Deny Access to Peripherals (USB, CDRW, etc)

S

StarTrek4U

Gawd
Joined
Jan 8, 2003
Messages
1,011
I know I've seen software like this before but I can't find the right way to phrase it for google so I'm hoping some people here might be able to help. I work for a bank and in the never ending process of attempting to gain compliance we are now needing to explore software that will not allow USB ports and possibly CDRW drives, etc. to be used to actually copy data and then leave with it. Basically we need the ability to lockdown access to peripherals. If anyone has used anything like this and has a recommendation/suggestion I'd love it hear it.

Thanks.
 
Well for the USB ports, just disable them in the BIOS. And as for the CD-RWs, my favorite policy is just to order CD-ROM drives (yes thats still possible).

Not the most elegant solutions, but sometimes simple is best. :)
 
With the Microsoft Desktop Optimization Pack, you can do this in Windows XP/Server 2003. MDOP is available to Software Assurance corporate customers, but I am not sure if it is available for single use.

It used to be a part of Desktop Standard. Look into that.
 
Ah, good old Microsoft SA. Its great if the initial investment doesn't kill you.
 
amenthes said:
That's great for Vista/Longhorn, but I know of no such functionality in Server 2k/2k3 and XP/2000 clients. Does it exist there too or is it just a Longhorn feature?
Click to expand...

Group Policy has been around since Server 2000. It is exactly what you need.
 
I wasn't aware that Group Policy had a way to do this prior to Longhorn, but apparently it is possible on older versions.

Here's a how to on disabling access to USB storage devices with Group Policies on Server 2k/2k3:
http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks


slowbiznatch: I'm aware that Group Policy has been around since 2000, it actually was around in the Windows NT days as well :). If you have any info on how to solve this particular problem using GP that would be helpful to post.
 
amenthes said:
I wasn't aware that Group Policy had a way to do this prior to Longhorn, but apparently it is possible on older versions.

Here's a how to on disabling access to USB storage devices with Group Policies on Server 2k/2k3:
http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks


slowbiznatch: I'm aware that Group Policy has been around since 2000, it actually was around in the Windows NT days as well :). If you have any info on how to solve this particular problem using GP that would be helpful to post.
Click to expand...

There are thousands of policies out there that can limit very specific things like you are looking for to very broad tasks like installing new hardware. If you want me to go through all of them and show you exactly how to get to them, let me know and I'll go through it all tonight. I simply wanted to give you a starting point to help you resolve your issue, I'm sorry I didn't do all the legwork for you immediately.

In regards to Windows NT -- Group Policy was not established. You might be referring to System Policy, but there was not Group Policy. Group Policy can't exist without Active Directory, which was introduced in Windows Server 2000.
 
slowbiznatch: You should read the entire thread, I'm not the one with the problem, that would be the original poster.

I am not trying to be rude to you, and I'm not suggesting that you explain all of group policy. I'm simply suggesting that when a specific problem is stated (block access to USB and CDRW), and you say it can be done using Group Policy, it would be helpful if you at least provided a link to some information on how you propose the OP fixes his/her specific problem using Group Policy.

No offense intended, just trying to clarify and help StarTrek4U find a solution to his/her problem.
 
These were all some good ideas, thanks for the thoughts, now time to pitch them to management and see what they want to do... ;)
 
StarTrek4U said:
... we are now needing to explore software that will not allow USB ports and possibly CDRW drives, etc. to be used to actually copy data and then leave with it. Basically we need the ability to lockdown access to peripherals.
Click to expand...

My employer is in the same boat. We're currently working to implement DeviceLock.

I'm not at all involved with the project so I can't comment on the software itself, but the feature list looks decent. The site says there's a demo avaliable so if you're still looking, give it a try.
 
amenthes said:
Well sure if you want to do it the EASY way. ;)

That actually looks like a nice piece of software, good find. Not too expensive considering the security it gives.
Click to expand...

I work the company. It isn't as good as it looks. It does allow you to deploy all of the settings via gpo or the console. However it has some holes and gaps that need to be addressed. If the user has admin rights they can just uninstall it. It has a server portion for reporting but it won't tell you if it was uninstalled. its really just a log collector for events. It requires the devicelock service to be installed on the machine for the settings to do anything.
 
You must log in or register to reply here.
Back
Top