Code:
http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-Control-Device-Management-Part1.html

PART-1

In this article I will show you how to control access to devices via group policy in Longhorn Server.

One particularly challenging aspect of Windows security has always been controlling the user’s access to the hardware on their workstation. Years ago, some of the more security conscious companies were removing CD-ROM and floppy drives from workstations. Today though, USB ports are an even more serious threat. Most electronics stores sell USB adapters for hard drives that allow the drives to be used externally. What this means is that it is easy for any user to plug in an external hard drive and copy all of the data that they have access to. I have known of companies to fill workstation USB ports with epoxy in an effort to prevent such intrusions.
If you don’t like the idea of permanently damaging workstation hardware, then there are a variety of third-party products that are designed to help restrict the user’s access to a workstation’s hardware. For example, GFI makes a product called GFI End Point Security (http://www.gfi.com/endpointsecurity/) that is designed to regulate which types of USB devices users are allowed to use. In Longhorn Server though, you will be able to regulate device management via group policy.
The Available Group Policy Settings

Longhorn Server offers several different group policy settings that can be configured in an effort to control device usage on workstations. If you open the Group Policy Editor, you can find the device installation related settings at Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restrictions. Figure A shows the group policy settings that are available. Before I talk about the individual group policy settings though, I should mention that these settings are only effective on computers running Windows Vista or Longhorn Server. They cannot be used to lock down devices on computers running Windows XP.

Figure A: These are the available device installation related group policy settings
Now that you know which policy settings are available, I want to take a moment and talk about what each of the settings is used for. The first policy setting on the list is fairly self-explanatory. The Allow Administrators to Override Device Installation Policy setting makes anyone who is a member of the Local Administrators group exempt from any device installation policies that you might establish.
The next policy setting on the list is Allow Installation of Devices Using Drivers for These Device Classes. This is just a complicated way of saying “restrict device by category”. A device class is nothing more than a device category. If you have ever opened the Device Manager, you probably noticed that devices are grouped by category, as shown in Figure B.

Figure B: The Device Manager groups devices by category
This grouping by category is more significant than you might at first realize. Each device class is a grouping of devices that are installed and configured in an identical manner. Devices within a class use the same co-installer when installed.
This is significant because each device has its own Globally Unique Identifier (GUID) that identifies the device to the rest of the system. In addition, each device also has a GUID that corresponds to its class. This class GUID lets Windows know what kind of device it is so that the operating system knows how to interact with it. If you can figure out a device class’s GUID, then you can restrict or allow the use of devices within that device class.
Of course the real trick is determining a device class’s GUID. To do so, open the Device Manager and right click on a device within the class that you want to obtain the GUID for. Select the Properties command from the resulting shortcut menu and you will see the device’s properties sheet. Now go to the properties sheet’s Details tab and select the Device Class GUID option from the Property drop down list, as shown in Figure C.

Figure C: You can get a class’s GUID from a device’s properties sheet
Now, go back to the Group Policy Editor and double click on the Allow Installation of Devices Using Drivers for These Device Classes setting. When you do, you will see the dialog box that’s shown in Figure D.

Figure D: This dialog box contains a Show button that you can use to show which device classes are allowed
This particular setting assumes that you have implemented a general block on device installations, but that you want to allow installations for one or more specific device classes. If you click the Show button, you will see a list of device classes that are currently exempt from the installation restrictions. Of course, no device classes should be listed by default. Therefore, click the Add button and you will have the opportunity to enter the GUID for the device class of your choice. Click OK three times to close the various open dialog boxes and you are all set.
I just showed you how to allow device installations based on class. However, you can also do the opposite. The next group policy setting on the list is Prevent Installation of Drivers Matching these Device Setup Classes. This group policy setting works in exactly the same manner as the one that I just showed you, except that you use it to prevent the installation of devices within a class rather than allowing class based installations.
The next two available group policy settings are Allow (or prevent) Installation of Devices that Match any of these Device IDs. When we were working with device classes, we had to rely on the use of GUIDs. Although there are device level GUIDs, for some reason these particular group policy settings do not use them. Instead, they use the device’s plug and play ID.
You can find a device’s plug and play ID by right clicking on the device within the Device Manager and then selecting the Properties command from the resulting shortcut menu to reveal the device’s properties sheet. Next, select the properties sheet’s Details tab and then select the Hardware IDs option from the Property drop down list. The Hardware IDs will look something like what is shown in Figure E.

Figure E: You can use the Device Manager to gain access to a device’s hardware ID
As you can see in the figure, it is common for a device to have multiple hardware IDs. Furthermore, sometimes a single physical device will be listed as multiple logical devices. Sound cards are a classic example of such a device. The sound card itself will have its own hardware IDs, but so will the various logical devices listed under the sound card. Whether you are allowing or preventing a device, it is important to list all of the device’s hardware IDs.
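Because a single physical device can carry several hardware IDs and can appear as several logical devices, it is worth pulling the complete list from the machine rather than reading it off one properties sheet at a time. The following script is an added example, not code from the original article or from Microsoft; it queries the Win32_PnPEntity WMI class (present on Vista and later) and prints every device's setup-class GUID and every hardware ID, grouped by class, so that the whole set can be reviewed before it is entered into the Allow or Prevent Installation of Devices that Match any of these Device IDs policies. The -NamePattern parameter is my own addition for narrowing the listing.

```powershell
# Added example (not from the original article): list Plug and Play devices on the
# local machine with their setup-class GUID and ALL of their hardware IDs.
# Assumes Windows PowerShell with WMI access; Win32_PnPEntity exposes ClassGuid,
# DeviceID and the HardwareID string array on Vista and later.
param(
    # Hypothetical filter, e.g. '*USB*' or '*Audio*'; '*' lists every device.
    [string]$NamePattern = '*'
)

$devices = Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.Name -like $NamePattern }

# Group by setup-class GUID: this is the value the "Device Classes" policies act on.
$devices | Group-Object -Property ClassGuid | Sort-Object Name | ForEach-Object {
    "== Setup class {0}  ({1} device(s))" -f $_.Name, $_.Count
    foreach ($dev in $_.Group) {
        "  {0}" -f $dev.Name
        "    Instance ID : {0}" -f $dev.DeviceID
        # HardwareID is an array; the article's point is that every entry matters.
        if ($dev.HardwareID) {
            foreach ($hwid in $dev.HardwareID) { "    Hardware ID : {0}" -f $hwid }
        } else {
            "    Hardware ID : (none reported)"
        }
    }
}
```

Run it once with a broad pattern such as `'*Audio*'` and you will see the sound card case the text describes: the card itself and each of its logical child devices show up under the same setup class, each with its own hardware IDs, all of which need to be entered into the policy.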
As for the process of actually allowing or restricting a device, simply double click on the appropriate group policy setting, and you will see a dialog box similar to the one that’s shown in Figure F. As you can see in the figure, this dialog box is identical to the one that you saw when we were talking about device classes except that the example has changed to show you how you are supposed to enter a device’s hardware ID.

Figure F: This is the dialog box associated with entering hardware IDs
Conclusion

As you can see, the new device installation related group policy settings are very powerful. In Part 2, I will discuss the remaining policy settings as well as show you how to apply a blanket installation lockdown.


Code:
http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-Control-Device-Management-Part2.html

PART-2

In Part 1 of this article series, I showed you the majority of the group policy settings that can be used to control the installation of hardware devices on workstations. In this article, I will discuss the remaining group policy settings. Later, I will also show you how to create a blanket group policy that prevents the installation of all hardware devices on workstations.
Before I Begin

Just in case you missed part 1 of this article series, the group policy settings that I am discussing are unique to Windows Longhorn Server. These group policy settings can be used to secure workstations that are running Windows Vista. However, these settings have no effect on systems running Windows XP, Windows Server 2003, or older versions of Windows. You can find the group policy settings that I will be discussing in the group policy tree at: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.
Preventing Installation of Removable Devices
As the name of this policy setting implies, the Prevent Installation of Removable Devices setting prevents users from installing removable devices. This policy is primarily designed to prevent users from attaching USB or FireWire based devices to their systems.
Prevent Installation of Devices Not Described By Other Policy Settings
The Prevent Installation of Devices Not Described by Other Policy Settings group policy setting is a kind of catch-all setting. There are a couple of different ways that you can use this policy setting. One thing that you can do is to enable this setting, but not enable any other hardware installation related settings. In doing so, you will effectively prevent anyone from installing any hardware into systems to which the policy applies.
Another thing that you can do with this group policy setting is to use other policy settings to allow specific devices based on device ID or class and then enable this policy setting. In doing so, you will prevent the installation of any device that you have not specifically allowed users to install.
Preventing the Installation of All Devices

Now that I have discussed all of the various group policy settings related to device installation, I want to conclude this series by showing you how to perform a blanket denial of all device installations. If you are concerned about the installation of prohibited devices in your own organization, then this is the technique that you would most likely use.
The technique that I am about to show you not only prevents end users from installing hardware devices, but it also prevents them from installing or updating device drivers. Administrators may still install devices and/or device drivers in the usual manner.
Begin the procedure by navigating through the group policy console to Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. Next, right click on the Prevent Installation of Devices Not Described by Other Policy Settings container and select the Properties command from the resulting shortcut menu. When you do, Windows will display the Prevent Installation of Devices Not Described by Other Policies properties sheet, shown in Figure A. Now select the Enable option found on the Settings tab to enable the policy setting. Click OK to return to the main Group Policy Editor screen.

Figure A: The Prevent Installation of Devices Not Described by Other Policies properties sheet is a sort of catch all policy setting that restricts the installation of all devices that have not been specifically allowed by other policy settings
What we have done so far is to create a policy that prevents the installation of all devices. Now we need to tweak the policy so that Administrators still have the right to install devices. To do so, right click on the Allow Administrators to Override Device Installation Policies container and select the Properties command from the resulting shortcut menu. When you do, Windows will display the Allow Administrators to Override Device Installation properties sheet, shown in Figure B.

Figure B: The Allow Administrators to Override Device Installation properties sheet can be used to ensure that Administrators are still allowed to install hardware devices
You must now enable the policy by selecting the Enable option found on the Settings tab. Click OK to return to the main Group Policy Editor screen. When you look at the main Group Policy Editor screen, both of the policies that you have enabled should be listed as being enabled.
Now that you have enabled the necessary group policy settings, it is time to test those settings. To do so, log into the domain using a workstation that’s running Windows Vista. Initially, you should log in as a normal user. Remember that the policy that you have created only applies to Windows Vista. Therefore, you should log into a machine that’s running Vista, and is connected to a Longhorn Server domain with a domain user account.
After logging in, open the Control Panel and then click the System and Maintenance link. When the System and Maintenance screen appears, click on the Device Manager link. When you do, you should receive the following error message:
You do not have sufficient privileges to uninstall devices or to change device properties or device drivers. Please contact your site administrator, or logout and log in again as an administrator and try again.
This proves that the group policy settings that you have implemented are preventing users from installing devices. Now, you need to log in as a domain administrator and attempt to open the Device Manager. We have created a policy saying that Administrators are exempt from device installation restrictions, so you should be able to open the Device Manager with no problem.
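Opening the Device Manager as a normal user and then as an administrator is a good functional test, but it does not tell you exactly which settings reached the client. The following script is an added example, not code from the original article or from Microsoft, for checking the applied state on a Vista-or-later client after a policy refresh. It assumes (my assumption, taken from the deviceinstallation.admx template rather than from the article; verify against your own template) that these settings are written under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions as DWORD flags named DenyUnspecified, AllowAdminInstall and DenyRemovableDevices, with the class and ID lists stored as numbered string values in subkeys named AllowDeviceClasses, DenyDeviceClasses, AllowDeviceIDs and DenyDeviceIDs.

```powershell
# Added example (not from the original article): audit the device installation
# restrictions that Group Policy has applied on this client.
# Assumption (mine): the policy registry layout described in the lead-in.
# Run from an elevated prompt after "gpupdate /force".
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyFlag {
    param([string]$Name)
    $item = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured' }
    if ($item.$Name -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

function Get-PolicyList {
    param([string]$SubKey)
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { return @() }
    # Entries are stored as values named 1, 2, 3 ... holding a GUID or hardware ID.
    (Get-Item $path).GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { (Get-ItemProperty -Path $path -Name $_).$_ }
}

if (-not (Test-Path $base)) {
    "No device installation restrictions are applied on this machine."
    return
}

$denyUnspecified = Get-PolicyFlag 'DenyUnspecified'
$adminOverride   = Get-PolicyFlag 'AllowAdminInstall'
$denyRemovable   = Get-PolicyFlag 'DenyRemovableDevices'

"Prevent installation of devices not described by other policy settings : $denyUnspecified"
"Allow administrators to override device installation policy           : $adminOverride"
"Prevent installation of removable devices                             : $denyRemovable"

foreach ($list in 'AllowDeviceClasses', 'DenyDeviceClasses', 'AllowDeviceIDs', 'DenyDeviceIDs') {
    $entries = @(Get-PolicyList $list)
    "{0} ({1} entries)" -f $list, $entries.Count
    $entries | ForEach-Object { "    $_" }
}

# The blanket lockdown from the article is in place only when BOTH flags are enabled.
if ($denyUnspecified -eq 'Enabled' -and $adminOverride -eq 'Enabled') {
    "Result: blanket lockdown active; local Administrators can still install devices."
} elseif ($denyUnspecified -eq 'Enabled') {
    "Result: blanket lockdown active with NO administrator override; administrators are blocked too."
} else {
    "Result: no blanket lockdown; only the listed class and ID rules apply."
}
```

The second branch is the one to watch for: if the Allow Administrators to Override setting is forgotten, the error message quoted above will appear for the domain administrator as well, and the only way back is to edit the policy from a machine that is not subject to it.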
Conclusion

In this article series, I have explained that users installing unauthorized devices can be a huge problem for a corporation. If for example, a user were to install a removable storage device, there is the potential for the user to copy sensitive data to the removable device. Even if your company’s data is not sensitive, allowing users to install their own hardware can increase support cost and can make it difficult to maintain an accurate hardware inventory (what belongs to the company and what belongs to the user).
In the past, solutions have included third-party security products or making modifications to workstation hardware that make the installation of removable devices impossible. However, Windows Longhorn Server allows you to control who does and does not have the ability to install hardware via group policy settings. In this article series I have shown you these group policy settings and explained how they work.