Software to control usb access

Thanks every one,
i will suggest GFI end point security to my boss and i will let you know which one we are going to use

Why is everyone opting to install third party software instead of just using device manager isn't the goal here simply to make usb ports not use mass storage?

Hello Nevins

I for one i really don't like anything 3rd Party. But what if the end user u are protecting the usb ports from is also a 60% good techie (might not been as good as ur self but is good) who can use Registry / Group Policy to unblock the restrictions u placed on usb ports????????

I have tried out GFI's stuff and they are really cool.

Cheers man.


C0DE - 3

:shock:

Don't you lock your users out of that stuff?










There are a lot of useful things you can lock down already built into windows and the best part is you can configure it all to run from a command line. Keep in mind you can this is using group policy so you can keep everything on the administration accounts but user accounts get locked down to practically no ability to do anything.


Edit: after looking at the GFI product it does have some useful logging tools and also allows you to choose allowed devices vs completely shutting off storage access. The power of GFI isn't that it simply allows you to block access it's that it allows you to control and monitor access. (but I would still use the group policy editor in tandem with GFI as I'm sure there are options in the GPE that GFI may not handle as well)

Nevins what if u are dealing with people who need the run enabled? What if its a working place not a business place. Remember u don't want ur fellow colleagues to hate u cos u are some IT dude. (HR remember)! Sooner if the person on the system is the inquisitive type (IT or non IT), the person will find his way out. Is windows that secured?

Jester knows the people he is dealing with so most likely he knows why he is asking for something really tight in security.


Merci

C0DE - 3

Your right you do want to take users needs into consideration because they may NEED a functionality. Generally speaking I would have to say I'm pretty inflexible when it comes to employees WANTS because thats generally in direct contradiction to what they NEED (which is to get off facebook and do work before the HR people fire them). Ironically I find the HR people want to lock things down more than anyone else because part of their job is to insure people are doing their job correctly. Ideally your going to enable and disable features based on your best judgement of the situation. Keep in mind part of your job as an admin is to know when to allow/disallow users access to something. You don't have to be vindictive and mean about it but sometimes laying down policy is exactly what you have to do. Personally I would use both tools because I'm sure they both have features ideal for usage in any environment. If someone is messing around enough to bypass windows security on machine administered by me they don't need to be on it at all.

Don't get me wrong employees/users can have legitimate reasons or simply be privileged access based on management decision but you have to realize that your situation often requires you to put things in place in direct contradiction with what employees and sometimes even HR wants.

In Jesters case I would suggest it looks at both options and evaluates his needs based on his situation and the features provided by both methods.


I've had to make quite a few unpopular administration implementations but to be honest I've never had any issues with colleagues because they also generally understand it's part of the administrators job. However I will say that any sort of smoothing over you can do is generally appreciated and it's best not to take things away while people are actively trying to work and having management approve changes and send out a email explaining the changes generally keeps people from rioting or at the very least makes them riot to management instead of you.

Simply put there is a right way and a wrong way and knowing that per your particular situation is your responsibility.