A company has an Active Directory Domain Services (AD DS) domain. All client computers run Windows 8.1.
You need to ensure that only administrators can access removable storage devices on client computers.
Which two Group Policy settings should you configure? (Each correct answer presents part of the solution. Choose two.)
A. Enable the Prevent installation of removable devices policy.
B. Disable the Allow only USB root hub connected Enhanced Storage Features policy.
C. Create an AppLocker deny rule with a path condition of %HOT%.
D. Start the Application Identity service.
E. Enable the Allow administrators to override Device Installation Restriction policies policy.
Correct Answer: AE
Explanation/Reference:
Prevent installation of all devices.
In this scenario, the administrator wants to prevent standard users from installing any device but allow administrators to install or update devices. To implement this scenario, you must configure two computer policies: one that prevents all users from installing devices (A) and a second policy to exempt administrators from the restrictions (E).
* A growing variety of external storage devices can be connected to personal computers and servers that are running the Windows operating system. Many users now expect to be able to install and use these devices in the office, at home, and in other locations. For administrators, these devices pose potential security and manageability challenges.
The Group Policy settings discussed in this section can be used to limit, prevent, or enable these situations. The default value for these policy settings is Not configured. These policy settings are located in the following locations under Computer Configuration\Administrative Templates\System:
(E) Device Installation\Device Installation Restrictions
Device Redirection\Device Redirection Restrictions
Driver Installation
Enhanced Storage Access
Removable Storage Access
Reference: Threats and Countermeasures Guide: External Storage Devices
http://technet.microsoft.com/en-us/library/cc753539%28v=ws.10%29.aspx
Prevent Installation of Removable Devices
You can use this procedure to prevent installation of any removable device. A device is considered removable when its device driver, or the device driver for the bus to which the device is attached, reports that it is a removable device.
If this policy is enabled, in addition to preventing installation of the affected devices, it also prevents users from updating the device drivers for already installed devices that match the policy.
http://technet.microsoft.com/en-us/library/cc753015%28v=ws.10%29.aspx
Allow Administrators to Override Device Installation Restriction Policies
You can use this procedure to ensure that the device installation restriction policies you apply to a computer do not affect members of the Administrators group.
By default, a device installation restriction policy affects all users of the computer, including members of the local Administrators group. By enabling this policy, you exempt administrators from the effects of the policy, and allow them to do the device installation tasks they need to do.
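The following audit script is an added example, not part of the original explanation or of Microsoft's documentation. It checks on a client computer whether both policies from answers A and E are in effect, assuming they are backed by the DWORD values DenyRemovableDevices and AllowAdminInstall under the DeviceInstall\Restrictions policy key (1 = Enabled, 0 = Disabled, absent = Not configured).

```powershell
# Added example (not from the original page). Assumption: the two policies are
# backed by these DWORD values, as defined in DeviceInstallation.admx.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$PolicyValues = [ordered]@{
    DenyRemovableDevices = 'Prevent installation of removable devices'   # answer A
    AllowAdminInstall    = 'Allow administrators to override Device Installation Restriction policies'   # answer E
}

function Get-DeviceInstallPolicyState {
    param([string]$Path = $RestrictionsKey)
    # A missing key means no device installation restriction policy is configured.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $PolicyValues.Keys) {
        $raw = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) { $raw = $props.$name }
        if     ($null -eq $raw) { $state = 'Not configured' }
        elseif ($raw -eq 1)     { $state = 'Enabled' }
        else                    { $state = 'Disabled' }
        [pscustomobject]@{
            Policy        = $PolicyValues[$name]
            RegistryValue = $name
            State         = $state
            Compliant     = ($state -eq 'Enabled')
        }
    }
}

$report = @(Get-DeviceInstallPolicyState)
$report | Format-Table -AutoSize

# Flag the two misconfigurations the explanation warns about.
$deny  = $report | Where-Object RegistryValue -eq 'DenyRemovableDevices'
$admin = $report | Where-Object RegistryValue -eq 'AllowAdminInstall'
if ($deny.Compliant -and -not $admin.Compliant) {
    Write-Warning 'Removable devices are blocked for everyone, including administrators.'
} elseif (-not $deny.Compliant) {
    Write-Warning 'Removable device installation is not restricted on this computer.'
}

# A non-zero exit code lets a compliance job flag the machine.
if ($report.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Run it from an elevated or standard PowerShell prompt after Group Policy has refreshed on the client; it only reads the registry and changes nothing.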
Further Information:
http://www.group-policy.com/ref/policy/242/Allow_only_USB_root_hub_connected_Enhanced_Storage_devices
Allow only USB root hub connected Enhanced Storage devices
..
If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.
http://technet.microsoft.com/en-us/library/dd723678%28v=ws.10%29.aspx
AppLocker
You can use AppLocker as part of your overall security strategy for the following scenarios:
Help prevent malicious software (malware) and unsupported applications from affecting computers in your environment.
Prevent users from installing and using unauthorized applications.
Implement application control policy to satisfy security policy or compliance requirements in your organization.
http://technet.microsoft.com/en-us/library/ee791779%28v=ws.10%29.aspx
Configure the Application Identity Service
The Application Identity service determines and verifies the identity of an application. Stopping this service will prevent AppLocker policies from being enforced.