In part one of this series on preventing access to removable storage devices, I explained the advantages of using Group Policy object settings to control the use of removable devices. In this article, I want to continue the discussion by explaining what the various Group Policy settings do. All of the settings that I describe in this article can be found in the Group Policy Object Editor under Local Computer Policy | Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restrictions. (In a domain GPO, the same path begins at Computer Configuration | Policies | Administrative Templates.)
Allow administrators to override device installation restriction policies
This is one of the most important device-related Group Policy settings. Although you presumably want to prevent your end users from installing new hardware devices, the network administrators and the help desk staff need to have the ability to attach external devices to workstations. When this setting is enabled, members of the local Administrators group can install and update drivers for any device, regardless of the other restriction settings described below; standard users remain subject to all of them.
For example, in Company X, corporate policy forbids any of the workstations from having CD/DVD drives. When members of the help desk staff make a repair on a machine, they often have to plug an external DVD drive into the machine's USB port to facilitate loading the necessary software. A blanket denial of the use of external devices for everyone in the company would be a big problem in situations like this one.
Allow installation of devices for drivers that match these device setup classes
When you want to allow the use of a whole type of device, this Group Policy setting lets you list the device setup classes (by GUID) whose devices users may install. For example, one option for Company X would be to block the installation of everything not described by another policy setting and then allow only the setup classes that the help desk's external drives need. Keep in mind that a USB DVD drive shows up as more than one device node (a USB mass storage parent in the USB class, with a CDROM-class device beneath it), so every class in that chain has to be allowed, not just the CDROM class.
One caveat: This Group Policy setting only has an effect when the setting Prevent Installation of Devices Not Described By Other Policy Settings is also enabled, because the Allow settings only punch holes through that catch-all; they do not override a matching Prevent setting. I will talk more about the catch-all setting later on.
Prevent installation of devices using drivers that match these device setup classes
This setting allows you to specify the device setup classes whose devices cannot be installed on the system. Unfortunately, you don't have the option of simply picking the types of devices you do and do not want to allow from a list. Instead, you will have to supply the setup class GUID (in braces, one per entry) of each class that you want to block.
Please note: The Device Manager groups devices by setup class. Each class is identified by a GUID, and the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class contains one subkey per class, named after that GUID; the subkey's Class value holds the short class name (CDROM, DiskDrive, USB and so on) that Device Manager displays.
Keep in mind that making modifications to the registry can be dangerous. Incorrect modifications can leave Windows and/or your applications unusable. If you just want to look up class GUIDs, you should not have to make any registry modifications; however, I recommend making a full system backup anyway, just to be safe.
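The lookup described above, done from PowerShell instead of by browsing the registry editor, as an added example that is not part of the original article. It only reads the Class key and writes nothing; it assumes a local Windows machine with PowerShell 3.0 or later, and the class names used in the sample call are the standard ones Device Manager shows.

```powershell
# Added example (not from the article): read-only lookup of device setup classes and
# their GUIDs from HKLM\SYSTEM\CurrentControlSet\Control\Class. Nothing is written.
function Get-DeviceSetupClass {
    [CmdletBinding()]
    param(
        # One or more class names as Device Manager shows them (wildcards allowed):
        # 'CDROM', 'DiskDrive', 'USB', 'WPD', ... Default: every class.
        [string[]]$Name = @('*')
    )
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each subkey is named after the class GUID (in braces); its 'Class' value is
            # the short class name and the key's default value is the display name.
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Class       = $props.Class
                ClassGuid   = $_.PSChildName
                Description = $props.'(default)'
            }
        } |
        Where-Object {
            $class = $_.Class
            @($Name | Where-Object { $class -like $_ }).Count -gt 0
        } |
        Sort-Object Class
}

# The classes a USB DVD drive and a USB flash drive pass through when they install:
# the USB mass-storage parent (class USB) and the CDROM or DiskDrive child beneath it.
Get-DeviceSetupClass -Name 'USB', 'CDROM', 'DiskDrive', 'WPD' | Format-Table -AutoSize
```

The ClassGuid column is what you paste, braces included, into the setup-class settings. The same GUIDs are also listed in Microsoft's documentation of system-defined device setup classes, which is a useful cross-check when a machine has been customised.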
Display a custom message when installation is prevented by a policy (balloon text)
Enabling this policy setting allows you to display a custom message any time a user attempts to install an unauthorized device. The title of that balloon is set separately, in the companion setting Display a custom message title when device installation is prevented by a policy setting; enable both if you want the balloon to carry your own text and your own title.
Allow installation of devices that match any of these device IDs
With this Group Policy setting, you specify which individual devices can be used. Every plug-and-play device reports one or more hardware IDs (and usually some more generic compatible IDs); the setting accepts either kind. By entering those IDs into this Group Policy setting, you can make sure that users are not prohibited from using the corresponding hardware. Like the setup-class allow setting, it only has an effect when the catch-all Prevent Installation of Devices Not Described By Other Policy Settings is enabled.
To locate the hardware IDs for a specific device, open the Device Manager, right click on the device that you are interested in and select the Properties command from the resulting shortcut menu. Upon doing so, you will see the device's properties sheet. Now, go to the properties sheet's Details tab and select Hardware IDs from the Property drop-down list. The tab will now display the device's hardware IDs. I will discuss this process in more detail in the third part of this series.
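The same information gathered for every attached USB device node at once, as an added example that is not part of the original article. It uses the PnpDevice cmdlets, which exist on Windows 8 / Server 2012 and later (on Vista and Windows 7 the Device Manager route above is the way to go); the DEVPKEY property names are the documented ones, and the removable flag is read from the device capabilities bitmask, which is the mechanism assumed here to back the removable-devices setting described further down.

```powershell
# Added example (not from the article): collect the values needed for the device-ID
# and setup-class settings for every present device node under a given enumerator.
# Requires the PnpDevice module (Windows 8 / Server 2012 or later).
function Get-DeviceInstallIds {
    [CmdletBinding()]
    param(
        # Enumerator prefix of the instance IDs to inspect: 'USB' for the parent
        # nodes, 'USBSTOR' for the disk / CD-ROM children beneath them.
        [string]$Enumerator = 'USB'
    )
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like "$Enumerator\*" } |
        ForEach-Object {
            $dev = $_
            # Read one device property by its DEVPKEY name; a missing property yields $null.
            $read = {
                param([string]$Key)
                (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $Key -ErrorAction SilentlyContinue).Data
            }
            $caps = & $read 'DEVPKEY_Device_Capabilities'
            [pscustomobject]@{
                Name          = $dev.FriendlyName
                InstanceId    = $dev.InstanceId
                Class         = $dev.Class
                # Paste into "... match these device setup classes"
                ClassGuid     = & $read 'DEVPKEY_Device_ClassGuid'
                # Paste into "... match any of these device IDs"; hardware IDs are the
                # most specific, compatible IDs are the generic fallbacks Windows also matches
                HardwareIds   = @(& $read 'DEVPKEY_Device_HardwareIds')
                CompatibleIds = @(& $read 'DEVPKEY_Device_CompatibleIds')
                # CM_DEVCAP_REMOVABLE (0x4) is set by the bus driver when it reports the
                # device as removable, which is what the removable-devices setting keys on
                Removable     = [bool]($caps -band 0x4)
            }
        }
}

# Parents first, then the storage children they expose: both layers matter when you
# build allow lists, because the child cannot install if its parent was refused.
Get-DeviceInstallIds -Enumerator 'USB'     | Format-List Name, Class, ClassGuid, HardwareIds, Removable
Get-DeviceInstallIds -Enumerator 'USBSTOR' | Format-List Name, Class, ClassGuid, HardwareIds, CompatibleIds, Removable
```

A practical tip: plug the device in once on a machine that is not yet restricted, run the function, and record the full chain of hardware IDs and class GUIDs. Allowing only the leaf device (the USBSTOR child) while the catch-all refuses its USB parent leaves the device just as blocked as before.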
Prevent installation of a device that matches any of these device IDs
Just as you can allow specific devices to be used, you can also prevent them. Like the aforementioned policy, this Group Policy setting requires you to enter the hardware IDs (or compatible IDs) for devices you don't want users to install. It also offers the option Also apply to matching devices that are already installed, which extends the block to devices that were present before the policy arrived; without it, only new installations are refused.
Prevent installation of removable devices
With this setting, you can prevent the use of removable devices. Windows considers a device removable when the driver for the bus it is connected to reports it that way; a USB hub driver, for example, reports the devices attached to it as removable. Keep in mind that enabling this policy will only prevent users from installing new removable devices. They can continue to use previously installed removable devices (unless those devices are blocked by another policy setting), but users will be unable to update the drivers for those devices.
Prevent installation of devices not described by other Group Policy settings
Most of the settings I have talked about focus on specific devices or device classes. However, it is impossible for an administrator to know about every hardware device in existence. That being the case, Microsoft has created this Group Policy setting as a catch-all that allows you to block the installation of any device that you have not specifically chosen to allow. The evaluation order is worth remembering: a device matched by any Prevent setting is refused no matter what; a device matched by an Allow setting gets through this catch-all; everything else is refused once this setting is enabled. Administrators are exempt from all of it only if the override setting described first is enabled.
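Putting the Company X scenario together (catch-all on, administrator override on, CD/DVD drives blocked for everyone else, one approved device whitelisted, custom balloon text), as an added example that is not part of the original article. It writes the registry values that the Device Installation Restrictions administrative templates set, which is appropriate for a stand-alone test machine; on a domain, configure the same options in a GPO rather than writing the key by hand. Assumptions: the value names match the DeviceInstallation.admx template, the CDROM class GUID is Microsoft's system-defined one, and 'USB\VID_0000&PID_0000' is a placeholder standing in for a real approved device's hardware ID. Run it elevated.

```powershell
# Added example (not from the article): the Company X policy expressed as the registry
# values behind the Device Installation Restrictions settings, for a stand-alone
# test machine. Value names are assumed to match DeviceInstallation.admx.
function Set-DeviceInstallRestriction {
    [CmdletBinding()]
    param(
        [switch]$DenyUnspecified,          # catch-all: refuse anything not allowed below
        [switch]$AllowAdminOverride,       # local Administrators bypass every restriction
        [switch]$DenyRemovable,            # refuse devices the bus driver reports as removable
        [string[]]$DenyClassGuids = @(),   # setup classes to block (also applied to installed devices)
        [string[]]$AllowHardwareIds = @(), # specific devices allowed through the catch-all
        [string]$Title   = 'Device installation blocked',
        [string]$Message = 'Contact the help desk if you need this device approved.'
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path $base -Force | Out-Null

    # A list setting is a DWORD flag on the Restrictions key plus a subkey of the
    # same name holding the entries as string values named 1, 2, 3, ...
    function Write-PolicyList([string]$Name, [string[]]$Items) {
        $key = Join-Path $base $Name
        if (Test-Path $key) { Remove-Item -Path $key -Recurse }   # drop stale entries
        if ($Items.Count -gt 0) {
            New-Item -Path $key -Force | Out-Null
            for ($i = 0; $i -lt $Items.Count; $i++) {
                Set-ItemProperty -Path $key -Name ($i + 1) -Value $Items[$i] -Type String
            }
        }
        Set-ItemProperty -Path $base -Name $Name -Value ([int]($Items.Count -gt 0)) -Type DWord
    }

    Set-ItemProperty -Path $base -Name DenyUnspecified      -Value ([int]$DenyUnspecified.IsPresent)    -Type DWord
    Set-ItemProperty -Path $base -Name AllowAdminInstall    -Value ([int]$AllowAdminOverride.IsPresent) -Type DWord
    Set-ItemProperty -Path $base -Name DenyRemovableDevices -Value ([int]$DenyRemovable.IsPresent)      -Type DWord
    Write-PolicyList -Name 'DenyDeviceClasses' -Items $DenyClassGuids
    Set-ItemProperty -Path $base -Name DenyDeviceClassesRetroactive -Value ([int]($DenyClassGuids.Count -gt 0)) -Type DWord
    Write-PolicyList -Name 'AllowDeviceIDs' -Items $AllowHardwareIds

    # Balloon shown when a device is refused; title and text are separate settings.
    $denied = Join-Path $base 'DeniedPolicy'
    New-Item -Path $denied -Force | Out-Null
    Set-ItemProperty -Path $denied -Name SimpleText -Value $Title   -Type String
    Set-ItemProperty -Path $denied -Name DetailText -Value $Message -Type String
}

# Company X: no CD/DVD drives for users, nothing else new unless approved, and the
# help desk (local Administrators) can still attach its external DVD drive for repairs.
Set-DeviceInstallRestriction -DenyUnspecified -AllowAdminOverride `
    -DenyClassGuids '{4d36e965-e325-11ce-bfc1-08002be10318}' `
    -AllowHardwareIds 'USB\VID_0000&PID_0000'   # placeholder: substitute a real hardware ID

# Review what was written; the device installer consults this key at install time.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
```

The check that matters afterwards is a behavioural one: log on as a standard user, attach a device that is not on the allow list, and confirm that the custom balloon appears and that the device is absent from Device Manager; then repeat as a local administrator and confirm the override lets it install.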
In the third tip in this series, I will show you how to locate removable device IDs for Group Policy settings.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.