Storage Device Lockdown via Group Policy

By jvoss

I am trying to lock down (disable) storage devices via group policy. I need this to work with applications from vendors other than Microsoft. Devices may not be NTFS. Generally USB or FireWire, some EIDE. Need to limit access to CD-RWs and the other read/write devices that 2000 and XP so nicely work with. The Windows Explorer policies do not get the job done.

by CG IT In reply to Storage Device Lockdown v ...

Well, here's a basic way for floppies and CD-RWs. Open up the group policy you want to use [default domain policy if you want], expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. You can restrict access to CD-ROMs & floppies to locally logged on users and hopefully you've set that so domain users are denied logon locally.

This doesn't address FireWire, USB and other PnP devices that a user can just plug into a port and W2K/XP will automatically install drivers for. Group Policy User Configuration, Administrative Templates, Windows Components, Windows Installer, Disable Media Source for any install properties might do the trick. Also, on some mainboards [MSI boards have/had this option], the BIOS allows you to turn on and off specific USB ports. If you don't have a need for USB/FireWire devices, turn 'em off on the mainboard.
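
An added example, not part of CG IT's post: a PowerShell check that reports whether the two Security Options described above (restricting CD-ROM and floppy access to the locally logged-on user) are in effect on a machine. The registry value names `AllocateCDRoms` and `AllocateFloppies` do not appear in the thread; they are the Winlogon values those options write, and the function name is hypothetical.

```powershell
# Audit the Winlogon values behind the Security Options
#   "Restrict CD-ROM access to locally logged-on user only"
#   "Restrict floppy access to locally logged-on user only"
# Both are string values: "1" = enabled, "0" = disabled, absent = not configured.
# As the post notes, these options do not cover USB or FireWire storage.
function Get-RemovableMediaRestriction {
    param(
        # Assumption: the standard Winlogon key; override to inspect a loaded offline hive.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $checks = @(
        @{ Value = 'AllocateCDRoms';   Policy = 'Restrict CD-ROM access to locally logged-on user only' },
        @{ Value = 'AllocateFloppies'; Policy = 'Restrict floppy access to locally logged-on user only' }
    )

    # A missing key is treated the same as "not configured" rather than as an error.
    $key = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    foreach ($c in $checks) {
        $raw = if ($key) { $key.($c.Value) } else { $null }

        $state = switch ("$raw") {
            '1'     { 'Enabled' }
            '0'     { 'Disabled' }
            ''      { 'Not configured' }
            default { "Unexpected value '$raw'" }
        }

        New-Object PSObject -Property @{
            Policy        = $c.Policy
            RegistryValue = $c.Value
            State         = $state
        }
    }
}

# Report the state on the local machine.
Get-RemovableMediaRestriction | Format-Table Policy, RegistryValue, State -AutoSize
```

Running `gpupdate /force` first on XP (or `secedit /refreshpolicy machine_policy /enforce` on 2000) makes sure the report reflects the current GPO rather than a stale one.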


by jvoss In reply to

Poster rated this answer.
I could actually use a domain group to limit the login to the machine and the locally logged in users (members of the group would still be able to use the devices). I have added a comment to more clearly define the requirement.


by jvoss In reply to Storage Device Lockdown v ...

The objective is to let anyone in the organization use the device as a normal workstation, but restrict the use of any non-standard mass storage device. Primary concerns are CD-RW/DVD+-RW+-R/USB or FireWire mass storage devices that can be hooked up on a whim. Only good news is that the Open hard drive device is the first EIDE channel and it is the primary drive and drive C: using NTFS.


by CG IT In reply to Storage Device Lockdown v ...

I should have learned long before this not to try and answer questions that appear to be from someone who is just jerking chains.


by CG IT In reply to

Your initial question was how to lock down [disable] mass storage devices like CD-RWs, FireWire and USB via group policy. I gave you that answer. Now you add something different.


by voldar In reply to Storage Device Lockdown v ...

As D.R. said before, I don't think there is a GPO that refers to the FireWire port or anything like it (USB etc.), but I think you can restrict the installation of the hardware drivers so that they should be digitally signed.
It's not an answer, just a "place to start from".
