Sign in with
Sign up | Sign in
Your question

Disable Usage of USB storage Devices

Last response: in Windows 2000/NT
Share
Anonymous
a b G Storage
March 10, 2005 4:25:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

I want to disable the usb storage devices and the same time usb keyboard and
mouse should work. This will help to solve the security problem of data
transfer to and from usb storage devices. I don't want to use any thirdparty
softwares. If anybody knows how to do it in windows 2000 please share it.

Thanks & regards
Joby
March 10, 2005 12:41:09 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In news:0175ED2E-8026-44A8-AD33-DA121BB36B61@microsoft.com,
Joby Emmanuel <Joby Emmanuel@discussions.microsoft.com> had this to say:

> Hi,
>
> I want to disable the usb storage devices and the same time usb
> keyboard and mouse should work. This will help to solve the security
> problem of data transfer to and from usb storage devices. I don't
> want to use any thirdparty softwares. If anybody knows how to do it
> in windows 2000 please share it.
>
> Thanks & regards
> Joby

A couple of days ago we had a similar question. The end result was that this
couldn't be done natively within the OS but could be done with third party
applications. However, in your case you don't want to be able to allow
administrators to use USB flash devices or the like so there might be a way.
What you could do, assuming the devices are currently installed, is simply
disallow the user groups to add hardware. How to do this?

Check this link:

http://windows.about.com/library/tips/bltip199.htm

It's a rather quick and dirty method of doing it but it should do the trick.

Galen
--
Signature changed for as a moment of silence.
Rest well Alex and we'll see you on the other side.
Anonymous
a b G Storage
March 10, 2005 2:59:09 PM

Archived from groups: microsoft.public.win2000.security (More info?)

There is no effective solution using the native operating system. You might
look at using computer cases that block access to the usb ports while still
allowing the needed usb devices to be attached. There are also adapters that
allow usb keyboards and mice to work with ps2 ports so that you can then
disable usb ports in cmos or make sure that user does not otherwise have
access to the usb ports. Ultimately you need to trust your users to some
degree and have a user policy that is strictly enforced. A determined user
that wants the data will more than likely get it one way or another such as
emailing it to himself, using printscreen, digital camera,
stealing/borrowing hard drive, etc. There is a registry entry for XP SP2
that is supposed to prevent writing to usb drives/devices from the operating
system as shown below. Others claim to have created .adm files with registry
entries to disable usb storage based on suggestions in the KB link below.
When I tried them they did not work in a consistent manner which would be
unacceptable to me. Also beware that there are free third party bootable
operating systems on cdrom such as Knoppix and Bart's PE that could allow a
user to bypass any restriction of the authorized installed operating system.
You should prevent users from booting from any device other than the system
hard drive. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
http://www.microsoft.com/technet/prodtechnol/winxppro/m...
-- source of info below.
This feature provides the ability to set a registry key that will prevent
write operations to USB block storage devices, such as memory sticks. When
this registry key is enabled, the devices function only as read-only
devices. You can implement this setting as part of a security strategy to
prevent users from transporting data using these devices.

Who does this feature apply to?
. Users who do not want data to be written from their computer to a
USB storage device.

. IT professionals who want to implement organization controls over
the use of USB block storage devices


What settings are added or changed in Windows XP Service Pack 2
Setting name Location
Default value Possible values
WriteProtect
HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Control \StorageDevicePolicies
DWORD=0
0 - Disabled

1 - Enabled




"Joby Emmanuel" <Joby Emmanuel@discussions.microsoft.com> wrote in message
news:0175ED2E-8026-44A8-AD33-DA121BB36B61@microsoft.com...
> Hi,
>
> I want to disable the usb storage devices and the same time usb keyboard
> and
> mouse should work. This will help to solve the security problem of data
> transfer to and from usb storage devices. I don't want to use any
> thirdparty
> softwares. If anybody knows how to do it in windows 2000 please share it.
>
> Thanks & regards
> Joby
Related resources
Anonymous
a b G Storage
March 11, 2005 7:51:05 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Galen

Thanks for the info. I found another way to do it and I am testing it. Will
update you if it is working fine.
Regards
Joby

"Galen" wrote:

> In news:0175ED2E-8026-44A8-AD33-DA121BB36B61@microsoft.com,
> Joby Emmanuel <Joby Emmanuel@discussions.microsoft.com> had this to say:
>
> > Hi,
> >
> > I want to disable the usb storage devices and the same time usb
> > keyboard and mouse should work. This will help to solve the security
> > problem of data transfer to and from usb storage devices. I don't
> > want to use any thirdparty softwares. If anybody knows how to do it
> > in windows 2000 please share it.
> >
> > Thanks & regards
> > Joby
>
> A couple of days ago we had a similar question. The end result was that this
> couldn't be done natively within the OS but could be done with third party
> applications. However, in your case you don't want to be able to allow
> administrators to use USB flash devices or the like so there might be a way.
> What you could do, assuming the devices are currently installed, is simply
> disallow the user groups to add hardware. How to do this?
>
> Check this link:
>
> http://windows.about.com/library/tips/bltip199.htm
>
> It's a rather quick and dirty method of doing it but it should do the trick.
>
> Galen
> --
> Signature changed for as a moment of silence.
> Rest well Alex and we'll see you on the other side.
>
>
>
Anonymous
a b G Storage
March 11, 2005 7:55:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steven.

Thanks for the info. I found another way to do it and testing it. If
successful will update u.

Regards
Joby

"Steven L Umbach" wrote:

> There is no effective solution using the native operating system. You might
> look at using computer cases that block access to the usb ports while still
> allowing the needed usb devices to be attached. There are also adapters that
> allow usb keyboards and mice to work with ps2 ports so that you can then
> disable usb ports in cmos or make sure that user does not otherwise have
> access to the usb ports. Ultimately you need to trust your users to some
> degree and have a user policy that is strictly enforced. A determined user
> that wants the data will more than likely get it one way or another such as
> emailing it to himself, using printscreen, digital camera,
> stealing/borrowing hard drive, etc. There is a registry entry for XP SP2
> that is supposed to prevent writing to usb drives/devices from the operating
> system as shown below. Others claim to have created .adm files with registry
> entries to disable usb storage based on suggestions in the KB link below.
> When I tried them they did not work in a consistent manner which would be
> unacceptable to me. Also beware that there are free third party bootable
> operating systems on cdrom such as Knoppix and Bart's PE that could allow a
> user to bypass any restriction of the authorized installed operating system.
> You should prevent users from booting from any device other than the system
> hard drive. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
> http://www.microsoft.com/technet/prodtechnol/winxppro/m...
> -- source of info below.
> This feature provides the ability to set a registry key that will prevent
> write operations to USB block storage devices, such as memory sticks. When
> this registry key is enabled, the devices function only as read-only
> devices. You can implement this setting as part of a security strategy to
> prevent users from transporting data using these devices.
>
> Who does this feature apply to?
> . Users who do not want data to be written from their computer to a
> USB storage device.
>
> . IT professionals who want to implement organization controls over
> the use of USB block storage devices
>
>
> What settings are added or changed in Windows XP Service Pack 2
> Setting name Location
> Default value Possible values
> WriteProtect
> HKEY_LOCAL_MACHINE\System\
> CurrentControlSet\Control \StorageDevicePolicies
> DWORD=0
> 0 - Disabled
>
> 1 - Enabled
>
>
>
>
> "Joby Emmanuel" <Joby Emmanuel@discussions.microsoft.com> wrote in message
> news:0175ED2E-8026-44A8-AD33-DA121BB36B61@microsoft.com...
> > Hi,
> >
> > I want to disable the usb storage devices and the same time usb keyboard
> > and
> > mouse should work. This will help to solve the security problem of data
> > transfer to and from usb storage devices. I don't want to use any
> > thirdparty
> > softwares. If anybody knows how to do it in windows 2000 please share it.
> >
> > Thanks & regards
> > Joby
>
>
>
March 12, 2005 10:32:33 AM

Archived from groups: microsoft.public.win2000.security (More info?)

In news:9269558B-7B7B-4E31-94BB-49CE2A230361@microsoft.com,
Joby Emmanuel <Joby Emmanuel@discussions.microsoft.com> had this to say:

My reply is at the bottom of your sent message:

> Hi Galen
>
> Thanks for the info. I found another way to do it and I am testing
> it. Will update you if it is working fine.
> Regards
> Joby

Joby,

I'd be interested in knowing what other solutions you come up with. Thanks
for offering to let us know. Really... This is an semi-oft asked question
and needs a good solid answer.

Galen
--
Signature changed for a moment of silence.
Rest well Alex and we'll see you on the other side.
Anonymous
a b G Storage
March 13, 2005 12:05:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Galen
After making the following registry changes none of the usb storage devices
are getting detected (usb keyboard+mice is working fine). Pls check it in ur
side and let me know whether it is working or not.

Regards
Joby

Set the follwoing reg key to 4( will dsable the startup mode for usb
storage service)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000003----> Change 3 to 4

and remove system account from usbstore security( add everyone read and
Administrators full controle)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]





"Galen" wrote:

> In news:9269558B-7B7B-4E31-94BB-49CE2A230361@microsoft.com,
> Joby Emmanuel <Joby Emmanuel@discussions.microsoft.com> had this to say:
>
> My reply is at the bottom of your sent message:
>
> > Hi Galen
> >
> > Thanks for the info. I found another way to do it and I am testing
> > it. Will update you if it is working fine.
> > Regards
> > Joby
>
> Joby,
>
> I'd be interested in knowing what other solutions you come up with. Thanks
> for offering to let us know. Really... This is an semi-oft asked question
> and needs a good solid answer.
>
> Galen
> --
> Signature changed for a moment of silence.
> Rest well Alex and we'll see you on the other side.
>
>
>
!