Solved

lock down removable media

Posted on 2006-06-17
4
518 Views
Last Modified: 2013-12-04
Hi All,

OK, an easier question than my last two...

We are coming up to budget time and I don't want to pay for anti virus licenses for the tills at our shops as that will save me a couple of thousand pounds...

If I lock down the removable media and access to the Internet then the only vector for viruses will be accross the network, if the machines that are vunerable (e.g. the Office PC and Server) have up to date virus protection then in theory I don't need to protect the tills as the network vector is also covered.

Ideally I would like like to control access to the removable media through Group Policy (Windows 2003 Domain) for ease of administration, the only two relevent settings I could find where under user policy and are 'Prevent Access to Drives from My Computer' & 'Hide these specified drives in My Computer', while this will prevent access to these drives by the user will it prevent a malicious virus infecting the PC if inserted...?
0
Comment
Question by:SNRequip
  • 2
4 Comments
 
LVL 4

Expert Comment

by:mrenos
Comment Utility
Why do all this trouble and don't install some very nice FREEWARE antivirus ( www.free-av.com) on each workstation with Microsoft Defender, enable the windows firewall, enable the automatic updates and you will be fine..
Also, don't forget..Use firefox instead of internet explorer, it's safer for the users and it has a lot of extensions where you can use.

Babs,
Hope this helps..
0
 
LVL 3

Accepted Solution

by:
jeffrash earned 125 total points
Comment Utility
When you say you want to "lock down removable media", do you just want to lock out USB ports? Or do you also want to disallow installing unapproved software from places like CD ROM's, firewire devices and network shares? You could do some serious lockdowns by creating a GPO to allow software to only be installed from certain paths. But this can be a bit dangerous, do some practice in a non-production environment.

To just lock out USB access there are two files you can disallow access to via a "File System" GPO, they are:

%systemroot%\inf\usbstor.inf
%systemroot%\inf\usbstor.PNF

Just go to "Windows Settings\Security Settings\File System" in a new (or old) GPO and deny access to those you want to lock out (like "Everyone")

Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
0
 

Author Comment

by:SNRequip
Comment Utility
Hi jeffrash, mrenos,

Sorry for the delay in response, budgets & audits going on, fun times...

Babs,

Thanks for the suggestion, often forget the value of freeware option when in corporate life however I like to avoid having to install and maintain individual apps on PCs where ever possible, the installation of firefox also would be a major task in our environment.

Jeffash,

Basically I want to stop all virus vectors to these machines other than via the network  (so network shares are OK) as the network vectors are protected by Anti Virus, Webfilters, mailfilters etc, so that would include USB Ports, CD Drives & Floppy Drives
0
 

Author Comment

by:SNRequip
Comment Utility
Sorry, trigger happy with the submit button...

To continue, we use usb scanners, keyboards etc but I assume that this setting wouldn't block those.

The ide of using GPO is to avoid having to disable the CD Drives/USB ports individually as this is a pain (65 machines) and also I'd like the flexibility of removing these settings as and when neccessary.

Will have a tinker with the USB lockout suggestion, other than that I guess that as I know the Drive letter for these tills on the CD Drives I can use the Prevent Access to these Drives options.

So as long as I can lock down the Internet on these machines (again I'd like to do that centrally) they should be secure.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
OfficeMate Freezes on login or does not load after login credentials are input.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now