Locking down the USB & optical drives on Windows Server 2008 R2

Tags:
Network security
Network Security Management
Optical Drives
USB drive
Windows Server 2008 Administration
Windows Server 2008 R2
Windows Server Security
Can we lock down the USB and Optical drives on a Windows Server 2008 R2 box for all users except the administrators group or even just the administrator?

Answer Wiki


Yes, there are group policy settings to do this.

<i>Updated with where in GPO and Registry</i>
<b>Prevent installation of removable devices </b>

<b>Policy Path</b>
Machine System\Device Installation\Device Installation Restrictions

<b>Registry Information </b>
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyRemovableDevices

<b>Information</b>
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.

Discuss This Question: 6  Replies

 
  • jinteik
    Yes, you can do it by setting the policy / policies. It depends a lot on how you have set your AD policy. For example, the IT department can have all access, while the marketing department cannot have access to USB and CD-ROM. So it depends a lot on how you set your OU.
  • batye
    ; In each policy, "Enabled" sets Start = 4 (driver disabled);
    ; "Disabled" restores the normal start type (3, or 1 for Cdrom).
    CLASS MACHINE
    CATEGORY !!category
      CATEGORY !!categoryname
        POLICY !!policynameusb
          KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
          EXPLAIN !!explaintextusb
          PART !!labeltextusb DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
              NAME !!Disabled VALUE NUMERIC 3 DEFAULT
              NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
          END PART
        END POLICY
        POLICY !!policynamecd
          KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
          EXPLAIN !!explaintextcd
          PART !!labeltextcd DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
              NAME !!Disabled VALUE NUMERIC 1 DEFAULT
              NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
          END PART
        END POLICY
        POLICY !!policynameflpy
          KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
          EXPLAIN !!explaintextflpy
          PART !!labeltextflpy DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
              NAME !!Disabled VALUE NUMERIC 3 DEFAULT
              NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
          END PART
        END POLICY
        POLICY !!policynamels120
          KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
          EXPLAIN !!explaintextls120
          PART !!labeltextls120 DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
              NAME !!Disabled VALUE NUMERIC 3 DEFAULT
              NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
          END PART
        END POLICY
      END CATEGORY
    END CATEGORY

    [strings]
    category="Custom Policy Settings"
    categoryname="Restrict Drives"
    policynameusb="Disable USB"
    policynamecd="Disable CD-ROM"
    policynameflpy="Disable Floppy"
    policynamels120="Disable High Capacity Floppy"
    explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
    explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
    explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
    explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
    labeltextusb="Disable USB Ports"
    labeltextcd="Disable CD-ROM Drive"
    labeltextflpy="Disable Floppy Drive"
    labeltextls120="Disable High Capacity Floppy Drive"
    Enabled="Enabled"
    Disabled="Disabled"
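The registry values named in the answer (DenyRemovableDevices) and in batye's ADM template (the Start value of the USBSTOR, Cdrom, Flpydisk and Sfloppy driver services) can be read back on the server to confirm what the GPO actually applied. The PowerShell below is an added example, not part of the original thread; the function names are hypothetical, and AllowAdminInstall (the value behind "Allow administrators to override Device Installation Restriction policies" in the same key) is not mentioned on the page.

```powershell
# Added example: read-only audit of the registry values discussed in this thread.
# Assumption: run locally on the server being checked.
$RestrictionsKey = 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$ServicesKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Meaning of a driver service's Start value.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Setting, $Value, [string]$State)
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; State = $State } |
        Select-Object Setting, Value, State
}

function Get-RemovableMediaLockdown {
    # Device Installation Restrictions policy values: 1 = enabled, 0 = disabled.
    # AllowAdminInstall is not on the page; it is the administrator override in the same key.
    foreach ($name in 'DenyRemovableDevices', 'AllowAdminInstall') {
        $value = Get-RegValue -Path $RestrictionsKey -Name $name
        $state = if ($null -eq $value) { 'Not configured' } elseif ($value -eq 1) { 'Enabled' } else { 'Disabled' }
        New-Finding -Setting "Policy: $name" -Value $value -State $state
    }
    # Driver services targeted by the ADM template.
    foreach ($svc in 'USBSTOR', 'Cdrom', 'Flpydisk', 'Sfloppy') {
        $value = Get-RegValue -Path "$ServicesKey\$svc" -Name 'Start'
        $state = if ($null -eq $value) { 'Service key not found' } elseif ($StartNames.ContainsKey([int]$value)) { $StartNames[[int]$value] } else { 'Unknown' }
        New-Finding -Setting "Driver: $svc" -Value $value -State $state
    }
}

Get-RemovableMediaLockdown | Format-Table -AutoSize
```

The Start values are machine-wide, so a driver set to 4 is disabled for administrators as well.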
  • TomLiotta
    First question I'd ask is how other users are being allowed access in the first place. Are users allowed physical access or are these devices exposed through network shares? If a 'user' can actually log on to the server box directly, I'd think there are many routes available other than those devices.

    Can you list some specific scenarios you are concerned about? Is the console always available to anyone to log on to? ...or does it automatically timeout and lock? I mean, just what security is already in place?

    I'm barely a novice at direct access to Windows Server itself, so even the fact that the question needs to be answered is disturbing to me. My servers all tend to be AS/400, iSeries, etc., so access to attached devices isn't a big concern -- 'users' couldn't do anything with them to worry about anyway unless they had 'Admin' kinds of authority, in which case they'd be part of the group that you're not locking out.

    So, what exactly is there to worry about? Aren't there simple solutions? If the console is locked, is it that easy to bypass? And if it's not locked and I start messing with it, whose permissions are in control? Does a policy over me even come into play when somebody else is the session user? I'm mostly just curious, but it does seem odd.

    Tom