Translate

Saturday, September 7, 2013

Best Practice: How to use Group Policy to make USB drives read only on Windows XP


One of the great new features with Windows 7 was Bitlocker to Go that enabled IT Administrators to ensure that all data written to USB drives is encrypted. In conjunction with this new feature Microsoft also added another option called “Deny write access to removable drives not protected by BitLocker” which allowed user to still read the files off USB drives that were not encrypted.
The problem with this policy setting is that it is only supported on Windows 7 family computers so unless you are running a SOE that is 100% Windows 7 users could simply logon to XP or Windows Vista to get around this restriction.
image
Luckily Microsoft added a new feature to Windows XP Service Pack 2 that allowed administrator to prevent writing to USB block storage devices (a.k.a memory sticks ) which can be implemented via a Group Policy Preferences registry key.
Key: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies
Value: WriteProtect (REG_DWORD)
Data: 0 = Disabled
Data: 1 = Enabled
To implement this edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Preferences >Windows Settings > Registry. Then click on Action > New > Registry Item type System\CurrentControlSet\Control\StorageDevicePolicies into the Key Path field then type WriteProtect into the Value Name field and 1 in the Value Data field and click OK.
image
Once the key is enabled this is the message the user will see when the try to write to a USB storage device.
image
Note: This registry key will also work on Windows Vista
Update: Seem that the MS articles had the wrong registry keys
I got the correct key from http://www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/
For additional WRONG information on this feature see the links below:
http://support.microsoft.com/kb/555441
http://support.microsoft.com/kb/823732

0 nhận xét:

Post a Comment

 
Design by IT Manager | Bloggerized by Themes For IT Managers | MIS-DUONG