USB Best Practise

  • USB Best Practise

    We are moving onto Windows 7 from Windows XP & I wanted to change the way our USB policy is done.

    Currently we lock all write access to removable storage devices by a registry key locally on the computer.

    My boss wants me to now remove the restriction on some of the computers where sensitive data isn't held so they have a more user friendly environment.

    I plan to move the restriction to GPO but my question was would you enforce the GPO at the user level or computer?

    I was maybe thinking of adding the "Domain Computers" & "Domain Users" group onto the policy & then creating an AD group called "USB No Restrictions" which is set to not apply the GPO so any user or computer in this group would not get the restrictions.

    Does anyone have any comments or advice on this?

  • #2
    Re: USB Best Practise

    Well, the point of Group Policy is to create an environment that is easiest to manage, so here's what I would do. I would create a policy that restricted access to removable storage. I would then create a group that consisted of whichever had fewer people. I mean, to what percentage of people will this be applied?

    If you have ten people out of fifty that need to be restricted, create a group of just those people (or computers if you go that route), apply the policy to them and remove "Authenticated Users" from the ACL.

    However, if it's the other way around, keep Authenticated Users in the ACL, create a group consisting of those that don't need to be restricted, add them to the ACL and where it says "Apply group policy" check "Deny", so that the GPO applies to everyone in the organization but them.

    As far as whether to apply it at the user level or computer level, ask yourself this: which has a higher turnover rate? This determines how often this policy needs to be updated.

    Hope this helps/makes sense.
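
The "Deny" approach from the reply above, sketched in PowerShell as an added example (not part of either post). It assumes the GroupPolicy and ActiveDirectory RSAT modules, a computer-side removable-disk write block, and hypothetical GPO and OU names; the group name is the one proposed in the first post.

```powershell
# Added example: names marked "hypothetical" are assumptions, not values from the thread.
Import-Module GroupPolicy, ActiveDirectory

$GpoName     = 'USB - Deny Removable Write'          # hypothetical GPO name
$ExemptGroup = 'USB No Restrictions'                 # group proposed in the first post
$TargetOU    = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU to link to

# 1. Create the GPO and set the computer-side policy value behind
#    "Removable Disks: Deny write access" (assumed to be the setting wanted here).
$gpo = New-GPO -Name $GpoName
$key = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\' +
       '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'Deny_Write' `
    -Type DWord -Value 1 | Out-Null

# 2. Link it. Authenticated Users keeps its default Read + Apply, so every
#    computer under the OU gets the restriction unless explicitly denied.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# 3. Add a Deny ACE for the "Apply Group Policy" extended right to the exempt
#    group. Set-GPPermission can only grant, so the ACE is written on the
#    GPO's AD object directly.
$applyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$sid  = (Get-ADGroup -Identity $ExemptGroup).SID
$path = "AD:\$($gpo.Path)"
$acl  = Get-Acl -Path $path
$ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'ExtendedRight', 'Deny', $applyGroupPolicy)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Because Deny_Write lives under HKLM (Computer Configuration), the exempt
# group must contain COMPUTER accounts. Adding users to it has no effect on a
# computer-side setting; a user-level exemption needs the setting placed under
# User Configuration instead.
Get-ADGroupMember -Identity $ExemptGroup | Select-Object Name, objectClass
```

On an exempt machine, `gpresult /r /scope computer` after a restart should list the GPO as filtered out with "Denied (Security)".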