2008年5月20日 星期二

如何使用 Group Policy(GPO) 限制USB 存取

方法一:
GPO的設定
------------------------------------------------------------------
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname

POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY

POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY

POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY

POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="自定群組管理原則"
categoryname="禁止卸除式硬體"
policynameusb="禁止USB隨插即用裝置"
policynamecd="禁止光碟機"
policynameflpy="禁止軟碟機"
policynamels120="禁止高容量軟碟機"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="關閉 USB Ports"
labeltextcd="關閉 CD-ROM 裝置"
labeltextflpy="關閉軟碟機裝置"
labeltextls120="關閉大容量軟碟機裝置"
Enabled="啟用"
Disabled="停用"
------------------------------------------------------------------

方法二:
利用修改Registry 的機碼

HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

設定為唯讀, StorageDevicePolicies = 1
張貼者:
標籤:

沒有留言:

張貼留言

訂閱: 張貼留言 (Atom)