How to disable USB sticks and limit access to USB storage devices on Windows systems

Submitted by Hannes Schmidt on Sat, 08/20/2005 - 09:50.

USB storage - a possible security risk?

Decent IT administrators secure their networks behind firewalls. They install mail filters on their SMTP servers and deploy anti-virus software on all client workstations. But securing the network is not sufficient -- what happens if the users bring their own USB memory sticks and connect them to the computers at their office? A 1 Gb USB stick can sometimes hold an entire company's vital data. Within minutes or even seconds an employee has all the files they need in order to start up their own business and take all the customers with them. Alternatively, what happens if a careless user accidentally compromises the network with an infected USB stick?

What does Microsoft have to say about it?

If you, the administrator, want to establish a minimum level of security, it is absolutely necessary to control which users can connect USB memory sticks to a computer. Unfortunately, a default Windows XP or Windows 2000 installation comes with no limitations on who is able to install and use USB storage media. Microsoft knowledge base article 823732 contains instructions on how to disable USB storage access for a certain group of users; however, the article only distinguishes between whether or not a USB storage device has been installed on a particular computer. Furthermore, the instructions are limited to a stand-alone computer. According to the general rule of thumb "If it's tedious, there is a better way", I try to avoid techniques that force me to repeat certain tasks for each computer that I manage. That's what group policy objects (GPO) are for.

Suggestions?

Mark Heitbrink describes how to disable USB storage devices entirely on all or some computers in the network. He employs an ADM template in a group policy object that disables the USB storage driver (USBSTOR). The ADM template simply sets the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 4 (Disable). But his technique has a serious drawback. It only works if the USB storage driver is already installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time. In that case, USBSTOR remains enabled until the GPO is re-applied, usually at the next reboot. If the storage device is plugged in during that reboot, it will still be available because the USBSTOR driver is started before any GPOs are processed.

The Howto!

If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being installed unless the currently logged on user is allowed to use USB storage. We do that by restricting access to USBSTOR.INF and USBSTOR.PNF in a GPO such that PNP can't automatically install the driver. This is possible because when PNP installs a driver, the installation is performed using the privileges of the currently logged on user. Secondly, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.

  1. In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects.
  2. In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually %SystemRoot%\Inf\USBSTOR.INF).
  3. Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any privileges to Everyone. You do not need to explicitly deny access – just omit an entry for Everyone. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.
  4. Repeat the above two steps for USBSTOR.PNF.
  5. Download USBSTOR.ADM.
  6. Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog.
  7. You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double click it, select Enabled and pick Disabled from the Startup Type drop down. Again, the policy must be Enabled whereas Startup Type must be Disabled.
  8. Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB storage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also ok if the UsbStor key doesn't exist at all.
  9. On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick.
  10. Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation, in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly, but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking USBSTOR.REG as well as executing net stop usbstor.
  11. Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device.
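As an added example that is not part of the original article, the following PowerShell script automates the manual checks of step 8 on a workstation: it inspects the ACLs of USBSTOR.INF and USBSTOR.PNF for a leftover Everyone entry and reads the UsbStor\Start value. It assumes PowerShell is available on the client, that the driver files live in %SystemRoot%\Inf as stated above, and that it is run with administrative rights.

```powershell
# Added example, not part of the original article: automates the manual checks
# of step 8 on a workstation after the GPO has been applied and the box rebooted.
# Assumptions: PowerShell is available on the client, the driver files are in
# %SystemRoot%\Inf as the article states, and the script runs with admin rights.

$infDir      = Join-Path $env:SystemRoot 'Inf'
$infFiles    = @('USBSTOR.INF', 'USBSTOR.PNF') | ForEach-Object { Join-Path $infDir $_ }
$startKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$everyoneSid = 'S-1-1-0'   # well-known SID of Everyone, independent of the OS language

function Test-UsbStorFileAcl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        return "MISSING  $Path (file not present, PnP cannot install USBSTOR from it)"
    }
    $acl = Get-Acl -Path $Path
    # Step 3 says the GPO ACL carries no entry for Everyone at all. If one is
    # still present, the file-system part of the GPO has not been applied.
    $everyoneAces = @($acl.Access | Where-Object {
        try {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
        } catch { $false }
    })
    if ($everyoneAces.Count -gt 0) {
        $rights = ($everyoneAces | ForEach-Object { $_.FileSystemRights }) -join ', '
        return "FAIL     $Path still grants '$rights' to Everyone"
    }
    $allowed = ($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }) -join ', '
    return "OK       $Path allows only: $allowed"
}

function Test-UsbStorStartValue {
    # Step 8: Start must be 4 (Disabled). A missing UsbStor key is fine too,
    # it just means USBSTOR has never been installed on this machine.
    if (-not (Test-Path -Path $startKey)) {
        return 'OK       UsbStor key absent (driver never installed)'
    }
    $start = (Get-ItemProperty -Path $startKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) {
        return 'WARN     UsbStor key exists but has no Start value'
    }
    switch ($start) {
        4       { return 'OK       UsbStor\Start = 4 (Disabled)' }
        3       { return 'FAIL     UsbStor\Start = 3 (Manual): PnP reset it, reboot so the ADM template is reapplied' }
        default { return "FAIL     UsbStor\Start = $start (expected 4)" }
    }
}

# Run the three checks and print one line each; any FAIL means the policy
# is not in effect on this workstation and the GPO needs troubleshooting.
$infFiles | ForEach-Object { Test-UsbStorFileAcl -Path $_ }
Test-UsbStorStartValue
```

A FAIL on the ACL check points at the file system part of the GPO, a FAIL on the Start value at the ADM template or a pending reboot, which is the split the troubleshooting tips in the comments below also use.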
Attachments: usbstore.adm (530 bytes), usbstore.reg (258 bytes)
Categories: Windows | Administrator
Submitted by Anonymous on Sat, 05/10/2008 - 20:42.
Hello All, I'm also facing some problems disabling USB storage on the network... let me explain my scenario.... We have Windows 2003 Server as DC and workstations as Win 2000 Pro, Win XP Pro, and also recently we have added a couple of Win Vista machines. So, could anyone suggest how I can disable USB mass storage devices on all systems through GPO under User Configuration ... admin templates, but they should still be able to use USB keyboards and mice. Thanks in advance, Sridhar
Submitted by Anonymous on Wed, 01/30/2008 - 06:11.
Pretty much. Once I installed a Verbatim USB, and after completing the installation I tried with another USB of the same Verbatim type. The second USB could not install and so did not work, while the first one was working fine.
Submitted by Anonymous on Thu, 01/24/2008 - 18:58.
Was just wondering, tried this method on a test group, all looked good, but when I ran gpupdate, then gpresult, it showed the GPO was rejected, empty. Any ideas?
Submitted by Anonymous on Fri, 01/18/2008 - 01:47.
Try the following registry entry which allows only read access to the user. The user cannot copy data from the machine to any portable USB disk, but other USB devices (KB, mouse) work fine. Make a new key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies and create the following value (DWORD): WriteProtect and give it a value of 1. Done! But this works only on Windows XP SP2.
Submitted by Hannes Schmidt on Thu, 01/17/2008 - 15:56.
Thanks for suggesting that method. Are you positive that it really only allows one type of USB device and not the entire class of devices supported by a driver? -- Hannes
Submitted by Anonymous on Thu, 01/17/2008 - 04:24.
To give usage to only one device I use this way. First you uninstall every device installed previously, if there are any. At the cmd prompt you give these 2 commands: set devmgr_show_nonpresent_devices=1 and start devmgmt.msc. The first command will let you see installed drivers that are not present on the system at the moment when you start the Device Manager, which is done by the second command. When the DM is started you go to View - Show hidden devices and then under storage devices you can see all the drivers that have been installed. Uninstall them all if there are any. After this you plug in the device that you will use on that PC. After the driver is installed, you disable access to everyone on USBSTOR.*. In this method you cannot use the reg file since that will disable every USB device that has been installed. The good of this is that you let people use the USB and you also limit others from using USBs on that PC. Also the USB devices each have their own code of installation, so even if they are the same type, only the allowed device can work on that PC.
Submitted by Anonymous on Mon, 01/14/2008 - 19:15.
We are a small company without an IT department, and we want to block the evil USB port. Currently we block untrusted USB devices with MyUSBOnly, found here. It works without an IT administrator, it just prompts you for a password when an untrusted USB is inserted into a computer.
Submitted by Anonymous on Thu, 12/20/2007 - 04:40.
At the office where I work, the admins use this software http://www.gfi.com/endpointsecurity/ and it seems to be doing the job! I can't even connect my iPod to transfer some music and files to my office pc. They can assign who can use external devices and what they use.
Submitted by Anonymous on Tue, 12/04/2007 - 09:59.

We use another way of blocking USB devices. Our desktop management system, Desktop Authority, handles this task quite well. After upgrading to the new version several weeks ago we have some nice new abilities for managing unauthorized access to USB ports. Now we can block or allow only particular devices by their serial numbers or manufacturer IDs.

Submitted by Anonymous on Tue, 08/21/2007 - 06:54.

Hi,
This is the exact post that I was trying to find. I did all the steps as mentioned above. It is not working for me.. I can see 'Services and Drivers' under Administrative Templates. I can enable 'USB Storage'. But it is in red color. But it is showing 'Enabled' under Settings. What could be the problem..? Can you please help me out...?

Submitted by Anonymous on Wed, 08/08/2007 - 21:35.

Hi Hannes and expert,
A system error 1058 occurred while executing "net start usbstor" at the command prompt. The explanation given is "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."

I have double confirmed that the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start is set to 0x0000000(4) after rebooting the machine.

I appreciate your assistance on this matter.

Jeff Q

Submitted by Anonymous on Tue, 08/07/2007 - 03:47.

I can confirm this works. I had to figure that out for myself, but adding an additional line at the end corrects the above issue. Follow the step-by-step guide (PCs 'must' be rebooted, as the policy you are applying is to computers on the network and policies are applied on connection to a network, which happens during the boot-up process).

FYI - running the 'net start usbstor' command will error if there is no USB device plugged in. Just run the command with the usb storage device plugged in and all should be well :)

Minh N.

Submitted by Hannes Schmidt on Mon, 08/06/2007 - 05:55.

Hi Jeff,

Are you by any chance using 2k3 with Group Management Console SP1? If so, try adding an empty line at the end of the ADM file. See this post for details. I also changed the file attached to this article to include a newline at the end.

-- Hannes

Submitted by Anonymous on Sun, 08/05/2007 - 23:54.

Hi Hannes,
The following error occurred while I was performing step 7 as written by you. The error message is as below:
----------------------------------------------------------------------
\\domain.com\SysVol\domain.com\Policies\{02F4FCEF-6DF0-4030-961F-32A95E778085}\aDM\USBSTOR.ADM ONLINE 17:

eRROR 51 unexpected keyword

Found: CATEGOR
Expected: CATEGORY

The file can not be loaded
----------------------------------------------------------------------

I have double confirmed that "CATEGORY" is written correctly in the usbstor.adm file (line 17), but I have no idea why the system found it spelled wrongly. I really appreciate your assistance on this matter. Thanks

Jeff

Submitted by Anonymous on Thu, 07/05/2007 - 07:00.

Hi there, I read your article. Thanks for such wonderful efforts. I am creating an application in which I want to enable and disable the USB drive. I tried it in the following way. I changed the registry entries for Start and ImagePath under the key HKEY_LOCAL_MACHINE/system/current control set/services/USBSTOR. But I need to restart the computer for these changes to take effect. How should I avoid restarting the system? Is there any Windows service to be stopped? When I tried to use net stop usbstor, it gives me an error that it can't execute this command.
Can you please let me know how I can do it?
My requirement is something like this.

(1) USB1 is inserted in USB port1.
(2) Run [my exe] USB.exe (Parameter as disable).
(3) Insert another USB i.e. USB 2 in usb port 2. It should be disabled.
(4) Again Run USB.exe (parameter as enable).
(5) Insert USB. It should be enabled.

Kindly reply as early as you can as this is very urgent for me.
Thanks in advance.
Abhijit

Submitted by Hannes Schmidt on Tue, 05/22/2007 - 23:24.

The solution described here did work for me. Otherwise I wouldn't have written this article. But everyone's mileage varies. I'm happy to hear that you found a solution that works for you.

-- Hannes

Submitted by Anonymous on Tue, 05/22/2007 - 04:58.

Yes, I was right, locking files won't work. Here's a kind of solution:
http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html
Drony

Submitted by Anonymous on Tue, 05/22/2007 - 03:57.

Hannes,
I think you are not quite right. I assume that the PNP driver is installed by the System account that has F rights to both the registry and the files mentioned. I'm still playing with it, but I can't stop USB from working under regular accounts.
Actually, the only thing we need is to prevent the SYSTEM account from writing to the HKLM\SYSTEM\CurrentControlSet\Services\USBStor\Start _value_, but we can restrict writing to the _key_ only, so SYSTEM would not be able to install the driver even for permitted users.
So far I can't find the solution...
Drony

Submitted by Anonymous on Fri, 05/04/2007 - 03:19.

I am having some problems getting this to work. The GPO seems to be being applied correctly, the security permissions on the two files mentioned are correct, and the registry key is set to 4.
However, when I log on as a standard user the usb keys work. If I then log on as an administrator again, the key has changed back to 3.

Any ideas would be greatly appreciated

Alex

Submitted by Hannes Schmidt on Sat, 04/07/2007 - 00:37.

I don't quite agree with your line of reasoning here and usually I don't tolerate "URL drops" in comments but I'll make an exception this time because the software you mention seems legit and has its purpose.

-- Hannes

Submitted by Anonymous on Thu, 04/05/2007 - 13:20.

We don't want to roll out any settings through GPOs that aren't easy to roll back or control on a per-PC basis so we're gonna update our PCs remotely using a great FREE utility by IntelliAdmin:

http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html

It is free, changes the USBSTOR registry setting, and renames the usbstor.inf and usbstor.pnf files so the driver won't work. Also, it is easily reversible with the same utility and I don't have to leave my chair to hit every PC in the domain. I love it!

Submitted by Anonymous on Thu, 02/15/2007 - 16:45.

Unfortunately the block works fine for USB pen drives and hard disks, but today phones can be connected to synchronize with email and used as storage devices. Windows XP does not understand that phones are also storage devices.

Submitted by Anonymous on Tue, 01/09/2007 - 22:51.

Hi,

The USBstore.reg is really working for me, but only when executed on local systems. I am planning to convert it to an MSI package and implement it through GP on 2003.

If it works it would be great for me.

Thanks & Regards,
Aravind

Submitted by Anonymous on Thu, 12/21/2006 - 16:51.

Have a look at www.securewave.com they have a tool called Sanctuary Device Control: it is extremely secure and allows customised access to certain brands / models of usb keys. it also allows you to encrypt usb keys as soon as they are plugged in. NICE!

Submitted by Anonymous on Wed, 11/29/2006 - 15:46.

I am having the same problem as Derek, my clients are XP machines and I can see that the GPO is being applied correctly but I can still add new USB devices to the computer.

Submitted by Hannes Schmidt on Tue, 10/17/2006 - 08:47.

You can grant users the right to control a service using the Security Settings - System Services setting of a Group Policy. This is a starter How To Configure Group Policies to Set Security for System Services

-- Hannes

Submitted by Anonymous on Tue, 10/17/2006 - 04:34.

Hello!

You say: "The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices." OK, but how can a user who is not a member of the administrators group do that? When I log in and type "net start usbstor" I get an "access denied" message. And when I log in with administrative rights the message is: "service is disabled or..." OK, that's correct because the registry is set to 4 (disable). In this situation you must, after "net start...", place a new registry value, and (is a reboot necessary?) then start the service? So this article is good for completely disabling USB storage, or maybe I did not read carefully...

PS: sorry, English is not my native language.

greets

Submitted by Hannes Schmidt on Wed, 08/23/2006 - 23:35.

Have you actually tried it? Because this article is about disabling usbstor.sys which stands for USB storage. Usbstor.sys is not responsible for talking to HID devices. I have used this method on plenty of boxes with both USB mouse and keyboard. If it disables your USB mouse/keyboard you must have either picked the wrong file or something else is messed up on your system. Sorry.

-- Hannes

Submitted by Anonymous on Wed, 08/23/2006 - 07:14.

It seems this method also blocks USB keyboards and USB mice. Many PCs today do not have a PS2 port anymore for keyboard and mouse. Therefore a USB port must be used. How to distinguish between an allowed keyboard and a forbidden USB memory stick?

Submitted by Anonymous on Mon, 05/22/2006 - 07:21.

Sorry - just discovered the check box to un-check in 'View' - doh!

Submitted by Anonymous on Mon, 05/22/2006 - 04:20.

This is just what we are looking for. The only thing is the 'usbstor.adm' is not merging completely. The "Security and Devices" heading is going in, but no 'parts'. Also I noticed that the final line in the file was not 'terminated', so I just pressed 'Return' to go to a new line; then it went into AD, but still no 'parts'.

Submitted by Anonymous on Fri, 05/19/2006 - 02:58.

I'm also facing the same problem on Windows 2003 Server. Can you people help me out with this problem?

Submitted by Hannes Schmidt on Tue, 04/25/2006 - 11:23.

Hi Derek,

I have some troubleshooting tips for you. Verify the security settings of USBSTOR.INF and .PNF on the local hard drive. If they are readable by anyone without admin rights, the GPO is not applied correctly or the GPO's file system security settings are not set up properly. The reasons for a GPO not being applied are manifold. Microsoft's gpresult tool may help here.

Also verify that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start is really set to 4. If it isn't, either a reboot is necessary or the GPO is not applied.

Last but not least, if you're trying to restrict access to USB storage connected to your server you do NOT need to use GPOs. The GPO solution is really only necessary for multiple clients. If you are trying to do this only for the server, it's enough to set the above registry value and restrict the security settings of USBSTOR.INF and .PNF on the server drive. OTOH, I have never used this on WS2003 so this technique might not work. But if you ARE doing this for many clients, you should do it via GPOs and in that case it doesn't really matter what OS the server runs, as long as the GPOs are applied.

-- Hannes

Submitted by Anonymous on Tue, 04/25/2006 - 08:44.

I have had some troubles getting this to work with Windows Server 2003 and active directory. Everything seems to install properly but the usb stick is still able to be used. My account does not have admin rights and is still able to use the USB stick. We also removed everyone and the only people that have access are the system and admins.

Derek Warner