Just in case you missed part 1 of this article series, the group policy settings that I am discussing are unique to Windows Longhorn Server. These group policy settings can be used to secure workstations that are running Windows Vista. However, these settings have no effect on systems running Windows XP, Windows Server 2003, or older versions of Windows. You can find the group policy settings that I will be discussing in the group policy tree at: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.
Preventing Installation of Removable Devices
As the name of this policy setting implies, the Prevent Installation of Removable Devices setting prevents users from installing removable devices. This policy is primarily designed to prevent users from attaching USB- or FireWire-based devices to their systems.
Prevent Installation of Devices Not Described By Other Policy Settings
The Prevent Installation of Devices Not Described by Other Policy Settings group policy setting is a catch-all setting. There are a couple of different ways that you can use this policy setting. One thing that you can do is to enable this setting but not enable any other hardware-installation-related settings. In doing so, you will effectively prevent anyone from installing any hardware into systems to which the policy applies.
Another thing that you can do with this group policy setting is to use other policy settings to allow specific devices based on device ID or class and then enable this policy setting. In doing so, you will prevent the installation of any device that you have not specifically allowed users to install.
Preventing the Installation of All Devices
Now that I have discussed all of the various group policy settings related to device installation, I want to conclude this series by showing you how to perform a blanket denial of all device installations. If you are concerned about the installation of prohibited devices in your own organization, then this is the technique that you would most likely use.
The technique that I am about to show you not only prevents end users from installing hardware devices, but it also prevents them from installing or updating device drivers. Administrators may still install devices and/or device drivers in the usual manner.
Begin the procedure by navigating through the group policy console to Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. Next, right-click on the Prevent Installation of Devices Not Described by Other Policy Settings container and select the Properties command from the resulting shortcut menu. When you do, Windows will display the Prevent Installation of Devices Not Described by Other Policies properties sheet, shown in Figure A. Now select the Enable option found on the Settings tab to enable the policy setting. Click OK to return to the main Group Policy Editor screen.
Figure A: The Prevent Installation of Devices Not Described by Other Policies properties sheet is a catch-all policy setting that restricts the installation of all devices that have not been specifically allowed by other policy settings.
What we have done so far is to create a policy that prevents the installation of all devices. Now we need to tweak the policy so that Administrators still have the right to install devices. To do so, right-click on the Allow Administrators to Override Device Installation Policies container and select the Properties command from the resulting shortcut menu. When you do, Windows will display the Allow Administrators to Override Device Installation properties sheet, shown in Figure B.
Figure B: The Allow Administrators to Override Device Installation properties sheet can be used to ensure that Administrators are still allowed to install hardware devices.
You must now enable the policy by selecting the Enable option found on the Settings tab. Click OK to return to the main Group Policy Editor screen. When you look at the main Group Policy Editor screen, both of the policies that you have enabled should be listed as being enabled.
Now that you have enabled the necessary group policy settings, it is time to test them. To do so, log into the domain using a workstation that's running Windows Vista. Initially, you should log in as a normal user. Remember that the policy that you have created only applies to Windows Vista. Therefore, you should log into a machine that's running Vista and is connected to a Longhorn Server domain, using a domain user account.
After logging in, open the Control Panel and then click the System and Maintenance link. When the System and Maintenance screen appears, click on the Device Manager link. When you do, you should receive the following error message:
You do not have sufficient privileges to uninstall devices or to change device properties or device drivers. Please contact your site administrator, or logout and log in again as an administrator and try again.
This proves that the group policy settings that you have implemented are preventing users from installing devices. Now, you need to log in as a domain administrator and attempt to open the Device Manager. We have created a policy saying that Administrators are exempt from device installation restrictions, so you should be able to open the Device Manager with no problem.
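As an added check that is not part of the original article: once the policy has applied to the Vista workstation (for example after gpupdate /force), the two settings you enabled land as DWORD values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions. The value names DenyUnspecified and AllowAdminInstall are the registry backing of these two policies in the DeviceInstallation ADMX template (verify against your own template); the function and output property names are my own.

```powershell
# Added example: audit the registry footprint of the two Device Installation
# Restrictions settings enabled in the article, so an admin can confirm the
# policy actually applied before testing in Device Manager. Key path and value
# names come from the DeviceInstallation ADMX template (verify against yours);
# the function name and output properties are assumptions of this example.
# Written with New-Object rather than [pscustomobject] so it runs on PowerShell 2.0.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceInstallRestrictionState {
    param([string]$Path = $RestrictionsKey)

    # Expected end state after the article's procedure:
    #   DenyUnspecified   = 1  (Prevent Installation of Devices Not Described by Other Policy Settings)
    #   AllowAdminInstall = 1  (Allow Administrators to Override Device Installation Policies)
    $expected = @{ DenyUnspecified = 1; AllowAdminInstall = 1 }

    if (-not (Test-Path -Path $Path)) {
        return New-Object PSObject -Property @{
            Compliant = $false
            Detail    = "Policy key missing: $Path (policy not applied yet? run gpupdate /force)"
        }
    }

    $key = Get-ItemProperty -Path $Path
    $problems = foreach ($name in $expected.Keys) {
        $actual = $key.$name
        if ($null -eq $actual) { "$name is not set (expected $($expected[$name]))" }
        elseif ($actual -ne $expected[$name]) { "$name is $actual (expected $($expected[$name]))" }
    }

    # Per-device-ID / per-class allow lists, if any, live in Allow* subkeys;
    # list their sizes so the admin can see what non-admins may still install.
    $allowLists = Get-ChildItem -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Allow*' } |
        ForEach-Object { "$($_.PSChildName): $($_.GetValueNames().Count) entries" }

    New-Object PSObject -Property @{
        Compliant  = (@($problems).Count -eq 0)
        Detail     = if ($problems) { $problems -join '; ' } else { 'DenyUnspecified=1 and AllowAdminInstall=1 are both set' }
        AllowLists = $allowLists
    }
}

Get-DeviceInstallRestrictionState | Format-List
```

Run it in an elevated PowerShell on the workstation after logging in as a normal user has produced the Device Manager error above; a Compliant value of $false with a "key missing" detail means Group Policy has not yet refreshed rather than that the settings are wrong.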