USB device

N

Newbie

Hello,

How to disable USB device except keyboard and mouse?

Thanks
 
S

Steve Riley [MSFT]

Why do you want to do this? If your intent is to stop people from taking
copies of files, then it won't work. People are supremely ingenious and will
find all kinds of ways to export data from your network.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Newbie" <Newbie@discussions.microsoft.com> wrote in message
news:0BBD4C40-A510-4443-AAFE-448967419C77@microsoft.com...
> Hello,
>
> How to disable USB device except keyboard and mouse?
>
> Thanks
>
>
 
N

Newbie

Hello Steve,

Do you have any better idea to stop employee to copy company data?

Thanks


"Steve Riley [MSFT]" wrote:

> Why do you want to do this? If your intent is to stop people from taking
> copies of files, then it won't work. People are supremely ingenious and will
> find all kinds of ways to export data from your network.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Newbie" <Newbie@discussions.microsoft.com> wrote in message
> news:0BBD4C40-A510-4443-AAFE-448967419C77@microsoft.com...
> > Hello,
> >
> > How to disable USB device except keyboard and mouse?
> >
> > Thanks
> >
> >
 
B

Ben M. Schorr - MVP (OneNote)

Don't employ people you don't trust.

"There are seldom good technological solutions to behavioral problems."
-Ed-

--
-Ben-
Ben M. Schorr, MVP
Roland Schorr & Tower
http://www.rolandschorr.com
http://www.officeforlawyers.com
Author - The Lawyer's Guide to Microsoft Outlook 2007:
http://tinyurl.com/5m3f5q



"Newbie" <Newbie@discussions.microsoft.com> wrote in message
news:85347336-3129-447E-9D64-00847ABB6620@microsoft.com:

> Hello Steve,
>
> Do you have any better idea to stop employee to copy company data?
>
> Thanks
>
>
> "Steve Riley [MSFT]" wrote:
>
>
> > Why do you want to do this? If your intent is to stop people from taking
> > copies of files, then it won't work. People are supremely ingenious and will
> > find all kinds of ways to export data from your network.
> >
> > --
> > Steve Riley
> > steve.riley@microsoft.com
> > http://blogs.technet.com/steriley
> > http://www.protectyourwindowsnetwork.com
> >
> >
> >
> > "Newbie" <Newbie@discussions.microsoft.com> wrote in message
> > news:0BBD4C40-A510-4443-AAFE-448967419C77@microsoft.com...
>
> > > Hello,
> > >
> > > How to disable USB device except keyboard and mouse?
> > >
> > > Thanks
> > >
> > >
 
D

Dan

LOL, the job posting could read as such, "People unable to pass full
background checks involving city, state, federal and international databases
with fingerprint scanning need not apply -- <grin and bear it>.

"Ben M. Schorr - MVP (OneNote)" wrote:

> Don't employ people you don't trust.
>
> "There are seldom good technological solutions to behavioral problems."
> -Ed-
>
> --
> -Ben-
> Ben M. Schorr, MVP
> Roland Schorr & Tower
> http://www.rolandschorr.com
> http://www.officeforlawyers.com
> Author - The Lawyer's Guide to Microsoft Outlook 2007:
> http://tinyurl.com/5m3f5q
>
>
>
> "Newbie" <Newbie@discussions.microsoft.com> wrote in message
> news:85347336-3129-447E-9D64-00847ABB6620@microsoft.com:
>
> > Hello Steve,
> >
> > Do you have any better idea to stop employee to copy company data?
> >
> > Thanks
> >
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >
> > > Why do you want to do this? If your intent is to stop people from taking
> > > copies of files, then it won't work. People are supremely ingenious and will
> > > find all kinds of ways to export data from your network.
> > >
> > > --
> > > Steve Riley
> > > steve.riley@microsoft.com
> > > http://blogs.technet.com/steriley
> > > http://www.protectyourwindowsnetwork.com
> > >
> > >
> > >
> > > "Newbie" <Newbie@discussions.microsoft.com> wrote in message
> > > news:0BBD4C40-A510-4443-AAFE-448967419C77@microsoft.com...
> >
> > > > Hello,
> > > >
> > > > How to disable USB device except keyboard and mouse?
> > > >
> > > > Thanks
> > > >
> > > >
>
>
 
R

RichK

With Vista, you can implement this with Group Policies.
Here's one technet article discussing this.
http://technet.microsoft.com/en-us/magazine/cc138012.aspx

I am not providing any assurance that this will make copying corporate data
impossible for a determined individual, but it could make it more difficult.






"Newbie" <Newbie@discussions.microsoft.com> wrote in message
news:0BBD4C40-A510-4443-AAFE-448967419C77@microsoft.com...
> Hello,
>
> How to disable USB device except keyboard and mouse?
>
> Thanks
>
>
 
S

Steve Riley [MSFT]

Let's consider this for a moment.

Alice, in the course of her job requirements, must read the contents of File
A, which is stored in a network share. So she opens Word and selects the
file. A copy of the file is now, of course, in the memory of Alice's
computer -- there's simply no other way that Word could display the file.
Now say Alice saves that copy (that's in memory, remember) to her own hard
drive. Alice now has her own copy of the file. Alice could give this copy to
anyone she wants, possibly by sending as an email attachment or whatever.

See how this is NO DIFFERENT than simply copying the file from the network
share to a USB drive?

If people need access to data to do their jobs, then you have to have some
minimum amount of trust in them. Why else would you give them job
assignments that require such access?

Nevertheless, you do have one further choice here. Windows Rights Management
Services allows authors to assign permissions to files that remain with the
file regardless of its location -- and the file is always encrypted when on
disk. Let's continue the above scenario. Bob is the author of the file, and
when he wrote it, he gave read-only rights to Alice. RMS encrypts the file
and places what amounts to an access control list on the file itself: this
ACL grants read-only access to Alice. When Alice opens the file in Word,
Word first verifies Alice's identity, and only then obtains the key to
decrypt the file. Information Rights Management (the Office component of
RMS) decrypts the file, hands the bits to Word for display, and disables all
functionality that would allow Alice to do anything with the file -- copy,
edit, paste, save, save as, print, print screen -- all are disabled because
the ACL grants read-only access.

Now say Alice tries to circumvent the protection and copies the file
directly from the network share to a USB drive. Well, remember that the file
is encrypted. Alice could give a copy to anyone she chooses -- and the file
will be useless, since the encryption key is unavailable to anyone not on
the document's access control list.


Here's an important computer security axiom: protection belongs on the thing
you're trying to protect, not on the thing you're trying to defend against.
You can't expect to stop information leakage by controlling storage devices
or network pipes. The only thing that really works is to put the protection
right on the information itself, using a system that allows the information
to validate identity claims of those trying to get access.

More information about RMS here: http://www.microsoft.com/rms


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Newbie" <Newbie@discussions.microsoft.com> wrote in message
news:85347336-3129-447E-9D64-00847ABB6620@microsoft.com...
> Hello Steve,
>
> Do you have any better idea to stop employee to copy company data?
>
> Thanks
>
>
> "Steve Riley [MSFT]" wrote:
>
>> Why do you want to do this? If your intent is to stop people from taking
>> copies of files, then it won't work. People are supremely ingenious and
>> will
>> find all kinds of ways to export data from your network.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "Newbie" <Newbie@discussions.microsoft.com> wrote in message
>> news:0BBD4C40-A510-4443-AAFE-448967419C77@microsoft.com...
>> > Hello,
>> >
>> > How to disable USB device except keyboard and mouse?
>> >
>> > Thanks
>> >
>> >
 
N

Newbie

This link solves my problem.

http://www.petri.co.il/disable_usb_disks_with_gpo.htm


Thanks all

"Steve Riley [MSFT]" wrote:

> Let's consider this for a moment.
>
> Alice, in the course of her job requirements, must read the contents of File
> A, which is stored in a network share. So she opens Word and selects the
> file. A copy of the file is now, of course, in the memory of Alice's
> computer -- there's simply no other way that Word could display the file.
> Now say Alice saves that copy (that's in memory, remember) to her own hard
> drive. Alice now has her own copy of the file. Alice could give this copy to
> anyone she wants, possibly by sending as an email attachment or whatever.
>
> See how this is NO DIFFERENT than simply copying the file from the network
> share to a USB drive?
>
> If people need access to data to do their jobs, then you have to have some
> minimum amount of trust in them. Why else would you give them job
> assignments that require such access?
>
> Nevertheless, you do have one further choice here. Windows Rights Management
> Services allows authors to assign permissions to files that remain with the
> file regardless of its location -- and the file is always encrypted when on
> disk. Let's continue the above scenario. Bob is the author of the file, and
> when he wrote it, he gave read-only rights to Alice. RMS encrypts the file
> and places what amounts to an access control list on the file itself: this
> ACL grants read-only access to Alice. When Alice opens the file in Word,
> Word first verifies Alice's identity, and only then obtains the key to
> decrypt the file. Information Rights Management (the Office component of
> RMS) decrypts the file, hands the bits to Word for display, and disables all
> functionality that would allow Alice to do anything with the file -- copy,
> edit, paste, save, save as, print, print screen -- all are disabled because
> the ACL grants read-only access.
>
> Now say Alice tries to circumvent the protection and copies the file
> directly from the network share to a USB drive. Well, remember that the file
> is encrypted. Alice could give a copy to anyone she chooses -- and the file
> will be useless, since the encryption key is unavailable to anyone not on
> the document's access control list.
>
>
> Here's an important computer security axiom: protection belongs on the thing
> you're trying to protect, not on the thing you're trying to defend against.
> You can't expect to stop information leakage by controlling storage devices
> or network pipes. The only thing that really works is to put the protection
> right on the information itself, using a system that allows the information
> to validate identity claims of those trying to get access.
>
> More information about RMS here: http://www.microsoft.com/rms
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Newbie" <Newbie@discussions.microsoft.com> wrote in message
> news:85347336-3129-447E-9D64-00847ABB6620@microsoft.com...
> > Hello Steve,
> >
> > Do you have any better idea to stop employee to copy company data?
> >
> > Thanks
> >
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> Why do you want to do this? If your intent is to stop people from taking
> >> copies of files, then it won't work. People are supremely ingenious and
> >> will
> >> find all kinds of ways to export data from your network.
> >>
> >> --
> >> Steve Riley
> >> steve.riley@microsoft.com
> >> http://blogs.technet.com/steriley
> >> http://www.protectyourwindowsnetwork.com
> >>
> >>
> >>
> >> "Newbie" <Newbie@discussions.microsoft.com> wrote in message
> >> news:0BBD4C40-A510-4443-AAFE-448967419C77@microsoft.com...
> >> > Hello,
> >> >
> >> > How to disable USB device except keyboard and mouse?
> >> >
> >> > Thanks
> >> >
> >> >
 
D

Dan

I like your response, Steve and I will definately read up on Windows Rights
Management. Thanks for all of your postings.

"Steve Riley [MSFT]" wrote:

> Let's consider this for a moment.
>
> Alice, in the course of her job requirements, must read the contents of File
> A, which is stored in a network share. So she opens Word and selects the
> file. A copy of the file is now, of course, in the memory of Alice's
> computer -- there's simply no other way that Word could display the file.
> Now say Alice saves that copy (that's in memory, remember) to her own hard
> drive. Alice now has her own copy of the file. Alice could give this copy to
> anyone she wants, possibly by sending as an email attachment or whatever.
>
> See how this is NO DIFFERENT than simply copying the file from the network
> share to a USB drive?
>
> If people need access to data to do their jobs, then you have to have some
> minimum amount of trust in them. Why else would you give them job
> assignments that require such access?
>
> Nevertheless, you do have one further choice here. Windows Rights Management
> Services allows authors to assign permissions to files that remain with the
> file regardless of its location -- and the file is always encrypted when on
> disk. Let's continue the above scenario. Bob is the author of the file, and
> when he wrote it, he gave read-only rights to Alice. RMS encrypts the file
> and places what amounts to an access control list on the file itself: this
> ACL grants read-only access to Alice. When Alice opens the file in Word,
> Word first verifies Alice's identity, and only then obtains the key to
> decrypt the file. Information Rights Management (the Office component of
> RMS) decrypts the file, hands the bits to Word for display, and disables all
> functionality that would allow Alice to do anything with the file -- copy,
> edit, paste, save, save as, print, print screen -- all are disabled because
> the ACL grants read-only access.
>
> Now say Alice tries to circumvent the protection and copies the file
> directly from the network share to a USB drive. Well, remember that the file
> is encrypted. Alice could give a copy to anyone she chooses -- and the file
> will be useless, since the encryption key is unavailable to anyone not on
> the document's access control list.
>
>
> Here's an important computer security axiom: protection belongs on the thing
> you're trying to protect, not on the thing you're trying to defend against.
> You can't expect to stop information leakage by controlling storage devices
> or network pipes. The only thing that really works is to put the protection
> right on the information itself, using a system that allows the information
> to validate identity claims of those trying to get access.
>
> More information about RMS here: http://www.microsoft.com/rms
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Newbie" <Newbie@discussions.microsoft.com> wrote in message
> news:85347336-3129-447E-9D64-00847ABB6620@microsoft.com...
> > Hello Steve,
> >
> > Do you have any better idea to stop employee to copy company data?
> >
> > Thanks
> >
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> Why do you want to do this? If your intent is to stop people from taking
> >> copies of files, then it won't work. People are supremely ingenious and
> >> will
> >> find all kinds of ways to export data from your network.
> >>
> >> --
> >> Steve Riley
> >> steve.riley@microsoft.com
> >> http://blogs.technet.com/steriley
> >> http://www.protectyourwindowsnetwork.com
> >>
> >>
> >>
> >> "Newbie" <Newbie@discussions.microsoft.com> wrote in message
> >> news:0BBD4C40-A510-4443-AAFE-448967419C77@microsoft.com...
> >> > Hello,
> >> >
> >> > How to disable USB device except keyboard and mouse?
> >> >
> >> > Thanks
> >> >
> >> >
 
You must log in or register to reply here.

Similar threads

G
my USB keyboard type alone and i can t find a solution
Replies
0
Views
38
George Sebastian1
G
D
USB ports do not work.
Replies
0
Views
7
DezRom
D
S
Device manager keyboard drivers problem
Replies
0
Views
22
Saint Gurji
S
K
The usb device is not fully connected.
Replies
0
Views
27
Karolis Petkūnas
K
K
The usb device is not fully connected.
Replies
0
Views
39
Karolis Petkūnas
K
Back
Top Bottom