Cool Solutions

Blocking Removable Media (USB / CD-ROM / Floppy) Devices in ZENworks Configuration Management Zone



By:

October 5, 2010 11:44 am

Reads: 11053

Comments:1

Score:0

Author: Ravella Raghunadh
Reviewer: Anju Dagliya

Description:

An Administrator can choose to restrict the usage of removable media devices such as USB flash drives, CD-ROM, and Floppy Disks within the organization by using one of the following ZENworks Configuration Management features:

ZENworks Configuration Management Windows Group Policy:

  1. On the management console device from where you choose to launch the ZENworks Control Center, copy and paste the following information in to a new file named removable_storage.adm.
    ################################################################################################################################################
    CLASS MACHINE
    CATEGORY !!category
     CATEGORY !!categoryname
      POLICY !!policynameusb
       KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
       EXPLAIN !!explaintextusb
         PART !!labeltextusb DROPDOWNLIST REQUIRED
     
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynamecd
       KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
       EXPLAIN !!explaintextcd
         PART !!labeltextcd DROPDOWNLIST REQUIRED
     
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 1 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynameflpy
       KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
       EXPLAIN !!explaintextflpy
         PART !!labeltextflpy DROPDOWNLIST REQUIRED
     
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynamels120
       KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
       EXPLAIN !!explaintextls120
         PART !!labeltextls120 DROPDOWNLIST REQUIRED
     
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
     END CATEGORY
    END CATEGORY
     
    [strings]
    category="Custom Policy Settings"
    categoryname="Restrict Drives"
    policynameusb="Disable USB Removable Drives"
    policynamecd="Disable CD-ROM"
    policynameflpy="Disable Floppy"
    policynamels120="Disable High Capacity Floppy"
    explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstore.sys driver status in the drop-down list.  \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstore.sys driver status in the drop-down list."
    explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of CD-ROM Drives select STARTED for the cdrom.sys driver status in the drop-down list."
    explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of Floppy Drives select STARTED for the flpydisk.sys driver status in the drop-down list."
    explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of High Capacity Floppy Drives select STARTED for the sfloppy.sys driver status in the drop-down list."
    labeltextusb="usbstore.sys driver status"
    labeltextcd="cdrom.sys driver status"
    labeltextflpy="flpydisk.sys driver status"
    labeltextls120="sfloppy.sys driver status"
    Enabled="Stopped"
    Disabled="Started"
    
    ################################################################################################################################################
    
  2. Log in to ZENworks Control Center
  3. Create a new Windows Group Policy

    For more information on creating Windows Group Policy, see the Novell ZENworks 10 Configuration Management Documentation: Windows Group Policy

  4. In the Windows Group Policy Settings step of the Windows Group Policy creation wizard, select Computer configuration and User configuration, then click Configure to launch the local Group Policy editor tool.
  5. Click Computer Configuration and right-click Administrative Templates.
  6. Click Add/Remove Templates.

  7. Click Add and browse to and select the .adm file created in Step1, then click Open to list the file in the Add/Remove Templates dialog box.
  8. Click on View > Filtering

  9. Deselect the Only show policy settings that can be fully managed option.

  10. Click Administrative Templates > Custom Policy Settings > Restrict Devices to view the new settings.
  11. Select Disable the USB Removable Drives.
  12. Select the Enabled option.
  13. In the usbstore.sys driver status option, select Stopped.

    Click to view.

    Policy settings

  14. Repeat Step 11 through Step 13 to disable the CD-ROM, Floppy, and High Capacity Floppy disks.
  15. Close the group policy editor to finish the policy create wizard
  16. Assign the created Group Policy to ZENworks Configuration Management device or users to block the usage of removable media for the assigned users and devices.

    For more information on assigning Policies to the devices, see Assigning a Policy to Devices

    For more information on assigning Policies to the users, see Assigning a Policy to Users

ZENworks Configuration Management Bundles

  1. Create registry file with following information:
    ################################################################################################################################################
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
    "Start"=dword:00000004
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
    "Start"=dword:00000004
    
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk]
    "Start"=dword:00000004
    
    ################################################################################################################################################
    
    
    Note: Add the registry key for a removable device in the registry file only if you want to restrict the usage of that removable device for the users and devices. For example, if you want to block only USB devices, then include only USBSTOR key in the registry file. However, if you want to block both USB and Floppy Disks, then include both USBSTOR and Flpydisk keys in the registry file.
  2. Log in to ZENworks Control Center

  3. Create a new Directive Bundle

    For more information on Creating Directive Bundles, see the Novell ZENworks 10 Configuration Management Documentation: Creating Directive Bundles

  4. Add Registry Edit Action to the bundle

    For more information on adding the Registry Edit Action, see the Novell ZENworks 10 Configuration Management Documentation: Action – Registry Edit

  5. Browse and import the registry file created in Step 1.

  6. Assign the bundle to ZENworks Configuration Management devices or users to block the usage of removable media for them.

    For more information on assigning bundles to the devices, see the Novell ZENworks 10 Configuration Management Documentation: Assigning Existing Bundles to Devices.

    For more information on assigning bundles to the users, see the Novell ZENworks 10 Configuration Management Documentation: Assigning Existing Bundles to Users

  7. Launch the bundle. You can choose to configure a distribution or launch schedule for the bundle.

    For more information on Bundle Schedules, see the Novell ZENworks 10 Configuration Management Documentation: Bundle Schedules Types

    Note: “User Login” event would be recommended for Bundle Launch schedule

I would like to thank Anju Dagliya for reviewing this cool solution and providing valuable feedback.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Categories: Uncategorized

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

1 Comment

  1. By:htvikrama

    This is a very good article. Thanks for giving detailed information to achieve this.

    We can block RSD and Removable Media easily by configuring the Storage Device Control policy. This policy is provided by Zenworks Endpoint Security Management Product. This product also integrated to ZENworks 11 release.

    You just need to select ‘Disable’ for RSD / CDROM / Floppy while configuring this policy and assign this policy to device or user.

    Find more info in ‘A.7 Storage Device Control Policy’ section under ‘VII Appendixes’ chapter.

    in link
    http://www.novell.com/documentation/beta/zenworks11/zen11_es_policies/?page=/documentation/beta/zenworks11/zen11_es_policies/data/bookinfo.html

    VN:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)

Comment

RSS