USB Drive access control

(imported topic written by vgbond91)

Is it possible to achieve these features by customizing BigFix?

Allow access to USB drives based on Active Directory user group

Track use of USB devices including reporting on a per computer basis, the make, model, and ID number of any USB Drive that had ever been attached to the computer.

Prevent, by policy, the use of a particular brand of removable device while allowing use of other brands of the device (e.g. disable use of SanDisk USB drives, while allowing use of all other brands).

Disable auto-run of software when removable media is inserted (e.g. selectively enable CD auto run while disabling auto-run for all other removable media).

Provide audit reports on the types of currently connected or previously connected removable media and peripherals.

(imported comment written by BenKus)

Hi vgbond,

Many of these things are built into the Security Policy Manager Fixlet site, including:

  • Disabling USB devices.
  • Disable Auto-Run of removable devices and CDs.
  • Disable other peripherals.

Also the License and Inventory site has an Analysis that detects USB devices connected to the computer.

If you don’t have the Security Policy Manager Fixlet site, talk to your sales representative.

Ben

(imported comment written by vgbond91)

Can we block a USB stick based on the make of the USB?

(imported comment written by BenKus)

Hi vgbond,

I think this is possible, but you would need to craft custom relevance to identify and block specific devices…

May I ask why this is a request? Are you trying to enforce policy simply based on a type of hardware?

Ben

(imported comment written by prasadk23)

Hi,

There is a similar req as well, wherein blocking is required based on brand of USB, size of USB.

Has there been any development on this front?

Rgds,

(imported comment written by csoh91)

Does it work for ExpressCard too?

How do I disable it?

Or how do I disable other hardware such as Bluetooth?

Thank you

(imported comment written by jpeppers91)

I have the Security Policy Manager site but I don’t see disable autorun. My eyes are tired.

(imported comment written by BenKus)

Hmmm… I don’t see it either… Try this:

Relevance:

((name of it = "WinXP" and csd version of it = "Service Pack 2") of operating system) AND (not exists key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" whose (value "NoDriveTypeAutoRun" of it as integer = 255 AND type of value "NoDriveTypeAutoRun" of it as string as lowercase = "reg_dword") of registry)

Action:

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]" "NoDriveTypeAutoRun"=dword:000000ff

Ben
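
The value 255 (0xFF) written above turns AutoRun off for every drive type. As an added example (not part of the original post and not BigFix code), the Python below decodes a NoDriveTypeAutoRun mask, builds the mask for the "CD AutoRun only" case from the first post, and checks compliance by bit coverage rather than exact equality. The bit meanings follow Microsoft's documentation of this value; the function names and the sample value 0x91 are constructed for illustration.

```python
# Added example. Bit flags of the NoDriveTypeAutoRun registry value
# (a set bit DISABLES AutoRun for that drive type).
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown_alt",
}
ALL_DISABLED = 0xFF  # the value the action in the post sets


def autorun_enabled(mask):
    """Return the drive types that can still AutoRun under this mask."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("mask must fit in one byte")
    return sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)


def mask_allowing(*allowed):
    """Build a mask that disables AutoRun everywhere except `allowed`."""
    bad = set(allowed) - set(DRIVE_BITS.values())
    if bad:
        raise ValueError("unknown drive type(s): %s" % sorted(bad))
    mask = ALL_DISABLED
    for bit, name in DRIVE_BITS.items():
        if name in allowed:
            mask &= ~bit
    return mask & 0xFF


def regset_value(mask):
    """Format a mask the way the regset action line expects it."""
    return "dword:%08x" % mask


def compliant(current, required):
    """True if `current` disables at least everything `required` disables.

    `current` is None when the registry value is missing (not compliant).
    """
    return current is not None and (current & required) == required


if __name__ == "__main__":
    cd_only = mask_allowing("cdrom")
    print(hex(cd_only), regset_value(cd_only), autorun_enabled(cd_only))
    print(autorun_enabled(0x91))  # constructed sample value
```

A machine already set to 0xFF passes `compliant(0xFF, mask_allowing("cdrom"))`, whereas an exact-match test against the CD-only mask would flag it even though it is stricter.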

(imported comment written by jpeppers91)

Would this work to encompass Vista as well?

(name of operating system = "WinXP" OR name of operating system = "WinVista") AND (not exists key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" whose (value "NoDriveTypeAutoRun" of it as integer = 255 AND type of value "NoDriveTypeAutoRun" of it as string as lowercase = "reg_dword") of registry)

(imported comment written by QXVH_Charles_Brown)

Hey Guys,

just an idea:

exists active device whose (friendly name of it contains "Kingston DT Elite HS 2.0 USB")

(imported comment written by BenKus)

Hey jpeppers,

That would work if Vista used the same mechanism (but I never tested it so I am not sure)…

Ben