Keychain Drive Restrictions

[Michael Plotner]

Hello all,

I'd like to know how I might use Group Policies to
prevent users from being able to install a USB Keychain
drive on a Windows 2000 or XP Pro workstation. Even with
limited User rights it seems one could plug in a 64MB USB
solid state drive and copy confidential company data.
Ignoring the novel concept of trustworthy employees and
assigning appropriate file permissions, *cough*, a minimum
of restricting read/write access to certain drive letters
(used and unused) would also be an acceptable preventive
measure. Is it possible to do this through Group Policies?

All help is appreciated,
Michael Plotner

 

[Tim Springston \(MSFT\)]

Hi Michael-

If your users have local Administrative access so that they can install
hardware then they will be able to do this.

The answer (I suspect you know this already) is to not allow local
Administrative access for the domain users.

You may consider editing the security settings in Computer
Management->Removable Storage->Properties->Security and removing or denying
access for all, but this is all or nothing for ALL removable storage. That
would prevent use of CD-ROM as well.

 

[Tim Springston \(MSFT\)]

I would recommend testing it, but I think that should work for you.
Unfortunately, I don't know of a way to distribute that setting, such as you
could do using group policy.