我在上一家公司设置了 ADM,并将 GP 设置为某些组。启用大容量存储和禁用大容量存储。如果有组更改,他们需要重新启动。它的注册表更改基本上禁用了 USB 大容量存储驱动程序。
这是我使用的 ADM。几年前从谷歌那里抢到的。
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB Removable Drives"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstore.sys driver status in the drop-down list. \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstore.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the sfloppy.sys driver status in the drop-down list."
labeltextusb="usbstore.sys driver status"
labeltextcd="cdrom.sys driver status"
labeltextflpy="flpydisk.sys driver status"
labeltextls120="sfloppy.sys driver status"
Enabled="Stopped"
Disabled="Started"
您说的是应用于计算机而不是用户的设置。如果您不介意将其应用于计算机,则可以创建一个安全组并将不应“限制”的计算机放入其中。修改您在其中应用这些限制的组策略对象的权限,以包括您创建的计算机组的“拒绝应用组策略”,并且这些设置将不再适用于这些计算机。您可以根据需要将计算机移入和移出组,但我相当肯定您会卡住重新启动计算机以使限制与非限制生效。
据我所知,环氧树脂是解决这个问题的一种非常流行的方法。
您如何防止用户使用绕过安全性的 USB 驱动器
以太网、USB、电话等的物理端口锁?
不过,实际上,GP 看起来是最好的答案:
http://windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html
我在上一家公司设置了 ADM,并将 GP 设置为某些组。启用大容量存储和禁用大容量存储。如果有组更改,他们需要重新启动。它的注册表更改基本上禁用了 USB 大容量存储驱动程序。
这是我使用的 ADM。几年前从谷歌那里抢到的。
如果在 windows7 中使用 gpedit 禁用 USB 大容量存储设备
设备管理器->更新驱动->浏览:c->windows->inf->usbsstore.disabled(将usbstore.disabled重命名为usbstore.inf然后选择usbstore.inf)->下一步完成