How to control USB ports and CD/DVD drive?

By morland
Dec 17, 2009
  1. Hi,

    In a LAN environment (Windows 2003 as the server O/S and Windows XP and the O/S on client machines) how can we control/limit the use of USB ports and CD/DVD drives? Do we need to use some software for this or are their built-in features etc. (like the concept of Administrator, and Group policies, etc.) that can be used to achieve this?

    The one problem that I can think of is that if USB ports are locked/blocked then how will users be able to use their mouse and keyboards? The reason to control/limit use of USB ports is so that someone might not plug-in a USB stick and either introduce virus into the LAN or copy important and sensitive files. I know that they can easily email the files to someone but the idea is to minimize the risks even though they cannot be totally controlled. We also want to control the use CD drives so that users can not i) Burn data on CD's and ii) install software on their own

    Will appreciate some good and simple solution (if one exists).

    I hope I am NOT posting this in the wrong forum
  2. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    You can set "policies" on the client machines running XP Professional. One such policy disables non-Admin users from using removable USB media by . (If they plug it in, XP won't mount it) Would that meet your need?

    /* edit */
    There are also policies for setting software restrictions on users (among other things). Here's some links/info about setting software policy
    > Description of the Software Restriction Policies in Windows XP
    > Using Software Restriction Policies to Protect Against Unauthorized Software
  3. morland

    morland TS Rookie Topic Starter Posts: 48

    Thanks LookinAround. It looks like this will solve some of the problems. I will have to try them in the actual LAN environment and see how it works. At a glance it seems that this will only help control use of software ( i maybe wrong thought). But what about my core requirements i.e. controlling USB devices and CD drives?

    Will appreciate any clues/tips/thoughts.

  4. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    1) fyi.. Policies can be set
    > at the individual workstation level or
    > as a "group" policy to be applied to all the machines in a network.
    I've only set policies at the workstation level (i.e. for my own home machines) so someone else can hopefully explain the method to administer policies so they're applied to a group of machines (which would be easier for your situation)
    > Also, here's a link that might also be helpful in that regard

    2) Here's some additional info about setting policy to disable USB removable media. See here

    Someone else might also be aware and better able to provide more info about XP policies to control CD/DVD access and usage (i've never used them). You might also find some info by Googling something like XP group policy CD
  5. tipstir

    tipstir TS Ambassador Posts: 2,383   +105

    Next image of systems the one you use for a test model can be setup to have all of these devices disabled so end user don't have access to them. So GP could be set and tested under UAT prior to your next image deployment or with a small system patch you could send over the domain and have users just leave their system on using SMS push or Active Directory Push to their accounts. The user would just reboot or you could have it done in a WHS.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...