PDA

View Full Version : Restrict access to USB flash storage device to console user only

ZC Wong
Hi,

It is possible to restrict floppy and CD-ROM access to console user only
in the security policy. But can I do the same for the USB storage
devices? For example a CompactFlash card reader, etc?

Thanks.
Steven L Umbach
There is no security policy for such. Some have suggested to configure
security on removeable storage in Computer Management/removable
storage/properties/security where you could give access to just interactive.
I have personally never tried that and have my doubts, but it may be worth a
try. Otherwise there are third party applications such as DeviceLock that
may be able to control access and may be free to try. You can also modify
the user right for "access this computer from the network" to generally
control who can access resources on a computer. --- Steve

http://www.protect-me.com/dl/ -- DeviceLock

"ZC Wong" wrote in message
news:c4n5c9$bf2$1@ucsnew1.ncl.ac.uk...
> Hi,
>
> It is possible to restrict floppy and CD-ROM access to console user only
> in the security policy. But can I do the same for the USB storage
> devices? For example a CompactFlash card reader, etc?
>
> Thanks.


ZC Wong
The problem for the INTERACTIVE security group is that terminal service
clients would also be identified as an INTERACTIVE user. It seems that
there is no security group to identify console users.

Steven L Umbach wrote:
> There is no security policy for such. Some have suggested to configure
> security on removeable storage in Computer Management/removable
> storage/properties/security where you could give access to just interactive.
> I have personally never tried that and have my doubts, but it may be worth a
> try. Otherwise there are third party applications such as DeviceLock that
> may be able to control access and may be free to try. You can also modify
> the user right for "access this computer from the network" to generally
> control who can access resources on a computer. --- Steve
>
> http://www.protect-me.com/dl/ -- DeviceLock
>
> "ZC Wong" wrote in message
> news:c4n5c9$bf2$1@ucsnew1.ncl.ac.uk...
>
>>Hi,
>>
>>It is possible to restrict floppy and CD-ROM access to console user only
>>in the security policy. But can I do the same for the USB storage
>>devices? For example a CompactFlash card reader, etc?
>>
>>Thanks.
>
>
>
Steven L Umbach
In that case it may help to put the TS users in their own group with an explicit deny
permissions for that group. --- Steve

"ZC Wong" wrote in message news:c4s8qa$n12$1@ucsnew1.ncl.ac.uk...
> The problem for the INTERACTIVE security group is that terminal service
> clients would also be identified as an INTERACTIVE user. It seems that
> there is no security group to identify console users.
>
> Steven L Umbach wrote:
> > There is no security policy for such. Some have suggested to configure
> > security on removeable storage in Computer Management/removable
> > storage/properties/security where you could give access to just interactive.
> > I have personally never tried that and have my doubts, but it may be worth a
> > try. Otherwise there are third party applications such as DeviceLock that
> > may be able to control access and may be free to try. You can also modify
> > the user right for "access this computer from the network" to generally
> > control who can access resources on a computer. --- Steve
> >
> > http://www.protect-me.com/dl/ -- DeviceLock
> >
> > "ZC Wong" wrote in message
> > news:c4n5c9$bf2$1@ucsnew1.ncl.ac.uk...
> >
> >>Hi,
> >>
> >>It is possible to restrict floppy and CD-ROM access to console user only
> >>in the security policy. But can I do the same for the USB storage
> >>devices? For example a CompactFlash card reader, etc?
> >>
> >>Thanks.
> >
> >
> >


W2K_Admin
It can be done to deny access to USB Mass Storage pretty
easily. Go to www.jsiinc.com -> Tips and Reg Hacks ->
Search for Tip 7093.


>-----Original Message-----
>In that case it may help to put the TS users in their own
group with an explicit deny
>permissions for that group. --- Steve
>
>"ZC Wong" wrote in message
news:c4s8qa$n12$1@ucsnew1.ncl.ac.uk...
>> The problem for the INTERACTIVE security group is that
terminal service
>> clients would also be identified as an INTERACTIVE
user. It seems that
>> there is no security group to identify console users.
>>
>> Steven L Umbach wrote:
>> > There is no security policy for such. Some have
suggested to configure
>> > security on removeable storage in Computer
Management/removable
>> > storage/properties/security where you could give
access to just interactive.
>> > I have personally never tried that and have my
doubts, but it may be worth a
>> > try. Otherwise there are third party applications
such as DeviceLock that
>> > may be able to control access and may be free to try.
You can also modify
>> > the user right for "access this computer from the
network" to generally
>> > control who can access resources on a computer. ---
Steve
>> >
>> > http://www.protect-me.com/dl/ -- DeviceLock
>> >
>> > "ZC Wong" wrote in message
>> > news:c4n5c9$bf2$1@ucsnew1.ncl.ac.uk...
>> >
>> >>Hi,
>> >>
>> >>It is possible to restrict floppy and CD-ROM access
to console user only
>> >>in the security policy. But can I do the same for the
USB storage
>> >>devices? For example a CompactFlash card reader, etc?
>> >>
>> >>Thanks.
>> >
>> >
>> >
>
>
>.
>