RE: How to disable all floppy drives on the network

From: Jannie Hanekom (j_hanekomhotmail.com)
Date: Wed Dec 10 2003 - 13:01:40 CST


If you can disable the "Floppy Disk" driver through a policy, you'll
probably meet management's requirement, though many would see the logic as
flawed. The "Hide these specified drives" user policy is also quite useful
in enforcing this type of limit.

Note that disabling the floppy driver doesn't prevent people from sticking
in ZIP drives, LS-120 drives, CD Writers, USB Storage Keys, Infrared, USB
Wireless LAN adapters, printers, or any other type of removable
storage/transfer mechanism. Hiding drives is somewhat useful for that, but
you'll have to disable the Command Prompt in conjunction with that. (Any
application that doesn't use the standard Windows File Open/Save/Browse
dialogs will still provide access to the removable device.) The floppy disk
driver key is at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk

You can change the "Start" type to one of the following:
0x00 Boot
0x01 System
0x02 Auto load
0x03 Load on demand
0x04 Disabled

You can possibly set up your own ADM template for this, but I'm speculating
it will be possible to add this into the "System Services" list in Group
Policies. Try adding the following into the relevant policy's GptTmpl.inf
file in Sysvol\<domain>\Policies\<UUID>\Machine\Microsoft\Windows
NT\SecEdit:

[Service General Setting]
FlpyDisk,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"

You can get the UUID of the policy by displaying its properties in AD Users
& Computers. The line above should add a "FlpyDisk" entry under System
Services in the group policy you added it to. Open the Group Policy, change
anything (just to notify AD that it has changed) and close it. I've not
tested it, but in theory applying the policy now will disable the floppy
driver.

Just be careful with applying this policy to all computers - limit "Apply
Group Policy" to only a test set of workstations to verify that this
actually works.

Jannie

-----Original Message-----
From: Sakaba [mailto:Sakabaalexandria.cc]
Sent: 10 December 2003 05:46
To: focus-mssecurityfocus.com
Subject: How to disable all floppy drives on the network

Hi everyone,

I got an AD network running mostly Win2k and WinXP. All our client PCs have
floppy drives but I've been asked by management to remove them to prevent
users from putting data on floppies which short of encrypting the files lack
security. This is obviously very time consuming so I'm looking for a way to
simply disable them.

- The group policy setting that limits access to the locally logged in user
is no good because the drive still shows up to many applications that were
installed under local admin.

- I can disable each drive via AD users/computers-->manage computer (one at
a time)-->disable floppy device. This is very time consuming because I
can't manage multiple computers at a time and we are talking about thousands
of boxes.

I was thinking maybe a WMI script might do it but I'm a neophyte in that area
so I'm not sure. Any ideas?

Best Regards,
sakaba
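
An added example, not part of the original thread: a Python check to run over a GptTmpl.inf before the policy is applied to the test workstations. It confirms that the FlpyDisk entry under [Service General Setting] sits on one line, carries startup value 4, and that its ACL lets only BA and SY reconfigure the service. The function name, the trusted-trustee rule and the sample inputs are assumptions constructed for illustration.

```python
import re

# Service access rights behind the two-letter SDDL codes in the posted ACL.
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
          "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
TRUSTED = {"BA", "SY"}               # assumed rule: Builtin Administrators, Local System
CONTROL = {"DC", "SD", "WD", "WO"}   # rights sufficient to undo the Disabled setting
ENTRY = re.compile(r'^"?([^",]+)"?\s*,\s*(\d+)\s*,\s*"(D:.*)"$')

def audit(inf_text, service="FlpyDisk"):
    """Return a list of problems found in the template entry for `service`."""
    problems, found, in_section = [], False, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        if not in_section or not line or line.startswith(";"):
            continue
        m = ENTRY.match(line)
        if not m:   # e.g. an entry split in two by mail line wrapping
            problems.append("malformed line: " + line[:24])
            continue
        name, start, sddl = m.groups()
        if name.lower() != service.lower():
            continue
        found = True
        if start != "4":
            problems.append("startup value is " + start + ", not 4 (Disabled)")
        for ace in re.findall(r"\(([^()]*)\)", sddl):
            fields = ace.split(";")
            if len(fields) != 6:
                problems.append("malformed ACE: " + ace)
                continue
            kind, rights, who = fields[0], re.findall("..", fields[2]), fields[5]
            problems += ["unrecognised right: " + r for r in rights if r not in RIGHTS]
            risky = sorted(RIGHTS[r] for r in CONTROL & set(rights))
            if kind == "A" and who not in TRUSTED and risky:
                problems.append(who + " is allowed " + ", ".join(risky))
    if not found:
        problems.append("no usable entry for " + service)
    return problems

# Constructed inputs: the posted entry on one line, a mail-wrapped copy, a weak variant.
GOOD = '[Service General Setting]\nFlpyDisk,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"\n'
WRAPPED = GOOD.replace("LOCRSDRCWDWO;;;SY", "LOCRSD\nRCWDWO;;;SY")
WEAK = '[Service General Setting]\nFlpyDisk,3,"D:AR(A;;CCLCDC;;;AU)"\n'
print(audit(GOOD), audit(WRAPPED), audit(WEAK), sep="\n")
```

An empty list means the entry passed all three checks; the wrapped copy reports both halves of the broken line and no usable entry.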
