Prevent Installation of Removable Storage Devices

Status
Not open for further replies.

star_topology

In Runtime
Messages
195
As some of you may know, *looks for Inaris* I've been working on a pretty extensive Group Policy. It is in the early stages of implementation, and I would like to prevent the automatic installation of drivers for removable storage devices (USB pen/jump drives).

I looked around the GPEdit and found a security setting that might be it, but I'm not sure. I've also Googled it and only found software programs that accomplish what I want to do through simple policy... It's funny how companies produce software that automatically completes tasks that a network admin could do in a few minutes after a little research. But I digress...

How can I keep my lovely little users (they are high school students) from popping in a USB storage device and prevent Windows XP Pro from automatically installing it and allowing them to play their SNES emulators, music videos, etc?
 
Blocking access to USB storage devices is done in one of two ways. The first procedure is for systems that have not had a USB storage device installed yet, and the second for ones where a USB device has already been installed.

On Windows XP systems, the easiest way to check whether a USB storage device has already been installed is to fire up Regedit and browse to HKLM\SYSTEM\CurrentControlSet\Services. If you find a “key” (folder) here named USBSTOR, a USB storage device has already been installed.

Assuming that one hasn’t been installed, disabling future installations is quite simple. Just browse to the %systemroot%\inf folder, and look for 2 files – usbstor.inf, and usbstor.pnf.

To stop users from installing USB storage devices, open the Properties of these files to the Security tab, and then Deny the Full Control permission to the users or groups that you don’t want to be able to attach a USB drive to the system. It’s that simple.

If you find the USBSTOR key already present in the Registry, a device has already been installed. To stop these devices from functioning, you’ll want to switch its value from 3 (in hexadecimal) to 4, as shown below. Don’t forget that all the normal Registry warnings apply here – back it up first, you do this at your own risk, your computer might explode, etc.

Now, it’s obvious that this “manual” method won’t be of much help in very large environments, but it shows you how the mission is accomplished. If you want to go further with things, you could always create a fancy script to deploy these Registry and permission settings via a logon script or even Group Policy.
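The two manual procedures in the post above, combined into one script that could be deployed as a computer startup script. This is an added example, not part of the original thread or the quoted article. It assumes PowerShell is installed on the workstations (it is not present on Windows XP by default) and that the script runs with administrative rights; the group name `SCHOOL\Students` is a hypothetical placeholder. The value changed from 3 to 4 is the `Start` value of the USBSTOR service key (3 = manual start, 4 = disabled).

```powershell
# Added example: audit, and optionally apply, the two USB storage lockdown steps.
param(
    [string]$DenyGroup = 'SCHOOL\Students',  # hypothetical group; replace with your own
    [switch]$Apply                           # without -Apply the script only reports
)

$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$infFiles = 'usbstor.inf', 'usbstor.pnf' |
    ForEach-Object { Join-Path $env:SystemRoot "inf\$_" }

# Already-installed case: the USBSTOR key exists, so disable the driver service.
if (Test-Path $svcKey) {
    $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    Write-Output "USBSTOR key present, Start = $start"
    if ($Apply -and $start -ne 4) {
        Set-ItemProperty -Path $svcKey -Name Start -Value 4   # 4 = disabled
        Write-Output 'USBSTOR Start set to 4'
    }
} else {
    Write-Output 'USBSTOR key absent: no USB storage device installed yet'
}

# Not-yet-installed case: deny Full Control on the driver setup files.
foreach ($file in $infFiles) {
    if (-not (Test-Path $file)) { Write-Output "$file not found"; continue }
    $acl = Get-Acl -Path $file
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $DenyGroup
    }
    if ($denied) { Write-Output "$file already denies $DenyGroup"; continue }
    Write-Output "$file has no Deny entry for $DenyGroup"
    if ($Apply) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $DenyGroup, 'FullControl', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $file -AclObject $acl
        Write-Output "Deny Full Control added on $file"
    }
}
```

Run it once without `-Apply` to see which machines already have the USBSTOR key or the Deny entries, then again with `-Apply` to make the changes.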
 
Well, from what I can find, I would do this...

Enable a software restriction policy on the DLLs themselves, thus stopping them from running at all.

That would be the way I would do it. Then to be safe, I would stop explorer, manage and hardware from running from my computer/control panel on the machines too.

I have not looked into this too much, but by blocking the USB DLLs, you prevent the USB subsystem from loading. This is the only way I can find in GP that can control it without changing rights to files and individual registry keys.

Good luck

FYI, warez knows how to use google...
Text is from here...
http://www.2000trainers.com/article.aspx?articleID=318&page=1

Also found this...
http://www.networkworld.com/news/2005/080805-usb-blocking.html
 