10.5 Storage Device Control

The Storage Device Control settings determine access to external storage devices (CD/DVDs, removable storage devices, and floppy drives). You can allow read/write access, read-only access, or no access. When disabled (no access), users cannot retrieve any data from the storage device; however, the hard drive and all network drives remain accessible and operational.

  1. Make sure the policy you want to configure is open in the Management Console (see Section 10.1, Accessing the Global Settings).

  2. On the Global Policy Settings tab, click Storage Device Control.

  3. For CD/DVD, Removable Storage, and Floppy Drive, select one of the following options:

    • Allow All Access: Read/write access is allowed.

    • Disable All Access: All access is prevented. When users attempt to access files on a defined storage device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.

    • Read-Only Access: Read-only access is allowed. When users attempt to write to the device, they receive an error message from the operating system, or from the application attempting to access the local storage device, that the action has failed.

    CD/DVD controls all devices listed under DVD/CD-ROM drives in Windows Device Manager. Removable Storage controls all devices listed under Floppy disk drives in Windows Device Manager. Floppy Drive controls all devices listed under Floppy disk drives in Windows Device Manager.

    To disable CD-ROM drives or floppy drives, or to set them as Read-Only, the endpoint device’s Local Security Settings must have both Devices: Restrict CD-ROM access to locally logged-on user only and Devices: Restrict floppy access to locally logged-on user only set as Disabled. By default, these settings are disabled. If you need to disable them or verify that they are disabled, open either the Active Directory group policy object or Administrative Tools on the target devices. Look in Local Security Settings - Security Options and verify that both settings are disabled.

  4. For AutoPlay, select from the following options:

    • Allow AutoPlay: Allows the AutoPlay feature, including AutoRun.

    • Block AutoPlay: Blocks the AutoPlay feature, including AutoRun.

    • Block AutoRun: Blocks the AutoRun feature so that autorun.inf instructions are not executed. Launching of applications for specific content (music, video, and pictures) is allowed.

    The Windows AutoPlay feature performs two processes. First, it launches the AutoRun process, which looks for an autorun.inf in the root directory and executes the instructions in the file. Second, it looks for specific content (music, video, and pictures) and launches the appropriate application to display or play the content.

  5. If you want to restrict which removable storage devices are allowed, complete the following steps. Doing so creates a whitelist of devices that are allowed; any devices not included in the list are blocked.

    1. In the Preferred Devices list, use one of the following methods to add the removable storage devices that you want to allow:

      • Manually enter the device information. To do so, click a field (Description, Serial Number, Comment) and type the information.

        Only the Description and Serial Number fields are used when matching devices. The Comment field is for your own information.

        The Description field is a partial match field. If you want to match multiple devices, use this field. For example, to match all SanDisk USB drives, enter SanDisk.

        The Serial Number field is an exact match field. Serial numbers are unique to specific removable storage devices. If you want to match specific devices, use this field.

      • Scan the device information. To do so, insert the device into a USB port on the Management Console’s machine, then click Scan.

        After the device information is scanned and displayed, you can edit the fields as necessary to create the device filter you want.

      • Import device information from a file. To do so, click Import, select the file, then click OK. For information about creating an import file, see the ZENworks Endpoint Security Management 4.1 Device Scanner Guide.

    2. Select the Enable Preferred Device List in the Policy setting.

      This overrides the Removable Storage setting and activates the Preferred Devices list.

    3. For the Preferred Devices setting, select one of the following access settings. All devices in the Preferred Devices list receive this access:

      • Allow All Access: The devices in the Preferred Devices list are permitted full read/write capability. All other Removable Storage devices are disabled.

      • Read-Only Access: The devices on the Preferred Devices list are permitted read-only capability. All other Removable Storage devices are disabled.

  6. Click Save Policy to save your changes.
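
The Preferred Devices rules from step 5, modelled as an added example (not code from ZENworks or from this guide) so that a draft list can be reasoned about before it is saved into a policy. It assumes that an empty field is ignored, that an entry with both fields filled must match on both, and that comparisons are case-sensitive; the entries, device descriptions, and serial numbers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One row of the Preferred Devices list."""
    description: str = ""   # partial-match field
    serial: str = ""        # exact-match field
    comment: str = ""       # informational only, never used for matching

def entry_matches(entry, dev_description, dev_serial):
    # Assumption: an empty field is ignored, a filled field must match,
    # and a row with both matching fields empty matches nothing.
    if not entry.description and not entry.serial:
        return False
    if entry.description and entry.description not in dev_description:
        return False        # Description: substring match
    if entry.serial and entry.serial != dev_serial:
        return False        # Serial Number: exact match
    return True

def effective_access(entries, list_enabled, removable_setting,
                     preferred_access, dev_description, dev_serial):
    """Access that one removable storage device receives under the policy."""
    if not list_enabled:
        # List not activated: the plain Removable Storage setting applies.
        return removable_setting
    # Enabling the list overrides the Removable Storage setting.
    if any(entry_matches(e, dev_description, dev_serial) for e in entries):
        return preferred_access      # "Allow All Access" or "Read-Only Access"
    return "Disable All Access"      # anything not on the list is blocked

def broad_entries(entries):
    """Rows without a serial number: they admit every device whose
    description contains the text, so they deserve a second look."""
    return [e for e in entries if e.description and not e.serial]

# Constructed sample list (not taken from any real policy).
PREFERRED = [
    Entry(description="SanDisk", comment="all SanDisk USB drives"),
    Entry(serial="AA00000000001234", comment="one specific device"),
]

if __name__ == "__main__":
    for desc, serial in [("SanDisk Cruzer USB Device", "X1"),
                         ("Kingston DataTraveler USB Device", "AA00000000001234"),
                         ("Kingston DataTraveler USB Device", "AA00000000001235")]:
        print(desc, serial, "->", effective_access(
            PREFERRED, True, "Allow All Access", "Read-Only Access", desc, serial))
    print("broad rows:", [e.description for e in broad_entries(PREFERRED)])
```

The third device is blocked even though the Removable Storage setting passed in is Allow All Access, which is the override described in step 5.2.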