Article
We've had a problem of late with many viruses being brought into the company network via USB storage devices.
Long term we are looking at using ZENworks Endpoint Security Manager to solve our end point security woes.
In the meantime I created two simple ZFD application objects. Both of them are just a simple registry key that is forced to run on user login and no distribution is shown to the end user. The registry key is set to "distribute always".
Corresponding is two eDirectory groups aptly named USB-Enable and USB-Disable. Based on group membership a person will either have access to use a USB storage device or not. By default a person is placed in the USB-Disable group upon account creation.
This does not prevent USB mice nor printers from being used.
To disable usb storage devices:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\
DWORD "start" value=4
To enable usb storage devices:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\
DWORD "start" value=3
Hope that somebody finds this useful!
Editor's Note
Laura's tip will only work if the USB storage driver is already installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time. See this MS article http://support.microsoft.com/kb/823732 for more information about this, and a way to prevent the USBSTOR for being installed.
One other setting you may wish to look at: if you create
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies,"Writeprotect"=1
then you will only be able to read from USB storage. not write to it.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
Related Articles
User Comments
Still posted
Submitted by deme on 25 February 2008 - 4:26am.
I've posted this hint a few years ago on this site ! You should have to create two Zen Apps ( one for enabling and the other one for disabling USB storage access ) with "force run" flagged.
- Be the first to comment! To leave a comment you need to Login or Register



1