Friday, 25 December 2009

Disable access to USB mass storage - Server 2003 GPO

Create the .adm file using the template below and save it on the server.

ADM template text:

; Each policy sets the "Start" value of a storage driver's service key.
; Start = 4 means the driver is disabled and will not load.
; Start = 3 (load on demand) or 1 (load at system start) leaves the driver usable.
; The drop-down choice "Enabled" turns the restriction on (Start = 4);
; "Disabled" is the default and leaves the device usable.
CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname

    ; USB mass storage (usbstor.sys)
    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED

        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    ; CD-ROM (cdrom.sys)
    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED

        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    ; Floppy (flpydisk.sys)
    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED

        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    ; High-capacity floppy, LS-120 (sfloppy.sys)
    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED

        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"


Then import the template by doing the following:

After you create an .adm file, you can load it into the Administrative Templates section of Group Policy Object Editor by performing the following procedure.

To load your .adm file into Group Policy Object Editor
1. Open Group Policy Object Editor.
2. Under either Computer Configuration or User Configuration, right-click Administrative Templates, and then click Add/Remove Templates.
3. In the Add/Remove Templates dialog box, click Add.
4. Navigate to the folder containing the .adm file that you would like to add. Select the file, and then click Open.

5. Do one of the following:
   a. If your .adm file was successfully loaded, in the Add/Remove Templates dialog box, click Close. Your policy template has been added successfully.
   b. If your .adm file was not successfully loaded, a dialog box is displayed, showing the error and line number of the error. Make a note of the errors that were found, and click OK. Although your .adm file was not successfully loaded, it still appears in the list of .adm files loaded. Select your .adm file, click Remove, and then click Close. Edit the .adm file and correct any problems.

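In this case it's a Computer Configuration policy (the template is CLASS MACHINE), so add it under Computer Configuration.

To actually see the settings in Group Policy Object Editor, click View, then Filtering..., and uncheck everything in that dialog. The template writes to the Services keys rather than to the Policies registry keys, so the default filter ("Only show policy settings that can be fully managed") hides its settings. For the same reason the values it sets remain in the registry after the GPO is unlinked; to re-enable a driver, apply the policy with the other drop-down choice.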
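
One way to confirm that the policy actually reached a machine, as an added example that is not part of the original post or the Microsoft KB: a PowerShell script (PowerShell 2.0 or later assumed) run locally on the target, which compares each driver's Start value with the two values the template can write. The function name Get-DriveRestrictionState and the state labels are made up for this example.

```powershell
# Added example: audit the Start values managed by the ADM template above.
# 'Allowed' is the template's "Disabled" choice, 'Blocked' is its "Enabled" choice.
$expected = @{
    USBSTOR  = @{ Allowed = 3; Blocked = 4 }
    Cdrom    = @{ Allowed = 1; Blocked = 4 }
    Flpydisk = @{ Allowed = 3; Blocked = 4 }
    Sfloppy  = @{ Allowed = 3; Blocked = 4 }
}

function Get-DriveRestrictionState {
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = $null
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
            if ($prop) { $start = $prop.Start }
        }

        if ($null -eq $start) {
            $state = 'Missing'        # service key or Start value absent on this machine
        } elseif ($start -eq $expected[$name].Blocked) {
            $state = 'Blocked'        # driver disabled, restriction in effect
        } elseif ($start -eq $expected[$name].Allowed) {
            $state = 'Allowed'        # template default, device usable
        } else {
            $state = 'Unexpected'     # value the template never writes
        }

        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Service  = $name
            Start    = $start
            State    = $state
        }
    }
}

$report = @(Get-DriveRestrictionState)
$report | Select-Object Computer, Service, Start, State | Format-Table -AutoSize

# Exit non-zero when any driver present on the machine is not blocked,
# so the script can be used from a scheduled compliance check.
$failed = @($report | Where-Object { $_.State -eq 'Allowed' -or $_.State -eq 'Unexpected' })
if ($failed.Count -gt 0) { exit 1 }
```

Run it after a Group Policy refresh on the target; a row that still shows Allowed means the GPO did not apply there or the policy was left at its default choice.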

Source MS KB:
http://support.microsoft.com/kb/555324
