Comments on: Should users be allowed to run their USB flash sticks? (Reader submission) http://www.asktheadmin.com/2009/05/should-users-be-allowed-to-run-their-usb-flash-sticks-reader-submission.html Fri, 03 Feb 2012 06:08:50 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Karl L. Gechlik | AskTheAdmin.com http://www.asktheadmin.com/2009/05/should-users-be-allowed-to-run-their-usb-flash-sticks-reader-submission.html/comment-page-1#comment-10197 Karl L. Gechlik | AskTheAdmin.com Tue, 05 May 2009 18:17:40 +0000 http://www.asktheadmin.com/?p=1938#comment-10197 Thanks Aaron - if you are ever itching to blog. We would love to have you write some guest posts on your enviroment! Thanks for reading. Thanks Aaron – if you are ever itching to blog. We would love to have you write some guest posts on your enviroment! Thanks for reading.

]]> By: Aaron http://www.asktheadmin.com/2009/05/should-users-be-allowed-to-run-their-usb-flash-sticks-reader-submission.html/comment-page-1#comment-10195 Aaron Tue, 05 May 2009 14:43:43 +0000 http://www.asktheadmin.com/?p=1938#comment-10195 Sure Basically the same as you have listed, but with a couple of additions for the overkill feature :) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor Start = 4 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies WriteProtect = 1 Then I also stopped and disabled the "Removable Storage" service. Also I assigned the deny permission to all users including the system account (since the machine will use system if no user is logged on yet) on the files usbstor.inf and usbstor.pnf in the C:\Windows\INF folder to prevent initial installation. For removing CD burning features I added group policy "User Config / Admin Temp / Windows Components/Windows Explorer / Remove CD Burning features" and ensured that no burning software such as Nero, etc is installed. MS also has this KB for group policy template which I have not tried yet. http://support.microsoft.com/default.aspx?scid=kb;en-us;555324 Sure

Basically the same as you have listed, but with a couple of additions for the overkill feature :)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Start = 4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
WriteProtect = 1

Then I also stopped and disabled the “Removable Storage” service.

Also I assigned the deny permission to all users including the system account (since the machine will use system if no user is logged on yet) on the files usbstor.inf and usbstor.pnf in the C:\Windows\INF folder to prevent initial installation.

For removing CD burning features I added group policy “User Config / Admin Temp / Windows Components/Windows Explorer / Remove CD Burning features” and ensured that no burning software such as Nero, etc is installed.

MS also has this KB for group policy template which I have not tried yet.
http://support.microsoft.com/default.aspx?scid=kb;en-us;555324

]]> By: Karl Gechlik http://www.asktheadmin.com/2009/05/should-users-be-allowed-to-run-their-usb-flash-sticks-reader-submission.html/comment-page-1#comment-10194 Karl Gechlik Tue, 05 May 2009 14:13:36 +0000 http://www.asktheadmin.com/?p=1938#comment-10194 Care to share the keys with us you used to block burning? Care to share the keys with us you used to block burning?

]]> By: Aaron http://www.asktheadmin.com/2009/05/should-users-be-allowed-to-run-their-usb-flash-sticks-reader-submission.html/comment-page-1#comment-10193 Aaron Tue, 05 May 2009 14:03:29 +0000 http://www.asktheadmin.com/?p=1938#comment-10193 We use the registry to block all USB Memory sticks. Only users with a need such as a camera for work related pictures have it opened. We also disable CD burning, although CD read is still open for all. We use the registry to block all USB Memory sticks. Only users with a need such as a camera for work related pictures have it opened. We also disable CD burning, although CD read is still open for all.

]]> By: chugger http://www.asktheadmin.com/2009/05/should-users-be-allowed-to-run-their-usb-flash-sticks-reader-submission.html/comment-page-1#comment-8646 chugger Mon, 04 May 2009 08:01:14 +0000 http://www.asktheadmin.com/?p=1938#comment-8646 Dude, this is brilliant. Thanks!! Dude, this is brilliant. Thanks!!

]]>