You can use this nifty .adm with group policy to block usb, cd, floppy and super floppy devices on server 2003:
HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
We use it and it works a treat - easy to enable / disable. Don't forget to uncheck 'only show policy settings that can be fully managed' under filtering to see the options.
We still use them, but deiable autorun on all drives, and also manage the attachemtns that can be accessed, and where they can be saved to (which is almost nowhere for the children).
It causes the McAfee scanner to scan the USB stick, sadly the window remains open after the scan even if nothing is found. It is useful to scan for the kids sake as no executables can run from USB sticks within school.Code:[HKEY_LOCAL_MACHINE\SOFTWARE\Uwe Sieber\USBDLM\OnArrival] "Force"="1" "open"="\"%ProgramFiles%\\McAfee\\VirusScan Enterprise\\scan32.exe\" %drive%"
Just an aside, unless you use another key to demote the "OnArrival" part of USBDLM runs with local admin privs.
contink (8th December 2009)
possibly worth checking with the IT staff as to what course they are running first, the OCR nationals specifically state that students must back-up thier work to removable medium, i.e USB/Floppy/Zip (the spec mentions it, nobody ever does)
Tech_guy's link looks very interesting, however in the past (as an alternative) I created a custom GPO which limits the number of drive letters available.
If all existing network drives are using drive letters, plugging in a USB stick will do nothing as no letter can be assigned.
That would suffice - could you post the adm file?
Firstly here are all the numeric values for all drive letters:
And here's a caption from a System.adm file from Windows Server 2003 R2 I have customised. I recommend you make a copy and name it System1.adm leaving the existing System.adm file in place. By creating a Test OU, you can remove System.adm and import System1.adm without affecting your other OUs.Code:A 1 B 2 C 4 D 8 E 16 F 32 G 64 H 128 I 256 J 512 K 1024 L 2048 M 4096 N 8192 O 16384 P 32768 Q 65536 R 131072 S 262144 T 524288 U 1048576 V 2097152 W 4194304 X 8388608 Y 16777216 Z 33554432
In this example the Numeric Value is 63 which would restrict drives A to F. You can do any combination according to your requirements. Hope this helps
Anywhere under strings:Code:POLICY !!NoDrives #if version >= 4 SUPPORTED !!SUPPORTED_Win2k #endif EXPLAIN !!NoDrives_Help PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED VALUENAME "NoDrives" ITEMLIST NAME !!ABOnly VALUE NUMERIC 3 NAME !!COnly VALUE NUMERIC 4 NAME !!DOnly VALUE NUMERIC 8 NAME !!ABConly VALUE NUMERIC 7 NAME !!ABCDOnly VALUE NUMERIC 15 NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT NAME !!Logistix VALUE NUMERIC 63 ; low 26 bits on (1 bit per drive) NAME !!RestNoDrives VALUE NUMERIC 0 END ITEMLIST END PART END POLICY POLICY !!NoViewOnDrive #if version >= 4 SUPPORTED !!SUPPORTED_Win2k #endif EXPLAIN !!NoViewOnDrive_Help PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED VALUENAME "NoViewOnDrive" ITEMLIST NAME !!ABOnly VALUE NUMERIC 3 NAME !!COnly VALUE NUMERIC 4 NAME !!DOnly VALUE NUMERIC 8 NAME !!ABConly VALUE NUMERIC 7 NAME !!ABCDOnly VALUE NUMERIC 15 NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT NAME !!Logistix VALUE NUMERIC 63 ; low 26 bits on (1 bit per drive) NAME !!RestNoDrives VALUE NUMERIC 0 END ITEMLIST END PART END POLICY
Code:[strings] Logistix="Restrict drives A to F only"
We've banned USB drives for many years and use our VLE or webmail to exchange files. Seems to work quite well.
I disabled autorun in GPO and made all the shared drives read only on the root, this stopped all the netsky virus type things propagating immediately. Not had a problem with them since.
Very possible, but with a little tweaking the same results can be achieved for free.Actually, thinking about it, the same can be achieved via the RMMC if you have CC3 or (presumably) CC4, where you can specify which drive letters are visible and/or accessible to a user.
We disabled autorun on drives and then use Software Restriction Policy to blanket ban executable files from all locations other than where we whitelist. This has solved the problem for us. This also stops exe games and portable apps/TOR programs and so on.
There are currently 1 users browsing this thread. (0 members and 1 guests)