Prevent Installation of Removable Storage Devices - Techist - Tech Forum

Go Back   Techist - Tech Forum > Computer Software > Microsoft Windows and Software
Click Here to Login
Closed Thread
Thread Tools Display Modes
Old 09-07-2005, 03:52 PM   #1 (permalink)
True Techie
Join Date: Feb 2004
Posts: 195
Question Prevent Installation of Removable Storage Devices

As some of you may know, *looks for Inaris* I've been working on a pretty extensive Group Policy. It is in the early stages of implementation, and I would like to prevent the automatic installation of drivers for removable storage devices (USB pen/jump drives).

I looked around the GPEdit and found a security setting that might be it, but I'm not sure. I've also Googled it and only found software programs that accomplish what I want to do through simple policy... It's funny how companies produce software that automatically complete tasks that a network admin could do in a few minutes after a little research. But I digress...

How can I keep my lovely little users (they are high school students) from popping in a USB storage device and prevent Windows XP Pro from automatically installing it and allowing them to play their SNES emulators, music videos, etc?

*\'Failure\' is not a four-letter word.
star_topology is offline  
Old 09-07-2005, 03:57 PM   #2 (permalink)
Techie Beyond Description
Osiris's Avatar
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris

Blocking access to USB storage devices is done in one of two ways. The first procedure is for systems that have not had a USB storage device installed yet, and the second for ones where a USB device has already been installed.

On Windows XP systems, the easiest way to check whether a USB storage device has already been installed is to fire up Regedit and browse to HKLM\SYSTEM\CurrentControlSet\Services. If you find a “key” (folder) here named USBSTOR, a USB storage device has already been installed.

Assuming that one hasn’t been installed, disabling future installations is quite simple. Just browse to the %systemroot%\inf folder, and look for 2 files – usbstor.inf, and usbstor.pnf.

To stop users from installing USB storage devices, open the Properties of these files to the Security tab, and then Deny the Full Control permission to the users or groups that you don’t want to be able to attach a USB drive to the system. It’s that simple.

If you find the USBSTOR key already present in the Registry, a device has already been installed. To stop these devices from functioning, you’ll want to switch its value from 3 (in hexadecimal) to 4, as shown below. Don’t forget that all the normal Registry warnings apply here – back it up first, you do this at your own risk, your computer might explode, etc.

Now, it’s obvious that this “manual” method won’t be of much help in very large environments, but it shows you how the mission is accomplished. If you want to go further with things, you could always create a fancy script to deploy these Registry and permission settings via a logon script or even Group Policy.

Osiris is offline  
Old 09-07-2005, 04:14 PM   #3 (permalink)
S e c u r e d
Join Date: Feb 2005
Location: Somewhere Sunny
Posts: 3,760

warez knows all !
brady is offline  
Old 09-07-2005, 04:27 PM   #4 (permalink)
Master Techie
Join Date: Oct 2003
Posts: 2,258

well, from what I can find, i would do this...

Enable a software restriction policy on the DLL's themselves, thus stopping them from running at all.

That would be the way I would do it. Then to be safe, I would stop explorer, manage and hardware from running from my computer/control panel on the machines too.

I have not looked into this too much, but by blocking the usb dlls, you prevent the usb subsystem from loading. This is the only way I can find in GP that can control it without changing rights to files and indiviual registry keys.

Good luck

FYI, warez knows how to use google...
Text is from here...

also found this...
Inaris is offline  
Closed Thread

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Copyright 2002- Social Knowledge, LLC All Rights Reserved.

All times are GMT -5. The time now is 11:01 PM.

Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2018, vBulletin Solutions, Inc.