Solved

lock down removable media

Posted on 2006-06-17
4
521 Views
Last Modified: 2013-12-04
Hi All,

OK, an easier question than my last two...

We are coming up to budget time and I don't want to pay for anti virus licenses for the tills at our shops as that will save me a couple of thousand pounds...

If I lock down the removable media and access to the Internet then the only vector for viruses will be accross the network, if the machines that are vunerable (e.g. the Office PC and Server) have up to date virus protection then in theory I don't need to protect the tills as the network vector is also covered.

Ideally I would like like to control access to the removable media through Group Policy (Windows 2003 Domain) for ease of administration, the only two relevent settings I could find where under user policy and are 'Prevent Access to Drives from My Computer' & 'Hide these specified drives in My Computer', while this will prevent access to these drives by the user will it prevent a malicious virus infecting the PC if inserted...?
0
Comment
Question by:SNRequip
  • 2
4 Comments
 
LVL 4

Expert Comment

by:mrenos
ID: 16926401
Why do all this trouble and don't install some very nice FREEWARE antivirus ( www.free-av.com) on each workstation with Microsoft Defender, enable the windows firewall, enable the automatic updates and you will be fine..
Also, don't forget..Use firefox instead of internet explorer, it's safer for the users and it has a lot of extensions where you can use.

Babs,
Hope this helps..
0
 
LVL 3

Accepted Solution

by:
jeffrash earned 125 total points
ID: 16932818
When you say you want to "lock down removable media", do you just want to lock out USB ports? Or do you also want to disallow installing unapproved software from places like CD ROM's, firewire devices and network shares? You could do some serious lockdowns by creating a GPO to allow software to only be installed from certain paths. But this can be a bit dangerous, do some practice in a non-production environment.

To just lock out USB access there are two files you can disallow access to via a "File System" GPO, they are:

%systemroot%\inf\usbstor.inf
%systemroot%\inf\usbstor.PNF

Just go to "Windows Settings\Security Settings\File System" in a new (or old) GPO and deny access to those you want to lock out (like "Everyone")

Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
0
 

Author Comment

by:SNRequip
ID: 16967288
Hi jeffrash, mrenos,

Sorry for the delay in response, budgets & audits going on, fun times...

Babs,

Thanks for the suggestion, often forget the value of freeware option when in corporate life however I like to avoid having to install and maintain individual apps on PCs where ever possible, the installation of firefox also would be a major task in our environment.

Jeffash,

Basically I want to stop all virus vectors to these machines other than via the network  (so network shares are OK) as the network vectors are protected by Anti Virus, Webfilters, mailfilters etc, so that would include USB Ports, CD Drives & Floppy Drives
0
 

Author Comment

by:SNRequip
ID: 16967320
Sorry, trigger happy with the submit button...

To continue, we use usb scanners, keyboards etc but I assume that this setting wouldn't block those.

The ide of using GPO is to avoid having to disable the CD Drives/USB ports individually as this is a pain (65 machines) and also I'd like the flexibility of removing these settings as and when neccessary.

Will have a tinker with the USB lockout suggestion, other than that I guess that as I know the Drive letter for these tills on the CD Drives I can use the Prevent Access to these Drives options.

So as long as I can lock down the Internet on these machines (again I'd like to do that centrally) they should be secure.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question