Prevent users from connecting to a USB storage device

on
To prevent users from connecting to USB storage devices, use one or more of the following procedures, as appropriate for your situation.

If a USB storage device is not already installed on the computer

If a USB storage device is not already installed on the computer, assign the user or the group Deny permissions to the following files:
  • %SystemRoot%\Inf\Usbstor.pnf
  • %SystemRoot%\Inf\Usbstor.inf
When you do this, users cannot install a USB storage device on the computer. To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:
  1. Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
  2. Right-click the Usbstor.pnf file, and then click Properties.
  3. Click the Security tab.
  4. In the Group or user names list, click the user or group that you want to set Deny permissions for.
  5. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

    Note Also add the System account to the Deny list.
  6. Right-click the Usbstor.inf file, and then click Properties.
  7. Click the Security tab.
  8. In the Group or user names list, click the user or group that you want to set Deny permissions for.
  9. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

If a USB storage device is already installed on the computer


If a USB storage device is already installed on the computer, you can change the registry to make sure that the device does not work when the user connects to the computer.

To fix this problem automatically. Download from microsoft .
Notes
  • This wizard is temporarily in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.

To fix this problem manually ,
If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
When you do this, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
  4. In the details pane, double-click Start.
  5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
  6. Exit Registry Editor.

APPLIES TO
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)

Comments

Dynamics AX associate said…
This could be very handy if you are responsible for the computing environment of an organisation. I supposed USB Storage is the most vulnerable entry point for malicious software.

However, it is good to have the ban included in your Acceptable Use Policy. Otherwise, you may get endless calls claiming the system is faulty.
March 19, 2009 at 3:32 AM
Post a Comment