Re: Restricting access to removable media

From: Steven Umbach [MVP] (n9rou_at_comcast.com)
Date: 07/13/03 

Date: Sun, 13 Jul 2003 01:44:52 GMT

         Yes of course case has to be secured to protect cmos passwords, but if a standard USB cable is connected to a device such as a printer all bets are off as you mention. I am going to check out one of those third party programs one of these days. Pretty soon a dozen programs are going to be needed on a workstation just to protect users from themselves! --- Steve

  "Dmitry Korolyov" <d__k@nospamformorons.mail.ru> wrote in message news:#pymMgNSDHA.2084@TK2MSFTNGP11.phx.gbl...
  Yup, usb harddrives are the devils. Disabling devices/ports through bios setup and setting password won't work for many reasons - cant differentiate between legitimate usb printer and hard drive, there are vendor passwords, they can be broking by opening computer case and removing the battery...etc.

  The best I have so far is disabling services such as floppy and cdrom under hklm\...services\ in the registry (this can be done with custom template and GP) and setting permissions on them (with GP again) to restrict users from enabling them. This prevents floppies and cdroms. So far. And for all users at once, too, while we'd like to allow some users to use them.

  I tried to look towards floplock from reskit. Somehow it manages to set a security descriptor on cdrom and floppy device. Too bad it does not allow to choose which groups will have access - Power Users and Administrators by default. But there's some good news too - it sets permissions in a way which is compatible with some other programs which do the same. I hope to find out how its being done, to generalize the approach and apply it to any device I need.

  --
  Dmitry Korolyov
  d__k@nospamformorons.mail.ru
  To e-mail me, remove "nospamformorons"
  from the address.

    "Steven Umbach [MVP]" <n9rou@comcast.com> wrote in message news:JN1Qa.44205$OZ2.7216@rwcrnsc54...
             None that I know of other that configuring cmos settings [and password protecting them] and/or using a security case that does not allow user access to those devices/ports and still be able to do their work. There is a company that has a product that they clain will do what you ask - I have not tried out myself, but they do allow you to try it out for free. The USB devices are particulary bothersome as you mention. --- Steve

    http://www.protect-me.com/dl/
    http://securewave.com/products/securent/

      "Dmitry Korolyov" <d__k@nospamformorons.mail.ru> wrote in message news:u02ehCMSDHA.2084@TK2MSFTNGP11.phx.gbl...
      There's a need to restrict users from using any types of removable media. This may include floppy disks, CD/DVD, USB hard drives, zip drives and generally, any kinds of media which can be connected to the workstation. Is there a well-known solution for this?

      Removing devices physically won't work - for example, for USB drives. Plus, if possible, it is preferrable to restrict usage to certain users only, while allowing it to other users (for example, administrators).

      Thanks in advance.

      --
      Dmitry Korolyov
      d__k@nospamformorons.mail.ru
      To e-mail me, remove "nospamformorons"
      from the address.