主页 / server / 问题 / 31730
Accepted
chmeee
Asked: 2009-06-26 09:22:44 +0800 CST

在某些用户上使用 Active Directory 在 Windows 上启用/禁用 USB 设备

  • 772

出于信息泄露的原因,我被要求禁用对 Windows 机器上 USB 设备的访问。

虽然这可以通过 Active Directory 完成,但问题是该解决方案应该让我们在有限的授权期限内启用某些用户的访问权限。

如何使用 Active Directory 完成此操作(如果可能)?

如果没有,我可以使用哪个软件来做到这一点?

windows security active-directory usb

4 个回答

  1. Best Answer

    您说的是应用于计算机而不是用户的设置。如果您不介意将其应用于计算机,则可以创建一个安全组并将不应“限制”的计算机放入其中。修改您在其中应用这些限制的组策略对象的权限,以包括您创建的计算机组的“拒绝应用组策略”,并且这些设置将不再适用于这些计算机。您可以根据需要将计算机移入和移出组,但我相当肯定您会卡住重新启动计算机以使限制与非限制生效。

    • 4

  2. 据我所知,环氧树脂是解决这个问题的一种非常流行的方法。

    您如何防止用户使用绕过安全性的 USB 驱动器

    以太网、USB、电话等的物理端口锁?

    不过,实际上,GP 看起来是最好的答案:

    http://windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html

    • 0

  3. 我在上一家公司设置了 ADM,并将 GP 设置为某些组。启用大容量存储和禁用大容量存储。如果有组更改,他们需要重新启动。它的注册表更改基本上禁用了 USB 大容量存储驱动程序。

    这是我使用的 ADM。几年前从谷歌那里抢到的。

    CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART !!labeltextusb DROPDOWNLIST REQUIRED

       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART !!labeltextcd DROPDOWNLIST REQUIRED

       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART !!labeltextflpy DROPDOWNLIST REQUIRED

       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART !!labeltextls120 DROPDOWNLIST REQUIRED

       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB Removable Drives"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstore.sys driver status in the drop-down list.  \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstore.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the sfloppy.sys driver status in the drop-down list."
labeltextusb="usbstore.sys driver status"
labeltextcd="cdrom.sys driver status"
labeltextflpy="flpydisk.sys driver status"
labeltextls120="sfloppy.sys driver status"
Enabled="Stopped"
Disabled="Started"
    • 0

  4. 如果在 windows7 中使用 gpedit 禁用 USB 大容量存储设备

    1. 重置 gpedit 配置设置所有可移动存储类:拒绝所有未配置的访问
    2. 然后 Gpupdate
    3. 驱动安装
      设备管理器->更新驱动->浏览:c->windows->inf->usbsstore.disabled(将usbstore.disabled重命名为usbstore.inf然后选择usbstore.inf)->下一步完成
    4. 重启机器
    • 0

相关问题