Re: USB Drives

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/01/05 

Date: Mon, 31 Jan 2005 21:54:47 -0600

First off you need to try and prevent these users from being Local
Administrators or else you will have a very difficult time - particularly
for Windows 2000. In Windows 2000 you can use Group Policy user
configuration/administrative templates/system and there are two settings for
"allow only" and " do not allow" Windows applications. If the user can
rename an executable they will be able to bypass restrictions in the " do
not allow" list though I still would at least add install.exe and setup.exe.
The " allow only" will probably work but can be difficult to populate the
list with all allowed executables as many programs rely on secondary
programs to run, though a utility like the free filemon from SysInternals
can help track those down. If you have XP Pro you can easily restrict users
with Software Restriction Policies - even local administrators with path,
hash, and certificate rules. The links below may help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
  -- Software Restriction Policies.

"Michael LaFayette" <Michael LaFayette@discussions.microsoft.com> wrote in
message news:CB58D4EF-AC15-4678-8619-DF467AFC54B4@microsoft.com...
>I would like to create a policy that allows access to data on USB drives,
>but
> does not allow programs to be run from them. We are a school, and the
> Administration wants the students to be able to use USB drives for
> storage,
> but I need to restrict software. They have found that they can install
> apps
> to the USB drives at home, then bring them to school and run them.

Relevant Pages

  • Re: Network Administrative Privelages
    ... Are you using software restriction policies? ... I have a Windows 2003 R2 member server on a Windows 2000 native domain. ... administrators to do everything, however, as for my Windows 2003 R2 ...
    (microsoft.public.windows.server.active_directory)
  • Re: Network Administrative Privelages
    ... No software restriction policies were enabled... ... I have a Windows 2003 R2 member server on a Windows 2000 native domain. ... administrators to do everything, however, as for my Windows 2003 R2 ...
    (microsoft.public.windows.server.active_directory)
  • Re: tasklist.exe security problem??
    ... administrator by viewing the membership of the local administrators group and then ... Software Restriction Policies in Windows 2003 ...
    (microsoft.public.windows.server.security)
  • RE: Logical drive sharing with Windows 2003 Server
    ... all local logical drives are shared as ... Windows 2000, Windows XP, Windows 2003). ... Such hidden administrative shares that are created by the computer (such as ... administrators and programs or services that rely on these shares. ...
    (microsoft.public.windows.server.migration)
  • Re: firewall on budget ?
    ... On my local computer when I need to do admin tasks I usually start the ... respective Programs via runas ... Even administrators don't need to create files in C:\ (although ... Windows xp only has preinstalled, ...
    (microsoft.public.windowsxp.security_admin)