Use group policies to completely disable USB storage devices, optical drives, floppy drives, and zip drives.


From: http://beyondhdf.blog.51cto.com/229452/131678

 

1. Disable USB storage devices, optical drives, floppy drives, and Zip drives

Enterprise networks are becoming more and more complex, and the quality of employees in a company is uneven. To strengthen network security and data confidentiality, the company proposes blocking USB storage devices, optical drives, floppy drives, and Zip drives.

First, we need a domain environment to do this across the enterprise network. Some may say it can be done without a domain. Yes, without a domain we can modify the registry on each client. But even if our enterprise is not a large group, only a small network environment of 60 or so machines, changing the registry on every client computer one by one would be exhausting. In a domain environment we can instead create a policy on the DC, which is much easier than modifying the registry on each client.

Let's get to the point. Download the attachment from my blog; the attachment is the core of this article. I also recommend installing the GPMC Group Policy management tool on the DC, which helps with managing and troubleshooting Group Policy.

Step 1: On the domain controller, click Start → Run, enter "gpmc.msc", and click OK to start Group Policy Management.

Step 2: In Group Policy Management, right-click Zhp.com → click "Create and link a GPO" → enter the Group Policy name "Disable USB". Because the policy is to apply to all computers in the enterprise, we create and link the GPO here.

Step 3: Right-click the "Disable USB" policy → click "Edit" → under "Computer Configuration", right-click "Administrative Templates" and choose "Add/Remove Templates".

Step 4: In the "Add/Remove Templates" dialog box, click "Add" and, in the "Policy Templates" dialog box that appears, select the "USB.ADM" Group Policy template. (You can first copy USB.ADM to the C:\WINDOWS\INF directory, or browse to the location where USB.ADM is stored.) Double-click "USB.ADM" to add it. Back in the "Add/Remove Templates" dialog box, a template named "USB" is now listed.

Step 5: In the "Add/Remove Templates" dialog box, click "Close" to return to the Group Policy Editor. "Administrative Templates" under "Computer Configuration" now contains one more item, "Custom policy settings".

Step 6: Right-click "Administrative Templates" → "View" → "Filtering". In the "Filtering" dialog box, clear the check box "Only show policy settings that can be fully managed", then click "OK" to return to the Group Policy Editor.

Step 7: Click "Computer Configuration" → "Administrative Templates" → "Custom policy settings" → "Restrict drives".

Step 8: As an example, we disable the USB interface. (Rest assured: although we disable the USB interface, USB printers, mice, and similar devices still work.) Right-click "Disable USB" → click "Properties" to open the "Disable USB" Properties dialog box. Click "Enabled", then under "Disable USB ports" select "Enabled" to turn the policy on.

Note: Many people click "Enabled" for this policy, refresh the policy on the DC with "gpupdate /force", and then wonder why the policy is enabled but does not take effect.
Remember that you must click "Enabled" and also select "Enabled" under "Disable USB ports"; otherwise the policy will not take effect. Click "Apply" → "OK" to return to the Group Policy Editor, where the status of "Disable USB" has changed to "Enabled". Close the Group Policy Editor to return to Group Policy Management.

2. Prevent access to registry editing tools

Because enterprise environments differ and some give clients the same permissions, we need to prevent client computer users from modifying the registry without authorization to re-open the USB interface. (Some will say that the default policy refresh interval is 5 minutes and that we can change it to 0, which means a refresh every 7 seconds, but that increases the load on the clients and the domain controller and causes network congestion.) We can cover this gap by creating a "Prevent registry access" policy.

Step 1: On the domain controller, click Start → Run, enter "gpmc.msc", and click OK to start Group Policy Management.

Step 2: In Group Policy Management, right-click Zhp.com → click "Create and link a GPO" → enter the Group Policy name "Prevent registry access". Because the policy is to apply to all computers in the enterprise, we create and link the GPO here.

Step 3: Right-click the "Prevent registry access" policy → click "Edit" → "Computer Configuration" → "Administrative Templates" → click "System".

Step 4: Right-click "Prevent access to registry editing tools" → "Properties" to open its Properties dialog box → click "Enabled" → click "Apply" → click "OK".

Now let's verify that the policy works.
Because this is a computer policy, we first run "gpupdate /force" on the DC and then restart the client computer so that it applies the policy. Now, when we click Start → Run on the client computer and enter "regedit", a prompt is displayed. That completes the "Prevent registry access" policy.

3. Cracking "Prevent access to registry editing tools"

At this point some will say they know a way to crack the policy that prevents registry access. Indeed. I can tell you plainly that, with some methods found online, files with the .reg suffix will not run on the system, but a downloaded Reg.inf can still crack this policy. If you have a better way to stop the "Prevent registry access" policy from being cracked, leave a comment and we can discuss it.

A word of advice, though: as system or network administrators we should not think that technology is omnipotent. We need both technical and administrative measures to manage our networks; after all, our job title says "administrator". We are not just technical executors, we are managers. That is also part of becoming a qualified network or system administrator. It is very late today, so I will stop here.
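
An added example, not part of the original article or its attachment: before importing a downloaded template such as USB.ADM into a domain GPO (Step 4 of section 1), list what it can write. The parser below runs on a constructed ADM sample whose names follow Steps 5-8; the USBSTOR key and its Start values are assumptions, since the attachment is not reproduced on the page.

```python
import re
# Constructed sample (assumption): the page's USB.ADM is not shown; names follow Steps 5-8.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY !!cat
 CATEGORY !!sub
  POLICY !!pol
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   PART !!part DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME "Disabled" VALUE NUMERIC 3 DEFAULT
     NAME "Enabled" VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
 END CATEGORY
END CATEGORY
[strings]
cat="Custom Policy Settings"
sub="Restrict Drives"
pol="Disable USB"
part="Disable USB Ports"
'''
# Only keys under these prefixes are managed policies; others are hidden by the Step 6 filter.
MANAGED = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")

def audit_adm(text):
    body, tail = (re.split(r"(?i)\[strings\]", text, maxsplit=1) + [""])[:2]
    strings = dict(re.findall(r'(?m)^\s*(\w+)\s*=\s*"(.*)"\s*$', tail))
    label = lambda t: strings.get(t[2:], t) if t.startswith("!!") else t
    ctx, cur, found = {"CLASS": "", "POLICY": "", "KEYNAME": ""}, None, []
    for line in body.splitlines():
        t = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', line)]
        u = [x.upper() for x in t]
        if len(t) > 1 and u[0] in ctx:            # remember class, policy name, key
            ctx[u[0]] = label(t[1])
        elif len(t) > 1 and u[0] == "VALUENAME":  # a registry value the GPO will write
            hive = "HKLM" if ctx["CLASS"].upper() == "MACHINE" else "HKCU"
            cur = {"policy": ctx["POLICY"], "path": hive + "\\" + ctx["KEYNAME"],
                   "value": t[1], "choices": {}, "default": None,
                   "managed": ctx["KEYNAME"].lower().startswith(MANAGED)}
            found.append(cur)
        elif cur and u[:1] == ["NAME"] and "NUMERIC" in u[:-1]:   # one drop-down item
            cur["choices"][label(t[1])] = int(t[u.index("NUMERIC") + 1])
            cur["default"] = label(t[1]) if "DEFAULT" in u else cur["default"]
    return found

if __name__ == "__main__":
    print(*audit_adm(SAMPLE_ADM), sep="\n")
```

In this sample the drop-down defaults to "Disabled", which is why clicking the policy's "Enabled" button alone changes nothing, as the note in Step 8 describes. Settings reported with "managed": False stay in the client registry after the GPO is removed and have to be reverted explicitly.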
