usbblocking in desktop laptop

Published in: Education, Technology

  1. 1. Download the USB_removable_drives_ADM file (2 KB). After downloading the .ADM file, read Adding New Administrative Templates to a GPO. You might also be interested in reading Disable Writing to USB Disks with GPO.
      Note: To view and configure the new .ADM file settings you need to change the default filtering view in the GPO Editor (or GPedit.msc). Unless you change this setting, the right pane will appear empty even though the settings are there. Follow these steps:
      1. In GPEdit.msc (or whichever GPO Editor window you are using), click View > Filtering.
      2. Clear the "Only show policy settings that can be fully managed" check box. Click OK.
  2. 2. Now you will be able to see the new settings in the right pane:
  3. 3. You can now configure any of the above settings:
  4. 4. An additional step must be performed before the above tip will work: modifying the file access permissions on two files. You need to remove the SYSTEM access permissions from the usbstor.sys and usbstor.inf files. To do so, right-click each file > Properties, then go to the Security tab and remove the line for the SYSTEM account.
  5. 5. Note: Under some circumstances, SYSTEM needs write access to these files during Service Pack installation. For example, when the SP is installed via GPO or SMS, the installation runs under the SYSTEM account. The Service Pack needs to replace the files with a new version, and without proper write access to the files the installation will fail. Therefore, before each SP deployment we need to allow access to the SYSTEM account for these files.
      Adding .ADM files to the Administrative Templates in a GPO
      To add additional .ADM files to the existing Administrative Templates section in a GPO, follow these steps:
  6. 6. 1. Open the Group Policy Management Console (GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command. Note: GPMC is not a built-in part of Windows 2000/XP/2003 and needs to be installed separately. You can download GPMC from the following link (Download GPMC), but remember that it can only be used effectively on Windows Server 2003-based Active Directory. If you do not have GPMC or cannot install it, you'll need to edit the GPO via the regular means, i.e. from the Active Directory Users and Computers management tool (dsa.msc).
      2. Right-click an existing GPO (or create a new GPO, then right-click it) and select Edit.
  7. 7. 3. Expand either the Computer settings or Users settings section of the GPO. Go to the appropriate Administrative Templates section and right-click it. Select Add/Remove Templates.
  8. 8. 4. In the Add/Remove Templates window click Add.
  9. 9. 5. Browse to the location of the required .ADM file and click Open.
  10. 10. 6. In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close. Now re-open the Administrative Templates section and browse to the new settings location.
      Disabling GPO settings filtering
      Many custom Administrative Templates require you to turn off the filter that shows only policy settings that can be fully managed in the GPO editor. To do so, follow these steps:
      1. After completing the above procedure, browse to the newly added Administrative Template section.
  11. 11. Note that the section is indeed listed; however, the right pane is empty.
      2. Right-click an empty spot in the right pane and select View > Filtering.
      3. In the Filtering window, clear the "Only show policy settings that can be fully managed" option. Then click OK.
      4. Notice how the available options are now displayed in the right pane. You can now configure these options as you please.
      However, if the .ADM files were added, for example, when sitting on DC1, how do you make sure they are also replicated to DC2, DC3 and so on? Please let me know if I can solve this any other way or if I'm doing something wrong.
      Creating a GPO in Windows 2003 to block USB drives on Windows XP computers
      This GPO blocks the use of USB removable disks while allowing mice and keyboards to work.
      Creating and enabling the .ADM file
      Copy the script written under the instructions, paste it into Notepad and save it with the .ADM extension.
      Log into RADDC02 and go to Start>>Administrative Tools>>Group Policy Management.
  12. 12. In the left pane select Computer Configuration>>Administrative Templates. Right-click Administrative Templates and select Add/Remove Templates. Click Add, go to the folder where you saved the .ADM file and add it to Add/Remove Templates.
      In GPEdit.msc (or whichever GPO Editor window you are using), click View > Filtering. Clear the "Only show policy settings that can be fully managed" check box. Click OK.
      Click Computer Configuration>>Administrative Templates>>Custom Policy Settings>>Restrict Drives>>Disable USB Removable Drivers. Select Enabled. From the drop-down menu for usbstor.sys driver status select Stopped.
      Creating a new registry entry on the local computer through GPO
      Go to Computer Configuration>>Windows Settings>>Registry. Right-click, select Add Key, select MACHINE>>SYSTEM>>CurrentControlSet>>Services>>USBSTOR>>Security, then click OK.
      Under Object Name, double-click MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Security and click Edit Security. Select the desired group or user names and set Deny permissions for those users.
      Note: Alternatively, you could just add the name of the user or group you want to prevent from using USB storage devices.
      Click YES to the security warning.
      Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and that we are applying the permission directly to a file, so we don't need to worry about inheritance from this object.
      Modifying USBSTOR files
      Go to Computer Configuration>>Administrative Templates>>File System. Right-click, select Add File and go to the following paths: "C:\Windows\Inf\Usbstor.pnf" and "C:\Windows\Inf\Usbstor.inf". Double-click both entries and follow the instructions. Select the desired group or user names and set Deny permissions for those users.
      Note: Alternatively, you could just add the name of the user or group you want to prevent from using USB storage devices.
      Click YES to the security warning.
Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and that we are applying the permission directly to a file, so we don't need to worry about inheritance from this object.

Go to Run and type cmd. In the cmd window type "gpupdate /force". This pushes the GPO out to the computers right away instead of waiting for 90 minutes, which is the interval at which the GPO checks for updates by default.

http://support.microsoft.com/kb/823732
http://www.grouppolicy.biz/2010/02/how-to-use-group-policy-to-disable-usb-drives-on-windows-xp

```
; Each policy writes the "Start" value of a driver's service key.
; Setting a policy to Enabled writes Start = 4, which disables that driver;
; Disabled (the default item) writes the driver's normal start type.
CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname

  ; USB mass storage driver (usbstor.sys)
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
    PART !!labeltextusb DROPDOWNLIST REQUIRED
     VALUENAME "Start"
     ITEMLIST
      NAME !!Disabled VALUE NUMERIC 3 DEFAULT
      NAME !!Enabled VALUE NUMERIC 4
     END ITEMLIST
    END PART
  END POLICY

  ; CD-ROM driver (cdrom.sys)
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
    PART !!labeltextcd DROPDOWNLIST REQUIRED
     VALUENAME "Start"
     ITEMLIST
      NAME !!Disabled VALUE NUMERIC 1 DEFAULT
      NAME !!Enabled VALUE NUMERIC 4
     END ITEMLIST
    END PART
  END POLICY

  ; Floppy driver (flpydisk.sys)
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
    PART !!labeltextflpy DROPDOWNLIST REQUIRED
     VALUENAME "Start"
     ITEMLIST
      NAME !!Disabled VALUE NUMERIC 3 DEFAULT
      NAME !!Enabled VALUE NUMERIC 4
     END ITEMLIST
    END PART
  END POLICY

  ; High-capacity floppy driver (sfloppy.sys)
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
    PART !!labeltextls120 DROPDOWNLIST REQUIRED
     VALUENAME "Start"
     ITEMLIST
      NAME !!Disabled VALUE NUMERIC 3 DEFAULT
      NAME !!Enabled VALUE NUMERIC 4
     END ITEMLIST
    END PART
  END POLICY

 END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
```
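
To confirm on an endpoint that the GPO described above took effect, the following read-only PowerShell check reports the USBSTOR `Start` value and the permissions on the driver files, covering both the file-permission step and the Service Pack note about SYSTEM access. It is an added example, not part of the original slides; the function names are hypothetical and the usbstor.sys folder is assumed to be the standard driver location.

```powershell
# Added example: read-only audit of the settings this procedure changes.
# Registry key and Inf paths are the ones named on the page; the function
# names are hypothetical, and the usbstor.sys folder is the standard driver
# location (the page does not state it).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$files  = 'Inf\usbstor.inf', 'Inf\usbstor.pnf', 'System32\drivers\usbstor.sys' |
          ForEach-Object { Join-Path $env:SystemRoot $_ }
$sidType   = [System.Security.Principal.SecurityIdentifier]
$systemSid = 'S-1-5-18'   # LocalSystem, independent of the OS display language

function Get-UsbStorStartState {
    # Start = 4 means the driver is disabled; 3 means it loads on demand.
    $p = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        # No Start value to read: the registry policy has nothing to act on,
        # so only the file permissions keep the driver from being installed.
        return New-Object PSObject -Property @{
            KeyPresent = $false; Start = $null; DriverDisabled = $false }
    }
    New-Object PSObject -Property @{
        KeyPresent = $true; Start = $p.Start; DriverDisabled = ($p.Start -eq 4) }
}

function Get-UsbStorFileAcl {
    foreach ($f in $files) {
        if (-not (Test-Path -Path $f)) {
            New-Object PSObject -Property @{
                File = $f; Present = $false; DenySids = ''; SystemAllowed = $false }
            continue
        }
        # Request explicit and inherited ACEs, with identities returned as SIDs.
        $rules = (Get-Acl -Path $f).GetAccessRules($true, $true, $sidType)
        $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' } |
                   ForEach-Object { $_.IdentityReference.Value })
        $sys   = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -eq $systemSid })
        New-Object PSObject -Property @{
            File = $f; Present = $true
            DenySids = ($deny -join ','); SystemAllowed = ($sys.Count -gt 0) }
    }
}

Get-UsbStorStartState | Format-List KeyPresent, Start, DriverDisabled
Get-UsbStorFileAcl    | Format-Table File, Present, SystemAllowed, DenySids -AutoSize
```

A row with `SystemAllowed` set to False is the condition the Service Pack note describes: SYSTEM access has to be restored on those files before the update is deployed, then removed again afterwards.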
