Check out the first part of this series on using Group Policy to increase security for removable devices in Windows Vista. Also, check out part two of this series to learn how to use Group Policy settings to prevent the use of removable devices.
Windows Vista makes it easy to prevent the installation of specific types of hardware devices or to block the use of removable storage devices. The trick to making it all work is knowing where to find a device's Hardware ID, Compatible ID and Device Class GUID.
In the first two articles in this series on preventing removable storage device usage via Group Policy settings, I explained that some of the various Group Policy settings require you to identify hardware devices by Hardware ID, Class ID or Class GUID. Here, I will show you how to locate these types of device identifications.
Device IDs, Compatible IDs and Hardware IDs
Hardware manufacturers assign their devices a Device ID, one or more hardware IDs and one or more Compatible IDs. These IDs are used to match a hardware device to a device driver. The Device ID is the most specific type of ID and each device is assigned only one Device ID. It is used as a proof-positive way of identifying a device. Sometimes, though, a hardware device is compatible with multiple drivers, and this is where the Hardware ID list comes into play.
There are several Group Policy settings that make use of the hardware ID. These policy settings include:
- Allow Installation of Devices that Match any of these Device IDs
- Prevent Installation of Devices that Match any of these Device IDs
- Prevent Installation of Devices Described by Other Policy Settings
Each hardware device will have at least one hardware ID. You can locate the hardware ID by following these steps:
- Open the Control Panel.
- Click on System and Maintenance.
- Click on System.
- Click the Device Manager link.
- When the Device Manager opens, right click on the hardware device that you are interested in, and select the Properties command from the resulting shortcut menu.
- Go to the Details tab on the device's properties sheet.
- Select the Hardware IDs option from the Property drop down list.
- The Value field will display the device's Hardware ID. As you can see in Figure A, there may be more than one hardware ID for a specific device.
Figure A: A device may have multiple hardware IDs.
The first ID on the list is actually the Device ID. After that, hardware IDs are listed in order of decreasing suitability.
Compatible IDs are very similar to Hardware IDs. They tell Windows which device drivers are compatible with a particular device. The steps for determining a Compatible ID are identical to those used to find the Hardware ID. The only difference is that you choose the Compatible IDs option from the Property drop-down list, as shown in Figure B.
Figure B: Each device has a list of Compatible IDs.
Class GUIDs
While many of the Group Policy settings I have discussed in previous tips are based on Hardware ID or Compatible ID, the following policies are based on Class GUID:
- Allow Installation of Devices Using Drivers that Match These Device Setup Classes
- Prevent Installation of Devices Using Drivers that Match These Device Setup Classes
As the name implies, a class GUID is a globally unique identifier that is assigned to a class of devices. You have probably noticed that the Device Manager organizes devices by category. Each of the categories is identified by a unique class GUID. Therefore, preventing the use of a particular class GUID effectively blocks the use of any device associated with that device category.
You can find a class GUID by following the same steps you used to locate a device's Hardware ID. Rather than selecting Hardware ID from the Property drop down list, though, choose the Device Class GUID option instead, as shown in Figure C.
Figure C: The Device Class GUID represents the device's category.
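The same three identifiers can be read from a script instead of Device Manager, which also makes it possible to see every device that shares a class GUID before a class-based policy is applied. The following is an added example, not code from the original article: it assumes Windows PowerShell with the Get-WmiObject cmdlet and the Win32_PnPEntity WMI class, and the function names and the '*USB*' name filter are hypothetical choices made for illustration.

```powershell
# Added example (not from the original article).
# Assumes Windows PowerShell 2.0 or later; function names are hypothetical.

function Get-DeviceInstallId {
    # Returns the identifiers that the device-installation policies match on.
    param([string]$NameLike = '*')

    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.Name -like $NameLike } |
        ForEach-Object {
            $dev = $_
            New-Object PSObject -Property @{
                Name          = $dev.Name
                # Kept in the order Windows reports them (most specific first).
                HardwareIDs   = @($dev.HardwareID   | Where-Object { $_ })
                CompatibleIDs = @($dev.CompatibleID | Where-Object { $_ })
                ClassGuid     = $dev.ClassGuid
            }
        }
}

function Get-DeviceClassImpact {
    # Lists every present device in the same category as the given class GUID,
    # i.e. everything a class-based "Prevent Installation" policy would cover.
    param([Parameter(Mandatory = $true)][string]$ClassGuid)

    Get-DeviceInstallId |
        Where-Object { $_.ClassGuid -eq $ClassGuid } |   # -eq ignores case
        Sort-Object Name |
        Select-Object Name,
            @{ Name = 'FirstHardwareID'
               Expression = { $_.HardwareIDs | Select-Object -First 1 } }
}

# Inspect one device ('*USB*' is a sample filter), then check what else
# shares its class GUID before adding that GUID to a policy.
$device = Get-DeviceInstallId -NameLike '*USB*' | Select-Object -First 1
if ($device) {
    $device | Format-List Name, HardwareIDs, CompatibleIDs, ClassGuid
    Get-DeviceClassImpact -ClassGuid $device.ClassGuid | Format-Table -AutoSize
}
```

Run it on a reference machine with the device attached; the values in the output are the strings to paste into the corresponding Group Policy lists.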
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.