.NET to the rescue

Recently, there have been a lot of security guidelines being passed down from the various security related agencies and from the auditors about USB thumb drives and HDD drives being plugged into the workstations or notebooks.  Their concerns are that restricted information may be copied out to these removable media and taken out of the office.

Well, in Windows XP SP2, I have implemented USB restrictions to prevent users from plugging in their removable USB media and also disallow them from burning into writeable CDs and this was done long time ago and recently because of this I have to go back and dig out this piece of information.

Hope this saves you some time having to ask Mr. Google.

1. How to disable USB ports to prevent Removable Storage Devices from connecting

You want to prevent users from connecting their removable medias to the USB ports.  This procedure will show you how to disable USB ports to prevent Removable Storage Devices from connecting. E.g. USB Thumb drives, External HDD. But not to worry, it will allow USB Mouse operation.

1. Deny permission on the files usbstor.pnf and usbstor.inf, located at %systemroot%\inf (Note that this folder is hidden, you will need to "Show all hidden files" in File Explorer)

* Remove all users from the permission lists and add "System" to "Deny All"

2. Set the Start value to hexadecimal 4 in the Registry at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

2. Disabling CD-ROM & Floppy Drives

2.1 How to disable CD-ROM

Set the Start value to hexadecimal 4 in the Registry at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom

This will also disable user from connecting an external USB CD/DVD-Writer to the system.

2.2 Remove CD Burning Features

Use GPO settings to remove CD burning feature:

Local Computer Policy\User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove CD Burning features

* Windows Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC.
* If you enable this setting, all features in the Windows Explorer that allow you to use your CD writer are removed.
* If you disable or do not configure this setting, users are able to use the Windows Explorer CD burning features.

• Note: This setting does not prevent users from using third-party applications to create or modify CDs using a CD writer.

2.3 How to disable Floppy Drive

Set the Start value to hexadecimal 4 in the Registry at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk

3. Prevent Writing to USB Storage Devices

If you still want to allow your users to connect their USB media but prevent them from writing, this is what you will have to do.

Prevent Writing to USB Storage Devices via registry setting. Only works for Win XP SP2.
1. Start the Registry Editor
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key
3. If there is no key called StorageDevicePolicies, create it. You do this by right-clicking the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key, and selecting New > Key from the menu.
4. Select the StorageDevicePolicies key
5. From the menu select Edit > New > DWORD Value
6. Name the new value WriteProtect
7. Right-click the WriteProtect value and choose Modify
8. In the Value Data: box enter 1
9. Exit the registry editor, and restart your computer

VMware is one of the hottest technologies in 2009.  There are now many companies embarking on virtualization to reduce DC space and also to reduce cost.

• There are only 2 channels to purchase VMware. It’s either via OEM manufacturers like Dell, HP, IBM or via re-seller like Ingram Micro.
• There are 3 main products that will be mostly used by customers. They are “VMware Infrastructure 3”, “VMware vCenter Server” and “VMware ESXi”.
• General guideline for a 2 socket Quad Core server, it is able to run 40 Windows XP virtual machines.
• Only runs on x86 architecture.

Virtual Infrastructure Editions

ESXi Basic

VI Foundation
- License cost: US$995
- Supports 2 core CPU
- Additional components: “VC Agent”, “Update Manager”, “Consolidated Backup”
  - Consolidated Backup
    - Remove the need to install backup agent into each VM. 
    - Eg. Windows Server 2003, it uses Shadow Services to present a snapshot of the OS for the backup software to perform a backup.

VI Standard
- License cost: US$2,995
- Additional components: “High Availability”
- HA: Provides VMware clustering by moving the VM to other physical boxes (but still got downtime)

VI Enterprise
- License cost: US$5,750
- Additional components: “VMotion”, “DRS”

Miscellaneous

VMotion
- Need to adhere to same CPU architecture (eg. Opteron to Opteron)
- Can only move from virtual to virtual

Storage VMotion
- Can move from physical to virtual
- Good for situation whereby need to increase HDD space

VMware Converter
- 3rd generation tool that automates machine format conversions to VMware VMs
- Good for situation like Windows NT 4.0

If you are like using Windows Server 2008 as your primary OS for your daily usage, you might want to enable the following to turn it into a workstation.

Tip #1: Enable Wireless Networking
1. Start the Server Manager by clicking the Server Manager icon in the systray, or the Server Manager shortcut in directly the Start menu or in the menu Administrative Tools

2. In the Server Manager scroll down to Features Summary and click Add Features. In the Add Features Wizard window scroll down, check Wireless LAN Service and click Next.

3. At the Confirm Installation Selections page click Install.

4. Click Close to finish the installation. Now you have wireless support in Windows Server 2008!

Tip #2: Enable Desktop Experience
Desktop Experience includes features of Windows Vista such as:

• Media Player
• Desktop Themes
• Photo management

Some of the issues this service will solve are:

• Being able to install the camera driver for your iPhone so that you can copy your pictures out via File Explorer
• Able to map to your iPhone via WebDav via applications like “Air Sharing”

Steps on installing Desktop Experience:
1. Repeat the above steps in Tip #1 to get into the “Add Features”

2. This time select “Desktop Experience”