1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Prevent use of USB keys on client PC's

Discussion in 'Windows & Other Software' started by Spider, 8 May 2006.

  1. Spider

    Hitman

    Joined: 28 Nov 2002

    Posts: 766

    Location: Down the road

    Is there any way I can prevent users sticking in a USB memeory PC into their PC's and taking data off the network and home with them?
    Im locking down what users can and cannot copy to/from the works PC's and wondered if there was anything in group policy that would allow me to prevent them from simply inserting a USB key for example and copying data to/from it.

    What are the best practices for securing a network in this way?

    Thanks
     
  2. The_KiD

    PermaBanned

    Joined: 19 Apr 2006

    Posts: 2,342

    Location: West Yorkshire

  3. #Chri5#

    Soldato

    Joined: 27 Feb 2003

    Posts: 6,953

    Location: Shropshire

  4. Pyrosoft

    Gangster

    Joined: 5 Feb 2004

    Posts: 342

    Location: Rotherham

    I'd use GPO, but you could also use the registry if you like

    location = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies.
    key = WriteProtect
    type = REG_DWORD
    value = 1
     
  5. GM@N

    Wise Guy

    Joined: 7 Nov 2002

    Posts: 2,096

    Location: Normally in Bed Sleeping

  6. Spider

    Hitman

    Joined: 28 Nov 2002

    Posts: 766

    Location: Down the road

    If its configurable throught a GPO (as linked above), can i ask why people are buying and using 3rd party software for it?
     
  7. NathanE

    Capodecina

    Joined: 21 Oct 2002

    Posts: 18,022

    Location: London & Singapore

    Because it was only added to GPO relatively recently, IIRC with XP SP2. Hence why third party software exists and still exists for the issue...
     
  8. The_KiD

    PermaBanned

    Joined: 19 Apr 2006

    Posts: 2,342

    Location: West Yorkshire

    Thats correct, only works with server 2003 and XP SP2

    not with 2000 server Boo HiSS!
     
  9. Spider

    Hitman

    Joined: 28 Nov 2002

    Posts: 766

    Location: Down the road

    ah, that makes sense!

    thnx
     
  10. Energize

    Caporegime

    Joined: 12 Mar 2004

    Posts: 28,784

    Location: London

    At our school they have disabled usb pens, its extreemly annoying, we couldnt bring work in, take work home, backup our work, it was a very bad idea, luckily its easy to get around (just transfer files over the internet), but I think disabling pens should be a last resort, it would be easier to deny permission to copy certain files from the drive, I mean what sort of stuff do you have on there, government secrets?
     
    Last edited: 8 May 2006
  11. Sone

    Sgarrista

    Joined: 18 Oct 2002

    Posts: 7,655

    Our salesman all have access to the customer master list, which could be of considerable value to our competitors. Don't want that getting out on usb key!
     
  12. Energize

    Caporegime

    Joined: 12 Mar 2004

    Posts: 28,784

    Location: London

    Then just deny access to it? If they already have access to it, wether pens are disabled or not they could copy it and so it makes no difference disabling usb, other than causing inconvience.

    If I couldnt trust someone with the file I wouldnt give them access to it tbh.
     
    Last edited: 8 May 2006
  13. tedaC

    Hitman

    Joined: 26 Apr 2006

    Posts: 659

    yup or they could just copy and paste the data from it
     
  14. NathanE

    Capodecina

    Joined: 21 Oct 2002

    Posts: 18,022

    Location: London & Singapore

    In a school there's really no reason for them to disable USB storage drives. Have you spoke to the admin about it?

    But in government and corporation organisations it is an invaluable security tool. It prevents employees either delibrately or accidently creating duplicates of sensitive files that shouldn't be taken off the central server.
     
  15. Energize

    Caporegime

    Joined: 12 Mar 2004

    Posts: 28,784

    Location: London

    You'd just set the permissions so that you cant copy any of the files on the server. Because disabling usb drives doesnt do a thing with all the other ways of copying them. People that cant be trusted should not be given access to the files.



    The admin locked it out because people were running programs straight from the drives.