RE: How to disable all floppy drives on the network

TSimons_at_Delphi-Tech.com
Date: 12/11/03

  • Next message: marco2: "RE: How to disable all floppy drives on the network"
    To: annie.leung@bcliquorstores.com, j_hanekom@hotmail.com, focus-ms@securityfocus.com
    Date: Wed, 10 Dec 2003 19:08:31 -0500
    
    

    Same as the Floppy, just disable:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

    -----Original Message-----
    From: Leung, Annie LDB:EX
    To: 'Jannie Hanekom'; focus-ms@securityfocus.com
    Cc: sakaba@alexandria.cc
    Sent: 12/10/2003 3:41 PM
    Subject: RE: How to disable all floppy drives on the network

    FYI.

    I bought a USB storage device of 64 MB early this year. I gave it to my
    husband for him to save his PowerPoint files at work. However, his
    workstation failed to accept it and he asked their administrator, who
    said it is the company policy that they don't allow these devices and
    the platform is actually configured to not accept these USB devices.

    I don't know how they do that, whether by workstation or by GPO.

    Annie Leung

    -----Original Message-----
    From: Jannie Hanekom [mailto:j_hanekom@hotmail.com]
    Sent: Wednesday, December 10, 2003 11:02 AM
    To: focus-ms@securityfocus.com
    Cc: sakaba@alexandria.cc
    Subject: RE: How to disable all floppy drives on the network

    If you can disable the "Floppy Disk" driver through a policy, you'll
    probably meet management's requirement, though many would see the logic
    as flawed. The "Hide these specified drives" user policy is also quite
    useful in enforcing this type of limit.

    Note that disabling the floppy driver doesn't prevent people from
    sticking in ZIP drives, LS-120 drives, CD Writers, USB Storage Keys,
    Infrared, USB Wireless LAN adapters, printers, or any other type of
    removable storage/transfer mechanism. Hiding drives is somewhat useful
    for that, but you'll have to disable the Command Prompt in conjunction
    with that. (Any application that doesn't use the standard Windows File
    Open/Save/Browse dialogs will still provide access to the removable
    device.) The floppy disk driver key is at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk

    You can change the "Start" type to one of the following:
    0x00 Boot
    0x01 System
    0x02 Auto load
    0x03 Load on demand
    0x04 Disabled

    You can possibly set up your own ADM template for this, but I'm
    speculating it will be possible to add this into the "System Services"
    list in Group Policies. Try adding the following into the relevant
    policy's GptTmpl.inf file in
    Sysvol\<domain>\Policies\<UUID>\Machine\Microsoft\Windows NT\SecEdit:

    [Service General Setting]
    FlpyDisk,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"

    You can get the UUID of the policy by displaying its properties in AD
    Users & Computers. The line above should add a "FlpyDisk" entry under
    System Services in the group policy you added it to. Open the Group
    Policy, change anything (just to notify AD that it has changed) and
    close it. I've not tested it, but in theory applying the policy now
    will disable the floppy driver.

    Just be careful with applying this policy to all computers - limit
    "Apply Group Policy" to only a test set of workstations to verify that
    this actually works.

    Jannie

    -----Original Message-----
    From: Sakaba [mailto:Sakaba@alexandria.cc]
    Sent: 10 December 2003 05:46
    To: focus-ms@securityfocus.com
    Subject: How to disable all floppy drives on the network

    Hi everyone,

    I got an AD network running mostly Win2k and WinXP. All our client PCs
    have floppy drives but I've been asked by management to remove them to
    prevent users from putting data on floppies which, short of encrypting
    the files, lack security. This is obviously very time consuming so I'm
    looking for a way to simply disable them.

    - The group policy setting that limits access to the locally logged in
    user is no good because the drive still shows up to many applications
    that were installed under local admin.

    - I can disable each drive via AD users/computers-->manage computer
    (one at a time)-->disable floppy device. This is very time consuming
    because I can't manage multiple computers at a time and we are talking
    about thousands of boxes.

    I was thinking maybe a WMI script might do it but I'm a neophyte in
    that area so I'm not sure. Any ideas?

    Best Regards,
    sakaba
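
The following PowerShell script is an added example, not part of the original thread and not written by its participants. It reports the `Start` value of the `Flpydisk` and `USBSTOR` service keys named in the messages above and, with the hypothetical `-Enforce` switch, sets it to 4 (Disabled); it assumes it runs locally with administrative rights, for instance as a computer startup script.

```powershell
# Added example (not from the thread): audit and optionally enforce the
# "Start" value of the storage driver services named in the thread.
# Assumption: run locally with administrative rights.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Service key names taken from the thread.
    [string[]]$Service = @('Flpydisk', 'USBSTOR'),
    # Hypothetical switch: without -Enforce the script only reports.
    [switch]$Enforce
)

# Start types as listed in the thread.
$StartType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto load'; 3 = 'Load on demand'; 4 = 'Disabled' }
$Disabled  = 4

foreach ($name in $Service) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    if (-not (Test-Path -Path $key)) {
        # Driver service is not registered on this machine; nothing to disable.
        [pscustomobject]@{ Service = $name; Start = $null; State = 'Key not present'; Changed = $false }
        continue
    }

    $current = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $changed = $false

    # Only write when asked to, when the value differs, and when -WhatIf/-Confirm allow it.
    if ($Enforce -and $current -ne $Disabled -and
        $PSCmdlet.ShouldProcess($key, "Set Start to $Disabled (Disabled)")) {
        Set-ItemProperty -Path $key -Name Start -Value $Disabled -Type DWord
        $changed = $true
        $current = $Disabled
    }

    # One result object per service, suitable for Export-Csv or central collection.
    [pscustomobject]@{
        Service = $name
        Start   = $current
        State   = if ($null -eq $current) { 'No Start value' } else { $StartType[[int]$current] }
        Changed = $changed
    }
}
```

Running it without `-Enforce`, or with `-Enforce -WhatIf`, on a test set of workstations first matches the caution given in the thread about applying the policy everywhere at once.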
