------------
Tags: Active Directory, Group Policy, Windows 2003
Published Date: 20080507