Navigating the waters of Group Policy is not for the faint of heart and requires a combination of knowledge and experience to get it right.
Group Policy Options (GPO) allow you to control what users can and can't do with respect to removable storage devices. Microsoft recently published a spreadsheet with all of the available GPO settings for Windows Server 2012 and Windows 8. You can download it yourself and browse through all 3,486 entries if you'd like. Here's a link to GPO settings for all versions of Windows.
So what kinds of things can you do with GPO? You could implement a no-removable storage policy by using the Group Policy Editor. I talked in my last post about the security risks of removable storage.
From the Group Policy Editor you should see a list of all removable storage device classes, from CD and DVD to tape and WPD devices. If you wanted to restrict USB disks, you would modify the Removable Disks policy and change the setting for any of the three available policies: deny execute access, deny read access, or deny write access. Once you create a policy, it must be pushed out to all systems that you wish to have covered and then applied. This can be done in several ways, including using the Windows Server Update Services (WSUS) or a login script.
In previous versions of Windows Server, you had to use one or more command line tools to activate a new Group Policy. Windows Server 2012 adds a new feature in the Group Policy Management Console allowing you to select organizational units on which to refresh Group Policy. This only works in an environment with computers joined to an Active Directory domain. Another new feature in Windows Server 2012 is a status reporting tool allowing you to monitor the status of Active Directory and Sysvol replication. AD replication is a key piece of the Group Policy puzzle as it is the mechanism for propagating updates across an entire domain.
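The following PowerShell is an added example, not code from the original post, covering both halves of the procedure above: it builds a Removable Disks policy with the GroupPolicy module from the Remote Server Administration Tools, and it audits a client after refresh to report which of the three deny settings actually took effect. The GPO name, the target OU, and the function names are placeholders and assumptions; the registry key and value names are the ones the Removable Storage Access policy templates write.

```powershell
# Added example (not from the original post). Step 1 needs the GroupPolicy RSAT
# module on a management host; step 2 runs on any domain-joined client.

# Policy key for the removable-disk device class, as written by the
# "Removable Disks: Deny ... access" policies under Removable Storage Access.
$KeySuffix  = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$DenyValues = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

# Step 1: create (or reuse) a GPO that sets all three denies, then link it to an OU.
# $GpoName and $TargetOu are placeholders; substitute your own names.
function New-RemovableDiskDenyGpo {
    param(
        [string]$GpoName  = 'Deny Removable Disks',                 # placeholder
        [string]$TargetOu = 'OU=Workstations,DC=example,DC=local'   # placeholder
    )
    Import-Module GroupPolicy
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    foreach ($v in $DenyValues) {
        # Each restriction is a DWORD of 1 under the device-class key.
        Set-GPRegistryValue -Name $GpoName -Key "HKLM\$KeySuffix" `
            -ValueName $v -Type DWord -Value 1 | Out-Null
    }
    # Linking twice fails harmlessly if the link already exists.
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes `
        -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# Step 2: after gpupdate (or the GPMC remote refresh), check the client's registry
# so a missing restriction shows up by name instead of as a silent gap.
function Test-RemovableDiskPolicy {
    $path  = "HKLM:\$KeySuffix"
    $props = if (Test-Path -LiteralPath $path) { Get-ItemProperty -LiteralPath $path } else { $null }
    $result = [ordered]@{}
    foreach ($v in $DenyValues) {
        # True only when the key exists and the value is set to 1.
        $result[$v] = [bool]($props -and $props.$v -eq 1)
    }
    $result['Compliant'] = (@($result.Values) -notcontains $false)
    return [pscustomobject]$result
}

# Audit the local machine; run New-RemovableDiskDenyGpo separately on the management host.
Test-RemovableDiskPolicy | Format-List
```

Run the audit across a fleet (for example through Invoke-Command) and any machine reporting Compliant = False has either not refreshed policy yet or sits outside the linked OU.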
If you don't know about the Microsoft Security Compliance Manager (SCM), you should. It's a free tool from the Solution Accelerator team with all kinds of functionality related to security. It includes baseline configurations for all Microsoft operating systems prior to Windows Server 2012 and Windows 8. There's a beta of SCM 3.0 which includes updates for both of these plus Windows Internet Explorer 10. You can find out more here.
If you're in a predominantly Microsoft shop, you have access to a number of system utilities and free tools to manage access to your storage. It might take some time to wade through the help files to figure out which ones you need to tweak, but that will be time well spent.
It's funny to see other people who get the value of this small but very powerful addition to GPO. I've worked for a couple of companies where IP was a huge issue, and one of them even made visitors check their personal electronics at the door. The software packages we ran to prevent removable storage from being used were very pricey and somewhat cumbersome. I look forward to Microsoft wedging more features like this into their back-end products.
@SaneIT, agreed that this is good. I think the reason it doesn't receive a lot of hype is because the individual consumer isn't the targeted market, so why advertise to them?
However, these are very serious business needs. There are many things improved, such as:
You don't need a schema extension.
You don't need to deploy any 2012 Domain Controllers.
You don't need to flip the bit to Domain or Forest Functional Level.
All you need to do is install the OS and install/enable the Remote Server Administration Tools.
Sane: Agreed, this is a great feature, as would be the ability to control other aspects of the hardware like the camera, Wi-Fi, and even access to certain things stored on disk, for example. How about MSFT publish a list of the new things GPO now has the ability to manage somewhere we can all find it?
"you could implement a no-removable storage policy by using the Group Policy Editor."
This is great news; I had not heard that they implemented this. I've worked for several companies where intellectual property was a big deal and we had to use third-party software to monitor and disable removable media. That's one thing I like about Microsoft: they do a lot of great things on the back end that won't make the press releases.
The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.