RE: Disabling USB mass storage
From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 03/05/05
- Previous message: Laura A. Robinson: "RE: Folder Encryption"
- In reply to: Steven Hay: "RE: Disabling USB mass storage"
- Next in thread: Kurt Dillard: "RE: Disabling USB mass storage"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 05 Mar 2005 13:00:37 -0500
To: "'Steven Hay'" <shay@communitysavings.ca>, "'Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]'" <sbradcpa@pacbell.net>
Inline comments...
> Yes, we've looked at that document. There are two problems
> with the "MS fix" however:
>
> 1. It's a daunting task to justify the cost in time of
> logging into over 600 systems one at a time to change the
> registry on each to disable usb drive creation. MS didn't
> seem to think about this on an enterprise scale.
Script it.
> We
> considered just batching up a large reg change to push out as
> well; but this would mean we couldn't know if they all worked
> or failed for sure,
As part of your script, have it report back on the status.
> as well we were concerned about the
> potential for systems failure as direct reg edits can be
> risky.
Roll it out as you would anything- in stages, not all at once.
> Even if only 2% of the systems failed, it wouldn't be
> worth the downtime costs.
That's the risk you take with *anything* you do to a machine, however.
Installing software could render a machine useless. That's why you test, and
pilot, and roll out in batches.
>
> 2. We would like for IT staff and a few select managers and
> systems to be allowed access.
You could still accomplish this via scripting and GPOs to assign the
scripts; possibly a little WMI filtering, as well. Use scripts to determine
which machines have USB devices installed and would therefore need the
registry modification. Using GPOs to set permissions on the usb files is
trivial and would easily allow you to grant some managers and administrators
access.
> USB keys when properly used
> can be a powerful tool for our IT staff. This would be an
> "all or nothing" approach. Something on the network level is
> much more preferable to the system level, and I'm guessing
> sysadmins who work on 500+ node decentralized networks are in
> the same boat.
Nope. We have around 12,000 employee machines (8,000 employees) and 200,000
customer machines- all over the world. Every continent/country with the
possible exception of Antarctica. Obviously we don't manipulate USB on our
customer machines, but everything we do has to be deployable on a very large
scale. This is why we script, and use WMI, and of course, why we use
enterprise management software, as well. It's also why we have a staff of
1,200 programmers, but that's another story. :-)
>
> We tried restricting usbstor.sys through the GPO, but I think
> the file gets local system level access and runs anyways
> <grumble grumble>.
Then something was done incorrectly, I would suspect. Either the policy
wasn't correct, was not applied or the machines already had USB devices
installed. Reading below, it appears it was the last item- these machines
*already* had USB devices installed, which need to be addressed via the
registry modification, as noted in the KB article Susan gave you.
Laura
<snip>
> HOW TO: Disable the Use of USB Storage Devices in Windows XP:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
>
> Disable completely?
>
> Steven Hay wrote:
>
> >Good topic question, one we're having issues with as well,
> but with XP
> >SP1.
> >
> >We want to disable any removable drives from working on our 400+
> >workstations without having to visit each one.
> >
> >I tried denying access to usbstor.sys in the GPO, and confirmed that
> >the policy was applied to our test system. But it seems like the
> >system privileges override the GPO rights (I'm guessing) as the
> >removable drive letter pops up and is usable when a USB drive is
> >connected.
> >
> >Anyone have any experience with locking these down using GPO?
> >
> >Steve
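The "script it, and have it report back" approach Laura describes, as an added example that is not part of the thread: it audits a list of machines for an installed USB storage driver, disables it where found, exempts a named set of machines, and writes a per-host status report so a staged rollout can be verified. It assumes PowerShell remoting is enabled and the caller is a local administrator; the file name computers.txt and the -Exempt list are placeholders. The registry value is the one the Microsoft KB article in the thread documents (UsbStor Start = 4 disables the service, 3 restores it).

```powershell
# Added example (not from the thread): audit and disable the USB storage driver
# on many machines at once, reporting status per host instead of changing blindly.
# Assumes PS remoting is enabled and the caller has local admin rights on targets.
param(
    [string[]]$ComputerName = (Get-Content .\computers.txt),  # constructed input: one host per line
    [string[]]$Exempt       = @(),                             # hosts that keep USB storage (IT staff, managers)
    [string]$ReportPath     = ".\usbstor-report.csv",
    [switch]$AuditOnly                                         # pilot pass: report only, change nothing
)

$remoteBlock = {
    param([bool]$Audit)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME; DriverInstalled = $false
        StartBefore = $null; StartAfter = $null; Action = 'none'
    }
    # The UsbStor service key only exists once a USB storage device has been
    # plugged into this machine; hosts without it need the INF permission route instead.
    if (-not (Test-Path $key)) { $result.Action = 'no usbstor key (use INF permissions)'; return $result }
    $result.DriverInstalled = $true
    $result.StartBefore = (Get-ItemProperty $key -Name Start).Start
    if ($Audit) { $result.Action = 'audit'; return $result }
    if ($result.StartBefore -ne 4) {
        Set-ItemProperty $key -Name Start -Value 4 -Type DWord   # 4 = disabled per KB 823732
        $result.Action = 'disabled'
    } else { $result.Action = 'already disabled' }
    $result.StartAfter = (Get-ItemProperty $key -Name Start).Start   # read back to confirm
    return $result
}

$targets = $ComputerName | Where-Object { $_ -notin $Exempt }
$report = foreach ($c in $targets) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $remoteBlock -ArgumentList $AuditOnly.IsPresent -ErrorAction Stop
    } catch {
        # Unreachable or failed hosts are recorded, not silently skipped
        [pscustomobject]@{ Computer = $c; DriverInstalled = $null; StartBefore = $null
                           StartAfter = $null; Action = "FAILED: $($_.Exception.Message)" }
    }
}
$report | Select-Object Computer, DriverInstalled, StartBefore, StartAfter, Action |
    Export-Csv $ReportPath -NoTypeInformation
$report | Group-Object Action | Select-Object Name, Count   # rollout summary: how many succeeded/failed
```

Run it first with -AuditOnly against a pilot batch and review the CSV before widening the target list.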