enty66
asked on
USB Memory Stick GPO settings
We are trying to allow users of the XP Pro stations on our Windows 2003 Server domain to use their USB memory sticks whilst still maintaining the security of the XP Pro stations, i.e. we wish users to be able to use their USB memory sticks without being able to do anything else which would compromise security. Is there a GPO setting that allows this? Thanks
ASKER
Yes, sorry, it does sound a little vague. Basically we want users to be able to use their thumb drives, i.e. put them into the USB slot and use them to retrieve/save their work. I could do this by making them members of the Power Users group or local Administrators group BUT this would give them far too much control over the local machine.
Not sure this is possible without VISTA.
How are they being restricted today ?
ASKER
Yes, I believe Vista has vast improvements over the GPO control of USB devices. At the mo they are simply prohibited from using them, but this is becoming more and more of a hindrance.
Are you saying you want them to be able to copy work from their USB pen drives onto the PC BUT NOT SAVE BACK TO THE USB, i.e. prevent corporate info from potentially being taken off site on the pen drives?
The reg entries below allow you to read from the USB and copy to the PC but prevent you from writing back from that PC to the USB. You can of course then put the USB in another PC not in that domain, i.e. a laptop or one without these reg entries, and write to the USB, as it only affects PCs, not the actual USB.
I implemented a Group Policy in our Org to prevent just this using an ADM file, which stops data being taken off site but still allows the use, i.e. reading, of USB drives. It can also be used for USB floppies and CD drives.
Anyhow, below are the reg entries; try them on a PC.
But DO NOT have a USB device in when you apply the reg file. Just check the reg location, as it's just the DWORD that does the work.
BELOW are 2 simple reg files: if you double click the top one it disables USB pen drives, and the other re-enables the USB pen drives.
******************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
******************************************************************
The one below re-enables your USB pen drive
******************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
******************************************************************
Basically it's just the DWORD.
I'm not sure, to be honest, if I understand what you're trying to do, but if this is what you're trying to do throughout the company I will paste the ADM file and instructions on how to implement it.
Sorry if I've totally misunderstood what you are trying to achieve.
Another possibility... I haven't personally used GFI's endpointsecurity, but I have used other GFI products and I like them very much. From what you are trying to accomplish, I think this may be worth taking a look at anyway. GFI's endpointsecurity is fee-based, but they do offer 30-day trials.
http://www.gfi.com/endpointsecurity/
Hope this helps.
Here's the .ADM file I mentioned earlier.
It's late over here so I'm off to bed.
Save the below as a ".adm" file and call it along the lines of USBSTORAGE.ADM.
Then install it as an ADM file into a new Group Policy called whatever you want, and under:
HOW TO ADD AN ADM FILE
http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm
Once the ADM is installed, continue below with a new Group Policy called "USB write prevent", or whatever you want.
Computer Config > Admin Templates >
You will see a new policy called Custom Policy Settings.
In the right hand side, when you drill down into the last section, i.e. Restrict Drives, you won't at first see anything. Don't worry, right click in the right hand side in the empty white area and select
View > Filtering >, then tick "Only show configured policy settings" and untick "Only show policy settings that can be fully managed".
You will now have the option to enable/disable writing to USB pen drives/USB CD drives/USB floppy drives.
ADM file below
******************************************************************
CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname
    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB Removable Drives"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstor.sys driver status in the drop-down list. \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives; devices that were plugged in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example, 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstor.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the CD-ROM Drive select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the Floppy Drive select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the High Capacity Floppy Drive select STARTED for the sfloppy.sys driver status in the drop-down list."
labeltextusb="usbstor.sys driver status"
labeltextcd="cdrom.sys driver status"
labeltextflpy="flpydisk.sys driver status"
labeltextls120="sfloppy.sys driver status"
Enabled="Stopped"
Disabled="Started"
******************************************************************
ONLY SAVE INSIDE THE ASTERISKS
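An added example (not from any of the posts in this thread) that audits a regedit export for the "Start" DWORDs the reg files and the ADM file above write, so an admin can confirm on a fleet which storage drivers are actually set to disabled (4); the service list mirrors the ADM file and the sample .reg text is constructed:

```python
import re

# Service Control Manager start types held in a driver service's "Start" DWORD:
# 4 (disabled) is what the "Stopped" setting writes; 3 restores USBSTOR, 1 cdrom.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
# Driver services managed by the ADM file in the thread (compared case-insensitively).
STORAGE_SERVICES = ("USBSTOR", "Cdrom", "Flpydisk", "Sfloppy")
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # regedit exports are UTF-16 with a BOM
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        val = _DWORD_RE.match(line)
        if val and current is not None:
            result[current][val.group(1)] = int(val.group(2), 16)
    return result


def storage_driver_state(text: str) -> dict:
    """Map each storage driver service present in the export to its start type name."""
    state = {}
    for key, values in parse_reg(text).items():
        service = key.rsplit("\\", 1)[-1]
        for name in STORAGE_SERVICES:
            if service.lower() == name.lower() and "Start" in values:
                start = values["Start"]
                state[name] = START_TYPES.get(start, f"unknown({start})")
    return state


# Constructed sample export: USB storage blocked, CD-ROM driver at its default.
SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Cdrom]
"Start"=dword:00000001
"""
```

Feed it the text of `reg export HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR` (decoded from UTF-16) and any service reporting "disabled" is one the reg file or ADM policy has switched off.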
ASKER
Thanks for that; although it is not exactly what I was meaning, it is extremely useful. My problem, I think, is much less complex. Basically, I want to allow users the ability to insert and install USB pen drives without going to the extreme lengths of making them members of the Power Users or local Admins group, which would also give them the ability to delete local system files at will.
ASKER CERTIFIED SOLUTION
Got you.
Yes, it should allow them to install the USB device.
The users I allow to read from their USBs certainly DO NOT have install rights, as they are standard domain users.
enty66
Any update?
Would be interested to find out the outcome, as he should not have needed to have changed group membership to get the USB sticks to activate.
Could you clarify exactly what you want to prevent them from doing with their thumb drives?