Related Tips & Info

Blocking Removable Media (USB / CD-ROM / Floppy) Devices in ZENworks Configuration Management Zone

MigrationDeletedUser
0 Likes

Author: Ravella Raghunadh

Reviewer: Anju Dagliya



Description:


An Administrator can choose to restrict the usage of removable media devices such as USB flash drives, CD-ROM, and Floppy Disks within the organization by using one of the following ZENworks Configuration Management features:







ZENworks Configuration Management Windows Group Policy:




  1. On the management console device from where you choose to launch the ZENworks Control Center, copy and paste the following information in to a new file named removable_storage.adm.

    ################################################################################################################################################
    CLASS MACHINE
    CATEGORY !!category
     CATEGORY !!categoryname
      POLICY !!policynameusb
       KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
       EXPLAIN !!explaintextusb
         PART !!labeltextusb DROPDOWNLIST REQUIRED
     
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynamecd
       KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
       EXPLAIN !!explaintextcd
         PART !!labeltextcd DROPDOWNLIST REQUIRED
     
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 1 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynameflpy
       KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
       EXPLAIN !!explaintextflpy
         PART !!labeltextflpy DROPDOWNLIST REQUIRED
     
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynamels120
       KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
       EXPLAIN !!explaintextls120
         PART !!labeltextls120 DROPDOWNLIST REQUIRED
     
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
     END CATEGORY
    END CATEGORY
     
    [strings]
    category="Custom Policy Settings"
    categoryname="Restrict Drives"
    policynameusb="Disable USB Removable Drives"
    policynamecd="Disable CD-ROM"
    policynameflpy="Disable Floppy"
    policynamels120="Disable High Capacity Floppy"
    explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstore.sys driver status in the drop-down list.  \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstore.sys driver status in the drop-down list."
    explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of CD-ROM Drives select STARTED for the cdrom.sys driver status in the drop-down list."
    explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of Floppy Drives select STARTED for the flpydisk.sys driver status in the drop-down list."
    explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of High Capacity Floppy Drives select STARTED for the sfloppy.sys driver status in the drop-down list."
    labeltextusb="usbstore.sys driver status"
    labeltextcd="cdrom.sys driver status"
    labeltextflpy="flpydisk.sys driver status"
    labeltextls120="sfloppy.sys driver status"
    Enabled="Stopped"
    Disabled="Started"

    ################################################################################################################################################



  • Log in to ZENworks Control Center

  • Create a new Windows Group Policy



    For more information on creating Windows Group Policy, see the Novell ZENworks 10 Configuration Management Documentation: Windows Group Policy


  • In the Windows Group Policy Settings step of the Windows Group Policy creation wizard, select Computer configuration and User configuration, then click Configure to launch the local Group Policy editor tool.

  • Click Computer Configuration and right-click Administrative Templates.


  • Click Add and browse to and select the .adm file created in Step1, then click Open to list the file in the Add/Remove Templates dialog box.


  • Deselect the Only show policy settings that can be fully managed option.









    Click to view.





  • Click Administrative Templates > Custom Policy Settings > Restrict Devices to view the new settings.

  • Select Disable the USB Removable Drives.

  • Select the Enabled option.

  • In the usbstore.sys driver status option, select Stopped.









    Click to view.


    Policy settings




  • Repeat Step 11 through Step 13 to disable the CD-ROM, Floppy, and High Capacity Floppy disks.

  • Close the group policy editor to finish the policy create wizard

  • Assign the created Group Policy to ZENworks Configuration Management device or users to block the usage of removable media for the assigned users and devices.



    For more information on assigning Policies to the devices, see Assigning a Policy to Devices



    For more information on assigning Policies to the users, see Assigning a Policy to Users




ZENworks Configuration Management Bundles




  1. Create registry file with following information:

    ################################################################################################################################################
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
    "Start"=dword:00000004

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
    "Start"=dword:00000004

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk]
    "Start"=dword:00000004

    ################################################################################################################################################



    Note: Add the registry key for a removable device in the registry file only if you want to restrict the usage of that removable device for the users and devices. For example, if you want to block only USB devices, then include only USBSTOR key in the registry file. However, if you want to block both USB and Floppy Disks, then include both USBSTOR and Flpydisk keys in the registry file.





  • Log in to ZENworks Control Center


  • Create a new Directive Bundle



    For more information on Creating Directive Bundles, see the Novell ZENworks 10 Configuration Management Documentation: Creating Directive Bundles



  • Add Registry Edit Action to the bundle









    Click to view.




    For more information on adding the Registry Edit Action, see the Novell ZENworks 10 Configuration Management Documentation: Action - Registry Edit




  • Browse and import the registry file created in Step 1.



  • Assign the bundle to ZENworks Configuration Management devices or users to block the usage of removable media for them.



    For more information on assigning bundles to the devices, see the Novell ZENworks 10 Configuration Management Documentation: Assigning Existing Bundles to Devices.



    For more information on assigning bundles to the users, see the Novell ZENworks 10 Configuration Management Documentation: Assigning Existing Bundles to Users


  • Launch the bundle. You can choose to configure a distribution or launch schedule for the bundle.



    For more information on Bundle Schedules, see the Novell ZENworks 10 Configuration Management Documentation: Bundle Schedules Types



    Note: "User Login" event would be recommended for Bundle Launch schedule



I would like to thank Anju Dagliya for reviewing this cool solution and providing valuable feedback.

Labels:

How To-Best Practice
Comment List
  • This is a very good article. Thanks for giving detailed information to achieve this.

    We can block RSD and Removable Media easily by configuring the Storage Device Control policy. This policy is provided by Zenworks Endpoint Security Management Product. This product also integrated to ZENworks 11 release.

    You just need to select 'Disable' for RSD / CDROM / Floppy while configuring this policy and assign this policy to device or user.

    Find more info in 'A.7 Storage Device Control Policy' section under 'VII Appendixes' chapter.

    in link
    www.novell.com/.../
Related
Recommended

Resources

Support
Documentation
Learning Services
CyberRes Academy
Partner Programs
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Conduct
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.