Documente Academic
Documente Profesional
Documente Cultură
Suggestions?
Mark Heitbrink describes how to disable USB storage devices entirely on all or some
computers in the network. He employs an ADM template in a group policy object that
disables the USB storage driver (USBSTOR). The ADM template simply sets the registry
value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 4
(Disable). But his technique has a serious drawback. It only works if the USB storage driver is
already installed. If it has not yet been installed, Windows' plug & play subsystem
automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB
storage device is plugged in for the first time. In that case, USBSTOR remains enabled until
the GPO is re-applied, usually at the next reboot. If the storage device is plugged in during
that reboot, it will still be available because the USBSTOR driver is started before any GPOs
are processed.
The Howto!
If we combine Mark Heitbrink's approach with the one outlined in knowledge base article
823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being
installed unless the currently logged on user is allowed to use USB storage. We do that by
restricting access to USBSTOR.INF and USBSTORE.PNF in a GPO such that PNP can't
automatically install the driver. This is possible because when PNP installs a driver, the
installation is performed using the priviledges of the currently logged on user. Secondly, we
need to make sure that USBSTOR is not started when a USB storage device is plugged in. For
that we use Mark's ADM template. The only minor drawback of my solution is that users with
access to USB storage need to manually start USBSTOR before connecting USB storage
devices.
1. In Active Directory Users and Computers, open an existing GPO or create a new one
and open it. Use the security settings of that GPO to specify which computers it
affects.
3. Change the security settings of the new entry. The security settings that you specify
here will be enforced on the USBSTOR.INF of every computer to which the GPO is
applied. This process is not additive, which means that the previous security settings
of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore
recommended to grant full control to SYSTEM and local administrators. But unlike in
the default security settings of USBSTOR.INF, you should not grant any priviledges to
Everybody. You do not need to explicitly deny access just omit an entry for
Everybody. Optionally, you can grant read access to a certain group. Members of this
group will be able to use USB storage.
5. Download USBSTOR.ADM.
7. You should now have an additional entry called Services and Drivers in
Administrative Templates. Click on it. If it is empty, select View from the menu and
uncheck Show Policies Only. Click back on Services and Drivers in Administrative
Templates. It should now show the USB Storage policy. Double click it, select
Enabled and pick Disabled from the Startup Type drop down. Again, the policy must
be enabled wheras Startup Type must be Disabled.
8. Close the dialog as well as the GPO and boot/reboot one of your workstations. Make
sure no USB strorage device is connected to that computer. Log on with administrative
privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the
value of the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It
should be 4. It is also ok if the UsbStor key doesn't exist at all.
9. On the same workstation, log off and back on as a user that should not have access to
USB storage. Connect a USB memory stick or a similar device. Nothing should
happen. Remove the memory stick.
10. Log on as a user that should have access to USB storage and execute net start
usbstor in a command shell or at Start Run before connecting the memory stick.
The memory stick should initialized and mapped to a drive letter. If USBSTOR fails to
start, it's probably because this is the first time a memory stick is plugged into the
workstation in which case USBSTOR is not yet installed. Nevertheless, the memory
stick should be initialized and mapped correctly but you need to reboot in order to
reapply the administrative template such that USBSTOR is disabled again.
Alternatively, you can disable it manually by downloading and double clicking
USBSTOR.REG as well as executing net stop usbstor.
11. Instruct the users with access to USB storage that they need to execute net start
usbstor before they can connect a USB storage device.
Attachment Size
usbstore.adm 530 bytes
usbstore.reg 258 bytes
add new comment
( categories: Windows | Administrator )
29
It seems Microsoft has changed this for Windows 7... and almost none of the sites with
instructions have been updated to include the new 7-specific instructions (the old method--
even for Vista--didn't work in 7). Here are the new GPO settings you also need to use if you
have Windows 7 clients:
Computer Configuration > Policies > Administrative Templates > System > Removable
Storage Access