Solved

lock down removable media

Posted on 2006-06-17
Last Modified: 2013-12-04
Hi All,

OK, an easier question than my last two...

We are coming up to budget time and I don't want to pay for anti virus licenses for the tills at our shops as that will save me a couple of thousand pounds...

If I lock down the removable media and access to the Internet then the only vector for viruses will be across the network. If the machines that are vulnerable (e.g. the Office PC and Server) have up-to-date virus protection, then in theory I don't need to protect the tills, as the network vector is also covered.

Ideally I would like to control access to the removable media through Group Policy (Windows 2003 Domain) for ease of administration. The only two relevant settings I could find were under user policy and are 'Prevent Access to Drives from My Computer' & 'Hide these specified drives in My Computer'. While this will prevent access to these drives by the user, will it prevent a malicious virus infecting the PC if inserted...?
Question by:SNRequip

Expert Comment

by:mrenos
ID: 16926401
Why go to all this trouble instead of installing some very nice FREEWARE antivirus (www.free-av.com) on each workstation with Microsoft Defender? Enable the Windows firewall, enable the automatic updates and you will be fine.
Also, don't forget: use Firefox instead of Internet Explorer. It's safer for the users and it has a lot of extensions that you can use.

Babs,
Hope this helps..

Accepted Solution

by:
jeffrash earned 125 total points
ID: 16932818
When you say you want to "lock down removable media", do you just want to lock out USB ports? Or do you also want to disallow installing unapproved software from places like CD-ROMs, FireWire devices and network shares? You could do some serious lockdowns by creating a GPO to allow software to only be installed from certain paths. But this can be a bit dangerous; do some practice in a non-production environment.

To just lock out USB access there are two files you can disallow access to via a "File System" GPO, they are:

%systemroot%\inf\usbstor.inf
%systemroot%\inf\usbstor.PNF

Just go to "Windows Settings\Security Settings\File System" in a new (or old) GPO and deny access to those you want to lock out (like "Everyone").

Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
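
One way to confirm that the File System GPO from the accepted answer has actually reached a till, as an added example that is not part of the original thread: this PowerShell check reports whether each of the two files carries a Deny ACE for the chosen principal. The `$DeniedIdentity` default and the status strings are assumptions made for the example.

```powershell
# Added example (not from the thread): audit the deny ACEs set by the File System GPO.
# Assumption: $DeniedIdentity is the principal your GPO denies (the answer suggests "Everyone").
param(
    [string]$DeniedIdentity = 'Everyone'
)

$files = @(
    (Join-Path $env:SystemRoot 'inf\usbstor.inf'),
    (Join-Path $env:SystemRoot 'inf\usbstor.PNF')
)

# Compare by SID so localized or domain-qualified account names still match.
$sid = (New-Object System.Security.Principal.NTAccount($DeniedIdentity)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($path in $files) {
    $status = 'NOT LOCKED: no deny ACE for the chosen principal'
    if (-not (Test-Path -LiteralPath $path)) {
        # Nothing to check on this machine for this file.
        $status = 'File not present'
    }
    else {
        try {
            $acl   = Get-Acl -LiteralPath $path -ErrorAction Stop
            $rules = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                # The ACE must be a Deny for our principal and must cover reading the file.
                $deniesRead = ([int]$rule.FileSystemRights -band $readData) -ne 0
                if ($rule.AccessControlType -eq 'Deny' -and
                    $rule.IdentityReference.Value -eq $sid -and $deniesRead) {
                    $status = 'Locked: deny ACE present'
                }
            }
        }
        catch {
            # A broad deny can also stop the auditing account from reading the ACL.
            $status = "ACL unreadable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Path = $path; Status = $status }
}
```

The referenced KB article treats machines on which a USB storage device has already been installed separately, so a "Locked" result on such a machine is not by itself proof that USB storage is blocked.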

Author Comment

by:SNRequip
ID: 16967288
Hi jeffrash, mrenos,

Sorry for the delay in response, budgets & audits going on, fun times...

Babs,

Thanks for the suggestion. I often forget the value of the freeware option when in corporate life; however, I like to avoid having to install and maintain individual apps on PCs wherever possible. The installation of Firefox also would be a major task in our environment.

Jeffrash,

Basically I want to stop all virus vectors to these machines other than via the network (so network shares are OK), as the network vectors are protected by Anti Virus, Webfilters, mailfilters etc. So that would include USB Ports, CD Drives & Floppy Drives.

Author Comment

by:SNRequip
ID: 16967320
Sorry, trigger happy with the submit button...

To continue, we use USB scanners, keyboards etc. but I assume that this setting wouldn't block those.

The idea of using GPO is to avoid having to disable the CD Drives/USB ports individually as this is a pain (65 machines) and also I'd like the flexibility of removing these settings as and when necessary.

Will have a tinker with the USB lockout suggestion, other than that I guess that as I know the Drive letter for these tills on the CD Drives I can use the Prevent Access to these Drives options.

So as long as I can lock down the Internet on these machines (again I'd like to do that centrally) they should be secure.