{"id":8665,"date":"2006-12-01T15:14:00","date_gmt":"1999-11-29T20:00:00","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=8665"},"modified":"2006-12-01T15:14:00","modified_gmt":"1999-11-29T20:00:00","slug":"disable-devices-via-group-policy","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=8665","title":{"rendered":"Disable Devices Via Group Policy"},"content":{"rendered":"<div>Have you ever wanted to disable USB storage, floppy disks or CD-ROM&#8217;s by group policy?\u00a0 If you&#8217;re in a security sensitive or regulated organisation then it&#8217;s something that you definitely want to do.\u00a0 In the past I&#8217;ve used a 3rd party solution that fit my needs perfectly and was simple to deploy and manage.<\/div>\n<div>\u00a0<\/div>\n<div>Just now, one of the guys on my client site informed me of an <a href=\"http:\/\/www.petri.co.il\/disable_usb_disks_with_gpo.htm\" rel=\"nofollow\">article <\/a>he found on Daniel Petri&#8217;s famous blog.\u00a0 It references a KB <a href=\"http:\/\/support.microsoft.com\/default.aspx\/kb\/555324\" rel=\"nofollow\">article <\/a>on Microsoft&#8217;s website.\u00a0 The solution is an ADM template that can be imported into a GPO.\u00a0 The template controls the start up of the CD-ROM, floppy and USB storage drivers.\u00a0 The latter does not affect USB mice or keyboards.<\/div>\n<div>\u00a0<\/div>\n<div>It looks like a nice, simple and free solution.\u00a0 Daniel has extended the ADM by adding some documentation.\u00a0 I&#8217;d take it a little further: <\/div>\n<div>\u00a0<\/div>\n<ul>\n<li>I&#8217;d create a group for Floppy access, USB storage access and CD-ROM access.<\/li>\n<li>If I had multiple sites with delegated security administration, I&#8217;d use nested groups with the member groups located where local administrators could manage the membership.<\/li>\n<li>It&#8217;s a per-machine setting so I&#8217;d place the machines in the appropriate groups where the users require 
access.<\/li>\n<li>I&#8217;d create a GPO for each device type to be managed, e.g. Block USB Storage Access, Block Floppy Access and Block CD-ROM Access.\u00a0 <\/li>\n<li>Using GPO filtering, I&#8217;d prevent the &quot;Apply Policy&quot; permission for each group for the appropriate policy, e.g. the Floppy Access group would be prevented from applying the Block Floppy Access Policy.<\/li>\n<\/ul>\n<p>Problems:\u00a0 It&#8217;s a per-machine setting.\u00a0 What prevents a user from going to a PC that has access in order to copy or steal data, bring in unauthorised materials, etc?\u00a0 Things are going to be tricky when you need to change how the policy is applied, e.g. when a user or administrator needs temporary access, the services must be unblocked and started.\u00a0 The policy supports USB Storage, Floppy drives, CD-ROM&#8217;s and super floppies.\u00a0 Maybe it can be extended to other devices but I don&#8217;t know.<\/p>\n<p>In the past I have used <a href=\"http:\/\/devicelock.com\/\" rel=\"nofollow\">DeviceLock<\/a>.\u00a0 It&#8217;s a simple tool to deploy.\u00a0 It can manage the basic devices as well as WiFi, Bluetooth, Firewire, Serial, etc.\u00a0 It is done on a per group and per device basis and is set up like NTFS permissions with a schedule.\u00a0 With the basic settings, it uses some local groups and administrators to grant access.\u00a0 I populated the local groups using GPO Restricted Groups to grant access to selected <em>users<\/em>.\u00a0 Users could move from machine to machine and always had their designated access or non-access as the case may be.\u00a0 A central policy console as well as GPO integration was available.<\/p>\n<p>If I had the choice, I&#8217;d go with DeviceLock.\u00a0 It was just so simple to deploy and manage.\u00a0 But if you have a tight budget then maybe this custom ADM is a solution for you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Have you ever wanted to disable USB storage, floppy disks or CD-ROM&#8217;s by 
group policy?\u00a0 If you&#8217;re in a security sensitive or regulated organisation then it&#8217;s something that you definitely want to do.\u00a0 In the past I&#8217;ve used a 3rd party solution that fit my needs perfectly and was simple to deploy and manage. \u00a0 &hellip; <a href=\"https:\/\/aidanfinn.com\/?p=8665\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Disable Devices Via Group Policy&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8665","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"jetpack_featured_media_url":"","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/8665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8665"}],"version-history":[{"count":0,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/8665\/revisions"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8665"},{"taxonomy"
:"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}