Should users be allowed to run their USB flash sticks? (Reader submission)
Unless there is a need for it, being an administrator I’d rather block it! They bring all kinds of viruses to my children (the servers). Besides, it would make information leaks easier (in my workplace only the managers get external e-mail accounts + internet access, while slaves get a foot print on their butts).
Now, how can we block memory sticks without stopping other USB devices (keyboard, mouse, printer, etc.)
FOR FREE?
Plain and Simple:
Windows Registry: all you have to do is run regedit, then browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Disable USB storage: set the key (Start) to 4
Enable USB storage: set the key (Start) to 3
Too geeky for you? There are some cool free tools with a GUI that can share your burden, called
USB Drive Disabler:
http://www.intelliadmin.com/Downloads.htm
Also, to enable/disable remotely: USB Remote Drive Disabler (you need admin privilege, of course).
There are also similar ones to enable/disable CD and floppy.
Ohhh, and one more thing: if you want to enable USB storage but only for reading (said to be working on WinXP SP2 only), then browse to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
then right-click > New > DWORD Value, name it WriteProtect, and give it a value of 1 for read-only, 0 for read/write.
Thanks Mohamed Alreafi for the awesome email! What do you guys do to block or lock down USB devices?
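
The two registry settings from the email, as an added PowerShell example (not part of the reader's email or of the comments below). The -Mode parameter and its values are names made up for this example; it assumes Windows PowerShell 3.0 or later and an elevated prompt for any mode other than Audit.

```powershell
# Added example, not from the original post. -Mode and its values are
# hypothetical names chosen for this script.
param(
    [ValidateSet('Audit', 'Block', 'Allow', 'ReadOnly')]
    [string]$Mode = 'Audit'
)

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Set-WriteProtect([int]$Value) {
    # The post creates WriteProtect by hand; create the policy key if absent.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -Value $Value -Type DWord
}

function Set-UsbStorStart([int]$Value) {
    # Never create the service key: a missing key is reported, not invented.
    if (Test-Path $UsbStorKey) {
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value $Value -Type DWord
    } else {
        Write-Warning "UsbStor key not found on $env:COMPUTERNAME; Start not changed."
    }
}

switch ($Mode) {
    'Block'    { Set-UsbStorStart 4 }
    'Allow'    { Set-UsbStorStart 3; Set-WriteProtect 0 }
    'ReadOnly' { Set-UsbStorStart 3; Set-WriteProtect 1 }
}

# Report the resulting state in every mode so the change can be verified.
$start = Get-RegDword $UsbStorKey 'Start'
$wp    = Get-RegDword $PolicyKey 'WriteProtect'
if     ($null -eq $start) { $state = 'UsbStor key or Start value missing' }
elseif ($start -eq 4)     { $state = 'USB storage blocked' }
elseif ($wp -eq 1)        { $state = 'USB storage read-only' }
else                      { $state = 'USB storage read/write' }

[pscustomobject]@{ Computer = $env:COMPUTERNAME; UsbStorStart = $start
                   WriteProtect = $wp; State = $state }
```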




May 4, 2009 - 12:01 am
Dude, this is brilliant. Thanks!!
May 5, 2009 - 6:03 am
We use the registry to block all USB memory sticks. Only users with a need, such as a camera for work-related pictures, have it opened. We also disable CD burning, although CD read is still open for all.
Karl Gechlik Reply:
May 5th, 2009 at 6:13 am
Care to share the keys with us you used to block burning?
May 5, 2009 - 6:43 am
Sure
Basically the same as you have listed, but with a couple of additions for the overkill feature :)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Start = 4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
WriteProtect = 1
Then I also stopped and disabled the “Removable Storage” service.
Also I assigned the deny permission to all users including the system account (since the machine will use system if no user is logged on yet) on the files usbstor.inf and usbstor.pnf in the C:\Windows\INF folder to prevent initial installation.
For removing CD burning features I added group policy “User Config / Admin Temp / Windows Components / Windows Explorer / Remove CD Burning features” and ensured that no burning software such as Nero, etc. is installed.
MS also has this KB for group policy template which I have not tried yet.
http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
Karl L. Gechlik | AskTheAdmin.com Reply:
May 5th, 2009 at 10:17 am
Thanks Aaron – if you are ever itching to blog, we would love to have you write some guest posts on your environment! Thanks for reading.