Disable Usage of USB storage Devices

Hi,

I want to disable the USB storage devices and at the same time USB keyboard and
mouse should work. This will help to solve the security problem of data
transfer to and from USB storage devices. I don't want to use any third-party
software. If anybody knows how to do it in Windows 2000 please share it.

Thanks & regards
Joby
 
Joby Emmanuel said:
Hi,

I want to disable the USB storage devices and at the same time USB
keyboard and mouse should work. This will help to solve the security
problem of data transfer to and from USB storage devices. I don't
want to use any third-party software. If anybody knows how to do it
in Windows 2000 please share it.

Thanks & regards
Joby

A couple of days ago we had a similar question. The end result was that this
couldn't be done natively within the OS but could be done with third party
applications. However, in your case you don't want to be able to allow
administrators to use USB flash devices or the like so there might be a way.
What you could do, assuming the devices are currently installed, is simply
disallow the user groups to add hardware. How to do this?

Check this link:

http://windows.about.com/library/tips/bltip199.htm

It's a rather quick and dirty method of doing it but it should do the trick.

Galen
 
There is no effective solution using the native operating system. You might
look at using computer cases that block access to the USB ports while still
allowing the needed USB devices to be attached. There are also adapters that
allow USB keyboards and mice to work with PS/2 ports so that you can then
disable USB ports in CMOS or make sure that the user does not otherwise have
access to the USB ports. Ultimately you need to trust your users to some
degree and have a user policy that is strictly enforced. A determined user
that wants the data will more than likely get it one way or another such as
emailing it to himself, using printscreen, digital camera,
stealing/borrowing hard drive, etc. There is a registry entry for XP SP2
that is supposed to prevent writing to USB drives/devices from the operating
system as shown below. Others claim to have created .adm files with registry
entries to disable USB storage based on suggestions in the KB link below.
When I tried them they did not work in a consistent manner which would be
unacceptable to me. Also beware that there are free third-party bootable
operating systems on CD-ROM such as Knoppix and Bart's PE that could allow a
user to bypass any restriction of the authorized installed operating system.
You should prevent users from booting from any device other than the system
hard drive.

--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx
-- source of info below.
This feature provides the ability to set a registry key that will prevent
write operations to USB block storage devices, such as memory sticks. When
this registry key is enabled, the devices function only as read-only
devices. You can implement this setting as part of a security strategy to
prevent users from transporting data using these devices.

Who does this feature apply to?
  • Users who do not want data to be written from their computer to a
    USB storage device.
  • IT professionals who want to implement organization controls over
    the use of USB block storage devices

What settings are added or changed in Windows XP Service Pack 2

Setting name:    WriteProtect
Location:        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
Default value:   DWORD=0
Possible values: 0 - Disabled
                 1 - Enabled
 
Hi Galen

Thanks for the info. I found another way to do it and I am testing it. Will
update you if it is working fine.
Regards
Joby
 
Hi Steven.

Thanks for the info. I found another way to do it and am testing it. If
successful, will update you.

Regards
Joby
 
In Joby Emmanuel <Joby (e-mail address removed)> had this to say:

My reply is at the bottom of your sent message:
Hi Galen

Thanks for the info. I found another way to do it and I am testing
it. Will update you if it is working fine.
Regards
Joby

Joby,

I'd be interested in knowing what other solutions you come up with. Thanks
for offering to let us know. Really... This is a semi-oft asked question
and needs a good solid answer.

Galen
 
Hi Galen
After making the following registry changes none of the USB storage devices
are getting detected (USB keyboard + mice are working fine). Please check it
on your side and let me know whether it is working or not.

Regards
Joby

Set the following reg key to 4 (will disable the startup mode for the USB
storage service)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000003    ----> Change 3 to 4

and remove the SYSTEM account from USBSTOR security (add Everyone read and
Administrators full control)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]
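
An added example, not part of the thread or any poster's code: a Python check that reads a regedit text export and reports whether the USBSTOR Start value and the XP SP2 WriteProtect value are set as described in the posts above. The sample export is constructed and the function names are hypothetical; the permission change on Enum\USBSTOR does not appear in a .reg export, so it is not checked.

```python
import re

# Constructed sample in regedit's text export (.reg) format; not from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001
'''

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


def parse_reg(text):
    """Map each key path to its dword values; names upper-cased (registry is case-insensitive)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[([^-].*)\]", line)
        if section:
            current = keys.setdefault(section.group(1).upper(), {})
            continue
        if line.startswith("["):  # "[-KEY]" deletion entry: skip it and its values
            current = None
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if value and current is not None:
            current[value.group(1).upper()] = int(value.group(2), 16)
    return keys


def audit_usb_storage(text, xp_sp2=True):
    """Return findings; an empty list means the settings match the posts above."""
    keys = parse_reg(text)
    start = keys.get(USBSTOR_KEY.upper(), {}).get("START")
    write_protect = keys.get(POLICY_KEY.upper(), {}).get("WRITEPROTECT")
    findings = []
    if start is None:
        findings.append("USBSTOR Start value missing from export")
    elif start != 4:
        findings.append(f"USBSTOR Start is {start} ({START_NAMES.get(start, 'unknown')}), expected 4")
    if xp_sp2 and write_protect != 1:  # WriteProtect exists only from XP SP2 on
        findings.append("WriteProtect is not 1: USB storage is writable")
    return findings
```

Version 5.00 exports are written as UTF-16, so decode the file before passing its text in; pass xp_sp2=False for Windows 2000 hosts, where WriteProtect does not apply.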
 