Re: How to restrict file access to Domain Computers Only
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 27 Aug 2006 14:28:37 -0500
I hope that helps out and be sure to test it but my initial test indicated
that if the user is logged onto a computer not in the list as I described
they will not be able to access domain shares. Also keep in mind that just
because users can not see USB drives might not mean that they can not be
accessed by the command line though I assume you have disabled command line
access including to command.com, which you could create a Software Restriction
Policy for, or disable 16 bit apps assuming none are needed in your network
via Group Policy computer configuration/administrative templates/Windows
components/application compatibility - prevent access to 16 bit applications
set to enabled. Also if you are not aware of it there is a registry mod for
XP SP2 where you can disable write access to USB devices which can be
implemented via a Group Policy startup script or creating a custom .adm for
computer configuration.
Steve
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx
Controlling block storage devices on USB buses
What does controlling block storage devices on USB buses do?
This feature provides the ability to set a registry key that will prevent
write operations to USB block storage devices, such as memory sticks. When
this registry key is enabled, the devices function only as read-only
devices. You can implement this setting as part of a security strategy to
prevent users from transporting data using these devices.
Who does this feature apply to?
- Users who do not want data to be written from their computer to a
  USB storage device.
- IT professionals who want to implement organization controls over
  the use of USB block storage devices
What settings are added or changed in Windows XP Service Pack 2
Setting name: WriteProtect
Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
Default value: DWORD=0
Possible values: 0 - Disabled, 1 - Enabled
"James" <none@xxxxxxxxx> wrote in message
news:%23PhYBYgyGHA.4176@xxxxxxxxxxxxxxxxxxxxxxx
Thanks to all for the good ideas. I never thought of restricting their
ability to logon from other computers. That sounds like the solution I
want.
I'm not really looking for a foolproof solution. If they are determined, it
will take someone better than I to stop them. But, all email is monitored
and sending files without consent is a releasable offense; remote "personal"
mailboxes are prohibited (and Internet traffic is monitored); and USB
devices do not appear in My Computer or Windows Explorer.
The home laptop, on the other hand, seemed like a huge gaping hole that
needed a plug; even an imperfect one.
Thanks again.
Later.
James
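
The startup-script approach mentioned in the reply above, as an added example that is not part of the original thread or of the Microsoft documentation: a script that reports the WriteProtect state and, when asked, sets it and reads it back. It assumes PowerShell is available on the target computer and that the script runs with administrative rights (as a computer startup script does); the -Enforce switch and the function name are hypothetical names chosen for this example.

```powershell
# Added example: audit or enforce the WriteProtect value quoted above.
param(
    [switch]$Enforce   # hypothetical switch: without it the script only reports
)

$keyPath   = 'HKLM:\System\CurrentControlSet\Control\StorageDevicePolicies'
$valueName = 'WriteProtect'
$desired   = 1   # 1 = Enabled (USB block storage is read-only), 0 = Disabled

function Get-WriteProtectState {
    # Returns $null when the key or the value is absent; this script
    # treats that the same as "not enabled".
    if (-not (Test-Path -Path $keyPath)) { return $null }
    $prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$valueName
}

$current = Get-WriteProtectState
if ($current -eq $desired) {
    Write-Output ('{0}: WriteProtect is 1, USB write protection is enabled.' -f $env:COMPUTERNAME)
    exit 0
}

$shown = if ($null -eq $current) { 'not set' } else { $current }
if (-not $Enforce) {
    # Audit mode: report the gap and signal it through the exit code.
    Write-Output ('{0}: WriteProtect is {1}, expected 1.' -f $env:COMPUTERNAME, $shown)
    exit 1
}

# Enforce mode: create the key if it is missing, then write the DWORD.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $desired -Force | Out-Null

# Read the value back so a failed write is not reported as success.
if ((Get-WriteProtectState) -ne $desired) {
    Write-Error ('{0}: could not set WriteProtect to 1.' -f $env:COMPUTERNAME)
    exit 2
}
Write-Output ('{0}: WriteProtect changed from {1} to 1.' -f $env:COMPUTERNAME, $shown)
exit 0
```

Exit code 0 means the value is 1, 1 means audit mode found it missing or different, and 2 means the write could not be confirmed.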