如何通过组策略阻止Windows 7中的USB端口和CD-ROM？

Question

默认情况下，组策略不提供轻松禁用包含可移动介质的驱动器（如 USB 端口、CD-ROM 驱动器、软盘驱动器和高容量 LS-120 软盘驱动器）的功能。但是，可以通过应用 ADM 模板将组策略扩展为使用自定义设置。本文中的 ADM 模板允许管理员禁用这些设备的相应驱动程序，确保它们无法使用。将此管理模板作为 .adm 文件导入组策略。如果您不确定如何执行此操作，请参阅“更多信息”部分中的链接。

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
 PART !!labeltextusb DROPDOWNLIST REQUIRED

   VALUENAME "Start"
   ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
   END ITEMLIST
 END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
 PART !!labeltextcd DROPDOWNLIST REQUIRED

   VALUENAME "Start"
   ITEMLIST
    NAME !!Disabled VALUE NUMERIC 1 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
   END ITEMLIST
 END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
 PART !!labeltextflpy DROPDOWNLIST REQUIRED

   VALUENAME "Start"
   ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
   END ITEMLIST
  END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
 PART !!labeltextls120 DROPDOWNLIST REQUIRED

   VALUENAME "Start"
   ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
   END ITEMLIST
  END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

参考：微软

有关应用管理模板文件的更多信息，包括如何使用上述模板的说明，请从此处下载 Microsoft 白皮书“使用基于注册表的组策略的管理模板文件”。

http://www.microsoft.com/downloads/details.aspx?FamilyID=e7d72fa1-62fe-4358-8360-8774ea8db847&displaylang=en

Answer 1

默认情况下，组策略不提供轻松禁用包含可移动介质的驱动器（如 USB 端口、CD-ROM 驱动器、软盘驱动器和高容量 LS-120 软盘驱动器）的功能。但是，可以通过应用 ADM 模板将组策略扩展为使用自定义设置。本文中的 ADM 模板允许管理员禁用这些设备的相应驱动程序，确保它们无法使用。将此管理模板作为 .adm 文件导入组策略。如果您不确定如何执行此操作，请参阅“更多信息”部分中的链接。

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
 PART !!labeltextusb DROPDOWNLIST REQUIRED

   VALUENAME "Start"
   ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
   END ITEMLIST
 END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
 PART !!labeltextcd DROPDOWNLIST REQUIRED

   VALUENAME "Start"
   ITEMLIST
    NAME !!Disabled VALUE NUMERIC 1 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
   END ITEMLIST
 END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
 PART !!labeltextflpy DROPDOWNLIST REQUIRED

   VALUENAME "Start"
   ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
   END ITEMLIST
  END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
 PART !!labeltextls120 DROPDOWNLIST REQUIRED

   VALUENAME "Start"
   ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
   END ITEMLIST
  END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

参考：微软

有关应用管理模板文件的更多信息，包括如何使用上述模板的说明，请从此处下载 Microsoft 白皮书“使用基于注册表的组策略的管理模板文件”。

http://www.microsoft.com/downloads/details.aspx?FamilyID=e7d72fa1-62fe-4358-8360-8774ea8db847&displaylang=en

如何通过组策略阻止Windows 7中的USB端口和CD-ROM？

答案1

相关内容