Locking down CD roms, USB mass storage devices and Floppy disk dri

June 16, 2008

I'm in a very security concious company which wants access to CD-Rom drives,

floppy disk drives & USB mass storage devices restricted to the majority of

machines. This is easy enough in itself, Ive used an group policy ADM to set

the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR",

"SYSTEM\CurrentControlSet\Services\Cdrom",

"SYSTEM\CurrentControlSet\Services\Flpydisk" and

"SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are

disabled via registry.

The issue I have is granting access to those users who are authorised to use

these devices. At present I am applying these settings individually to

different OU's however a multitude of group policies takes a lot longer to

apply than a single, large group policy.

What I would like to do is create a script to temporarily amend these

settings back via regedit which the users can run vioa an ICON & a=only

authorised users can access. The problem with this is that it only works for

USB mass-storage devices. All the others only re-enable on reboot. Does

anyone know of a way around this?

Jordan

June 16, 2008

Re: Locking down CD roms, USB mass storage devices and Floppy diskdri

Re: Locking down CD roms, USB mass storage devices and Floppy diskdri

What about setting the services to 'manual' and let

start them by the admin manually by means of

net start xxx

or

sc start xxx

Restricted users should get an 'access denied' when

trying this.

Uwe

Jordan Fey wrote:

> I'm in a very security concious company which wants access to CD-Rom drives,

> floppy disk drives & USB mass storage devices restricted to the majority of

> machines. This is easy enough in itself, Ive used an group policy ADM to set

> the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR",

> "SYSTEM\CurrentControlSet\Services\Cdrom",

> "SYSTEM\CurrentControlSet\Services\Flpydisk" and

> "SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are

> disabled via registry.

>

> The issue I have is granting access to those users who are authorised to use

> these devices. At present I am applying these settings individually to

> different OU's however a multitude of group policies takes a lot longer to

> apply than a single, large group policy.

>

> What I would like to do is create a script to temporarily amend these

> settings back via regedit which the users can run vioa an ICON & a=only

> authorised users can access. The problem with this is that it only works for

> USB mass-storage devices. All the others only re-enable on reboot. Does

> anyone know of a way around this?

>

> Jordan

>

June 18, 2008

Re: Locking down CD roms, USB mass storage devices and Floppy disk

Re: Locking down CD roms, USB mass storage devices and Floppy disk

Sorry if is ound a little dumb, but which service

"Uwe Sieber" wrote:

>

> What about setting the services to 'manual' and let

> start them by the admin manually by means of

> net start xxx

> or

> sc start xxx

>

> Restricted users should get an 'access denied' when

> trying this.

>

> Uwe

>

> Jordan Fey wrote:

> > I'm in a very security concious company which wants access to CD-Rom drives,

> > floppy disk drives & USB mass storage devices restricted to the majority of

> > machines. This is easy enough in itself, Ive used an group policy ADM to set

> > the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR",

> > "SYSTEM\CurrentControlSet\Services\Cdrom",

> > "SYSTEM\CurrentControlSet\Services\Flpydisk" and

> > "SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are

> > disabled via registry.

> >

> > The issue I have is granting access to those users who are authorised to use

> > these devices. At present I am applying these settings individually to

> > different OU's however a multitude of group policies takes a lot longer to

> > apply than a single, large group policy.

> >

> > What I would like to do is create a script to temporarily amend these

> > settings back via regedit which the users can run vioa an ICON & a=only

> > authorised users can access. The problem with this is that it only works for

> > USB mass-storage devices. All the others only re-enable on reboot. Does

> > anyone know of a way around this?

> >

> > Jordan

> >

>

Sign In

Locking down CD roms, USB mass storage devices and Floppy disk dri

Recommended Posts

Guest Jordan Fey

Popular Days

Popular Days

Guest Uwe Sieber

Guest Jordan Fey

Similar Content

No ASIX USB Dongle Found No Bootable Device Insert Boot Disk And Press Any Key

Windows 10 treats any USB storage as a local disk

My HDD's usb getting recogonized and visible on device manager but not showing either on disk management nor on explorer.

how to recover lost USB external hard disk after its drive uninstalled? it cannot be initialised because of I/O device error

Unable to create a system image to a usb mass storage flash drive, with the error: "This drive is not a valid backup location"

Browse

Activity

Site Info