Vista Leaves Some Out in Cold

By Andrew Garcia  |  Posted 2007-04-20
European versions don't enable USB lockout by default.

With Vista, Microsoft revamped the Windows operating system's ability to natively lock out unapproved USB storage devices through new Group Policy settings. However, part of this capability requires a service that has quietly been left out of some editions by default, a casualty of Microsoft's attempts to comply with the European Union's antitrust rulings. While such matters may not mean anything to U.S.-based customers, the fact that different editions of Vista behave differently makes it hard to justify relying on the operating system's USB security features in an enterprise deployment.
In tests of the device lockout features, we experienced a mixed bag of results.
On the plus side, we found we could successfully block a user with limited rights from installing new USB drives on a computer, while exempting local administrators from the policy. We could also create exceptions that allowed us to standardize on a particular make and model of USB device while locking out other, unapproved drives. For example, we created a policy that allowed users to install only Kingston Technology's DataTraveler Elite devices while blocking all others. (We also tested with several generic devices.) But when we tried to deny read or write access to already installed USB devices, or even to CD/DVD writers, the policies did not work on our test machines. Whether they work depends on which edition of Vista is installed; specifically, the European "N" editions have been left out in the cold.
The ability to block read/write access to removable storage devices via Group Policy depends on the presence of the Portable Device Enumerator Service, which is not installed by default in the Vista Business N edition. We discovered this because we accidentally installed this edition of the operating system on our test machines. Vista Business N is a Europe-only edition that complies with the EU mandate that Windows Media Player be decoupled from the operating system. Unfortunately, the Portable Device Enumerator Service ships with Windows Media Player rather than with the base Vista operating system, so the N editions of Vista won't get the feature without installing Windows Media Player or kludging together a different workaround. Indeed, once we installed Windows Media Player 11 on our test system, the needed service was installed and the Group Policy settings were immediately enforced. (We also verified that the policies worked on the standard Vista Business edition.) The fact that a core security feature of Vista depends on the presence of a rich media application underscores what a convoluted system Windows continues to be.
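Before an enterprise relies on either mechanism described above, an administrator would want to confirm on a given machine that the Removable Storage Access settings can actually be enforced and that the device allow-list contains the right hardware IDs. The following PowerShell script is an added example; it is not from the eWEEK review and does not come from Microsoft. It assumes the Group Policy registry locations listed in its comments (the DeviceInstall\Restrictions and RemovableStorageDevices policy keys, the Deny_Read/Deny_Write value names, and the removable-disk and CD/DVD setup class GUIDs) and the service short name WPDBusEnum for the Portable Device Enumerator Service; none of those identifiers appear in the article, so verify them against gpedit.msc on your own build before trusting the output.

```powershell
# Added example, not code from the original article. Audits a Vista machine for
# the two USB-control mechanisms the review tests:
#   1. Device Installation Restrictions (block unapproved devices, allow-list by ID)
#   2. Removable Storage Access (deny read/write to already-installed devices),
#      which only works if the Portable Device Enumerator Service is present.
# Registry paths, value names, class GUIDs and the service name are assumptions
# taken from the Group Policy templates; confirm them against gpedit.msc.

$restrictKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$storageKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup class GUIDs referenced by the Removable Storage Access policy (assumed).
$removableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$cdDvdClass         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'

# Returns a DWORD policy value, or $null when the key or value is absent.
function Get-PolicyDword($key, $name) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.PSObject.Properties[$name]) { return $item.$name }
    }
    return $null
}

# 1. Hardware IDs of USB storage devices this machine has seen. These are the
#    strings an admin would paste into "Allow installation of devices that match
#    any of these device IDs" to standardize on one make and model.
Write-Host "USB storage device IDs known to this machine:"
Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.DeviceID -like 'USBSTOR\*' } |
    ForEach-Object { Write-Host ("  " + $_.DeviceID) }

# 2. Device Installation Restrictions as currently written by Group Policy.
Write-Host "Device Installation Restrictions:"
Write-Host ("  Prevent devices not described by other policy : " + (Get-PolicyDword $restrictKey 'DenyUnspecified'))
Write-Host ("  Administrators may override                   : " + (Get-PolicyDword $restrictKey 'AllowAdminInstall'))
$allowKey = Join-Path $restrictKey 'AllowDeviceIDs'
if (Test-Path $allowKey) {
    Write-Host "  Allowed device IDs:"
    (Get-ItemProperty -Path $allowKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Host ("    " + $_.Value) }
}

# 3. Removable Storage Access. The deny settings are inert without WPDBusEnum,
#    which is exactly the situation on Vista N editions without Windows Media Player 11.
$wpd = Get-Service -Name WPDBusEnum -ErrorAction SilentlyContinue
if ($wpd -eq $null) {
    Write-Warning ("Portable Device Enumerator Service (WPDBusEnum) is not installed; " +
                   "Removable Storage Access policies will not be enforced on this machine.")
} else {
    $svc = Get-WmiObject Win32_Service -Filter "Name='WPDBusEnum'"
    Write-Host ("WPDBusEnum present: status=" + $wpd.Status + " startmode=" + $svc.StartMode)
}

$classes = @{ 'Removable disks' = $removableDiskClass; 'CD/DVD' = $cdDvdClass }
foreach ($entry in $classes.GetEnumerator()) {
    $k = Join-Path $storageKey $entry.Value
    Write-Host ("{0}: Deny_Read={1} Deny_Write={2}" -f $entry.Key,
                (Get-PolicyDword $k 'Deny_Read'), (Get-PolicyDword $k 'Deny_Write'))
}
```

Run it in an elevated PowerShell session after a `gpupdate /force`. A blank or `$null` value next to a setting means the policy has not been written to this machine at all, while a warning about WPDBusEnum means the Deny_Read/Deny_Write values may be present yet still unenforced, which is the failure mode the review hit on Vista Business N.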
Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.