Lock down USB storage/CDRom at USER level via GPO
  • Lock down USB storage/CDRom at USER level via GPO

    Hi guys,

    Long time lurker first time poster after some advice here please.

    I've seen all the articles and read all the threads regarding locking down USBSTOR.SYS, CDROM.SYS etc via GPO and have seen the respective ADM files.

    http://www.petri.co.il/disable_usb_disks_with_gpo.htm
    http://diaryproducts.net/about/opera...ble_usb_sticks
    http://support.microsoft.com/kb/555324
    http://www.petri.co.il/disable_writi..._in_xp_sp2.htm
    http://forums.petri.com/showthread.php?t=22971
    http://forums.petri.com/showthread.php?t=3299
    http://forums.petri.com/showthread.php?t=9280
    http://www.geekzone.co.nz/forums.asp...&topicid=39308
    http://support.microsoft.com/kb/823732

    Creating the GPO itself seems relatively straightforward. The real problem I have here is how to apply it at USER level. Say I create the GPO for every PC in the enterprise, how do I apply it such that if a user object in my Managers OU, for example, logs onto any given workstation, then they can use USB sticks, the optical drive etc, but if a user object in my Staff OU logs on to the same box then all USB storage, optical drive, FDD etc is locked down, then say a Manager logs on again and it's opened up again? All the machines are in one OU at the moment.

    I had a look at the idea of Security Filtering but I'm really not sure I get it.
    http://social.technet.microsoft.com/...e-523e08124d47
    http://www.windowsnetworking.com/art...Filtering.html

    Also what's "Loopback processing"? Would that be of any use to me here? I've read about it in the articles above but, again, I don't really get it.

    Finally, as an aside and slightly OT, I understand that if a particular stick has already been attached to a machine and had the driver loaded then you cannot then lock that down, is that the case? Is there a way around that?

    Any help you guys can offer me in this implementation would be much appreciated!!

    Many thanks in advance all.

  • #2
    Re: Lock down USB storage/CDRom at USER level via GPO

    I think you're on the right track with security filtering. The confusing thing about group policy is that its application is based upon OU structure and you can organize your OU structure in a million different ways.

    In our environment we generally link our policies to OUs that contain computers and then filter by global groups that contain users. So for the sake of example here's how I would accomplish what you're trying to do in my environment.

    1. Create a policy that has the setting that I want to push down, let's call it 'Lock Down Removable Storage'.
    2. Assuming that I want to apply it to XP workstations, I'd link it to our XP workstations OU.

    So at this point USBs and CDROMs are getting locked down for all Authenticated Users that log on to an XP workstation. The next step would be to open it up for the managers. Here's how I would do that.

    1. Create a totally separate policy that reverses all the settings that I previously made, call this one 'Allow Removable Storage'.
    2. In the GPMC, with the policy selected, under the Scope tab, I would remove Authenticated Users from security filtering and add a global group that contained just the managers.
    3. Finally, I'd link it to the XP workstation OU so that it applies after the policy I created to lock it down. So, selecting the XP workstation OU in GPMC, I want the Allow Removable Storage policy to appear above the Lock Down Removable Storage policy in the link order.

    So what's going to happen is when any Authenticated User logs on to an XP workstation their USB and CDROM are going to get locked down by the Lock Down Removable Storage policy. However, if my ID is a member of the managers global group, the Allow Removable Storage policy will also apply, reversing the lockdown.

    Some additional relevant information about my environment. I do have GPO Loopback Processing enabled. I set it within the Default Domain Policy and use loopback for everything.

    Also, I do not create 2 policies every time I want to filter something. What I do is create a baseline policy for each OS that contains all the settings that I want to push down. Then I just have to create one policy if I want to filter something from getting applied. In this instance I would add the lock-down stuff to my XP Baseline policy, and then create a filter policy to exempt the managers.

    Anyways.... that's what I would do. You should be good and confused now!

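The two-policy arrangement from post #2, as an added example built with the GroupPolicy PowerShell module instead of GPMC clicks (not from the thread; the OU path, GPO names and managers group are placeholders). It assumes Vista-or-later clients and uses the user-scoped Removable Storage Access registry value, because only a User Configuration setting can be switched per logged-on user; the USBSTOR.SYS/CDROM.SYS "Start" value from the linked KB articles lives under HKLM and is processed in the computer's context, so a user-group filter cannot toggle it.

```powershell
# Added example, not from the thread. Requires RSAT (GroupPolicy module)
# and rights to create and link GPOs in the domain.
Import-Module GroupPolicy

$Ou         = 'OU=Workstations,DC=example,DC=com'   # placeholder OU of the PCs
$ManagerGrp = 'GPO-Allow-RemovableStorage'           # placeholder global group
$DenyKey    = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# 1. Lock-down policy, left with the default filter (Authenticated Users: Apply).
#    An HKCU key lands in User Configuration, so it is evaluated at each logon.
New-GPO -Name 'Lock Down Removable Storage' | Out-Null
Set-GPRegistryValue -Name 'Lock Down Removable Storage' -Key $DenyKey `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

#    Users live in other OUs, so User Configuration of a GPO linked to the
#    computer OU only reaches them with loopback processing (1 = merge mode).
Set-GPRegistryValue -Name 'Lock Down Removable Storage' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. Reversing policy: drop Authenticated Users, apply only to the managers group.
New-GPO -Name 'Allow Removable Storage' | Out-Null
Set-GPRegistryValue -Name 'Allow Removable Storage' -Key $DenyKey `
    -ValueName 'Deny_All' -Type DWord -Value 0 | Out-Null
Set-GPPermission -Name 'Allow Removable Storage' -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name 'Allow Removable Storage' -TargetName $ManagerGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
#    The workstation still has to read the GPO to process it under loopback.
Set-GPPermission -Name 'Allow Removable Storage' -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# 3. Link both to the computer OU. Link order 1 is the top of the list in GPMC
#    and wins on conflict, so the Allow policy goes there.
New-GPLink -Name 'Lock Down Removable Storage' -Target $Ou | Out-Null
New-GPLink -Name 'Allow Removable Storage' -Target $Ou -Order 1 | Out-Null

# 4. Check the resulting link order before testing with real users.
Get-GPInheritance -Target $Ou | Select-Object -ExpandProperty GpoLinks |
    Format-Table Order, DisplayName, Enabled -AutoSize
```

On a workstation, `gpresult /r /scope:user` after a manager logon should list both GPOs under Applied Group Policy Objects and after a staff logon only the lock-down one; since both write to the logging-on user's own HKCU, there is no setting left behind for the next user.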


    • #3
      Re: Lock down USB storage/CDRom at USER level via GPO

      Nice, exactly what I was after Scott. I'll give that a punt and report back.

      Thanks pal



      • #4
        Re: Lock down USB storage/CDRom at USER level via GPO

        Originally posted by ScottMcD

        So what's going to happen is when any Authenticated User logs on to an XP workstation their USB and CDROM are going to get locked down by the Lock Down Removable Storage policy. However, if my ID is a member of the managers global group, the Allow Removable Storage policy will also apply, reversing the lockdown.
        Hi Scott

        Thanks again for your helpful post and apologies for the tardy response, this project has been on hold for a while but has now been resurrected.

        Quick question regarding your suggestion: if the baseline policy is such that these storage devices are locked down, then that policy is reversed by someone in the Managers OU logging on, when that person logs off the storage devices are still open (i.e. the Open policy hasn't been reversed). So if someone in the Staff OU then logs on afterwards they would still be open, presumably? How would I prevent that? I'm wondering if, rather than having the baseline policy, I would be better to link the lockdown policy to the Staff OU and the open policy to the Managers OU. What do you think? Is there a best practice for this please?

        Thanks again for your help sir!
