Allow CD/DVD drives, but block USB drives

Hello,

I want to block USB drives, but allow Read-Only access to IDE CD/DVD drives.

For some people the CD drive is D:, for others it is either E: or F:...

On my computer, where I access the RAC, they are T: and U:...

How can I allow the CD/DVD drives, while still blocking USB thumb drives?

 

I think you can handle that with the "Exceptions" under the Block Media option and select only the ports/drives to be scanned.

 

I know about that, but as I said -

I am trying to do this via a policy, and the RAC GUI only allows you to add drive exceptions that *exist* *on* *my* PC*. The problem is, the CD drives on *my* computer are T: and U:, but the drives on everyone else's will be either D: or E:...

HELP!!!

 

Ah, sorry about that. It wasn't clearly stated that is what you were trying to do.

Can you go to one of the Clients that has the D: and E:. Setup the exceptions and export the config file. You should then be able to import the config file into the Policy Editor in ERAC and it will have the exceptions from the Client machine.

 

USB drives are unequivocally identified by their names in the device manager, the drive letter doesn't matter. An example of such an xml:
<NODE NAME="@My profile" TYPE="SUBNODE">
<NODE NAME="ExceptionDevicesList" TYPE="SUBNODE">
<NODE NAME="27" NAMEVIEW="Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293A" CHECKED="1" TYPE="SUBNODE">
<NODE NAME="28" NAMEVIEW="Root Hub" CHECKED="1" TYPE="SUBNODE">
<NODE NAME="29" NAMEVIEW="[Port1] " CHECKED="0" />
<NODE NAME="30" NAMEVIEW="[Port2] " CHECKED="0" />
<NODE NAME="31" NAMEVIEW="[Port3] " CHECKED="0" />
<NODE NAME="32" NAMEVIEW="[Port4] " CHECKED="0" />
<NODE NAME="33" NAMEVIEW="[Port5] " CHECKED="1" />
<NODE NAME="34" NAMEVIEW="[Port6] " CHECKED="1" />
</NODE>
</NODE>
</NODE>

 

Hi Marcos,

Ummm... ok, thanks for the reply, but I'm at a loss as to how I could use that to accomplish what I'm trying to do.

Could you elaborate on how I might actually implement such a policy, that would block all USB drives, but still allow CD/DVD ROM drive access?

Thanks,

Charles

 

I assume that the CDROM is not connected via USB so this feature has absolutely no effect on it. If the same hardware is used on all computers, you can download the configuration from one machine, mark all ports on all usb controllers in the cfg editor and push the configuration back to all clients.

 

Ok, but I don't understand *where* I'm supposed to put those.

I can block ALL removable media, and add *exceptions*, but this would be the *opposite* of that...