Solved

Block USB Flash Drives?

Posted on 2012-04-06
Last Modified: 2012-05-14
We have a smaller network of about 50 computers.

We have SBS 2011.

We also have Symantec Endpoint protection 12.1

I'm wanting to block USB flash sticks on our network.

But I want it to be allowed completely at all times for some certain users (Our department heads etc), and for other users I want it to be possible only if I enter in a password for them.

Is there a way to accomplish this?

Thanks
0
Question by:Pancake_Effect
9 Comments
 
LVL 12

Expert Comment

by:FarWest
ID: 37817761
Sure, there is, and it is implemented in our network.
You can configure Policies - Application and Device Control that is implemented on that group and block all USB, and then make exceptions for other USB drivers that are in your network, like printers and scanners.

check this URL

http://www.symantec.com/business/support/index?page=content&id=TECH104299&locale=en_US

And if you need more help, I can provide you with screenshots from my environment.
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 37818471
There is one more option

http://www.netwrix.com/usb_blocker_freeware.html

This product will allow you to control USB devices on endpoints as per your requirements mentioned above (per user, per computer and password basis).
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37824460
fryezz, thanks for the link. It looks like I can simply block USB devices via Group Policy. That's a good start, but sometimes users do need legit reasons for using a USB memory stick, so if that happens I'm hoping for a way that I can walk over to their office while they are on it, and I can simply type in a password and be good to go for them to have temporary access. Changing Group Policy settings every time to let them have access could be a pain otherwise.

Gajendra_Rathod that looks like what I want it to do exactly, but it has some pretty bad reviews saying it's buggy and is not free after 50 computers.

I'm hoping to use our resources between Group Policy and Symantec to make this work (if possible). I inherited this network here recently and it's for healthcare, so it's quite important in my opinion to block USB ports... but like in most IT departments, it's always a problem of money, hence why I'm hoping to utilize free solutions or what we have already (Symantec 12.1 endpoint manager or Group Policy).
0
 
LVL 10

Assisted Solution

by:Gajendra Rathod
Gajendra Rathod earned 2000 total points
ID: 37824813
Please contact Netwrix support for a quotation for the above product, and I am sure they will reply to you, as it is a freeware product.

Please check the solution below:

http://www.symantec.com/business/support/index?page=content&id=TECH106304





You can block USB device installation using GPO.

You can restrict or allow devices by Device IDs or Device Setup Classes:

Computer Configuration
 Administrative Templates
  System
   Device Installation
    Prevent Installation of Devices that match any of these device IDs.

Computer Configuration
 Administrative Templates
  System
   Device Installation
    Prevent Installation of Devices using drivers that match these device setup classes.
0
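An endpoint-side check for the two Group Policy settings named in the answer above, added here as an example and not part of the original post. It assumes the settings are stored under the `DeviceInstall\Restrictions` policy key and uses the compatible ID `USB\Class_08` to stand for USB mass storage; adjust both to match what your GPO actually lists.

```powershell
# Added example: audit the Device Installation Restrictions policy on one PC.
# Assumption: the two GPO settings above are stored under this policy key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Assumption: compatible ID used here to represent USB mass-storage devices.
$wantedIds = @('USB\Class_08')

function Get-DenyList {
    param([Parameter(Mandatory = $true)][string]$Name)  # DenyDeviceIDs or DenyDeviceClasses
    $state = [ordered]@{ Enabled = $false; Retroactive = $false; Entries = @() }

    # The on/off flags are DWORD values on the Restrictions key itself.
    $flags = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if ($flags) {
        $state.Enabled     = ($flags.$Name -eq 1)
        $state.Retroactive = ($flags."${Name}Retroactive" -eq 1)
    }

    # The device IDs or class GUIDs are numbered string values in a subkey.
    $listKey = Get-Item -Path (Join-Path $base $Name) -ErrorAction SilentlyContinue
    if ($listKey) {
        $state.Entries = @($listKey.GetValueNames() |
            ForEach-Object { [string]$listKey.GetValue($_) })
    }
    [pscustomobject]$state
}

$ids     = Get-DenyList -Name 'DenyDeviceIDs'
$classes = Get-DenyList -Name 'DenyDeviceClasses'
$missing = @($wantedIds | Where-Object { $ids.Entries -notcontains $_ })

# The policy blocks installation; without the retroactive flag a device that
# was installed before the policy arrived keeps working, so report the flag.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    DenyIDsEnabled     = $ids.Enabled
    DenyIDsRetroactive = $ids.Retroactive
    DeniedIDs          = $ids.Entries -join '; '
    DenyClassesEnabled = $classes.Enabled
    DeniedClasses      = $classes.Entries -join '; '
    MissingWantedIDs   = $missing -join '; '
    UsbStorageCovered  = ($ids.Enabled -and $missing.Count -eq 0)
} | Format-List
```

Run it in an elevated PowerShell session after `gpupdate /force` on a test PC; `UsbStorageCovered : False` on a machine inside the restricted OU means the GPO has not applied or does not list the expected ID.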
 
LVL 12

Expert Comment

by:FarWest
ID: 37825548
What I know is that the Symantec End Point client allows you to enter the management password to get a one-time unlock (temporary override),
but I could not verify that now.
You can give it a try in your environment and see what options are available.
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37843313
I was able to successfully block USB via Symantec End Point, but I'm trying to figure out the one time unlock you spoke about. If I can get a one time unlock, that would work perfectly for all my dilemmas.
0
 
LVL 12

Expert Comment

by:FarWest
ID: 37843469
I think you can go on with this workaround (I did not try it, but I hope it will work :) )

Export the policy that enables USB to a shared folder, and when you go to the manager's office, import it.
After that, just run Update Policy (right-click the SEP client icon), and it will get everything back to normal.

For exporting and importing policies, check this:

http://www.symantec.com/business/support/index?page=content&id=TECH95478&locale=en_US
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37853255
I tried Netwrix and it doesn't allow you to specify gp objects, you have to apply it to the entire domain then set up the exclusions. I really didn't like the flexibility in that.

fryezz, that could work. I tried it out, but it's not really user friendly. My goal is to allow HR to do this also for users. It surprises me that Windows or Symantec doesn't have a built-in password system for USB devices.
0
 
LVL 10

Accepted Solution

by:Gajendra Rathod
Gajendra Rathod earned 2000 total points
ID: 37926242
Netwrix works at the OU level.

Create OUs based on department.

The Netwrix server can be installed on any machine in the domain.

I think it is a good application for USB blocking.
0

Question has a verified solution.
