Article
Author: Ravella Raghunadh
Reviewer: Anju Dagliya
Description:
An Administrator can choose to restrict the usage of removable media devices such as USB flash drives, CD-ROM, and Floppy Disks within the organization by using one of the following ZENworks Configuration Management features:
ZENworks Configuration Management Windows Group Policy:
- On the management console device from which you launch the ZENworks Control Center, copy and paste the following information into a new file named removable_storage.adm.
################################################################################################################################################
CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
   PART !!labeltextusb DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME !!Disabled VALUE NUMERIC 3 DEFAULT
     NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
   PART !!labeltextcd DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME !!Disabled VALUE NUMERIC 1 DEFAULT
     NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
   PART !!labeltextflpy DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME !!Disabled VALUE NUMERIC 3 DEFAULT
     NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
   PART !!labeltextls120 DROPDOWNLIST REQUIRED
    VALUENAME "Start"
    ITEMLIST
     NAME !!Disabled VALUE NUMERIC 3 DEFAULT
     NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
   END PART
  END POLICY
 END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB Removable Drives"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstore.sys driver status in the drop-down list. \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstore.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of CD-ROM Drives select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of Floppy Drives select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of High Capacity Floppy Drives select STARTED for the sfloppy.sys driver status in the drop-down list."
labeltextusb="usbstore.sys driver status"
labeltextcd="cdrom.sys driver status"
labeltextflpy="flpydisk.sys driver status"
labeltextls120="sfloppy.sys driver status"
Enabled="Stopped"
Disabled="Started"
################################################################################################################################################
- Log in to ZENworks Control Center
- Create a new Windows Group Policy
For more information on creating Windows Group Policy, see the Novell ZENworks 10 Configuration Management Documentation: Windows Group Policy
- In the Windows Group Policy Settings step of the Windows Group Policy creation wizard, select Computer configuration and User configuration, then click Configure to launch the local Group Policy editor tool.
- Click Computer Configuration and right-click Administrative Templates.
- Click Add/Remove Templates.
- Click Add, browse to and select the .adm file created in Step 1, then click Open to list the file in the Add/Remove Templates dialog box.
- Click View > Filtering.
- Deselect the Only show policy settings that can be fully managed option.
- Click Administrative Templates > Custom Policy Settings > Restrict Drives to view the new settings.
- Select Disable USB Removable Drives.
- Select the Enabled option.
- In the usbstore.sys driver status option, select Stopped.
- Repeat Step 11 through Step 13 to disable the CD-ROM, Floppy, and High Capacity Floppy disks.
- Close the Group Policy editor to finish the policy creation wizard.
- Assign the created Group Policy to ZENworks Configuration Management devices or users to block the usage of removable media for the assigned users and devices.
For more information on assigning policies to devices, see Assigning a Policy to Devices.
For more information on assigning policies to users, see Assigning a Policy to Users.
ZENworks Configuration Management Bundles
- Create a registry file with the following information:
################################################################################################################################################
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk]
"Start"=dword:00000004
################################################################################################################################################
Note: Add the registry key for a removable device to the registry file only if you want to restrict the usage of that removable device for the users and devices. For example, if you want to block only USB devices, include only the USBSTOR key in the registry file. However, if you want to block both USB and Floppy Disks, include both the USBSTOR and Flpydisk keys in the registry file.
- Log in to ZENworks Control Center
- Create a new Directive Bundle
For more information on Creating Directive Bundles, see the Novell ZENworks 10 Configuration Management Documentation: Creating Directive Bundles
- Add Registry Edit Action to the bundle
For more information on adding the Registry Edit Action, see the Novell ZENworks 10 Configuration Management Documentation: Action - Registry Edit
- Browse and import the registry file created in Step 1.
- Assign the bundle to ZENworks Configuration Management devices or users to block the usage of removable media for them.
For more information on assigning bundles to the devices, see the Novell ZENworks 10 Configuration Management Documentation: Assigning Existing Bundles to Devices.
For more information on assigning bundles to the users, see the Novell ZENworks 10 Configuration Management Documentation: Assigning Existing Bundles to Users
- Launch the bundle. You can choose to configure a distribution or launch schedule for the bundle.
For more information on Bundle Schedules, see the Novell ZENworks 10 Configuration Management Documentation: Bundle Schedules Types
Note: The "User Login" event is recommended for the bundle launch schedule.
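The following PowerShell check is an added example, not part of the original article or of ZENworks. It audits an endpoint after either the Group Policy or the bundle has been applied: it reads the Start values both methods set, reports whether each driver is still loaded, and lists the USB storage devices the machine has already recorded, which is the case the template's explain text warns about. The function names are hypothetical; the service key names are the ones used in the .adm and .reg files above.

```powershell
# Added example (not from the original article): audit one endpoint.
# Service start types: 0=Boot, 1=System, 2=Automatic, 3=Manual, 4=Disabled.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Driver service keys named in the .adm template and .reg file above.
$Services = 'USBSTOR', 'Cdrom', 'Flpydisk', 'Sfloppy'

function Get-RemovableMediaDriverState {
    foreach ($svc in $Services) {
        $path  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start = $null
        if (Test-Path $path) {
            $start = (Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue).Start
        }
        # Start is read when the driver is loaded, so a driver that is already
        # running is not stopped by the registry change alone.
        $driver  = Get-CimInstance Win32_SystemDriver -Filter "Name='$svc'" -ErrorAction SilentlyContinue
        $meaning = if ($null -eq $start) { 'key or value missing' } else { $StartNames[[int]$start] }
        [pscustomobject]@{
            Service   = $svc
            Start     = $start
            StartType = $meaning
            Disabled  = ($start -eq 4)
            State     = $driver.State
        }
    }
}

function Get-KnownUsbStorageDevice {
    # Devices recorded here were connected to this machine at some point.
    $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enum)) { return }
    Get-ChildItem -Path $enum | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -Name FriendlyName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Model        = $model
                Instance     = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

Get-RemovableMediaDriverState | Format-Table -AutoSize
Get-KnownUsbStorageDevice     | Format-Table -AutoSize
```

A row with Disabled = True but State = Running means the setting is in place while the driver is still loaded from before the change.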
I would like to thank Anju Dagliya for reviewing this cool solution and providing valuable feedback.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
User Comments
We can achieve this through ZESM Policy
Submitted by htvikrama on 14 October 2010 - 11:07pm.
This is a very good article. Thanks for giving detailed information to achieve this.
We can block RSD and Removable Media easily by configuring the Storage Device Control policy. This policy is provided by the ZENworks Endpoint Security Management product. This product is also integrated into the ZENworks 11 release.
You just need to select 'Disable' for RSD / CDROM / Floppy while configuring this policy and assign this policy to a device or user.
Find more info in the 'A.7 Storage Device Control Policy' section under the 'VII Appendixes' chapter at this link:
http://www.novell.com/documentation/beta/zenworks1...