?
Solved

GPO and USB flash drives

Posted on 2010-09-20
10
Medium Priority
?
1,816 Views
Last Modified: 2012-06-27
Hi guys

I have been searching the net for a while on how to disable USB flash drives via GPO, most of the information I have found is to disable the autorun function; this is however not what I am looking for.
The company I work for considers it's data to be very sensitive and would like to prohibit any employee (apart from top management) from using a flash drive and/or be able to copy data from the server to their PC's. I know I can disable USB ports via the BIOS but that would mean that mice and keyboards would also stop working.

So, in short, can anyone point me in the direction of some useful information regarding GPO and the restriction of moving/coping data off the companies file server? We are running Server 2008 R2

Thanks in advance.
0
Comment
Question by:DJMohr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
  • +1
10 Comments
 
LVL 8

Accepted Solution

by:
McNetic earned 2000 total points
ID: 33722850
There is no reliable way to disable flash drives (which also could be memory cards) by GPO, you need 3rd party tools like http://www.drivelock.com/, http://www.devicelock.com/, etc.
0
 
LVL 1

Author Comment

by:DJMohr
ID: 33722870
@ McNetic

How about completely restricting the option of moving data off the server?
0
 
LVL 2

Expert Comment

by:sushil_dias
ID: 33722875
This should answer your question
http://www.petri.co.il/disable_usb_disks_with_gpo.htm 
0
Video: Liquid Web Managed WordPress Comparisons

If you run run a WordPress, you understand the potential headaches you may face when updating your plugins and themes. Do you choose to update on the fly and risk taking down your site; or do you set up a staging, keep it in sync with your live site and use that to test updates?

 
LVL 3

Expert Comment

by:Puzatiy
ID: 33722919
You can restict them in GPO by restict spicifical diveces :
Go to >>> Computer > Configuration > | > Administrative Templates > | > System > | > Device Installation > | > Device Installation Restrictions

Then you just need to copy or insert there Hardware Id (Ids)
That you can see in any computer wan you inserting any usb device in > divece manager in propartice of Specifila USB.
image0041221558635264.jpg
image0061221558635264.jpg
image0121221558658905.jpg
0
 
LVL 1

Author Comment

by:DJMohr
ID: 33723024
Will try these suggestions and report back.
0
 
LVL 8

Expert Comment

by:McNetic
ID: 33723101
This is no real security. Users will still be able to use card readers, digital cameras, etc. etc. for transfering data.
0
 
LVL 1

Author Comment

by:DJMohr
ID: 33723256
Yea the GPO doesn't work/doesn't do what I'm looking to do.
0
 
LVL 3

Expert Comment

by:Puzatiy
ID: 33723357
More good advice

When you enering USB or Camera or other device its automaticliy istalling Driver and doing few inputs in to the Registry
You can take that place in GPO and restict any key changing (Set up only administrator permitions on thouse keys)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
But its will only prevent usage of newly plugged-in USBs

Or you know what you even have Dkey there that called USBSTOR
Its setted on "Start"=dword:00000003
and if you want to disable it to them soo chage it to 00000004.

Go to GPMC >>> Your Policy > Computer Configuration > Secrurity Settings > Registry
righ click > Add Key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
Dword 00000004 (To Disable)
or
Dword 00000003 (To Enable)
enable-usb-store.reg
disable-usb-store.reg
1.bmp
0
 
LVL 1

Author Comment

by:DJMohr
ID: 33743130
@ McNetic

seems like those packages you suggested will do the trick.
Thanks
0
 
LVL 1

Author Closing Comment

by:DJMohr
ID: 33743134
...
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question