Introducing Enhanced Storage Access

Updated: March 9, 2008

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the Enhanced Storage Access settings that are new in Windows 7 and Windows Server 2008 R2.

Enhanced Storage Access settings

Enhanced storage devices are devices that support the IEEE 1667 protocol to provide functions such as authentication at the hardware level of the storage device. These devices can be very small, such as USB flash drives, to provide a convenient way to store and carry data. At the same time, the small size makes it very easy for the device to be lost, stolen, or misplaced.

The Enhanced Storage Access settings in Windows 7 and Windows Server 2008 R2 enable you to use Group Policy to manage enhanced storage devices and administer policies for the Certificate and Password Authentication Silos in your organization.

For definitions of various storage devices, see Definitions for Storage Silo Drivers in the MSDN Library.

These Group Policy settings are located in Computer Configuration\Administrative Templates\System\Enhanced Storage Access.

Policy setting descriptions

The following Group Policy settings control the behavior of enhanced storage devices.

 

| Policy setting | Description | If not configured… |
|---|---|---|
| Allow Enhanced Storage certificate provisioning | Allows users to provision certificates on devices supporting Certificate Authentication Silo. | Users cannot provision certificates on enhanced storage certificate silo devices. |
| Allow only USB root hub connected Enhanced Storage devices | Allows only enhanced storage devices that are connected to USB root hubs. | USB enhanced storage devices connected to both USB root hubs and non-root hubs are allowed. |
| Configure list of approved Enhanced Storage devices | Allows you to configure a list of devices by manufacturer and product ID that are allowed on the computer. | All devices are allowed. |
| Configure list of approved IEEE 1667 silos | Allows you to create a list of approved silos that can be used on the computer. The Certificate Authentication Silo is always on the approved list. | All silos are allowed. |
| Do not allow password authentication of Enhanced Storage devices | Permits the use of a password to unlock an Enhanced Storage device, or allows password authentication devices to be accessed on this computer. | Passwords can be used to unlock devices. |
| Do not allow non-Enhanced Storage removable devices | Limits the use of removable devices to Enhanced Storage devices. Blocks the use of other storage devices on the computer. | Non-enhanced storage removable devices are allowed. |
| Lock Enhanced Storage when the machine is locked | Locks the device when the computer is locked. | The security state of the device remains unlocked even if the computer is locked with CTRL+ALT+DELETE. |

Policy setting implementation

Enhanced Storage Access settings are administered in the same manner as any other Group Policy on the domain controller. When policy settings are enabled, the following actions are taken:

  1. The policy settings are periodically sent to the client computers that are members of the domain.

  2. The Group Policy service on the client computer creates registry keys corresponding to the policy settings.

  3. The enhanced storage components read the registry keys to determine which policy settings are enabled and then take actions to comply with the policy settings.
