
USB device



Guest Newbie
Posted

Hello,

How to disable USB devices except keyboard and mouse?

Thanks

Guest Steve Riley [MSFT]
Posted

Why do you want to do this? If your intent is to stop people from taking copies of files, then it won't work. People are supremely ingenious and will find all kinds of ways to export data from your network.

 

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

 

 

 


Guest Newbie
Posted

Hello Steve,

Do you have any better idea to stop employees from copying company data?

Thanks

 

 


Guest Ben M. Schorr - MVP (OneNote)
Posted

Don't employ people you don't trust.

 

"There are seldom good technological solutions to behavioral problems."

-Ed-

 

--

-Ben-

Ben M. Schorr, MVP

Roland Schorr & Tower

http://www.rolandschorr.com

http://www.officeforlawyers.com

Author - The Lawyer's Guide to Microsoft Outlook 2007:

http://tinyurl.com/5m3f5q

 

 

 


Posted

LOL, the job posting could read as such, "People unable to pass full background checks involving city, state, federal and international databases with fingerprint scanning need not apply" -- <grin and bear it>.

 


Posted

With Vista, you can implement this with Group Policies. Here's one TechNet article discussing this.

http://technet.microsoft.com/en-us/magazine/cc138012.aspx

I am not providing any assurance that this will make copying corporate data impossible for a determined individual, but it could make it more difficult.

 

 

 

 

 

 


Guest Steve Riley [MSFT]
Posted

Let's consider this for a moment.

Alice, in the course of her job requirements, must read the contents of File A, which is stored in a network share. So she opens Word and selects the file. A copy of the file is now, of course, in the memory of Alice's computer -- there's simply no other way that Word could display the file. Now say Alice saves that copy (that's in memory, remember) to her own hard drive. Alice now has her own copy of the file. Alice could give this copy to anyone she wants, possibly by sending as an email attachment or whatever.

See how this is NO DIFFERENT than simply copying the file from the network share to a USB drive?

If people need access to data to do their jobs, then you have to have some minimum amount of trust in them. Why else would you give them job assignments that require such access?

Nevertheless, you do have one further choice here. Windows Rights Management Services allows authors to assign permissions to files that remain with the file regardless of its location -- and the file is always encrypted when on disk. Let's continue the above scenario. Bob is the author of the file, and when he wrote it, he gave read-only rights to Alice. RMS encrypts the file and places what amounts to an access control list on the file itself: this ACL grants read-only access to Alice. When Alice opens the file in Word, Word first verifies Alice's identity, and only then obtains the key to decrypt the file. Information Rights Management (the Office component of RMS) decrypts the file, hands the bits to Word for display, and disables all functionality that would allow Alice to do anything with the file -- copy, edit, paste, save, save as, print, print screen -- all are disabled because the ACL grants read-only access.

Now say Alice tries to circumvent the protection and copies the file directly from the network share to a USB drive. Well, remember that the file is encrypted. Alice could give a copy to anyone she chooses -- and the file will be useless, since the encryption key is unavailable to anyone not on the document's access control list.

Here's an important computer security axiom: protection belongs on the thing you're trying to protect, not on the thing you're trying to defend against. You can't expect to stop information leakage by controlling storage devices or network pipes. The only thing that really works is to put the protection right on the information itself, using a system that allows the information to validate identity claims of those trying to get access.

More information about RMS here: http://www.microsoft.com/rms

 

 

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com
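
A simplified model of the idea in the post above, added here as an example; it is not part of the original thread and is not RMS's actual protocol. It shows a file that carries its own ACL and stays encrypted wherever it is copied, with a key service that releases the key only to identities on that ACL. `KeyService`, `open_document`, the container layout and the HMAC-based stand-in cipher are all hypothetical, and the caller's identity is assumed to be already authenticated.

```python
import hashlib
import hmac
import json
import secrets

def xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream) so this runs on the standard
    # library alone; a real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class KeyService:
    """Hypothetical licensing service: keeps content keys, never the files."""
    def __init__(self):
        self._keys = {}  # document id -> content key

    def protect(self, plaintext, acl):
        doc_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        header = json.dumps({"id": doc_id, "nonce": nonce.hex(), "acl": acl}).encode()
        tag = hmac.new(key, header, hashlib.sha256).digest()  # binds the ACL to the key
        self._keys[doc_id] = key
        body = xor_stream(key, nonce, plaintext)
        return len(header).to_bytes(4, "big") + header + tag + body

    def license(self, header, tag, identity):
        # Assumption: `identity` was authenticated before this call.
        meta = json.loads(header)
        key = self._keys.get(meta.get("id"))
        expected = hmac.new(key or b"", header, hashlib.sha256).digest()
        if key is None or not hmac.compare_digest(tag, expected):
            raise PermissionError("unknown document or modified policy")
        rights = meta["acl"].get(identity)
        if not rights:
            raise PermissionError(f"{identity} is not on the document's ACL")
        return key, rights

def open_document(blob, identity, service):
    """Client side: ask for a licence first, decrypt only if one is granted."""
    n = int.from_bytes(blob[:4], "big")
    header, tag, body = blob[4:4 + n], blob[4 + n:36 + n], blob[36 + n:]
    key, rights = service.license(header, tag, identity)
    nonce = bytes.fromhex(json.loads(header)["nonce"])
    return xor_stream(key, nonce, body), rights

# Constructed sample: Bob protects a file and grants Alice read-only access.
SERVICE = KeyService()
SECRET = b"Q3 acquisition plan (constructed sample text)"
BLOB = SERVICE.protect(SECRET, {"alice@example.com": ["read"]})
```

Copying `BLOB` to any medium changes nothing: it contains only ciphertext and policy. The returned rights list is what the viewing application would use to decide which functions to disable.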

 

 

 


Guest Newbie
Posted

This link solves my problem.

 

http://www.petri.co.il/disable_usb_disks_with_gpo.htm

 

 

Thanks all

 


Posted

I like your response, Steve, and I will definitely read up on Windows Rights Management. Thanks for all of your postings.

 

