You can use this nifty .adm with group policy to block usb, cd, floppy and super floppy devices on server 2003:
HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
We use it and it works a treat - easy to enable / disable. Don't forget to uncheck 'only show policy settings that can be fully managed' under filtering to see the options.
We still use them, but disable autorun on all drives, and also manage the attachments that can be accessed, and where they can be saved to (which is almost nowhere for the children).
We have this entry in our USBDLM reg entry. It causes the McAfee scanner to scan the USB stick; sadly the window remains open after the scan even if nothing is found. It is useful to scan for the kids' sake, as no executables can run from USB sticks within school.
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Uwe Sieber\USBDLM\OnArrival]
"Force"="1"
"open"="\"%ProgramFiles%\\McAfee\\VirusScan Enterprise\\scan32.exe\" %drive%"
Just an aside: unless you use another key to demote it, the "OnArrival" part of USBDLM runs with local admin privs.
Possibly worth checking with the IT staff as to what course they are running first; the OCR Nationals specifically state that students must back up their work to removable media, i.e. USB/floppy/Zip (the spec mentions it, nobody ever does).
Tech_guy's link looks very interesting, however in the past (as an alternative) I created a custom GPO which limits the number of drive letters available.
If all existing network drives are using drive letters, plugging in a USB stick will do nothing as no letter can be assigned.
That would suffice - could you post the adm file?
Not sure if anyone has used this template?
Group Policy to disable Autorun Arricc
Firstly, here are the numeric values for all drive letters (one bit per letter):
Code:
A 1          B 2          C 4          D 8          E 16         F 32
G 64         H 128        I 256        J 512        K 1024       L 2048
M 4096       N 8192       O 16384      P 32768      Q 65536      R 131072
S 262144     T 524288     U 1048576    V 2097152    W 4194304    X 8388608
Y 16777216   Z 33554432
And here's a snippet from a System.adm file from Windows Server 2003 R2 that I have customised. I recommend you make a copy and name it System1.adm, leaving the existing System.adm file in place. By creating a Test OU, you can remove System.adm and import System1.adm without affecting your other OUs.
In this example the Numeric Value is 63, which would restrict drives A to F. You can do any combination according to your requirements. Hope this helps.
Anywhere under strings:
Code:
POLICY !!NoDrives
    #if version >= 4
        SUPPORTED !!SUPPORTED_Win2k
    #endif
    EXPLAIN !!NoDrives_Help
    PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoDrives"
        ITEMLIST
            NAME !!ABOnly       VALUE NUMERIC 3
            NAME !!COnly        VALUE NUMERIC 4
            NAME !!DOnly        VALUE NUMERIC 8
            NAME !!ABConly      VALUE NUMERIC 7
            NAME !!ABCDOnly     VALUE NUMERIC 15
            NAME !!ALLDrives    VALUE NUMERIC 67108863 DEFAULT
            ; low 26 bits on (1 bit per drive)
            NAME !!Logistix     VALUE NUMERIC 63
            NAME !!RestNoDrives VALUE NUMERIC 0
        END ITEMLIST
    END PART
END POLICY

POLICY !!NoViewOnDrive
    #if version >= 4
        SUPPORTED !!SUPPORTED_Win2k
    #endif
    EXPLAIN !!NoViewOnDrive_Help
    PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoViewOnDrive"
        ITEMLIST
            NAME !!ABOnly       VALUE NUMERIC 3
            NAME !!COnly        VALUE NUMERIC 4
            NAME !!DOnly        VALUE NUMERIC 8
            NAME !!ABConly      VALUE NUMERIC 7
            NAME !!ABCDOnly     VALUE NUMERIC 15
            NAME !!ALLDrives    VALUE NUMERIC 67108863 DEFAULT
            ; low 26 bits on (1 bit per drive)
            NAME !!Logistix     VALUE NUMERIC 63
            NAME !!RestNoDrives VALUE NUMERIC 0
        END ITEMLIST
    END PART
END POLICY
Code:
[strings]
Logistix="Restrict drives A to F only"
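The drive-letter table and the ADM dropdown above both boil down to one 26-bit mask (bit 0 = A, bit 25 = Z) that NoDrives and NoViewOnDrive share, and the earlier "use up all the drive letters" post is the same idea from the other direction. Below is an added worked example, written for this thread and not taken from the post or from any Microsoft file, that builds and decodes that mask, computes the "everything except my mapped drives" value, and renders it as a .reg fragment for the per-user Explorer policy key; the drive letters fed to it are made-up sample input.

```python
import string

DRIVE_LETTERS = string.ascii_uppercase   # A..Z; bit 0 is A, bit 25 is Z
ALL_DRIVES = (1 << 26) - 1               # 67108863, the "ALLDrives" value in the ADM

# Registry key that the NoDrives / NoViewOnDrive policies write to.
EXPLORER_POLICY_KEY = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
)


def drive_bit(letter):
    """Bit for one drive letter: A -> 1, B -> 2, C -> 4 ... Z -> 33554432."""
    letter = letter.upper()
    if len(letter) != 1 or letter not in DRIVE_LETTERS:
        raise ValueError("not a drive letter: %r" % (letter,))
    return 1 << (ord(letter) - ord("A"))


def encode_mask(letters):
    """OR together the bits for every letter in an iterable such as 'ABCDEF'."""
    mask = 0
    for letter in letters:
        mask |= drive_bit(letter)
    return mask


def decode_mask(mask):
    """Turn a NoDrives/NoViewOnDrive value back into the letters it covers."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError("mask must fit in 26 bits (0..%d), got %d" % (ALL_DRIVES, mask))
    return "".join(letter for i, letter in enumerate(DRIVE_LETTERS) if (mask >> i) & 1)


def letters_not_in_use(in_use):
    """Mask covering every letter NOT in `in_use`: hide everything except the mapped drives.

    Anything that later gets a letter (a USB stick, a CD) is already in the mask.
    """
    return ALL_DRIVES & ~encode_mask(in_use)


def reg_fragment(value_name, mask):
    """Render a .reg fragment (REG_DWORD, hex) for the Explorer policy key."""
    if value_name not in ("NoDrives", "NoViewOnDrive"):
        raise ValueError("unknown Explorer drive policy value: %r" % (value_name,))
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[%s]\n"
        '"%s"=dword:%08x\n' % (EXPLORER_POLICY_KEY, value_name, mask)
    )


if __name__ == "__main__":
    # Sample input, constructed for this example: letters a school workstation
    # actually has mapped (local disk plus network shares).
    mapped = "CDHNPS"
    hide = letters_not_in_use(mapped)
    print("A-F mask (the post's 'Logistix' value):", encode_mask("ABCDEF"))
    print("hide everything but %s: %d -> %s" % (mapped, hide, decode_mask(hide)))
    print(reg_fragment("NoViewOnDrive", hide))
```

Two caveats worth keeping in mind when you use these values: the policy only fits 26 bits, so anything larger than 67108863 is rejected here rather than silently truncated; and both NoDrives (hide) and NoViewOnDrive (block in My Computer) are Explorer-only controls, so a command prompt or a program that opens E:\ by path still gets there. That is why the later posts pair this with disabling autorun and a Software Restriction Policy rather than relying on hiding alone.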
We've banned USB drives for many years and use our VLE or webmail to exchange files. Seems to work quite well.
I disabled autorun in GPO and made all the shared drives read-only at the root; this stopped all the Netsky-type viruses propagating immediately. Not had a problem with them since.
Very possible, but with a little tweaking the same results can be achieved for free. Actually, thinking about it, the same can be achieved via the RMMC if you have CC3 or (presumably) CC4, where you can specify which drive letters are visible and/or accessible to a user.
We disabled autorun on drives and then use Software Restriction Policy to blanket-ban executable files from all locations other than those we whitelist. This has solved the problem for us. It also stops .exe games and portable apps, Tor and so on.