[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

removable storages Blocking

Posted on 2013-11-27
2
Medium Priority
?
229 Views
Last Modified: 2013-12-24
Hi,
In my organization antivirus through we are blocking USB Storage Drives (Pen drive ,External HDD,Memory Cards)  but safe mode is not blocking users are logged in safe they copying data.

I am trying to blocking USB Group Policy  through but not working.

please advise how to control Pen drive blocking .

all systems are running  in windows-7 OS.


Thanks,
Sri
0
Comment
Question by:sreenivas_u
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 

Expert Comment

by:EdservG
ID: 39681773
Hi,

The block using GPO depends to GPO apply on user login. If users that use safe mode to access USB don't log on domain, this configuration don't work to block access. Only if users use safe mode with network this show result.

To create a GPO that blocks USB Storage use this: http://support.microsoft.com/kb/555324/

Thanks,
Edserv
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 1000 total points
ID: 39683274
In Windows Server 2008 domain, there are a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage device more easier.

1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
    User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

It specify read and write permission on all kinds of removable storage device.

2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

With device installation restrictions, the installation of removable storage device will be totally under control.

More detailed information:

Managing Hardware Restrictions via Group Policy

http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx

But the minimum client requirement is Windows vista/Win7.So this is no good for my Windows XP machines.

If you have win2003 and WinXP clients for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo ADM template to DisableUSB OU and usb enabled policy ADM template to EnableUSB OU.

Computer OU
--USBEnable...Apply usb enabled policy(template)
--USBDiable...Apply usb disable policy(template)

Refer below link for the ADM template

You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the diable policy will not work.Also set allow permission to usbstor.inf and usbstor.PNF file and attach the gpo to USbdisable and usbenable GPO accordingly.

Computer Configuration\Windows setting\security settings\File system Add
%SystemRoot%\inf\usbstor.inf
%SystemRoot%\inf\usbstor.PNF
set deny permission to administrator,authenticated user,everyone,SYSTEM,users.

Simarly set allow permission to administrator,authenticated user,everyone,SYSTEM,users

Referencelink:http://www.petri.co.il/disable_usb_disks_with_gpo.htm

Once done you can move the computer to USBEnable or USBDisable OU.If there is requiremet to enable the USB or disable the conputer USB you can move the require computer object to appropiate OU to receieve the appropiate policy.However for setting to take effect you need to reboot the Computer.http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question