Guest Jordan Fey Posted June 16, 2008 Posted June 16, 2008 I'm in a very security concious company which wants access to CD-Rom drives, floppy disk drives & USB mass storage devices restricted to the majority of machines. This is easy enough in itself, Ive used an group policy ADM to set the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR", "SYSTEM\CurrentControlSet\Services\Cdrom", "SYSTEM\CurrentControlSet\Services\Flpydisk" and "SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are disabled via registry. The issue I have is granting access to those users who are authorised to use these devices. At present I am applying these settings individually to different OU's however a multitude of group policies takes a lot longer to apply than a single, large group policy. What I would like to do is create a script to temporarily amend these settings back via regedit which the users can run vioa an ICON & a=only authorised users can access. The problem with this is that it only works for USB mass-storage devices. All the others only re-enable on reboot. Does anyone know of a way around this? Jordan
Guest Uwe Sieber Posted June 16, 2008 Posted June 16, 2008 Re: Locking down CD roms, USB mass storage devices and Floppy diskdri Re: Locking down CD roms, USB mass storage devices and Floppy diskdri What about setting the services to 'manual' and let start them by the admin manually by means of net start xxx or sc start xxx Restricted users should get an 'access denied' when trying this. Uwe Jordan Fey wrote: > I'm in a very security concious company which wants access to CD-Rom drives, > floppy disk drives & USB mass storage devices restricted to the majority of > machines. This is easy enough in itself, Ive used an group policy ADM to set > the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR", > "SYSTEM\CurrentControlSet\Services\Cdrom", > "SYSTEM\CurrentControlSet\Services\Flpydisk" and > "SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are > disabled via registry. > > The issue I have is granting access to those users who are authorised to use > these devices. At present I am applying these settings individually to > different OU's however a multitude of group policies takes a lot longer to > apply than a single, large group policy. > > What I would like to do is create a script to temporarily amend these > settings back via regedit which the users can run vioa an ICON & a=only > authorised users can access. The problem with this is that it only works for > USB mass-storage devices. All the others only re-enable on reboot. Does > anyone know of a way around this? > > Jordan >
Guest Jordan Fey Posted June 18, 2008 Posted June 18, 2008 Re: Locking down CD roms, USB mass storage devices and Floppy disk Re: Locking down CD roms, USB mass storage devices and Floppy disk Sorry if is ound a little dumb, but which service "Uwe Sieber" wrote: > > What about setting the services to 'manual' and let > start them by the admin manually by means of > net start xxx > or > sc start xxx > > Restricted users should get an 'access denied' when > trying this. > > > Uwe > > > > Jordan Fey wrote: > > I'm in a very security concious company which wants access to CD-Rom drives, > > floppy disk drives & USB mass storage devices restricted to the majority of > > machines. This is easy enough in itself, Ive used an group policy ADM to set > > the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR", > > "SYSTEM\CurrentControlSet\Services\Cdrom", > > "SYSTEM\CurrentControlSet\Services\Flpydisk" and > > "SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are > > disabled via registry. > > > > The issue I have is granting access to those users who are authorised to use > > these devices. At present I am applying these settings individually to > > different OU's however a multitude of group policies takes a lot longer to > > apply than a single, large group policy. > > > > What I would like to do is create a script to temporarily amend these > > settings back via regedit which the users can run vioa an ICON & a=only > > authorised users can access. The problem with this is that it only works for > > USB mass-storage devices. All the others only re-enable on reboot. Does > > anyone know of a way around this? > > > > Jordan > > >
Recommended Posts