Restricting access to removable media


Dmitry Korolyov

There's a need to restrict users from using any types of removable media. This may include floppy disks, CD/DVD, USB hard drives, zip drives and generally, any kinds of media which can be connected to the workstation. Is there a well-known solution for this?

Removing devices physically won't work - for example, for USB drives. Plus, if possible, it is preferable to restrict usage to certain users only, while allowing it to other users (for example, administrators).

Thanks in advance.
 

Steven Umbach [MVP]

None that I know of other than configuring CMOS settings [and password protecting them] and/or using a security case that does not allow user access to those devices/ports and still be able to do their work. There is a company that has a product that they claim will do what you ask - I have not tried it out myself, but they do allow you to try it out for free. The USB devices are particularly bothersome as you mention. --- Steve

http://www.protect-me.com/dl/
http://securewave.com/products/securent/

 

Dmitry Korolyov

Yup, USB hard drives are the devils. Disabling devices/ports through BIOS setup and setting a password won't work for many reasons - can't differentiate between a legitimate USB printer and a hard drive, there are vendor passwords, they can be broken by opening the computer case and removing the battery...etc.

The best I have so far is disabling services such as floppy and cdrom under hklm\...services\ in the registry (this can be done with custom template and GP) and setting permissions on them (with GP again) to restrict users from enabling them. This prevents floppies and cdroms. So far. And for all users at once, too, while we'd like to allow some users to use them.

I tried to look towards floplock from reskit. Somehow it manages to set a security descriptor on cdrom and floppy device. Too bad it does not allow to choose which groups will have access - Power Users and Administrators by default. But there's some good news too - it sets permissions in a way which is compatible with some other programs which do the same. I hope to find out how it's being done, to generalize the approach and apply it to any device I need.

--
Dmitry Korolyov
(e-mail address removed)
To e-mail me, remove "nospamformorons"
from the address.
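
An added example, not part of the thread or any poster's code: a read-only PowerShell audit of the approach described in the post above. It reports whether the floppy and CD-ROM driver services are disabled and which non-administrative accounts could still change that. The full key path `HKLM\SYSTEM\CurrentControlSet\Services` and the service names `Cdrom` and `Flpydisk` are assumptions; the post gives only an abbreviated path.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumptions (not from the thread): the full Services key path and the
# driver service names Cdrom / Flpydisk.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$drivers      = 'Cdrom', 'Flpydisk'
# Accounts that are expected to keep write access to the driver keys.
$trusted      = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

# Rights that let an account set Start back to an enabled value or rewrite
# the ACL, plus GENERIC_ALL / GENERIC_WRITE as they appear in raw ACEs.
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($name in $drivers) {
    $key = Join-Path $servicesRoot $name
    if (-not (Test-Path $key)) {
        # Driver not installed on this machine (e.g. no floppy controller).
        [pscustomobject]@{ Driver = $name; Start = 'key missing'; Disabled = $null; WritableBy = '' }
        continue
    }

    # Start = 4 means the driver service is disabled.
    $start = [int](Get-ItemProperty -Path $key -Name Start).Start

    # Allow-ACEs granting write-type rights to anyone outside $trusted.
    $writers = (Get-Acl -Path $key).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band $writeMask) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Driver     = $name
        Start      = '{0} ({1})' -f $start, $startNames[$start]
        Disabled   = ($start -eq 4)
        WritableBy = ($writers -join '; ')   # empty means only trusted accounts can write
    }
}
```

A driver that shows `Disabled = True` with an empty `WritableBy` matches the state the post aims for; any account listed in `WritableBy` can undo the restriction.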


 

Dmitry Korolyov

Thanks a lot Matt. I will try this setting and post back if it worked for
me.

I knew about Konstantin's code. Its disadvantage is that it has no
wide-management capabilities and requires additional driver installation.
Restricting cdrom and floppy drivers in the registry from starting with
group policy seems to be a more manageable solution for me now.
 
