大家好,我有以下问题,请帮忙看看:
公司要求禁用USB储存设备,交给我来做这个事。
请问怎样才能“禁用USB存储设备而不影响USB键鼠使用”呢?我在BIOS中设置了禁用USB设备后,USB键鼠也就无法使用了。
网上查过资料,虽然说在注册表中的“USBSTOR”部分可以设置,但据说重启电脑后又恢复了;
即使可以用什么方式固定注册表的这种方式,但如果某些电脑重新安装了系统后,可能就会忘记修改注册表,也不是最适合的解决方案吧。
谢谢!
------解决方案--------------------------------------------------------
策略中禁止盘符的增减变动.
------解决方案--------------------------------------------------------
1.如果是每个PC都封,而且一次性解决的话,不太现实,还不如统一换成使用终端,除键盘鼠标显示器其他什么都没有;
2.如果是防止数据外泄的话,这并不是一个好办法.邮件,外网空间,打印成文档都可能造成数据流失,只能用管理办法.
需求决定设备,通过改造设备来满足需求是很费事的,效果也不会怎么好..
------解决方案--------------------------------------------------------
我们现在用的一套电脑使用行为管理软件可以实现这个功能,LZ不妨考虑一下
------解决方案--------------------------------------------------------
收藏了 谢谢 分享
------解决方案--------------------------------------------------------
我机器被人使用后,每次插移动存储设备驱动都得自动重新安装一次,你提供的是个方向.
域是个很好的管理办法.
感谢提供解决方法.
现全盘转载如下:
How to disable USB Drives (jump/flash/external/etc.)
This explains how to disable ONLY USB storage devices(flash/Jump/external HD's) completely without disabling keyboards, mice, etc.
I decided to go this route after trying every other option I could find on the internet. So far this is the only way I have found to completely kill USB drives without ways to get around restrictions. edit: WITHOUT PURCHASING THIRD PARTY SOFTWARE
First thing to do is this:
1.Run regedit and navigate to HKLM\system\currentcontrolset\services\USBstor.
2.Change the value of the dword "Start" from 3 to 4. If the dword "Start" doesnt exist, create it. This will prevent a previously installed USB device from loading when the device is plugged into the machine. ((As most of you know this a Microsoft suggestion, which does work perfectly at disabling previously installed devices, however, this alone will not disable USB storage completely. If a user plugs a new USB storage device into the machine the device will install and the dword value will be reset to 3. Now if you incorporate adding this into a script it alone will disable USB drives, but only after a user plugs a device in, removes it without uninstalling it, logs off then logs back on, thereby running the script. This means that there is a window of opportunity for users to have access to new devices, this may be acceptable for some, but not for others.))
3. The next thing to do is to change the permisions on the USBSTOR key. You need to DENY full control on the "system" group.
((What this does is denies everyone the ability to access the USBStor key, effectively killing the ability for any user (including admins) to install USB storage devices. Now the reason you deny the "system" group is because windows will use this account if no one is logged onto the machine yet. What I mean by this is if say you want to deny a group of users called "staff", you would need to deny them using GP or a logon script. This will work great, but, if a "staff" group user plugs a USB drive in before logging in to Windows the device will be installed using in the backgroud using the "system" group, then when the user logs in the "staff" group policy is applied dening the user access to the USBstor key, but by this point it makes no difference because the devices is already installed and accessible and once a device is installed the usbstor key is no longer used.))
3. So now that these two steps are are done, *NO ONE* will be able to install USB drives.
If a user tries to use a previously installed drive the device will be blocked and nothing will happen, no prompts, nothing. This is accomplished through step 1, the dword value.