Network Security Focus-Microsoft

RE: Disabling USB mass storage

Subject: RE: Disabling USB mass storage
Date: Sat, 05 Mar 2005 13:00:37 -0500
Inline comments... 


Yes, we've looked at that document.  There are two problems 
with the "MS fix" however:

1. It's a daunting task to justify the cost in time of 
logging into over 600 systems one at a time to change the 
registry on each to disable usb drive creation.  MS didn't 
seem to think about this on an enterprise scale. 

Script it.

We 
considered just batching up a large reg change to push out as 
well; but this would mean we couldn't know if they all worked 
or failed for sure, 

As part of your script, have it report back on the status.

as well we were concerned about the 
potential for systems failure as direct reg edits can be 
risky.

Roll it out as you would anything- in stages, not all at once.

 Even if only 2% of the systems failed, it wouldn't be 
worth the downtime costs.

That's the risk you take with *anything* you do to a machine, however.
Installing software could render a machine useless. That's why you test, and
pilot, and roll out in batches.


2. We would like for IT staff and a few select managers and 
systems to be allowed access. 

You could still accomplish this via scripting and GPOs to assign the
scripts; possibly a little WMI filtering, as well. Use scripts to determine
which machines have USB devices installed and would therefore need the
registry modification. Using GPOs to set permissions on the usb files is
trivial and would easily allow you to grant some managers and administrators
access. 

USB keys when properly used 
can be a powerful tool for our IT staff.  This would be an 
"all or nothing" approach.  Something on the network level is 
much more preferable to the system level, and I'm guessing 
sysadmins who work on 500+ node decentralized networks are in 
the same boat.

Nope. We have around 12,000 employee machines (8,000 employees) and 200,000
customer machines- all over the world. Every continent/country with the
possible exception of Antarctica. Obviously we don't manipulate USB on our
customer machines, but everything we do has to be deployable on a very large
scale. This is why we script, and use WMI, and of course, why we use
enterprise management software, as well. It's also why we have a staff of
1,200 programmers, but that's another story. :-)

We tried restricting usbstor.sys through the GPO, but I think 
the file gets local system level access and runs anyways 
<grumble grumble>.

Then something was done incorrectly, I would suspect. Either the policy
wasn't correct, was not applied or the machines already had USB devices
installed. Reading below, it appears it was the last item- these machines
*already* had USB devices installed, which need to be addressed via the
registry modification, as noted in the KB article Susan gave you. 

Laura


<snip>
HOW TO: Disable the Use of USB Storage Devices in Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

Disable completely?

Steven Hay wrote:

Good topic question, one we're having issues with as well, 
but with XP 
SP1.

We want to disable any removable drives from working on our 400+ 
workstations without having to visit each one.

I tried denying access to usbstor.sys in the GPO, and confirmed that 
the policy was applied to our test system.  But it seems like the 
system privileges override the GPO rights (I'm guessing) as the 
removable drive letter pops up and is usable when a USB drive is 
connected.

Anyone have any experience with locking these down using GPO?

Steve


---------------------------------------------------------------------------
---------------------------------------------------------------------------
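
The approach from the reply above (script the change, have it report back status, roll out in batches), as an added PowerShell example that is not part of the original thread. It assumes PowerShell remoting is enabled on the targets; the registry value is the USBSTOR `Start` setting from the linked KB article, and the host names, exemption list and report path are constructed placeholders.

```powershell
# Added example: audit or disable USBSTOR on one rollout batch and report per-machine status.
# Host names, the exemption list and the report path are constructed placeholders.
param(
    [string[]]$ComputerName = @('PILOT-WS01', 'PILOT-WS02'),
    [string[]]$Exempt       = @('IT-ADMIN01'),
    [string]  $Report       = '.\usbstor-batch.csv',
    [switch]  $Apply
)

$remote = {
    param([bool]$apply)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    # No service key: no USB storage device has been installed on this machine yet.
    if (-not (Test-Path $key)) { return @{ Before = 'absent'; After = 'absent' } }
    $before = (Get-ItemProperty -Path $key -Name Start).Start
    if ($apply -and $before -ne 4) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord   # 4 = disabled
    }
    # Read the value back so the report reflects what is actually in the registry.
    @{ Before = $before; After = (Get-ItemProperty -Path $key -Name Start).Start }
}

$results = foreach ($computer in $ComputerName) {
    if ($Exempt -contains $computer) {
        [pscustomobject]@{ Computer = $computer; Before = ''; After = ''; Status = 'Exempt' }
        continue
    }
    try {
        $s = Invoke-Command -ComputerName $computer -ScriptBlock $remote `
                 -ArgumentList $Apply.IsPresent -ErrorAction Stop
        $status = if     ($s.After -eq 'absent') { 'NoServiceKey' }
                  elseif ($s.After -eq 4)        { 'Disabled' }
                  elseif ($Apply)                { 'Failed' }
                  else                           { 'Enabled' }
        [pscustomobject]@{ Computer = $computer; Before = $s.Before; After = $s.After; Status = $status }
    } catch {
        [pscustomobject]@{ Computer = $computer; Before = ''; After = ''; Status = "Error: $($_.Exception.Message)" }
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Non-zero exit tells the caller not to start the next batch.
if ($results | Where-Object { $_.Status -eq 'Failed' -or $_.Status -like 'Error:*' }) { exit 1 }
```

Run it without `-Apply` first to audit a batch; machines reported as `NoServiceKey` are the ones that need the file-permission method rather than the registry change.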
