?
Solved

removable storages Blocking

Posted on 2013-11-27
2
Medium Priority
?
225 Views
Last Modified: 2013-12-24
Hi,
In my organization antivirus through we are blocking USB Storage Drives (Pen drive ,External HDD,Memory Cards)  but safe mode is not blocking users are logged in safe they copying data.

I am trying to blocking USB Group Policy  through but not working.

please advise how to control Pen drive blocking .

all systems are running  in windows-7 OS.


Thanks,
Sri
0
Comment
Question by:sreenivas_u
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 

Expert Comment

by:EdservG
ID: 39681773
Hi,

The block using GPO depends to GPO apply on user login. If users that use safe mode to access USB don't log on domain, this configuration don't work to block access. Only if users use safe mode with network this show result.

To create a GPO that blocks USB Storage use this: http://support.microsoft.com/kb/555324/

Thanks,
Edserv
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 1000 total points
ID: 39683274
In Windows Server 2008 domain, there are a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage device more easier.

1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
    User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

It specify read and write permission on all kinds of removable storage device.

2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

With device installation restrictions, the installation of removable storage device will be totally under control.

More detailed information:

Managing Hardware Restrictions via Group Policy

http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx

But the minimum client requirement is Windows vista/Win7.So this is no good for my Windows XP machines.

If you have win2003 and WinXP clients for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo ADM template to DisableUSB OU and usb enabled policy ADM template to EnableUSB OU.

Computer OU
--USBEnable...Apply usb enabled policy(template)
--USBDiable...Apply usb disable policy(template)

Refer below link for the ADM template

You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the diable policy will not work.Also set allow permission to usbstor.inf and usbstor.PNF file and attach the gpo to USbdisable and usbenable GPO accordingly.

Computer Configuration\Windows setting\security settings\File system Add
%SystemRoot%\inf\usbstor.inf
%SystemRoot%\inf\usbstor.PNF
set deny permission to administrator,authenticated user,everyone,SYSTEM,users.

Simarly set allow permission to administrator,authenticated user,everyone,SYSTEM,users

Referencelink:http://www.petri.co.il/disable_usb_disks_with_gpo.htm

Once done you can move the computer to USBEnable or USBDisable OU.If there is requiremet to enable the USB or disable the conputer USB you can move the require computer object to appropiate OU to receieve the appropiate policy.However for setting to take effect you need to reboot the Computer.http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month11 days, 18 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question