Hardware Thread, Total ban on removable media in Technical
  1. #16

    tech_guy's Avatar
    You can use this nifty .adm with group policy to block usb, cd, floppy and super floppy devices on server 2003:

    HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

    We use it and it works a treat - easy to enable / disable. Don't forget to uncheck 'only show policy settings that can be fully managed' under filtering to see the options.

  2. 2 Thanks to tech_guy:

    enjay (8th December 2009), mattx (4th January 2010)

  3. #17

    GREED's Avatar
    We still use them, but disable autorun on all drives, and also manage the attachments that can be accessed, and where they can be saved to (which is almost nowhere for the children).

  4. #18
    enjay's Avatar
    Quote Originally Posted by tech_guy
        You can use this nifty .adm with group policy to block usb, cd, floppy and super floppy devices on server 2003

    Thanks for that. I think it is an overkill response to this problem, but would address what to do with controlled assessment candidates.

  5. #19
    AlexB's Avatar
    Quote Originally Posted by contink
        Could you keep me/us posted on how you get on with this as this sounds like a useful solution to a few issues that have plagued me in one or two schools.

        If nothing else, getting the AV to scan the drive and kill off any autorun chicanery BEFORE anything goes in the system that would be a real plus.

    We have this entry in our USBDLM reg entry:

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Uwe Sieber\USBDLM\OnArrival]
    "Force"="1"
    "open"="\"%ProgramFiles%\\McAfee\\VirusScan Enterprise\\scan32.exe\" %drive%"
    It causes the McAfee scanner to scan the USB stick; sadly, the window remains open after the scan even if nothing is found. It is useful to scan for the kids' sake as no executables can run from USB sticks within school.

    Just an aside, unless you use another key to demote, the "OnArrival" part of USBDLM runs with local admin privs.

  6. Thanks to AlexB from:

    contink (8th December 2009)

  7. #20
    contink's Avatar
    Quote Originally Posted by AlexB
        We have this entry in our USBDLM reg entry:

        Code:
        [HKEY_LOCAL_MACHINE\SOFTWARE\Uwe Sieber\USBDLM\OnArrival]
        "Force"="1"
        "open"="\"%ProgramFiles%\\McAfee\\VirusScan Enterprise\\scan32.exe\" %drive%"
        It causes the McAfee scanner to scan the USB stick; sadly, the window remains open after the scan even if nothing is found. It is useful to scan for the kids' sake as no executables can run from USB sticks within school.

        Just an aside, unless you use another key to demote, the "OnArrival" part of USBDLM runs with local admin privs.

    Could you use something like AutoIT to open the necessary command and then shut down the window when a "completed" message or suchlike comes up?

    Just a thought...

    Thanks for sharing that though...

  8. #21

    Possibly worth checking with the IT staff as to what course they are running first, the OCR nationals specifically state that students must back up their work to removable medium, i.e. USB/Floppy/Zip (the spec mentions it, nobody ever does).

  9. #22
    enjay's Avatar
    Quote Originally Posted by tech_guy
        You can use this nifty .adm with group policy to block usb, cd, floppy and super floppy devices on server 2003

    @tech_guy - is it possible to do that via RMMC/CC3, or would I have to do it straight in the AD?

  10. #23

    Michael's Avatar
    Tech_guy's link looks very interesting, however in the past (as an alternative) I created a custom GPO which limits the number of drive letters available.

    If all existing network drives are using drive letters, plugging in a USB stick will do nothing as no letter can be assigned.

  11. #24
    enjay's Avatar
    That would suffice - could you post the adm file?

  12. #25

    mattx's Avatar
    Not sure if anyone has used this template?

    Group Policy to disable Autorun Arricc

  13. #26

    Michael's Avatar
    Firstly here are all the numeric values for all drive letters:

    Code:
    A 1
    B 2
    C 4
    D 8
    E 16 
    F 32
    G 64
    H 128
    I 256
    J 512
    K 1024
    L 2048
    M 4096
    N 8192
    O 16384
    P 32768
    Q 65536
    R 131072
    S 262144
    T 524288
    U 1048576
    V 2097152
    W 4194304
    X 8388608
    Y 16777216
    Z 33554432
    And here's a caption from a System.adm file from Windows Server 2003 R2 I have customised. I recommend you make a copy and name it System1.adm leaving the existing System.adm file in place. By creating a Test OU, you can remove System.adm and import System1.adm without affecting your other OUs.

    In this example the Numeric Value is 63 which would restrict drives A to F. You can do any combination according to your requirements. Hope this helps

    Code:
    POLICY !!NoDrives
    			#if version >= 4
    			SUPPORTED !!SUPPORTED_Win2k
    			#endif
    
    			EXPLAIN !!NoDrives_Help
    			PART !!NoDrivesDropdown	DROPDOWNLIST NOSORT REQUIRED
    				VALUENAME "NoDrives"
    				ITEMLIST
    					NAME !!ABOnly           VALUE NUMERIC	3
    					NAME !!COnly            VALUE NUMERIC	4
    					NAME !!DOnly            VALUE NUMERIC 	8
    					NAME !!ABConly          VALUE NUMERIC 	7
    					NAME !!ABCDOnly         VALUE NUMERIC	15
    					NAME !!ALLDrives        VALUE NUMERIC	67108863 DEFAULT
    					; low 26 bits on (1 bit per drive)
    					; custom entry: A to F = 1+2+4+8+16+32
    					NAME !!Logistix		VALUE NUMERIC	63
    					NAME !!RestNoDrives     VALUE NUMERIC	0
    				END ITEMLIST
    			END PART
    		END POLICY
    
    		POLICY !!NoViewOnDrive
    			#if version >= 4
    			SUPPORTED !!SUPPORTED_Win2k
    			#endif
    
    			EXPLAIN !!NoViewOnDrive_Help
    			PART !!NoDrivesDropdown	DROPDOWNLIST NOSORT REQUIRED
    				VALUENAME "NoViewOnDrive"
    				ITEMLIST
    					NAME !!ABOnly           VALUE NUMERIC	3
    					NAME !!COnly            VALUE NUMERIC	4
    					NAME !!DOnly            VALUE NUMERIC 	8
    					NAME !!ABConly          VALUE NUMERIC 	7
    					NAME !!ABCDOnly         VALUE NUMERIC	15
    					NAME !!ALLDrives        VALUE NUMERIC	67108863 DEFAULT
    					; low 26 bits on (1 bit per drive)
    					; custom entry: A to F = 1+2+4+8+16+32
    					NAME !!Logistix		VALUE NUMERIC	63
    					NAME !!RestNoDrives     VALUE NUMERIC	0
    				END ITEMLIST
    			END PART
    		END POLICY
    Anywhere under strings:

    Code:
    [strings]
    Logistix="Restrict drives A to F only"
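
The letter values and the `Logistix` entry from the post above, worked through as an added example (not code from the thread or from the stock template): it builds a value from drive letters, decodes a deployed value, and lists the letters a newly attached device could still be given. The function names are hypothetical, and the "already assigned" letters C, H and S are a constructed scenario.

```python
import string

LETTERS = string.ascii_uppercase      # A..Z map to bits 0..25 (A=1, B=2, C=4, ...)
ALL_DRIVES = (1 << 26) - 1            # 67108863, the template's ALLDrives value


def drive_mask(letters):
    """Combine the per-letter values for a set of drive letters."""
    mask = 0
    for ch in letters.upper():
        if ch not in LETTERS:
            raise ValueError(f"not a drive letter: {ch!r}")
        mask |= 1 << LETTERS.index(ch)
    return mask


def mask_letters(mask):
    """Decode a NoDrives / NoViewOnDrive value back into drive letters."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError("only the low 26 bits are meaningful")
    return "".join(ch for bit, ch in enumerate(LETTERS) if (mask >> bit) & 1)


def unrestricted_free_letters(mask, in_use):
    """Letters that are neither restricted by the mask nor already assigned,
    i.e. the ones a newly attached device could receive and still be shown."""
    return mask_letters(ALL_DRIVES & ~(mask | drive_mask(in_use)))


def adm_entry(string_id, label, letters):
    """Build the ITEMLIST line and matching [strings] line for a custom option."""
    item = f"NAME !!{string_id}\tVALUE NUMERIC\t{drive_mask(letters)}"
    return item, f'{string_id}="{label}"'


if __name__ == "__main__":
    item, text = adm_entry("Logistix", "Restrict drives A to F only", "ABCDEF")
    print(item)
    print(text)
    # Constructed scenario: C: is the system disk, H: and S: are mapped shares.
    print("still open with 63:", unrestricted_free_letters(63, "CHS"))
    tight = ALL_DRIVES & ~drive_mask("CHS")
    print("restrict all but C, H, S:", tight, mask_letters(tight))
```

NoDrives and NoViewOnDrive are Explorer shell policies, so the value governs what My Computer and Explorer show or open rather than acting as an access control on the drive itself.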

  14. #27
    zag's Avatar
    We've banned USB drives for many years and use our VLE or webmail to exchange files. Seems to work quite well.

    I disabled autorun in GPO and made all the shared drives read only on the root, this stopped all the netsky virus type things propagating immediately. Not had a problem with them since.

  15. #28
    enjay's Avatar
    Quote Originally Posted by Michael
        Tech_guy's link looks very interesting, however in the past (as an alternative) I created a custom GPO which limits the number of drive letters available.

        If all existing network drives are using drive letters, plugging in a USB stick will do nothing as no letter can be assigned.

    Actually, thinking about it, the same can be achieved via the RMMC if you have CC3 or (presumably) CC4, where you can specify which drive letters are visible and/or accessible to a user.

  16. #29

    Michael's Avatar
    Quote Originally Posted by enjay
        Actually, thinking about it, the same can be achieved via the RMMC if you have CC3 or (presumably) CC4, where you can specify which drive letters are visible and/or accessible to a user.

    Very possible, but with a little tweaking the same results can be achieved for free.

  17. #30
    cookie_monster's Avatar
    We disabled autorun on drives and then use Software Restriction Policy to blanket ban executable files from all locations other than where we whitelist. This has solved the problem for us. This also stops exe games and portable apps/TOR programs and so on.
