Disabling USB Storage With Group Policy
by Mitch Tulloch, 11/15/2005
The security threat posed to companies by USB flash drives has been known for some time now. LabMice has a good summary of both the tremendous usefulness of these devices and the dangers they pose to businesses, both in terms of being a potential malware vector and a channel for stealing sensitive information from companies. What can be done to prevent such misuse of technology?
Policy First
Start by updating your company's security policy to provide guidance to employees concerning the proper use and misuse of USB storage devices. If you want to allow employees the convenience of using these devices, you need to give them clear guidance on what management expectations are for using them and what the consequences will be for misuse. The misuse of technology like this is generally not something you solve by more technology -- it's fundamentally a management issue and needs to be addressed at the policies and procedures level first.
When your boss hears that anyone can now walk into an office, pull a USB key from a pocket, grab megabytes of confidential business data, and walk out with it undetected, her first response might be to ask, "How can we lock down our computers to prevent this from happening?" The networking staff then run around looking for some commercial product that blocks use of USB drives, and suddenly you're adding another layer of software on top of your network, increasing complexity and making it harder to maintain. If your boss reacts like this, you need to point out that USB storage technology can have significant benefits for worker productivity and that the risks it poses are not fundamentally different from those of floppy drives and CD burners (though the small form factor of USB keys makes them a bit easier to hide). Then, after your boss has calmed down, you need to point out that what really needs to be done is to make a management decision about what constitutes acceptable use for this technology, update the security policy accordingly, and communicate the changes to employees.
Of course, the reality sometimes is that maybe you don't have a written security policy for your company, or maybe you have one but management won't buy into it and violations are never punished. Perhaps your boss says, "It's your problem, you're the admin -- fix it" and walks away. In that case, your next step might be to update your resume. On the other hand, if you're the All-Powerful Administrator of your network, then you may simply decide to disable use of USB storage devices completely on all your computers. Where do you start?
Ways of Disabling USB Storage
There are commercial products that can solve your problem, and a good example of one is IntelliPolicy for Clients from FullArmor. While this is a great product, it should not be thought of as a solution to the problem of disabling USB storage capability on your computers. That's because you don't buy a powerful, full-featured product like this simply for a single feature it can offer. Instead, you buy a product like IntelliPolicy as part of your overall planning for building a security architecture that can help you manage the real risks your network faces. So if your network needs a security overhaul, take a good look at a product like this and evaluate its usefulness. But if you already have a robust security architecture in place and just want to add one extra piece of functionality like disabling USB storage capability, you should look elsewhere.
As it turns out, a simple solution is to extend Group Policy to handle the problem of disabling USB storage on Windows machines. Group Policy is the de facto tool for managing the configuration of machines on Windows-based networks (that is, networks that have Active Directory deployed). Simon Geary, a Microsoft MVP (Most Valuable Professional) in the area of Directory Services, has come up with a simple illustration of how powerful Group Policy is and how easily it can be extended. All you need to do is create a new administrative template (.adm file) that defines a policy setting for disabling the usbstor.sys driver on Windows machines. Then you import the .adm file into a Group Policy Object (GPO), and as administrator you now have the option of disabling USB storage on any domain or organizational unit to which that GPO is linked. Here's a knowledge base article that contains the code for the .adm file, and below is a figure showing what the new policy setting looks like:

Figure 1. The new policy setting to disable USB drives
Simon's work is typical of many others in the Microsoft MVP program, which recognizes outstanding individuals who contribute their time and energy to the worldwide user community by answering questions, offering advice, and sharing their knowledge in a professional manner. If you have technical questions concerning any Microsoft platforms or products, a good place to get your questions answered is by posting them to an appropriate newsgroup on Microsoft Technical Communities, where MVPs generally hang out and are eager to answer your questions. You can access these newsgroups using either your web browser or a NNTP newsreader.
I may sound a bit like an advertisement for the MVP program, and I am, but I've been tremendously impressed by the members of this community since I joined it, and I'm honored to know many of these people including Rodney and Mark who live right here in my own home town of Winnipeg, Canada. And they even like beer!
Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.
-
Disable the write functionality for USB storage
2007-04-11 23:29:12 aburrow
Using this .adm file I can successfully disable USB storage devices. But is there a way to prevent write access to them without disabling the read functionality?
We have a number of kiosk machines that allow users to display PowerPoint presentations etc. We'd like to still allow this but prevent people from taking files off the machines.
Thanks
-
Disable only user access not admin?
2007-02-20 13:23:36 UNTEagle
Hi. I loaded the *.adm on my WinXP system and everything appears as it should in the group policy editor. I placed the custom policy under Computer Configuration, not User Configuration. But still, when I "enable" the "Disable floppy" it doesn't work. I can still use the floppy drive. And I tried it with all the other drives as well. This template does work with XP, doesn't it? I don't know much about group policies; is there some other setting I need to fix?
Also, I am wondering, does this template disable the drives completely, I mean for all users? I want the admin to still be able to use those drives. If this template won't do that, does anyone know of something (other than purchased software) that will do the job? Thanks for your help.
-
Question
2007-01-27 17:06:12 yahvone@yahoo.com
I have tried everything to disable the administrator from my computer. Nothing is working for me. I have tried MMC, debugger. I have gone into so many things to find the right one to disable the administrator and it won't let me. Can you PLEASE help me disable this thing. I can run, download, get into my own account without permission. All I need is something easy for me to do this. Tell me how to run it or open a file that has it.
-
Disable at user level
2007-01-16 00:15:56 franck_julliard
I use this method to disable USB storage devices, floppy and CD-ROM in my company, and it works very well.
This policy needs to be applied to the computer in order to work. I would like to give this kind of permission at a user level. As far as these registry keys are in the Local Machine, I guess that it's something we can't do at user level.
Do you know if there is another way to do it using the current user key?
Thanks a lot,
-
Disable USB & CD ROM Drives
2006-12-28 02:50:50 Murugavel
Have a nice day
I imported the USB disable .adm in local policy on a Windows XP machine; it is working fine.
But I tried the same procedure in Windows 2000 domain group policy, and it's not working in the domain policy. What shall I do to make it work in Windows 2000 domain policy? Kindly help out to solve this problem.
-
Reg disable USB, CD-ROM, Floppy Disk (restrict drives, but i'm not able see in right side setting contents)
2006-12-22 20:31:30 Murugavel
Have a nice day,
I copied the following text in Notepad and saved it as .adm in the Windows folder/inf folder. After that, Administrative Templates under Computer Configuration, and then click Add/Remove Templates in group policy, add usb.adm, then give OK. I'm able to see Custom Policy * Restrict Drives, but I'm not able to see the setting contents on the right side. Please help to resolve this problem. I'm waiting for your valuable reply.
Please see the copied content:
CLASS MACHINE
; Comment lines start with ";". The KEYNAME values below point straight at the
; driver keys under HKLM\SYSTEM\CurrentControlSet\Services rather than at a
; Policies key, so the GPO editor treats these as "preference" settings: they
; stay hidden until View > Filtering > "Only show policy settings that can be
; fully managed" is unchecked, and the values remain after the GPO is unlinked.
; Start is the driver start type: 4 = disabled, 3 = demand start (the normal
; value for usbstor.sys, flpydisk.sys and sfloppy.sys), 1 = system start (the
; normal value for cdrom.sys). The dropdown item named "Enabled" therefore
; enables the restriction by writing 4; "Disabled" restores the normal value.
CATEGORY !!category
  CATEGORY !!categoryname
    ; usbstor.sys is only the USB mass-storage class driver; other USB devices
    ; (keyboards, mice, bar code readers) keep working when it is disabled.
    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computer's USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computer's CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computer's Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computer's High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
-
Reg disable USB, CD-ROM, Floppy Disk (restrict drives, but i'm not able see in right side setting contents)
2007-05-23 03:49:36 dhaval1981
Have a nice day,
I copied the following text in Notepad and saved it as .adm in the Windows folder/inf folder. After that, Administrative Templates under Computer Configuration, and then click Add/Remove Templates in group policy, add usb.adm, then give OK. I'm able to see Custom Policy * Restrict Drives, but I'm not able to see the setting contents on the right side. Please help to resolve this problem. I'm waiting for your valuable reply.
-
Reg disable USB, CD-ROM, Floppy Disk (restrict drives, but i'm not able see in right side setting contents)
2007-03-05 02:53:08 leonatavares
Yes, I am also facing the same problem!!!! Can anyone help me to solve this problem!!!
Waiting for a reply
Thanks
-
Reg disable USB, CD-ROM, Floppy Disk (restrict drives, but i'm not able see in right side setting contents)
2007-03-09 07:25:58 FS-CTI
In the GPO Editor you are using, select View > Filtering and uncheck the "Only show policy settings that can be fully managed" checkbox. You will now be able to see the new settings in the right-hand pane.
-
Desktop Authority
2006-11-23 07:52:34 Safriduo
One more way is by using Desktop Authority.
http://www.scriptlogic.com/products/DesktopAuthority/
You can disable some other devices like FDD, CD-ROM or, for example, if you have a CD/DVD burner you can permit only reading. These settings can be simply applied to any computer or user.
-
disable usb storage device
2006-10-19 13:30:26 cmahadeo
I was able to import the *.adm file successfully. However, the policy isn't working. My environment is Windows XP SP2 and Windows 2000 SP4.
Can you provide me with a solution, since I need to disable the above in my organization.
-
disable usb storage device
2006-10-23 18:34:52 csh@rp
As already mentioned, this will only work on new USB devices.
You can however create a GPO to set permissions on the usbstor.pnf, and use the GPO to create the usbstor reg key; in the GPO you deny a group access to the key and the file.
Setting permissions on the usbstor.pnf will take care of any new devices.
The reg key will overwrite the existing key.
The dword start located in "hklm\system\currentcontrolset\services\usbstor\" will not exist so the user will not be able to use the device and will not have permissions to change the key either.
Chad
-
Why do people focus on USB drives only?
2006-09-27 07:53:26 John@FE
I continually see articles touting the evils of USB drives. As a data loss / malicious code introduction vector, how exactly are they different from:
a) parallel ports open for ZIP drives?
b) CD-Rom drives (malicious code ingress)
c) CD-Burners (data leakage)
d) Floppies
e) Web sites that allow posting from within corporate boundaries, like this forum (data leakage)
f) Inbound and outbound e-mail
g) Employees that copy data to their laptops, take them home, and can copy data off them there onto their home networks.
h) Printers (data leakage) - do you really monitor the paper your employees take off site?
i) opening the shell of a PC and taking the hard disk home
j) iPods/PDAs/Digital Cameras, all with storage
k) probably a hundred other vectors
Once one has taken care of all those vectors, it might be worth worrying about USB drives.
-
This does not work
2006-08-01 03:01:23 Rachelb
Added this template on my Win2K server; enabled 'Disable USB drives'. Still, my XP clients detect USB flash drives.
Any help is appreciated.
Thanks
-
This does not work
2006-08-01 03:16:23 Serpico
This will only work for new USB flash devices that are plugged into the machine. To fully disable the USB storage driver, you'll need to do the following:
Open Registry Editor.
In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
Locate the following value (DWORD):
Start
and give it a value of 4.
Close Registry Editor. You do not need to reboot the computer for changes to apply.
To re-enable the setting, go to the reg key above and give the Start DWORD a value of 3.
-
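A way to check on a client whether the template from the article, or Serpico's manual registry edit above, actually took effect, as an added example that is not code from the article, the KB template or any commenter. It assumes an elevated PowerShell session on the client and the four driver names the template uses; the Action and Drivers parameters are this example's own.

```powershell
<#
  Added example: audit, and optionally set, the Start value of the driver keys
  that the custom .adm template writes. Run elevated on the client.
  Start is the driver start type: 0 Boot, 1 System, 2 Automatic,
  3 Demand (loads when a matching device arrives), 4 Disabled.
  The template writes straight under HKLM\SYSTEM\...\Services, not under a
  Policies key, so it is a "preference": the value tattoos the registry
  (unlinking the GPO does not restore it) and the GPO editor hides it until
  "Only show policy settings that can be fully managed" is unchecked.
#>
param(
    [ValidateSet('Audit', 'Disable', 'Enable')]
    [string]$Action = 'Audit',
    [string[]]$Drivers = @('USBSTOR', 'Cdrom', 'Flpydisk', 'Sfloppy')
)

# Normal start types, matching the "Disabled" (restriction off) items in the template.
$normalStart = @{ USBSTOR = 3; Cdrom = 1; Flpydisk = 3; Sfloppy = 3 }

function Get-DriverStart {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
}

function Set-DriverStart {
    param([string]$Name, [int]$Value)
    # Changing Start does not unload a driver already serving an attached device;
    # it applies to devices connected afterwards, which is Serpico's point above.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" `
        -Name Start -Value $Value -Type DWord
}

foreach ($d in $Drivers) {
    $before = Get-DriverStart $d
    if ($null -eq $before) {
        # On XP/2000 the USBSTOR key is only created when the first USB storage
        # device is installed, so "not present" on a fresh build is expected
        # (the case Chad's usbstor.pnf permissions comment addresses).
        Write-Output ("{0,-9} key not present" -f $d)
        continue
    }
    switch ($Action) {
        'Disable' { Set-DriverStart $d 4 }
        'Enable'  {
            $v = if ($normalStart.ContainsKey($d)) { $normalStart[$d] } else { 3 }
            Set-DriverStart $d $v
        }
    }
    $after = Get-DriverStart $d
    $state = if ($after -eq 4) { 'DISABLED (Start=4)' } else { "active (Start=$after)" }
    Write-Output ("{0,-9} {1}" -f $d, $state)
}
```

Run it with -Action Audit on a client that "doesn't work" to see whether the value ever arrived; a Start of 3 after a GPO refresh means the setting was not applied, while a Start of 4 with a still-working stick means the device was already attached when the value changed.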
This does not work
2007-03-26 18:12:14 andy10
Hi Serpico,
I think your message is what I was looking for... I have to re-enable two USB storage ports
for two users on two computers, but I do not know how they disabled it... I do not know if they used GP or whatever to disable this evil... I'm gonna try your tip... The company has more than 9000 users... Maybe in the future the security department is gonna allow many users to be re-enabled; if this happens it will be difficult to go from computer to computer, or to connect remotely to each computer to do the job.
thanks for your reply
-
About ADM File
2006-07-23 09:19:07 Hosseinbarati
I imported this adm file
and changed Disable USB to Enable,
but Windows detects USB mass storage on clients.
Why?
-
Problem with adm file
2006-07-23 08:51:10 Hosseinbarati
http://www.windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html
I import the adm file into group policy on Win 2000 Server, but I do not have any filtering in the group policy editor.
But in Win XP, with filtering, I see that item.
Regards
-
This doesn't work :(
2006-05-22 07:22:24 David_smith_909
I've been trying to get this working for days now; I have imported the file, got the settings, enabled the USB policy so it disables all USB, CD-ROMs, floppies etc., and tried the policy on myself.
All the settings are the same as the code on the website etc. and it just doesn't work; has anyone had this working???
-
Hmmm Not Working
2006-05-09 10:57:58 anNIALLator
OK, imported this OK, got to unhide it OK. Set everything to enable, then inside each policy set everything to enable. Have I just enabled or disabled USB keys and floppies etc., or is there a double negative going on here? Also it seems to have stopped the login script specified in AD from running. OW! Have now set only USB to enabled, and enabled inside the policy. It is no longer stopping my login script from working, but the USB sticks are still working. Oh well, perhaps we'll have to wait till Vista for this one.
-
can't see any items
2006-05-02 01:18:44 bossa1985
I completely imported the .adm file and it shows Administrative Templates/Custom Policy Settings/Restrict Drivers already. But it says "there is no item to show in this view."
What should I do?
-
can't see any items
2007-05-23 03:48:55 dhaval1981
Have a nice day,
I copied the following text in Notepad and saved it as .adm in the Windows folder/inf folder. After that, Administrative Templates under Computer Configuration, and then click Add/Remove Templates in group policy, add usb.adm, then give OK. I'm able to see Custom Policy * Restrict Drives, but I'm not able to see the setting contents on the right side. Please help to resolve this problem. I'm waiting for your valuable reply.
-
USB disable
2006-04-18 13:00:56 fishbelly
Will this GP shut off the USB ports or just memory sticks using USB? I have bar code devices that I can't eliminate but the 1gig sticks must go.
-
can not see the policy
2006-03-21 04:32:34 simonbroadhead
Hello, I have looked at the KB page for the code, and I have created the .adm file. When I go into group policy and add it, I can see the folders but no content. I cut and pasted the code into Notepad and saved it as a .adm file, so any ideas would be great.
-
Link to missing KB article
2005-11-15 19:03:05 Mitch Tulloch
Sorry, this went missing during the editorial process for the article. The link to the KB article is http://support.microsoft.com/kb/555324
-
Link to missing KB article
2008-04-30 22:56:05 RafiQuadri
Hi,
The article describes at the end of the page that:
APPLIES TO
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Does this mean that we cannot use this ADM file for XP SP2?
I just want to let the users to run programs from the USB......
Thanx in Advance
Regards
Vishwa