While USB drives and other portable media are convenient, data protection policies may prohibit administrators or other individuals from connecting storage devices to servers. Windows Server 2008 introduces a Group Policy setting that can prohibit the read or write activities of floppy, CD and DVD drives, tape, and devices such as mobile phones, music players, and cameras. They can be collectively prohibited as well, so all classes of removable storage can be applied to this rule. (This functionality is available with Windows Server 2008 and Windows Vista, but it is ignored in previous versions of Windows.)Figure A shows these settings in the Computer Configuration section of the Group Policy Management Editor. Figure A
Creating a Group Policy Object (GPO) for this configuration can be applied in various configurations. For example, if all computer accounts are in one organizational unit (OU), the Computer Configuration equivalent of this configuration can be made in a GPO and linked to the OU for a consistent configuration across all computer accounts in that OU. Likewise, if the user configuration Group Policy options are configured within a GPO and linked to an OU of user accounts, the policy can be applied as well.
Use this configuration with caution; in emergency situations, there may be access required to removable media for situations where a network is not available. Also, it is a good idea to do a few tests to make sure this configuration can be used with correct permissions or via a domain disjoin and local Group Policy configuration to circumvent the configuration if needed.
Stay on top of the latest Windows Server 2003 and Windows Server 2008 tips and tricks with our free Windows Server newsletter, delivered each Wednesday. Automatically sign up today!
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.