Locking down CD roms, USB mass storage devices and Floppy disk dri

  • Thread starter Thread starter Jordan Fey
  • Start date Start date
J

Jordan Fey

Guest
I'm in a very security concious company which wants access to CD-Rom drives,
floppy disk drives & USB mass storage devices restricted to the majority of
machines. This is easy enough in itself, Ive used an group policy ADM to set
the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR",
"SYSTEM\CurrentControlSet\Services\Cdrom",
"SYSTEM\CurrentControlSet\Services\Flpydisk" and
"SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are
disabled via registry.

The issue I have is granting access to those users who are authorised to use
these devices. At present I am applying these settings individually to
different OU's however a multitude of group policies takes a lot longer to
apply than a single, large group policy.

What I would like to do is create a script to temporarily amend these
settings back via regedit which the users can run vioa an ICON & a=only
authorised users can access. The problem with this is that it only works for
USB mass-storage devices. All the others only re-enable on reboot. Does
anyone know of a way around this?

Jordan
 
Re: Locking down CD roms, USB mass storage devices and Floppy diskdri

Re: Locking down CD roms, USB mass storage devices and Floppy diskdri


What about setting the services to 'manual' and let
start them by the admin manually by means of
net start xxx
or
sc start xxx

Restricted users should get an 'access denied' when
trying this.


Uwe



Jordan Fey wrote:
> I'm in a very security concious company which wants access to CD-Rom drives,
> floppy disk drives & USB mass storage devices restricted to the majority of
> machines. This is easy enough in itself, Ive used an group policy ADM to set
> the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR",
> "SYSTEM\CurrentControlSet\Services\Cdrom",
> "SYSTEM\CurrentControlSet\Services\Flpydisk" and
> "SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are
> disabled via registry.
>
> The issue I have is granting access to those users who are authorised to use
> these devices. At present I am applying these settings individually to
> different OU's however a multitude of group policies takes a lot longer to
> apply than a single, large group policy.
>
> What I would like to do is create a script to temporarily amend these
> settings back via regedit which the users can run vioa an ICON & a=only
> authorised users can access. The problem with this is that it only works for
> USB mass-storage devices. All the others only re-enable on reboot. Does
> anyone know of a way around this?
>
> Jordan
>
 
Re: Locking down CD roms, USB mass storage devices and Floppy disk

Re: Locking down CD roms, USB mass storage devices and Floppy disk

Sorry if is ound a little dumb, but which service

"Uwe Sieber" wrote:

>
> What about setting the services to 'manual' and let
> start them by the admin manually by means of
> net start xxx
> or
> sc start xxx
>
> Restricted users should get an 'access denied' when
> trying this.
>
>
> Uwe
>
>
>
> Jordan Fey wrote:
> > I'm in a very security concious company which wants access to CD-Rom drives,
> > floppy disk drives & USB mass storage devices restricted to the majority of
> > machines. This is easy enough in itself, Ive used an group policy ADM to set
> > the "start" values for "SYSTEM\CurrentControlSet\Services\USBSTOR",
> > "SYSTEM\CurrentControlSet\Services\Cdrom",
> > "SYSTEM\CurrentControlSet\Services\Flpydisk" and
> > "SYSTEM\CurrentControlSet\Services\Sfloppy" accordingly so as the devices are
> > disabled via registry.
> >
> > The issue I have is granting access to those users who are authorised to use
> > these devices. At present I am applying these settings individually to
> > different OU's however a multitude of group policies takes a lot longer to
> > apply than a single, large group policy.
> >
> > What I would like to do is create a script to temporarily amend these
> > settings back via regedit which the users can run vioa an ICON & a=only
> > authorised users can access. The problem with this is that it only works for
> > USB mass-storage devices. All the others only re-enable on reboot. Does
> > anyone know of a way around this?
> >
> > Jordan
> >
>
 

Similar threads

P
Disable USB port from access smart-phone memory (without Group policy) in C#
Replies
0
Views
91
Prajith C S
P
F
Windows 10 No Access to USB / CD devices - "location is not available" "D:\ is not accessible" "Access is denied"
Replies
0
Views
130
Fozzy279
F
P
Windows 10 Device Guard and Credential Guard Demystified
Replies
0
Views
381
Priyanka_Pillai
P
M
Windows Admin Center 1809 and SDK now generally available!
Replies
0
Views
583
Microsoft Windows Server Team
M
M
Windows Admin Center 1809 and SDK now generally available!
Replies
0
Views
794
Microsoft Windows Server Team
M
Back
Top