<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>www.idmwizard.com &#187; Demos</title>
	<atom:link href="http://www.idmwizard.com/category/demos/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.idmwizard.com</link>
	<description>The Identity Management Wizard</description>
	<lastBuildDate>Wed, 09 Nov 2011 14:48:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Securing USB and CD Drives with temporary group membership</title>
		<link>http://www.idmwizard.com/2011/01/13/securing-usb-and-cd-drives-with-temporary-group-membership/</link>
		<comments>http://www.idmwizard.com/2011/01/13/securing-usb-and-cd-drives-with-temporary-group-membership/#comments</comments>
		<pubDate>Thu, 13 Jan 2011 20:29:19 +0000</pubDate>
		<dc:creator>dimikagi</dc:creator>
				<category><![CDATA[Access Management]]></category>
		<category><![CDATA[ActiveRoles Server]]></category>
		<category><![CDATA[Demos]]></category>
		<category><![CDATA[Quest]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[disable cd-rom]]></category>
		<category><![CDATA[disable usb]]></category>
		<category><![CDATA[gpo]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">http://www.idmwizard.com/?p=237</guid>
		<description><![CDATA[I recently got asked to show how someone could use Quest&#8217;s ActiveRole Server to temporarily grant access to a CD drive, or USB storage device to a select set of users.  I knew it could be done, and didn&#8217;t think it would take too long to demonstrate.  However, I&#8217;m now on my 3rd day of [...]]]></description>
			<content:encoded><![CDATA[<p>I recently got asked to show how someone could use Quest&#8217;s ActiveRoles Server to temporarily grant access to a CD drive or USB storage device to a select set of users.  I knew it could be done, and didn&#8217;t think it would take too long to demonstrate.  However, I&#8217;m now on my 3rd day of devoting some time to this, and it&#8217;s turning out to be a tad bit more difficult than I thought.  The problems are mostly with the logistics and configuration, as you&#8217;ll see if you continue reading.</p>
<p>The first problem was that I was using VMs (virtual machines), and the USB and CD-ROM are virtualized.  That made me nervous about making sure that it will actually work &#8216;as advertised.&#8217; So I went and got a Windows 7 laptop, joined to my lab domain, to convince myself that what I was doing would work in the &#8216;real world&#8217; since we&#8217;re talking about desktops here.  The short version &#8211; it does, indeed, work in both cases.</p>
<p>After that, I had to find the specific setting.  It turns out there is a lot of information out there, including a few KBs from Microsoft themselves, but nothing really summarizing all the gotchas.  So here is my list, assuming this is all done with native tools and without a COTS (Commercial Off-The-Shelf) product:</p>
<ol>
<li>The only reliable way to block the CD-ROM or USB drive on a large number of machines is through an ADM template that disables access by the system itself to a critical driver.</li>
<li>That access will be blocked for all users on the machine; there is no fine-grained way to select which users can use which devices on a given machine.  The GPO is applied to the computer object, not the user object.</li>
<li>The ADM template uses double-negatives.  You &#8216;Enable&#8217; the ability to set the setting and then set it to &#8216;Disabled&#8217; to turn off the specific drive.  I&#8217;ll explain with a short video below.</li>
<li>The ADM template will &#8216;tattoo&#8217; the machines it is applied to. Tattoos are permanent and so is this setting.  Which means that the setting will persist on the machine, even if the GPO is removed/deleted.  It also means that if you apply a setting, you will have to apply another GPO to explicitly reverse the setting.  You&#8217;ll see this mentioned by Microsoft as a &#8216;preference&#8217; rather than a policy in their link below.</li>
<li>For those of you that do not know, GPOs are not instantaneous.  You do not edit a setting, run to a machine, and see the results right away.  Machines actually PULL settings down, and Active Directory DOES NOT push them by default.  This can be overcome, of course, but the default behaviour is the pull.</li>
<li>Because of the pull, and several other factors, it can take minutes and possibly hours to get a setting to a machine.  In the case of hours, it may be that you have to wait for replication to occur from the server where the GPO was edited to the server (domain controller) that your computer is working with.</li>
</ol>
<p>With all those constraints, I set out to put together the recordings below showing how it can be done.  So what I ultimately have is a group where a machine is added and removed as needed to have these settings applied.  Again, the settings, once applied, cannot be removed, but can be toggled from &#8216;enabled&#8217; to &#8216;disabled&#8217; and vice versa.</p>
<p>I got my ADM template together, and went ahead and imported it.  The template I used can be downloaded here (<a href="http://www.idmwizard.com/quest/wb/block_drives.zip" target="_blank">http://www.idmwizard.com/quest/wb/block_drives.zip</a>).  However, after I imported it, I found I couldn&#8217;t edit it in GPO Editor.  Specifically, I couldn&#8217;t see the settings I needed to edit. So with some more searching, I discovered that I had to disable some filters in the view.  Here is a video where I do all this, starting with the text of the ADM copied and pasted into Wordpad:</p>
<p><a href="http://www.idmwizard.com/quest/wb/add_adm.mp4" target="_blank">http://www.idmwizard.com/quest/wb/add_adm.mp4</a></p>
<p>Next, I actually looked at how computers could be added to groups in 2 different ways.  The easiest way is through regular group membership.  So in this video, I will simply show a computer getting added and removed from a group.  The difference from native tools is where ActiveRoles Server comes in.  You will see in the video that I can select a machine to be added temporarily.  I can set the addition, and the removal into the future, allowing me to only have the membership be active for a limited amount of time:</p>
<p><a href="http://www.idmwizard.com/quest/wb/temp_group_membership.mp4" target="_blank">http://www.idmwizard.com/quest/wb/temp_group_membership.mp4</a></p>
<p>Another option, though, is through a dynamic group.  Dynamic groups are also an ARS feature which allows you to construct a query-based group.  The cool thing in this next video is that I also use a Virtual Attribute.  That is, I create a flag for the policy to be applied to the Computer object class, but there is no schema extension involved.  ARS keeps the attribute tied to the AD object internally, and allows you to work with it as if it were any other property of the particular class.  This is cool because you can have someone toggle this setting to put the machine in as needed:</p>
<p><a href="http://www.idmwizard.com/quest/wb/dynamic_group_membership_with_VA.mp4" target="_blank">http://www.idmwizard.com/quest/wb/dynamic_group_membership_with_VA.mp4</a></p>
<p>Having shown all this, I still need to point out that a CD burner or a USB device is not the only way to get data out of a building.  Most desktops still have a floppy drive (which is also covered by the policy), a printer (local or networked) and some additional ports in the back.  That parallel port can still take some older devices, such as those Iomega Jaz and Zip drives I used back in the day to make backups.  And then you have all sorts of other devices, like smartphones, that may use different drivers, as well as have cameras built into them to take &#8216;screen shots&#8217; if push comes to shove.  If you know the driver to target, you can always disable it, but it feels like an arms race, to some degree.</p>
<p>After all of this, I&#8217;d probably suggest that you just look at something like ScriptLogic&#8217;s Desktop Authority for doing this (full disclosure &#8211; ScriptLogic is owned by Quest Software).  That tool may seem like overkill for this sort of task, but with all of the hoops one has to jump through to make it happen, it&#8217;s much simpler to use a COTS product and get on to other things.  It won&#8217;t cover the &#8216;someone taking a picture of the monitor&#8217; scenario, but it holds up much better than my demonstration, which was quite cumbersome to work out and deploy.  Plus, it will let you roll things out closer to &#8216;real time&#8217; rather than waiting for group policies to be replicated and applied.</p>
<p>As for a list of references, there are a number that I could list, but this page was the most useful, not just for the article but for the comments as well: <a href="http://oreilly.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html" target="_blank">http://oreilly.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html</a></p>
<p>The MS KB article that everyone references can be found here: <a href="http://support.microsoft.com/kb/555324" target="_blank">http://support.microsoft.com/kb/555324</a> and this is where I got my ADM template.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idmwizard.com/2011/01/13/securing-usb-and-cd-drives-with-temporary-group-membership/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
<enclosure url="http://www.idmwizard.com/quest/wb/add_adm.mp4" length="6811558" type="video/mp4" />
<enclosure url="http://www.idmwizard.com/quest/wb/temp_group_membership.mp4" length="7102564" type="video/mp4" />
<enclosure url="http://www.idmwizard.com/quest/wb/dynamic_group_membership_with_VA.mp4" length="11663915" type="video/mp4" />
		</item>
		<item>
		<title>VAS 3.5 &#8211; The current video set</title>
		<link>http://www.idmwizard.com/2010/06/07/vas-3-5-the-current-video-set/</link>
		<comments>http://www.idmwizard.com/2010/06/07/vas-3-5-the-current-video-set/#comments</comments>
		<pubDate>Mon, 07 Jun 2010 20:21:05 +0000</pubDate>
		<dc:creator>dimikagi</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Demos]]></category>
		<category><![CDATA[NIS Migration]]></category>
		<category><![CDATA[Quest]]></category>
		<category><![CDATA[Unix/Linux/Mac]]></category>

		<guid isPermaLink="false">http://www.idmwizard.com/?p=188</guid>
		<description><![CDATA[I posted the following in an entry quite some time ago, but thought it made sense to break out just the VAS ones into a separate post for easier searching.  And so I can reference it in the VAS 4.0 blog post I&#8217;m about to put up after this one. All of the following videos [...]]]></description>
			<content:encoded><![CDATA[<p>I posted the following in an entry quite some time ago, but thought it made sense to break out just the <a href="http://www.quest.com/vas" target="_blank">VAS</a> ones into a separate post for easier searching.  And so I can reference it in the VAS 4.0 blog post I&#8217;m about to put up after this one.</p>
<p>All of the following videos are 1-3 minutes in length, with no audio.  They show some of the core VAS functionality which is found across the board on all operating systems supported by VAS:<br />
<a href="http://www.idmwizard.com/quest/vas/vas35-01-preflight/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-01-preflight/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-02-install_and_join/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-02-install_and_join/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-03-installation_of_quest_ssh_and_getting_sso_through_it/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-03-installation_of_quest_ssh_and_getting_sso_through_it/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-04-unix_enable_user_and_group-password_change-sso_via_ssh/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-04-unix_enable_user_and_group-password_change-sso_via_ssh/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-05-sudo_group_policy_usage_and_config/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-05-sudo_group_policy_usage_and_config/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-06-file_copy_policy_with_replacement_macro/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-06-file_copy_policy_with_replacement_macro/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-07-access_controls_via_user_files/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-07-access_controls_via_user_files/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-08-access_controls_via_windows_group_policy/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-08-access_controls_via_windows_group_policy/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-09-self_enrollment-automatic_local_to_AD_mapping/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-09-self_enrollment-automatic_local_to_AD_mapping/index.html</a></p>
<p>If you happen to have NIS running in your environment, you&#8217;ll want to have a look at the next set of videos that target NIS maps, and how VAS brings them directly out of AD and onto your *nix hosts:</p>
<p><a href="http://www.idmwizard.com/quest/vas/vas35-10-installing_vasyp_proxy-getting_yp_maps_from_AD/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-10-installing_vasyp_proxy-getting_yp_maps_from_AD/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-11-using_the_nis_editor/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-11-using_the_nis_editor/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-12-importing_a_new_nis_map_via_windows/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-12-importing_a_new_nis_map_via_windows/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-13-importing_a_new_nis_map_via_unix_nisedit/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-13-importing_a_new_nis_map_via_unix_nisedit/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas/vas35-14-importing_and_enabling_users_with_vastool_load/index.html" target="_new">http://www.idmwizard.com/quest/vas/vas35-14-importing_and_enabling_users_with_vastool_load/index.html</a></p>
<p>For a nice, complete 18-minute-long NIS migration video (with audio!!!!) here is one that I recorded for a particular customer:<br />
<a href="http://www.idmwizard.com/quest/vas_nis_migration/index.html" target="_blank">http://www.idmwizard.com/quest/vas_nis_migration/index.html</a></p>
<p>Here are some additional random VAS videos that I&#8217;ve recorded that are good to keep together.  People often have questions on what the VAS install looks like on the Mac &#8211; here are 2 videos of that:<br />
<a href="http://www.idmwizard.com/quest/vas35_mac_install/index.html" target="_new">http://www.idmwizard.com/quest/vas35_mac_install/index.html</a><br />
<a href="http://www.idmwizard.com/quest/vas35_mac_install_manual/index.html" target="_new">http://www.idmwizard.com/quest/vas35_mac_install_manual/index.html</a></p>
<p>Lastly, here is VAS&#8217; self-enrollment feature on Solaris 10:<br />
<a href="http://www.idmwizard.com/quest/Sol10-VASSelfEnrollment/Sol10-VASSelfEnrollment.html" target="_new">http://www.idmwizard.com/quest/Sol10-VASSelfEnrollment/Sol10-VASSelfEnrollment.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.idmwizard.com/2010/06/07/vas-3-5-the-current-video-set/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Porn, the pop-under and innovation</title>
		<link>http://www.idmwizard.com/2009/12/22/porn-the-pop-under-and-innovation/</link>
		<comments>http://www.idmwizard.com/2009/12/22/porn-the-pop-under-and-innovation/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 03:34:11 +0000</pubDate>
		<dc:creator>dimikagi</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Demos]]></category>
		<category><![CDATA[NIS Migration]]></category>
		<category><![CDATA[Unix/Linux/Mac]]></category>

		<guid isPermaLink="false">http://blog.idmwizard.com/?p=146</guid>
		<description><![CDATA[A long time ago, when dotcoms ruled the land, I was a Dev Manager for www.eTour.com (don&#8217;t bother following the link &#8211; they&#8217;re gone). In those days, we were still trying to introduce people to the web and there was a buzz in the industry that I hadn&#8217;t seen before or since. And one that will [...]]]></description>
			<content:encoded><![CDATA[<p>A long time ago, when dotcoms ruled the land, I was a Dev Manager for <a href="http://www.etour.com/" target="_blank">www.eTour.com</a> (don&#8217;t bother following the link &#8211; they&#8217;re gone). In those days, we were still trying to introduce people to the web and there was a buzz in the industry that I hadn&#8217;t seen before or since. And one that will probably never occur again.</p>
<p>Well, one of the funniest, yet instructional moments came during our death throes. The conversation with the Product Manager went something like this:</p>
<p>Brian: Dmitry, check this out &#8211; we need to do this on the site.</p>
<p>Dmitry (walking over): BC, put that site away &#8211; this is the workplace &#8211; go look at that stuff at home.</p>
<p>BC: no, look at this (closes browser window). See that? There&#8217;s another window under it.</p>
<p>DK: yeah, ok. A porn site with pop-ups &#8211; what&#8217;s your point?</p>
<p>BC: No &#8211; check it out.  They manage to put the pop-up <span style="text-decoration: underline;"><em>under</em></span> the main window.  Watch again.</p>
<p>DK: OK &#8211; I see.  Definitely interesting . . . send me the URL and we&#8217;ll figure it out.</p>
<p>Plain and simple, they came up with the &#8216;pop under&#8217; which was much less obnoxious than the &#8216;pop-up&#8217; that was so prevalent at the time.  I then had to go to one of our (female) developers and ask her to reverse engineer how it was done.  It turns out it was a simple call to a window.blur() function.</p>
<p>It&#8217;s interesting that porn (followed by gambling) led innovation in terms of technology.  It certainly was the only thing making money at the time of the dotcom meltdown, and a lot of the things you now see with streaming video (a la YouTube) were not developed by Google or some other well-known company, but by those in the &#8216;seedy part&#8217; of the internet.</p>
<p>What does this have to do with &#8216;Identity Management?&#8217; I&#8217;m not sure, but I&#8217;m willing to bet they will continue to innovate, and it will have some sort of impact on the rest of the computing field.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idmwizard.com/2009/12/22/porn-the-pop-under-and-innovation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

