Shulou(Shulou.com)06/01 Report--

This article mainly introduces how to use Vista system group policy to ensure the security of USB devices, the article is very detailed, has a certain reference value, interested friends must read it!

The most misleading thing about group policy is that its name ── Group Policy is not a way to apply policy to a group! In contrast, Group Policy is enforced on individual or individual user accounts as well as computer accounts by linking Group Policy to active Directory container (usually organizational units, but also domains and sites) objects. The group policy object here is a collection of policy settings.

Although restricting mobile devices through group policy is not a very good network security solution, because a user who has installed a storage device (such as an USB driver device) can continue to use it. However, we can still make some subtle settings that allow you to restrict specific removable storage devices through the device's ID.

It's hard to say which security threat affects your network data. For several reasons, I tend to think that removable storage devices, especially USB-driven devices, should be at the top of the list. The reason why 1:USB storage devices are very easy to ignore. Second reason: there is a simple fact that you can store large amounts of data (such as as much as 4GB data) on a USB drive, which means that users can bring equally large applications to the enterprise. It also means that users can take as much as 4GB's data away from the enterprise. Any data that the user can access can be easily copied to these drives. And the USB device itself is very small, which makes it easy for users to bring it into and out of the enterprise.

The author has talked with some network administrators about the security risks of USB storage devices. However, the most common practice for these network administrators is to disable the USB port on the workstation. There are newer machines that allow you to disable the USB port through BIOS, but most older machines do not provide this capability. In this case, another solution that is most commonly used is to seal the USB port with adhesive tape to prevent its use.

Although these methods can play a certain role, they all have some disadvantages. For operators, these methods are "labor-intensive", that is to say, they are too difficult to implement. Another problem is that disabling the USB port does not completely solve the problem of users accessing removable media. Users can easily use FireWire hard drives and removable DVD drives as an alternative.

In all of these methods, the drawback of * is that * disabling USB ports makes it impossible for users to use USB devices and make these ports inaccessible to supported users. In addition, occasionally there are legitimate reasons why the USB port should be available. For example, some jobs require users to have a USB scanner connected to their PC.

Fortunately, an important goal of Microsoft's Windows Vista (and its famous Windows Server 2008 (Longhorn)) is to provide administrators with better control over the way workstations use hardware. Now we can use group policy to control access to removable devices.

Group Policy settings that restrict access to USB storage devices are currently only available in Windows Vista. Currently, this means that you can only set group policy at the local computer level. After the release of Windows Server 2008, you can set these group policies in the domain, in the site, or at the OU level (of course, if you have a domain controller for Windows Server 2008).

To access the required Group Policy settings, you must open the Group Policy object Editor (Group Policy Object Editor). Therefore, click "start" / "all programs" / "attachments" (the English operating system is Start / All Programs/ Accessories, the author is using an English system). Next, enter the MMC command. This will cause Windows to open an empty Microsoft Management console (Microsoft Management Console). After the console opens, select add / remove snap-ins (Add / Remove Snap-In) from the File (File) menu. Select the Group Policy object (Group Policy Object) option from the snap-in list, and then click the add (Add) button. By default, this snap-in connects to the local computer policy (Local Computer policy), so click OK (ok) directly, and then click Finish.

The local computer policy is loaded into the console. Now navigate to "computer configuration", "Administrative templates", "system", "device installation" and "device installation restrictions" (English system is to find Computer Configuration Administrative Templates System Device Installation Device Installation Restrictions). When doing so, the details pane displays several restrictions related to installing hardware devices, as shown in the following figure:

There are many settings related to restricting device installation. These settings are not necessarily and specifically associated with the mobile device, but are generally associated with the hardware device. The basic idea here is that if you restrict users from installing devices, you will prevent any devices that you do not specifically enable.

With regard to mobile devices, you can pay special attention to two policy settings: the * * item setting is "allow administrators to override device installation restrictions" (Allow Administrators to Override Device Installation Restrictions), which you need to enable if you implement any device limit settings. Otherwise, even the administrator cannot install any new hardware on the workstation.

The second important setting is to prevent the installation of removable devices (Prevent Installation of Removable Devices). If you enable this setting, users will not be able to install removable devices. If a user already uses a removable device in the system, there will be a driver for the removable device, so the user will continue to use it. However, the user will never be able to update the driver of the device.

There are many security measures that we can set through Windows Vista group policy, but more knowledge about group policy needs to be further explored and discovered.

The above is all the contents of the article "how to use Vista system Group Policy to secure USB Devices". Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.