DJMohr
asked on
GPO and USB flash drives
Hi guys
I have been searching the net for a while on how to disable USB flash drives via GPO. Most of the information I have found is to disable the autorun function; this is, however, not what I am looking for.
The company I work for considers its data to be very sensitive and would like to prohibit any employee (apart from top management) from using a flash drive and/or being able to copy data from the server to their PCs. I know I can disable USB ports via the BIOS, but that would mean that mice and keyboards would also stop working.
So, in short, can anyone point me in the direction of some useful information regarding GPO and the restriction of moving/copying data off the company's file server? We are running Server 2008 R2.
Thanks in advance.
You can restrict them in GPO by restricting specific devices:
Go to >>> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Then you just need to copy or insert the hardware ID (IDs) there.
You can see that on any computer when you insert any USB device: in Device Manager, in the properties of the specific USB device.
ASKER
Will try these suggestions and report back.
This is no real security. Users will still be able to use card readers, digital cameras, etc. for transferring data.
ASKER
Yea the GPO doesn't work/doesn't do what I'm looking to do.
More good advice
When you insert a USB drive, camera or other device, it automatically installs a driver and makes a few entries in the registry.
You can target that location in GPO and restrict any changes to the keys (set administrator-only permissions on those keys):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
But it will only prevent usage of newly plugged-in USBs.
Or, you know what, you even have a key there called USBSTOR.
It is set to "Start"=dword:00000003
and if you want to disable it for them, change it to 00000004.
Go to GPMC >>> Your Policy > Computer Configuration > Security Settings > Registry
right-click > Add Key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
Dword 00000004 (To Disable)
or
Dword 00000003 (To Enable)
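The following PowerShell script is an added example, not code from this thread or from either poster. It reads the USBSTOR Start value described in the answer above and lists the hardware IDs of USB storage devices the machine has already enumerated, which are the kind of IDs the Device Installation Restrictions policy takes. The -Disable switch and the function names are assumptions of this example.

```powershell
# Added example: audit the USBSTOR driver start type and list USB storage
# devices this machine has seen. Read-only unless -Disable is passed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # hypothetical switch: set Start=4 (run elevated)
)

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorState {
    # Start = 3 -> driver loads on demand (enabled); Start = 4 -> disabled
    $p = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotPresent' }
    switch ($p.Start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { "Other($($p.Start))" }
    }
}

function Get-SeenUsbStorageDevice {
    # One subkey per device model, one subkey below it per instance (serial).
    if (-not (Test-Path $enumKey)) { return }
    foreach ($model in Get-ChildItem -Path $enumKey) {
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            New-Object PSObject -Property @{
                FriendlyName = $props.FriendlyName
                Instance     = $instance.PSChildName
                # HardwareID is a multi-string value; join it for display
                HardwareIds  = @($props.HardwareID) -join '; '
            }
        }
    }
}

"USBSTOR driver state on ${env:COMPUTERNAME}: $(Get-UsbStorState)"
Get-SeenUsbStorageDevice | Format-List FriendlyName, Instance, HardwareIds

if ($Disable -and $PSCmdlet.ShouldProcess($svcKey, 'Set Start to 4')) {
    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
    "USBSTOR driver state is now: $(Get-UsbStorState)"
}
```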
ASKER
@ McNetic
seems like those packages you suggested will do the trick.
Thanks
ASKER
...
ASKER
How about completely restricting the option of moving data off the server?