
I am new to system administration so please bear with me. I have a Lenovo laptop running Windows 10. There is highly sensitive information (media files) on the machine that I need another user to edit. However, I need to:

a. Disable all external storage (USB, DVD, etc.) but still let the user use USB mice and other input devices.

b. Deny all network access (both LAN and Internet)

c. Disallow the user to meddle with these security settings.

  1. How do I accomplish the above on Windows 10?

  2. Is there any other security measure I need to take such as encryption? BitLocker is not an option due to the configuration of my Windows 10 implementation. Will encrypting the hard drive (using say VeraCrypt) ensure safety of my data even if it is somehow stolen?

  3. Should I change any BOOT/BIOS settings to ensure I have the necessary "air-gapping" effect for the particular user?

EDIT: I am unable to install gpedit.msc using instructions available on this site: "Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it?"

So, is editing the registry my option?

moonstar
  • @Ramhound Thanks. I tried the method suggested on the site but was unable to install group policy because I do not have a gpedit.msc file, only a gpedit.dll in my WOW64 folder. 1. I tried getting into the BIOS (don't see many options), creating a user and changing their access (I am logged in as admin but can't find the buttons to grant/deny another user read/write access except to change the type of their a/c). 2) But will my data at least be scrambled enough to not make sense if theft does occur? 3) Looking for inputs that will help me decide. – moonstar Feb 22 '17 at 18:20
  • @Ramhound syswow only has the two folders, not gpedit.msc to copy over to system32. – moonstar Feb 22 '17 at 18:29
  • @Ramhound By linked package you mean the downloadable on deviantart website? I got it. I went through all the steps. Did not work. – moonstar Feb 22 '17 at 18:42

1 Answer


We are always glad to help, but you actually have several somewhat related questions combined. It may be prudent to ask different questions accordingly, rather than something quite so broad in scope.

In the interim, I can definitely help you with one of them: is this a Windows 10 Professional (or Enterprise) machine? If so, you can utilize the Local Group Policy editor to disable external storage media. Search for gpedit.msc with elevated privileges and navigate to the following:

Computer Configuration\Administrative Templates\System\Removable Storage Access

Within there you will see several settings you can potentially enable that are related to disabling removable storage access. If you want to implement it for all of them, enable the following:

All Removable Storage classes: Deny all access

Once enabled, the USB and DVD external storage access will be disabled, but the user will still be able to use a USB mouse and keyboard. If they aren't an administrator, they won't be able to change those settings.

If it is Windows 10 Home, you should be able to achieve the same results by modifying the registry:

  1. Search for regedit with elevated privileges and navigate to the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
    
  2. NOTE: If RemovableStorageDevices is not there in the left pane, then right-click on Windows and click on New and Key. Type RemovableStorageDevices and press Enter.

  3. In the right pane of RemovableStorageDevices, right click on an empty area and click on New and DWORD (32-bit) Value and type Deny_All and press Enter.

  4. Right click on Deny_All and click on Modify.

  5. Type 1 and click on the OK button.


  6. Close regedit accordingly.

(Source)

Run5k
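
A scripted equivalent of the registry steps in the answer above, as an added example that is not part of the original answer: it creates the key and the Deny_All DWORD, confirms the value, and lists any account other than SYSTEM, Administrators or CREATOR OWNER that holds write access to the key. The function names are hypothetical, and the script assumes it is saved to a file and run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the answer): sets Deny_All and verifies the result.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$ValueName = 'Deny_All'

function Set-DenyAllRemovableStorage {
    # Step 2 of the answer: create the key if it is missing.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Steps 3-5: create or overwrite the DWORD (32-bit) value with 1.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-DenyAllRemovableStorage {
    # True only when the value exists, is a DWORD, and equals 1.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    return ($key.GetValueKind($ValueName) -eq 'DWord') -and ($key.GetValue($ValueName) -eq 1)
}

function Get-UnexpectedKeyWriters {
    # Allow entries that let a principal other than SYSTEM (S-1-5-18),
    # Administrators (S-1-5-32-544) or CREATOR OWNER (S-1-3-0) modify the key.
    $expected = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0'
    # SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership,
    # plus the GENERIC_WRITE and GENERIC_ALL bits inherited entries may carry.
    $writeBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $KeyPath).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $expected -notcontains $_.IdentityReference.Value -and
            ([int]$_.RegistryRights -band $writeBits) -ne 0
        }
}

Set-DenyAllRemovableStorage
if (-not (Test-DenyAllRemovableStorage)) {
    throw "Deny_All is not set to DWORD 1 under $KeyPath"
}
$writers = @(Get-UnexpectedKeyWriters)
if ($writers.Count -gt 0) {
    Write-Warning 'Other principals can modify the policy key; review these entries:'
    $writers | Format-Table IdentityReference, RegistryRights, IsInherited
} else {
    'Deny_All = 1 is set; only SYSTEM, Administrators and CREATOR OWNER can change the key.'
}
```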