Should users be allowed to run their USB flash sticks? (Reader submission)
Unless there is a need for it, being an administrator I’d rather block it! They bring all kinds of viruses to my children (the servers). Besides, it would make information leaks easier (in my workplace only the managers get external e-mail accounts + internet access, while slaves get a footprint on their butts).
Now, how can we block memory sticks without stopping other USB devices (keyboard, mouse, printer, etc.)
FOR FREE?
Plain and Simple:
Windows Registry. All you have to do is run regedit, then browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Disable USB storage: set the value (Start) to 4
Enable USB storage: set the value (Start) to 3
Too geeky for you? There are some cool free tools with a GUI that can share your burden. One is called
USB Drive Disabler:
http://www.intelliadmin.com/Downloads.htm
Also, to enable/disable remotely, there is USB Remote Drive Disabler (you need admin privileges, of course).
There are also similar ones to enable/disable CD and floppy.
Ohhh and one more thing: if you want to enable USB storage but only for reading (said to be working on WinXP SP2 only) then browse to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
then right-click > New > DWORD Value, name it WriteProtect and give it a value of 1 for read-only, 0 for read/write.
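The two registry settings above, scripted so they can be audited and applied the same way on every machine. This is an added PowerShell example, not part of the original submission; the function names Get-RegDword, Get-UsbStoragePolicy and Set-UsbStoragePolicy are hypothetical, and it assumes an elevated prompt.

```powershell
# Added example. Function names are hypothetical; run from an elevated prompt.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-RegDword([string]$Key, [string]$Name) {
    # Return the value, or $null when the key or the value does not exist.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UsbStoragePolicy {
    # Read-only audit of the two settings; changes nothing.
    $start = Get-RegDword $UsbStorKey 'Start'
    $wp    = Get-RegDword $PolicyKey  'WriteProtect'
    if     ($null -eq $start) { $driver = 'UsbStor key or Start value missing' }
    elseif ($start -eq 4)     { $driver = 'Disabled' }
    elseif ($start -eq 3)     { $driver = 'Enabled' }
    else                      { $driver = "Other start type ($start)" }
    $access = if ($wp -eq 1) { 'Read-only' } else { 'Read/Write' }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; UsbStorStart = $start; Driver = $driver
        WriteProtect = $wp; Access = $access
    }
}

function Set-UsbStoragePolicy {
    param([Parameter(Mandatory = $true)]
          [ValidateSet('Disabled', 'ReadOnly', 'ReadWrite')]
          [string]$Mode)
    if (Test-Path $UsbStorKey) {
        # Start = 4 disables the USB storage driver, 3 enables it.
        $start = if ($Mode -eq 'Disabled') { 4 } else { 3 }
        New-ItemProperty -Path $UsbStorKey -Name Start -Value $start -PropertyType DWord -Force | Out-Null
    } else {
        Write-Warning 'UsbStor key not found on this machine; Start was not set.'
    }
    if ($Mode -ne 'Disabled') {
        # WriteProtect = 1 is read-only, 0 is read/write; create the key if it is absent.
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        $wp = if ($Mode -eq 'ReadOnly') { 1 } else { 0 }
        New-ItemProperty -Path $PolicyKey -Name WriteProtect -Value $wp -PropertyType DWord -Force | Out-Null
    }
    Get-UsbStoragePolicy   # show the resulting state
}

Get-UsbStoragePolicy       # audit only; use Set-UsbStoragePolicy -Mode Disabled to apply
```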
Thanks Mohamed Alreafi for the awesome email! What do you guys do to block or lock down USB devices?



about 2 years ago
Dude, this is brilliant. Thanks!!
about 2 years ago
We use the registry to block all USB Memory sticks. Only users with a need such as a camera for work related pictures have it opened. We also disable CD burning, although CD read is still open for all.
about 2 years ago
Care to share the keys with us you used to block burning?
about 2 years ago
Sure
Basically the same as you have listed, but with a couple of additions for the overkill feature :)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Start = 4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
WriteProtect = 1
Then I also stopped and disabled the “Removable Storage” service.
Also I assigned the deny permission to all users including the system account (since the machine will use system if no user is logged on yet) on the files usbstor.inf and usbstor.pnf in the C:\Windows\INF folder to prevent initial installation.
For removing CD burning features I added group policy “User Config / Admin Temp / Windows Components / Windows Explorer / Remove CD Burning features” and ensured that no burning software such as Nero, etc. is installed.
MS also has this KB for group policy template which I have not tried yet.
http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
about 2 years ago
Thanks Aaron – if you are ever itching to blog, we would love to have you write some guest posts on your environment! Thanks for reading.