sbs 2003 Devices and security - Tilted Forum Project Discussion Community

John Henry · 02-11-2005, 07:49 AM

Our company has just invested in a couple of 256MB USB memory sticks, one for the boss and one for "general office use" (!).

I urgently need to set up group policy so that absolutely nobody can use any kind of USB devices without authorisation. It would also be good if we could do the same for all removable storage media at the same time.

I'm still getting to grips with sbs 2003 and have rummaged through the Group Policy Object Editor with no success.

Does anybody out there already know how to do this?

bendsley · 02-11-2005, 08:05 AM

Are you running Active Directory in a domain? If so, you should move your people there into different OUs and then set GPOs from there.

I would suggest that you open your MMC, and add the snap-in Group Policy Management (from microsoft.com) and go from there. It will show your Forest(s), then Domain(s)/Site(s), Group Policy Modeling and Group Policy Results.

Are you following me here or do I need to explain further.

Please note that my network is running AD on a couple of domain controllers using Windows 2003 SE, not SBS.

Jolt · 02-11-2005, 05:52 PM

I don't know how to do this, but I can fill in some info on SBS so maybe someone else can.

A machine running SBS *must* be a PDC. This is written in stone. There is no way to de-promote SBS or join it to an existing domain.

Here's my hack-kluge-workaround: If you don't have too many clients, go around and disable their USB controllers in CMOS, then set passwords on the CMOS setup program.

Time to go off on a tangent:
I presume you are concerned about some employee bringing in their own flash drive and carting off sensitive documents. If you're that paranoid about such matters, SBS might not have been the best choice...whereas with 2003 Standard, you can enable Terminal Services...and dumb down all your desktops...all sensitive material remains only on the server.
ok, tangent over, back to your thread.

02-11-2005, 07:49 AM	#1 (permalink)
John Henry Addict Location: Grey Britain	sbs 2003 Devices and security Our company has just invested in a couple of 256MB USB memory sticks, one for the boss and one for "general office use" (!). I urgently need to set up group policy so that absolutely nobody can use any kind of USB devices without authorisation. It would also be good if we could do the same for all removable storage media at the same time. I'm still getting to grips with sbs 2003 and have rummaged through the Group Policy Object Editor with no success. Does anybody out there already know how to do this? __________________ "No one was behaving from very Buddhist motives. Then, thought Pigsy, he was hardly a Buddha, nor was he a monkey. Presently, he was a pig spirit changed into a little girl pretending to be a little boy to be offered to a water monster. It was all very simple to a pig spirit."

02-11-2005, 08:05 AM	#2 (permalink)
bendsley Professional Loafer Location: texas	Are you running Active Directory in a domain? If so, you should move your people there into different OUs and then set GPOs from there. I would suggest that you open your MMC, and add the snap-in Group Policy Management (from microsoft.com) and go from there. It will show your Forest(s), then Domain(s)/Site(s), Group Policy Modeling and Group Policy Results. Are you following me here or do I need to explain further. Please note that my network is running AD on a couple of domain controllers using Windows 2003 SE, not SBS. __________________ "You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

02-11-2005, 05:52 PM	#3 (permalink)
Jolt Insane Location: Over here	I don't know how to do this, but I can fill in some info on SBS so maybe someone else can. A machine running SBS must be a PDC. This is written in stone. There is no way to de-promote SBS or join it to an existing domain. Here's my hack-kluge-workaround: If you don't have too many clients, go around and disable their USB controllers in CMOS, then set passwords on the CMOS setup program. Time to go off on a tangent: I presume you are concerned about some employee bringing in their own flash drive and carting off sensitive documents. If you're that paranoid about such matters, SBS might not have been the best choice...whereas with 2003 Standard, you can enable Terminal Services...and dumb down all your desktops...all sensitive material remains only on the server. ok, tangent over, back to your thread.