Windows Vista adds a new security capability: removable device controls that you configure through Group Policy. It lets you control which devices can be installed on a system. In particular, many are rightfully concerned that someone could plug in a removable disk drive and walk away with sensitive data.
To make use of this new capability, you create an approved list of devices on your network and include it in your GPO. It may be okay for users to install USB mice and keyboards, but not flash memory devices or external disk drives. MP3 players, PDAs and cell phones can also function as drives that can be used to store potentially large amounts of data. You must control their use through a properly designed GPO.
The best documentation I've seen on this is:
Step-By-Step Guide to Controlling Device Installation and Usage with Group Policy
It offers specific instructions on how to...
Prevent installation of all devices
Prevent standard users from installing any device, but allow administrators to install or update devices. To complete this scenario, you configure two computer policies. The first computer policy prevents all users from installing devices, and the second policy exempts administrators from the restrictions.
Allow users to install only authorized devices
Allow users to install only the devices included on a list of authorized devices. This scenario builds on the first scenario and therefore you must complete the first scenario before attempting this scenario. To complete this scenario, you create a list of authorized devices so that users can install only those devices that you specify.
Prevent installation of only prohibited devices
Allow standard users to install most devices but prevent them from installing devices included on a list of prohibited devices. To complete this scenario, you must remove the policies that you created in the first two scenarios. After you have removed those policies, you create a list of prohibited devices so that users can install any device except those that you specify.
Control the use of removable media storage devices
Prevent standard users from writing data to removable storage devices, or devices with removable media, such as a USB memory drive or a CD or DVD burner. To complete this scenario, you configure a computer policy to allow read access, but deny write access to your sample device and to any CD or DVD burner device on your computer.
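To check which of these scenarios a machine actually ended up in after the GPO applied, the following PowerShell audit reads the resulting policy state. It is an added example, not taken from the guide. The function names are hypothetical, and the registry locations, value names and device class GUIDs are assumptions about where these policies are stored, so verify them against your own GPO before relying on the output.

```powershell
# Added example, not from the guide. Assumption: these are the registry
# locations where the two policy groups store their settings.
$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$storage  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Assumption: device class GUIDs used by the removable storage policies
$classes  = @{
    'Removable disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-PolicyFlag([string]$Path, [string]$Name) {
    # True only when the DWORD value exists and is set to 1
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Get-PolicyList([string]$Path) {
    # List policies keep their entries as numbered string values in a subkey
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    return @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

function Get-DeviceControlReport {
    $denyAll  = Get-PolicyFlag $restrict 'DenyUnspecified'
    $allowIds = @(); $denyIds = @()
    if (Get-PolicyFlag $restrict 'AllowDeviceIDs') { $allowIds = @(Get-PolicyList "$restrict\AllowDeviceIDs") }
    if (Get-PolicyFlag $restrict 'DenyDeviceIDs')  { $denyIds  = @(Get-PolicyList "$restrict\DenyDeviceIDs") }

    # Map the policy state onto the scenarios described above
    if ($denyAll -and $allowIds.Count -gt 0) { $scenario = 'Allow users to install only authorized devices' }
    elseif ($denyAll)                        { $scenario = 'Prevent installation of all devices' }
    elseif ($denyIds.Count -gt 0)            { $scenario = 'Prevent installation of only prohibited devices' }
    else                                     { $scenario = 'No device installation restriction configured' }

    # Classes where write access to removable media is denied
    $writeDenied = @($classes.Keys | Where-Object { Get-PolicyFlag "$storage\$($classes[$_])" 'Deny_Write' })

    New-Object PSObject -Property @{
        Scenario          = $scenario
        AdminsExempt      = Get-PolicyFlag $restrict 'AllowAdminInstall'
        AuthorizedIDs     = $allowIds
        ProhibitedIDs     = $denyIds
        WriteDeniedMedia  = $writeDenied
    }
}

Get-DeviceControlReport | Format-List
```

A machine that reports "No device installation restriction configured" while linked to the GPO is worth a closer look, since it means the policy never reached that computer.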