Now, if you have not used a U disk computer users I am afraid really rare. U disk with its increasingly small size, rapid expansion of capacity, more and more inexpensive price successfully replaced the floppy disk, become the mainstream of mobile storage media.
Convenience at the same time brings a huge security risks. U disk has become the largest spread in addition to the network of viruses and malicious programs to spread the way. Inadvertently inserted between, virus or malicious program has infected your computer.
Is it always possible to passively use anti-virus software to defend itself? Like automotive safety technology, Windows 7 provides active defense technology in addition to passive defenses-restricting the running of programs on mobile storage.
It is also very handy to start this feature, run Gpedit.msc directly, open the local Group Policy Editor, locate Computer Configuration, expand to find Administrative Templates, and then click System to locate and tap Removable Storage access. All available Removable Storage access-related policies are displayed on the right.
U disk belongs to removable disks, so we'll see how to set up access policies for removable disks.
Since Windows Vista began, the system has been able to limit the reading and writing of removable disks, which should be no stranger to this. Moreover, only limit the U disk read and write, and can not meet our needs. Can not read naturally will not infect the virus, but also lost the meaning of U disk. Inability to write can prevent an outflow of information, but it cannot prevent a virus from invading.
What we need is a new feature that starts with Windows 7 and denies execution permissions.
Click the policy and select enabled to open the policy. Enabling this policy setting will deny Execute permissions on Removable Storage classes. If you disable or do not configure this policy setting, execute permissions on this Removable Storage class are allowed.
After setting up this policy, let's run the program on the U disk to see. The system gives a direct indication that it is not allowed to run:
Although this hint is a bit like UAC, it can't be done by changing the running account. Unless the policy is changed to allow permission to execute.
If you set a policy that denies read permissions, you will not be able to access the information on the U disk.
If you set a policy that denies write permission, you cannot write the information to a USB disk.
Unfold to discuss. For CD/DVD media, the same can be done as a U disk limit. Prevents the disc from automatically running to propagate the virus.
What about readers, mp3/mp4, digital cameras and even mobile phones? These can be read and write via USB interface. In the system, these devices are grouped into the WPD class and can be restricted for reading or writing.
It's always a non-standard device, right? In this case, the system also provides a "custom class" setting, which can be limited to read and write as long as the device's GUID is written.
If you are an administrator of the enterprise, there is no need to run to each machine to set up, you can through Group Policy to implement the strategy quickly.
Well, this is not afraid to lend a colleague of the U disk with the virus back.