Best Practice: How to use Group Policy to disable USB drives on Windows XP


In my previous article “How to use Group Policy to make USB drives read only on Windows XP” I showed you how you could configure Windows XP to prevent users from writing to USB block level devices. However, for some organisations just making drives read only is not enough; I have heard stories of them having to resort to using hot glue guns to prevent people using USB storage devices.

Update: I just found this article that explains how to use native Group Policy to disable your USB drives. Microsoft Support: HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

Thankfully there is also a registry key in Windows XP that allows you to block the use of USB storage devices. There are two ways to prevent the use of USB storage devices, so you may want to implement either or both methods in your organisation. The first method blocks USB storage on computers that have already had USB devices installed, and the second prevents any new USB devices from installing.

How to block existing USB Storage Devices

 

To implement this, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Then click on Action > New > Registry Item, type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field, then type Start into the Value Name field and 4 in the Value Data field, and click OK.


If you want to prevent the installation of USB storage devices, then we use Group Policy to set the security on the driver files to prevent them from installing.

Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

How to block new USB Storage Devices

 

This time, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then click on the “Action” menu and then “Add File”. Navigate to C:\Windows\Inf, select “Usbstor.inf” and press “OK”. Now click on “Users” in the security tab, tick the “Deny” box for “Full Control”, and click OK.


Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.

Click “Yes” to the security warning.


Then click OK.

Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and that we are applying the permission directly to a file, so we don’t need to worry about inheritance from this object.


Now repeat the steps above and this time select “C:\Windows\Inf\Usbstor.pnf”

You should see something like the images below in your group policy.

image

Now, either way, when users plug a USB storage device into a computer, the OS is prevented from seeing the device, which stops the users from reading and writing to removable media.

See the Microsoft article about this option at http://support.microsoft.com/kb/823732

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
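
To confirm that both settings actually reached a workstation, the following PowerShell check reads the UsbStor Start value and the ACLs on the two driver files. It is an added example, not part of the original article or the Microsoft KB; the function names `Test-UsbStorBlock` and `New-Result`, and the `BUILTIN\Users` group name (as shown on English-language Windows), are assumptions.

```powershell
# Added example: audit both controls from the article on the local machine.
# Assumptions: "BUILTIN\Users" is the group denied in the GPO, and the driver
# files live under %SystemRoot%\Inf. Run from an administrator session.
$DeniedGroup = 'BUILTIN\Users'
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function New-Result($Check, $Status, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-UsbStorBlock {
    # Method 1: UsbStor service start type (4 = Disabled, 3 = Enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    if (Test-Path $key) {
        $start = (Get-ItemProperty -Path $key).Start
        $status = if ($start -eq 4) { 'PASS' } else { 'FAIL' }
        New-Result 'UsbStor Start' $status "Start = $start"
    } else {
        # Key absent: report it rather than fail, and rely on the file ACL check.
        New-Result 'UsbStor Start' 'INFO' 'Service key not present'
    }

    # Method 2: explicit Deny Full Control on the driver setup files.
    foreach ($name in 'Usbstor.inf', 'Usbstor.pnf') {
        $path = Join-Path $env:SystemRoot "Inf\$name"
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
            $deny = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq $DeniedGroup -and
                ([int]$_.FileSystemRights -band $FullControl) -eq $FullControl
            })
            $status = if ($deny.Count -gt 0) { 'PASS' } else { 'FAIL' }
            New-Result $name $status "$($deny.Count) matching deny rule(s)"
        } catch {
            # Missing file or unreadable ACL is surfaced, not silently passed.
            New-Result $name 'ERROR' $_.Exception.Message
        }
    }
}

Test-UsbStorBlock | Select-Object Check, Status, Detail | Format-Table -AutoSize
```

If you denied a specific user or group instead of “Users”, change `$DeniedGroup` to match before running the check.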
