File permissions - AD Group Policy

techie9

We are attempting to lock down USB storage in Windows XP. I have read
several articles about doing this but have managed to work around every
potential fix. By imposing a multi-layer set of restrictions I think
that I have effectively restricted USB storage. The last thing I need
to do is to prevent the USBSTOR.inf and USBSTOR.pnf from being deleted.
I have tried everything that I can think of to stop this from
happening. Turns out that if the user is a local admin (I know in the
perfect world users shouldn't be local admins unless we can trust them
with our lives but as the saying goes..."we don't live anywhere near
perfect") they can still delete these files regardless of security
settings applied to them. My final hope is to create a File System
Group Policy in AD specifically restricting access to these two files.


My questions are these:

First, how would I create that so that it would apply to my
workstation? (the files exist in the same location in Windows 2003
Server as they do on Windows XP Pro, c:\windows\inf\)

Second, does anybody out there see any adverse effects for the Domain
Controller by applying policy? (Since it is a group policy and we are
only applying to a set of workstations I can't see any ill effect on the
DC but it is always good to double check)

Thank you in advance for your time...
 

Danny Sanders

One more thing with that product.

Remember the uninstall password even if it means writing it down.

hth
DDS W 2k MVP MCSE
 

dz

What is the price on that software??? Can it be pushed to the
clients?? If the user has local admin rights and creates a local admin
user on the machine will the policy still apply to that user???
 

Danny Sanders

It's controlled by GP. You can push the software out to your clients via GP.
Local admins can't get around it.

I don't work for the company.


Try out the free download. Check out the PDF documentation.

hth
DDS W 2k MVP MCSE
 

dz

Well even if it is only $40 per license we are still looking at over
$20,000 for our entire site. GFI LANguard Portable Storage Control 2
is a similar product for $1500 for unlimited licensing.

Let's assume though that my company doesn't want to spend any money on
this... I've come up with a set of restrictions that will lock USB
storage devices down with the exception of these 2 files so far. I'm
almost certain that restricting the permissions on these 2 files
through AD Group Policy will do the trick. I'm hoping to find someone
who can think of why it wouldn't.
 

lforbes

We are attempting to lock down USB storage in Windows XP.

Hi,

Just out of curiosity, what do you mean by USB storage? Are you
referring to USB CD’s, Jumpdrives, Harddrives etc? Have you just
thought about hiding and restricting access to all the drive letters?
Works great for me. If there is no drive letter available then the
drive won’t load.
http://www.sd61.bc.ca/windows2000/HideDrives.htm

Cheers,

Lara
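A way to check, from the workstation side, the two controls discussed so far (Daniel's plan to lock the ACLs on usbstor.inf and usbstor.pnf, and Lara's hidden drive letters): an added audit script, not code from any poster. It assumes PowerShell 2.0 or later, the files under %windir%\inf as described, and that the HideDrives page refers to Explorer's NoDrives / NoViewOnDrive policy values.

```powershell
# Added audit example (not any poster's code). Assumes PowerShell 2.0 or
# later, the files under $env:windir\inf as described in the thread, and
# that the HideDrives page maps to Explorer's NoDrives / NoViewOnDrive values.
$findings = @()

# 1. USBSTOR driver service start type (4 = disabled, 3 = on demand).
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
if ($svc -and $svc.Start -eq 4) { $findings += 'USBSTOR service: disabled (Start=4)' }
else { $findings += "USBSTOR service: enabled (Start=$(if ($svc) { $svc.Start } else { 'missing' }))" }

# 2. Who may delete usbstor.inf / usbstor.pnf, and who owns them.
#    Delete = 0x10000 in FileSystemRights; FullControl includes it. Generic
#    rights (GENERIC_ALL etc.) are not expanded here.
$deleteBit = [int][System.Security.AccessControl.FileSystemRights]::Delete
foreach ($name in 'usbstor.inf', 'usbstor.pnf') {
    $path = Join-Path $env:windir "inf\$name"
    if (-not (Test-Path $path)) { $findings += "$name : MISSING"; continue }
    $acl = Get-Acl $path
    $who = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $deleteBit) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $findings += "$name : owner=$($acl.Owner); delete allowed for: $($who -join ', ')"
}

# 3. Explorer drive-hiding policy. Both values are bitmasks, bit 0 = A: ... bit 25 = Z:.
#    NoDrives hides letters in Explorer; NoViewOnDrive blocks browsing them.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $pol = Get-ItemProperty $key -ErrorAction SilentlyContinue
    foreach ($v in 'NoDrives', 'NoViewOnDrive') {
        if ($pol -and ($pol.PSObject.Properties[$v] -ne $null)) {
            $mask = [int]$pol.$v
            $letters = 0..25 | Where-Object { ($mask -band [int][math]::Pow(2, $_)) -ne 0 } | ForEach-Object { [char](65 + $_) }
            $findings += "$hive $v = $mask (drives: $(-join $letters))"
        }
    }
}

$findings
```

The report describes the current state only: an account with local admin rights can take ownership of both files and rewrite the ACL, which is the limitation Norbert raises later in the thread.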
 

dz

Yes that is what I am talking about. Geez, wouldn't that be a simple
answer. DOH! Thanks Lara.

Daniel
 

lforbes

Hi,
Well wait though. What about preventing a local admin from undoing the
restrictions??

Well, Group Policy trumps Local Administrative Privileges. I only
have two people who I trust enough to have admin privileges. However
Group Policy restrictions override their abilities to load the drive
letters because Group Policy overrides any local policies.

Cheers,

Lara
 

dz

Yea but I'm talking about the user with local admin rights creating a
new local user to whom group policy doesn't apply.
 

lforbes

Yea but I’m talking about the user with local admin rights
creating a new local user to whom group policy doesn’t apply.

Yes, I suppose this is possible. However, it really depends on "why"
you are giving your users "local Admin" privileges in the first
place. They can pretty much download anything and destroy their
machine with spyware, virus, etc. This is why I do everything in my
power not to ever give admin access.

However, if I was worried about this, then I would also impose a group
policy restricting access to Control Panel - Local Users as well as
"Management".

Cheers,

Lara
 

Norbert Fehlauer [MVP]

lforbes wrote:
Hi,
However, if I was worried about this, then I would also impose a group
policy restricting access to Control Panel - Local Users as well as
"Management".

That doesn't really help if the user has local admin rights. An admin is an
admin. You can restrict local admins, but if they know what they do, they
can always get around your restriction, even if it's only temporary. If you
use 3rd party software to deny access to several drives or ports it would be
much safer than trying to hide the drives by Windows policies.
There's quite a few on the market:
Securewave (www.securewave.com)
Safeguard (www.utimaco.com)
Firstware Deviceguard (www.firstattribute.com)
Devicewatch (www.itwatch.de)
Devicelock (www.protect-me.com)


Bye
Norbert
 

dz

Well what I have come up with is a set of restrictions that disables
every scenario I can come up with for working around the problem.
Granted given enough time any security setup can be defeated.
Otherwise we would all be out of jobs. However, what I am trying to do
is to make it as difficult as possible for even the most skilled user
to just walk off with data. If a machine gets stolen we will be
relying on our FDE tools and our password restrictions to prevent
access to the data. However, if the machine is unattended and our user
forgets to lock it, then there is a window of opportunity for a skilled
user to retrieve data. We have effectively restricted IE and now we
are looking at other possible problems. I think that I have it though..
If I do, perhaps I can send somebody a list of my policies and one of
you guys can test it for me.. see if you can find a way around. Thanks.
 

Norbert Fehlauer [MVP]

dz wrote:
Hi,
Well what I have come up with is a set of restrictions that disables
every scenario I can come up with for working around the problem.

That's the problem with this. In Windows you _can not_ securely deny/disable
access to a USB media (or other removable media) for an administrator. So
your restrictions only work as far as you're cleverer than _all_ of
your users. ;) I state that you can't grant this.
Granted given enough time any security setup can be defeated.

If the user is local admin and can/should do normal work with the computer
(no kiosk setup or something like that) it's a matter of not so much time.
user to just walk off with data. If a machine gets stolen we will be
relying on our FDE tools

What do you mean by FDE tools?

Bye
Norbert
 
