WellingtonIS
asked on
Block USB Drives
I'm looking for a wa,y software, GPO, anything to block access to a USB mass storage device to any and all PC's in our network unless we approve them and they are password protected. We use XP on all of our desktops and server 2003 for our DC;s
Does anyone know of a way to do this or any software that may accomplish this?
Does anyone know of a way to do this or any software that may accomplish this?
ASKER
That's only part of it. I need to be able to allow those devices that we in IT approve. With the registry its all or nothing and with a GPO is by user name or pc name. I need to be able to distinguish by the device.
ASKER
We don't use endpoint. I'm looking at the software suggestion.
ASKER
Does anyone know of software that will allow me to block by device instead of user or computer? The problem is I want to all certain USB devices that come from IT if I create a registry entry or a GPO then that restricts either uses or computers but not the actual device. For example If I have a USB storage device for IT purposes, then I want to be able to use that device on any PC in the domain. If I create a GPO then I can't.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks! I'm going to look into this.
Apparently this is a duplicate question. The admins say the other post is going to be deleted and I won't get the points over there. Here is my answer from the other post:
GPO can stop USB devices, but the "unless we approve them" part isn't really possible in that context. However, after applying the policy, I guess you could remotely edit the user's registry and temporarily enable the setting again.
http://www.petri.co.il/forums/showthread.php?t=3299
http://www.mydigitallife.info/2008/06/26/disable-usb-removable-mass-storage-device-drive-access-in-windows/
http://www.intelliadmin.com/index.php/2006/04/disable-usb-drives/
GPO can stop USB devices, but the "unless we approve them" part isn't really possible in that context. However, after applying the policy, I guess you could remotely edit the user's registry and temporarily enable the setting again.
http://www.petri.co.il/forums/showthread.php?t=3299
http://www.mydigitallife.info/2008/06/26/disable-usb-removable-mass-storage-device-drive-access-in-windows/
http://www.intelliadmin.com/index.php/2006/04/disable-usb-drives/
ASKER
This did what we needed thanks.
how many computers you are looking at protecting / or how many computers are there in your environment.
1. what are the kind of usb device that you use. list all
2. what are the usb devices you want to block. list all.
1. what are the kind of usb device that you use. list all
2. what are the usb devices you want to block. list all.
ASKER
There are about 1200 in the domain. I'm want to disallow all USB Devices unless we (IT) give them out. I think we are going to use Lexar 4 gig devices.
how about keyboards mouse and headphone printers etc?
also are you looking at some end point security solutions?
ASKER
Keyboards, mice, printers need access. Endpoint would be fantastic however we use CA.
is ca not able to address to your need?
give me a mac address of any one machine , VID & PID key of USB Keyboards, mice, printers need access and any one of usb drive that you would like to work
give me a mac address of any one machine , VID & PID key of USB Keyboards, mice, printers need access and any one of usb drive that you would like to work
hey did u find a solution?
http://support.microsoft.com/kb/823732
http://support.microsoft.com/kb/555324