SNRequip
asked on
lock down removable media
Hi All,
OK, an easier question than my last two...
We are coming up to budget time and I don't want to pay for anti virus licenses for the tills at our shops as that will save me a couple of thousand pounds...
If I lock down the removable media and access to the Internet then the only vector for viruses will be accross the network, if the machines that are vunerable (e.g. the Office PC and Server) have up to date virus protection then in theory I don't need to protect the tills as the network vector is also covered.
Ideally I would like like to control access to the removable media through Group Policy (Windows 2003 Domain) for ease of administration, the only two relevent settings I could find where under user policy and are 'Prevent Access to Drives from My Computer' & 'Hide these specified drives in My Computer', while this will prevent access to these drives by the user will it prevent a malicious virus infecting the PC if inserted...?
OK, an easier question than my last two...
We are coming up to budget time and I don't want to pay for anti virus licenses for the tills at our shops as that will save me a couple of thousand pounds...
If I lock down the removable media and access to the Internet then the only vector for viruses will be accross the network, if the machines that are vunerable (e.g. the Office PC and Server) have up to date virus protection then in theory I don't need to protect the tills as the network vector is also covered.
Ideally I would like like to control access to the removable media through Group Policy (Windows 2003 Domain) for ease of administration, the only two relevent settings I could find where under user policy and are 'Prevent Access to Drives from My Computer' & 'Hide these specified drives in My Computer', while this will prevent access to these drives by the user will it prevent a malicious virus infecting the PC if inserted...?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi jeffrash, mrenos,
Sorry for the delay in response, budgets & audits going on, fun times...
Babs,
Thanks for the suggestion, often forget the value of freeware option when in corporate life however I like to avoid having to install and maintain individual apps on PCs where ever possible, the installation of firefox also would be a major task in our environment.
Jeffash,
Basically I want to stop all virus vectors to these machines other than via the network (so network shares are OK) as the network vectors are protected by Anti Virus, Webfilters, mailfilters etc, so that would include USB Ports, CD Drives & Floppy Drives
Sorry for the delay in response, budgets & audits going on, fun times...
Babs,
Thanks for the suggestion, often forget the value of freeware option when in corporate life however I like to avoid having to install and maintain individual apps on PCs where ever possible, the installation of firefox also would be a major task in our environment.
Jeffash,
Basically I want to stop all virus vectors to these machines other than via the network (so network shares are OK) as the network vectors are protected by Anti Virus, Webfilters, mailfilters etc, so that would include USB Ports, CD Drives & Floppy Drives
ASKER
Sorry, trigger happy with the submit button...
To continue, we use usb scanners, keyboards etc but I assume that this setting wouldn't block those.
The ide of using GPO is to avoid having to disable the CD Drives/USB ports individually as this is a pain (65 machines) and also I'd like the flexibility of removing these settings as and when neccessary.
Will have a tinker with the USB lockout suggestion, other than that I guess that as I know the Drive letter for these tills on the CD Drives I can use the Prevent Access to these Drives options.
So as long as I can lock down the Internet on these machines (again I'd like to do that centrally) they should be secure.
To continue, we use usb scanners, keyboards etc but I assume that this setting wouldn't block those.
The ide of using GPO is to avoid having to disable the CD Drives/USB ports individually as this is a pain (65 machines) and also I'd like the flexibility of removing these settings as and when neccessary.
Will have a tinker with the USB lockout suggestion, other than that I guess that as I know the Drive letter for these tills on the CD Drives I can use the Prevent Access to these Drives options.
So as long as I can lock down the Internet on these machines (again I'd like to do that centrally) they should be secure.
Also, don't forget..Use firefox instead of internet explorer, it's safer for the users and it has a lot of extensions where you can use.
Babs,
Hope this helps..