Dell recommends Windows 8.

Windows Group Policy Options & Storage

Paul Ferrill, CTO, Avionics Test and Analysis Corp | 11/2/2012 | 6 comments

Paul Ferrill
Navigating the waters of Group Policy is not for the faint of heart and requires a combination of knowledge and experience to get it right.

Group Policy Options (GPO) allow you to control what users can and can't do with respect to removable storage devices. Microsoft recently published a spreadsheet with all of the available GPO settings for Windows Server 2012 and Windows 8. You can download it yourself and browse through all 3,486 entries if you'd like. Here's a link to GPO settings for all versions of Windows.

So what kinds of things can you do with GPO? You could implement a no-removable storage policy by using the Group Policy Editor. I talked in my last post about the security risks of removable storage.

From the Group Policy Editor you should see a list of all removable storage devices from CD and DVD to tape and WPD devices. If you wanted to restrict USB disks, you would need to modify the Removable Disks policy and change the setting for any of the three available policies -- deny execute, read access, or write access. Once you create a policy it must be pushed out to all systems that you wish to have covered and then executed. This can be done in several ways, including using the Windows Server Update Services (WSUS) or by using a login script.

In previous versions of Windows Server, you had to use one or more command line tools to activate a new Group Policy. Windows Server 2012 adds a new feature in the Group Policy Management Console allowing you to select organizational units on which to refresh Group Policy. This only works in an environment with computers joined to an Active Directory domain. Another new feature in Windows Server 2012 is a status reporting tool allowing you to monitor the status of Active Directory and Sysvol replication. AD replication is a key piece of the Group Policy puzzle as it is the mechanism for propagating updates across an entire domain.

If you don't know about the Microsoft Security Compliance Manager (SCM), you should. It's a free tool from the Solution Accelerator team with all kinds of functionality related to security. It includes baseline configurations for all Microsoft operating systems prior to Windows Server 2012 and Windows 8. There's a beta of SCM 3.0 which includes updates for both of these plus Windows Internet Explorer 10. You can find out more here.

If you're in a predominantly Microsoft shop, you have access to a number of system utilities and free tools to manage access to your storage. It might take some time to wade through the help files to figure out which ones you need to tweak, but that will be time well spent.

View Comments: Newest First | Oldest First | Threaded View
anthony.nima   Windows Group Policy Options & Storage   11/30/2012 3:12:17 AM
Re: Disabling USB devices
Exactly Tuscany, this indeed a good suggestion if it works as planned.
SaneIT   Windows Group Policy Options & Storage   11/13/2012 2:27:40 PM
Re: Disabling USB devices
It's funny to see other people who get the value of this small but very powerful addition to GPO, I've worked for a couple companies where IP was a huge issue and one of them even made visitors check their personal electronics at that door.  The software packages we ran to prevent removable storage from being used was very pricey and somewhat cumbersome, I look forward to Microsoft wedging more features like this into their back end products.
Tuscany   Windows Group Policy Options & Storage   11/13/2012 11:01:11 AM
Re: Disabling USB devices
@SaneIT    I agree.  I am also happy to learn of this feature.  It might save companies a few dollars since they won't need to go 3rd party anymore.
Trek   Windows Group Policy Options & Storage   11/8/2012 2:11:05 PM
Re: GPO features
@ SaneIT, agreed that this is good.  I think the reason it doesn't receive a lot of hype is because the the individual consumer isn't the targeted market, so why advertise to them?

However, these a very serious business needs. There are many things improved such as: 

You don't need a schema extension
You don't need to deploy any 2012 Domain Controllers
You don't need to flip the bit to Domain or Forest Functional Level
All you need to do is install the OS and install/enable the Remote Server Administration Tools.
Toby   Windows Group Policy Options & Storage   11/8/2012 9:05:21 AM
GPO features
Sane: Agreed this is a great feature as would be the ability to control other aspects of the hardware like the camera, wifi and even access to certain things stored on dsk for example. How about MSFT publish a list of the new things GPO now has the ability to manage somewhere where we can all find it..?
SaneIT   Windows Group Policy Options & Storage   11/8/2012 7:58:30 AM
Disabling USB devices
"you could implement a no-removable storage policy by using the Group Policy Editor."

This is great news, I had not heard that they implemented this.  I've worked for several companies where intellectual property was a big deal and we had to use third party software to monitor and disable removable media.  That's one thing that I like about Microsoft, they do a lot of great things on the back end that won't make the press releases.


The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.

More Blogs from Paul Ferrill
Paul Ferrill   2/21/2013   12 comments
Making the decision to migrate older versions of Windows Server over to the latest version is often avoided because of the headaches involved.
Paul Ferrill   1/10/2013   33 comments
Microsoft has released a number of versions of Windows Server 2012, including one with the Essentials label. It's meant to be a follow-on product to Windows Small Business Server (SBS) ...
Paul Ferrill   11/28/2012   8 comments
Microsoft has a number of tools to help you with your transition to Windows Server 2012. I'll be looking at several of these to help lay out what each does and how they might be of benefit ...
Paul Ferrill   11/26/2012   3 comments
If you're embarking on a Windows 8 migration -- or even if you're in testing mode for the time being -- you'll want to download the Windows Assessment and Deployment Kit (ADK) for Windows 8.
Days
Hours
Minutes
Seconds
Dell Information Resources
SPONSORED BY DELL
VIDEOS
WINDOWS CLIENT
WINDOWS SERVER
On-demand Video with Chat
The culture of work is changing. Tech-savvy and always-connected people want faster, more intuitive technology, uninterrupted services, and freedom to work anywhere, anytime, on a variety of devices.
Latest Archived Broadcast
Bring-Your-Own-Device (BYOD) is about more than just a device.
© 2014 UBM TechWeb - Privacy Policy