I haven't been following this thread closely so I don't know if anyone
has explored this solution. Windows XP and I think 2000 support
disabling USB Mass Storage devices via a registry "hack" for lack of a
better word.
This can be incorporated into a .adm file and added to Group Policy.
Copy the text between the stars but don't include the stars. Paste into
a file called (whatever).adm. Upload to group policy.
You can also read the following text and just manually input these
registry settings.
I chose the group policy method and put in a dev environment. Later it
was cleared for production and has come in handy many times so far.
One caveat is that there is a high likely hood that digital cameras will
break and you will have to manually exclude those computers.
*********************************************
CLASS MACHINE
CATEGORY "Custom Policies"
KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
POLICY "USB Mass Storage Installation"
EXPLAIN "When this policy is enabled, USB mass storage device
permissions can be changed by using the drop down box.
Selecting 'Grant Permission' will allow USB mass storage devices to be
installed. Selecting 'Deny Permission' will prohibit
the installation of USB mass storage devices.
IF REMOVING THIS POLICY: Reset to original setting and let policy
propegate before deleting policy."
PART "Change Settings:" DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME "Grant Permission" VALUE NUMERIC 3 DEFAULT
NAME "Deny Permission" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
********************************************
Thanks,
Dan Bullock
-----Original Message-----
From: Roman Iwasjuk [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 15, 2006 1:06 PM
To: Focus Microsoft
Subject: RE: Controlling specific USB devices on Windows XP
I think that we're missing something in this discussion - namely that
the
usb lockdown is something that we will have no choice BUT to do - up
till
now shutting down usb ports has been the easy work around - via bios,
not
loading the device drivers or just disabling the port.
The problem is that many hardware vendors are moving towards usb as the
be
all and end all - how many new computers are being sold with no ports
other
than usb - parallel, serial, ps2 - all gone...
What about laptops where the internal connection is via usb - either for
the
hard drive or the onboard cd/dvd ... Disabling the usb is no longer an
option.
We've all got privacy legislation that we have to concern ourselves
with,
not to mention corporate data - if we don't do our due diligence and
restrict the kinds of devices that can access the ports, then we have no
guarantee that info isn't leaving the company.
Roman Iwasjuk
Systems Manager
Buduchnist Credit Union Ltd
On 6/15/06, George Njoku <[EMAIL PROTECTED]> wrote:
>
> Gentlemen, this USB lock down for certain device is a nice idea, but
> just not necessary
>
> George Njoku
> Turner Engineering, Inc.
> 973.263.1000
> [EMAIL PROTECTED]
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.clearswift.com
**********************************************************************
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
The information transmitted may contain confidential material and
is intended only for the person or entity to which it is
addressed. Any review, retransmission, dissemination or other use
of or taking of any action by persons or entities other than the
intended recipient is prohibited. If you are not the intended
recipient, please delete the information from your system and
contact the sender.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
