Disable USB disks

[ajbritton]

I just found this article on the excellent Daniel Petri website. I've not tried it, but it looks a lot simpler than some solutions I've seen.

[Gatt]

nice, pity our school is letting kids use pen drives - much to my disdain

[ChrisH]

Thats how you can stop everyone from using USB disks but unfortunately its per machine. I restrict drives for students as they are always drive d: it's easy for me to do.

[NetworkGeezer]

Why do you need to ban USB drives?

So long as you have AV, WSUS,SRP and LUA then there shouldn't really be a problem with executable content.
Locking the BIOS will also help some, despite Geoff's handy cracking tips.
(They have to be able to run the executable first )

[Ric_]

@NetworkGeezer: Why do you need to allow their use? There are many means of electronic data transfer that negates their use and are far more reliable.

Surely, the hassle of setting up policies, etc. can be avoided by just not using them.

[tosca925]

We let our kids use them as well.

[Gatt]

they become a haven for kids to bring all sorts in with them - games, viruses, shortcuts etc.

I've used GPO to restrict the running of exe's from the pen drives as best i can, but the buggers still get round it.

Would rather vito them completely

Looking at removing all removable drives from the PC's over summer (ie floppy's and CD/DVD drives, etc)

[ChrisH]

We have that setup and it works ok for us. They can email stuff in if needed or if they cant they can bring it to me to sort on a disc.

[Gatt]

That's how I wanna go, but TPTB are over-ruling me on it

[NetworkGeezer]

Then they have a valid reason for being on Hotmail during lesson time.

[pete]

We don't allow USB drives used by the kids, for the reasons mentioned and it's far too easy to get up to stuff using one. Kids bring anything they need to via sneakernet (and we stick it on) or email it in. We don't have floppy drives or cd-roms for the same reason.

We alter permissions on usbstor.inf on the virgin ghost. Works fine for us (yes there are ways around it, but the bar is sufficiently high to make it easier to bring the stick to us).

You can also set up a group policy to encrypt the data on all removable media.

[NetworkGeezer]

I've used GPO to restrict the running of exe's from the pen drives as best i can, but the buggers still get round it.

How?

If you have path based white-list software restriction policies and all students are restricted users then there should be very little they could do.

It might take a while but locking the box down is the best policy so you're not caught on the hop. Not every one has broadband at home and the time to wait while the 25MB Publisher file is upload to their Hotmail account.

I hope I am not living under a false sense of security.

[Gatt]

They renamed the file IIRC - hadn't locked it down properly in SRP

[ajbritton]

@NetworkGeezer: Why do you need to allow their use? There are many means of electronic data transfer that negates their use and are far more reliable.

The only good reasons I can currently think of are where students are working on projects which are too large to move around by email e.g. digital video

[Ric_]

@NetworkGeezer: Why do you need to allow their use? There are many means of electronic data transfer that negates their use and are far more reliable.

The only good reasons I can currently think of are where students are working on projects which are too large to move around by email e.g. digital video

Which is why I copy the file into their MyDocuments for them or a staff member drops it into the shared area where they can pick it up.

FYI I have also blocked access to webmail for kids so that they must email to their school email account which can be monitored more closely. This is mainly for anti-bullying and the like but helps solve this problem.