. Before we learned the reasonable settings of Windows XP Group Policy to make the system more secure, how to use Group Policy under Vista? I will discuss this issue for you today.
The most misunderstood group policy is its name -- group policy is not the way to apply the strategy to the group! In contrast, Group Policy enforces individual or individual user accounts and computer accounts by linking Group Policy to Active Directory containers (usually organizational units, but also including domains and sites). The Group Policy object here is a collection of policy settings.
Although restricting removable devices through Group Policy is not a very good network security solution, users who have installed a storage device (such as a USB-powered device) can continue to use it. However, we can still make some subtle settings that allow you to limit specific removable storage devices by their ID.
It's hard to say which security threat has the biggest impact on your network data. For several reasons, I tend to think that removable storage devices, especially USB drive devices, should be at the top of the list. Cause 1: USB storage devices are very easy to ignore. The second reason: There is a simple fact that you can store large amounts of data (such as up to 4GB of data) on a USB drive, which means users can bring the same large applications to the enterprise. in. It also means that users can take up to 4GB of data from the enterprise. Any data that users can access can be easily copied to these drives. Moreover, the USB device itself is small in size, which makes it easy for users to bring it into and out of the enterprise.
The author has talked with some network administrators about the security risks of USB storage devices. However, the most common practice for these network administrators is to disable the USB port on the workstation. There are some newer machines that allow you to disable the USB port via BiOS, but most older machines don't provide this capability. In this case, there is another scheme that is most commonly used, which is to block the USB port with tape to prevent it from being used.
Although these methods can play a role, they all have some shortcomings. For the operator, these methods are "labor-intensive", which means that it is too difficult to implement. Another problem is that disabling the USB port does not completely solve the problem of users accessing removable media. Users can easily use FireWire hard drives and removable DVD drives as an alternative.
The biggest drawback of all of these methods is that permanently disabling the USB port prevents the user from using the USB device and makes these ports inaccessible to supported users. In addition, there are occasional legitimate reasons why a USB port should be available. For example, some jobs require the user to have a USB scanner connected to their PC.
Fortunately, an important goal of Microsoft's Windows Vista (and its famous Windows Server 2008 (Longhorn)) is to give administrators better control over how workstations use hardware. Now we can control access to the removable manuscript device by means of Group Policy.
Restricting Group Policy settings for USB storage device access is currently only available in Windows Vista. Currently, this means that you can only set Group Policy at the local computer level. After Windows Server 2008 is released, you can set these group policies on the domain, in the site, or at the OU level (provided you have a domain controller for Windows Server 2008, of course).
To access the required Group Policy settings, you must open the Group Policy Object Editor. Therefore, please click "Start" /"All Programs" /"Accessories" (English operating system is Start /All Programs /AccessorIEs, I use English system). Next, enter the MMC command. This will cause Windows to open an empty Microsoft Management Console. After the console opens, select Add /Remove Snap-In from the File menu. Select the Group Policy Object option from the list of snap-ins and click the Add button. By default, this snap-in will connect to the Local Computer policy, so just click OK (ok) and then click Finish.
The local computer policy will be loaded into the console. Now navigate to Computer Configuration Administrative Templates System Device Installation Device Installation Restrictions. In doing so, the details pane shows several restrictions related to installing hardware devices, as shown in the following figure:
There are many settings related to restricting device installation. These settings are not necessarily, specifically associated with, the mobile device, but are generally associated with the hardware device. The basic idea here is that if you limit the user to install the device, it will block any devices that you don't specifically enable.
Regarding removable device issues, you can pay special attention to the two policy settings: The first setting is "Allow Administrators to Override Device Installation Restrictions" if you implement any Device limit settings, then you need to enable this setting. Otherwise, even the administrator cannot install any new hardware on the workstation.
The second important setting is "Prevent Installation of Removable Devices". If you enable this setting, users will not be able to install removable devices. If a user already uses a removable device in the system, there will be a driver for this removable device, so the user will continue to use it. However, the user will never be able to update the device's drivers.
In fact, there are still a lot of security measures that we can set through Windows Vista, which is waiting for you to explore and discover further.