Disable Adding USB Drive and Memory Sticks via Group Policy and Group Policy Preferences


If you do not have Group Policy Preferences installed, see Install Group Policy Preferences. That link tells you how to do it in a 2003 domain. In a 2008 domain it is much easier, as all you have to do is enable the feature. See the “The Steps” section below if you need a step-by-step.


Our objective is to prevent users from taking data away with them by plugging in a USB drive or memory stick. Because of the way Windows works, and specifically the order of precedence in which these components run, we have to “lock down” two different components.


A) Group Policy Preference:

Group Policy Preference: Change Registry Value: HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start (4=Disable USB Drives; 3=Enable USB Drives). This setting changes the USB drive Start value in the registry to 4, which is disabled; thus the USB drive is not allowed to be installed. This setting has a limitation: it only does its job if the driver is already installed. If the driver is installed after the policy is executed, Windows automatically changes the value back to 3 upon driver installation. Therefore, when using this setting, you must also pair it with the setting that disables installation of the USBSTOR driver.


How to do this: Start from a Vista machine with Group Policy Preferences installed, or from a Windows Server 2008 machine with the Group Policy Management Tools installed. Open Start\Control Panel\Administrative Tools\Group Policy Management Tools. Open the group policy that you want to add these settings to (or create a new one). Edit the policy and expand User Configuration\Preferences\Windows Settings. Right-click Registry, select New from the drop-down menu, then select Registry Item. Fill out the form as indicated in the screen shot “Group Policy Preference A Main”. The items you need to select are as follows:


General Tab:



  • Action: Replace

  • Hive: HKEY_LOCAL_MACHINE

  • Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR

  • Value Name: Start

  • Value Type: REG_DWORD

  • Value Data: 4    -> if you want to turn this off later, change the value back to 3

Common Tab:



  • Description: 

    Changes Registry Value: SYSTEM\CurrentControlSet\Services\USBSTOR\Start   (4=Disable USB Drives; 3=Enable USB Drives)


    This setting will change the registry USB Drive Start Value to 4, which is disabled. Thus, the USB drive is not allowed to be installed. There is a limitation of this policy: it only does its job if the driver is already installed. If the driver is installed after the policy is executed, Windows automatically changes the value back to 3 upon driver installation. Therefore, when using this setting, you must also pair it with the setting to disable the installation of the driver USBSTOR.INF. This can be done via group policy “Computer Configuration\Policies\Windows Settings\Security Settings\File System” and denying access to users that should not have access to drives.


    See http://blogs.technet.com/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx for details


  • Turn On Item-Level Targeting and click Targeting

  • At the top of the targeting editor screen click New Item then Select Security Group

  • On the Targeting Editor screen for Security Groups, click the Browse button and type in the group of users (in my case “Deny USB Drive”) that you want this to apply to, then click Check Names

  • Click OK all the way out

[Screen shots of the General and Common tabs were linked here in the original post.]

I strongly recommend you click on the Common tab and copy and paste the description above into the description field.


B) Group Policy:

This is done via group policy “Computer Configuration\Policies\Windows Settings\Security Settings\File System” by denying access to users that should not have access to drives. At this location add the files “%SystemRoot%\inf\usbstore.inf” and “%SystemRoot%\inf\usbstore.pnf” and set permissions so that the users you do not want to be able to install drives cannot read the files. You can do this second piece in one of two ways: deny access by adding the group and selecting Deny, or simply not allow access by removing the users from the security list. Keep in mind that when you apply this policy it will OVERWRITE the permissions on these files on every machine where the policy is applied. For this reason, you will no longer have “local” access to the files when you log in using a non-domain account. Usually, when you want to turn this setting on, this is an acceptable side effect, because you do not want to give users any method of getting there, including logging in as a non-domain user. (A screen shot, “Group Policy Preference B”, was linked here in the original post.)


I have been thinking about creating a step-by-step video of this process. If that would be beneficial to you, let me know and I will try to make it happen. In a nutshell, the process is as follows:


The Steps:


  1. Install Group Policy Preferences (if they are not already installed). If you are on a Windows 2008 domain you only need to add the Group Policy Management feature using Server Manager.

  2. Make sure all clients have the Group Policy Preferences Client Side Extensions (from Windows Server 2008) installed.

  3. Create a security group of “users or computers” that will have USB drive install blocked. In my example I called it “Block USB Drive Install”. Add computers and users to the above group; this group will be used in Item-Level Targeting.

  4. Create a group policy with the settings outlined in Sections A and B above.

  5. Set up the Links and Security of the Group Policy to apply to the proper users and computers.

  6. Apply the group policy (apply to a test group / OU first), test, and let me know if you have any problems with these instructions.

  7. Make sure that you reboot the destination computers before testing. The “policy” part of this will only be applied after a reboot.

Additional Comments and Security Alerts:

By using this method of applying the policy, a non-deny user can log in to the machine, run “Net Start USBStor” from the command line, and then insert a USB drive and it will work. Be advised, though, that the Computer part of the policy applies prior to login, so you will have to log in with the credentials of a user that has access and then reboot the computer (or run “gpupdate /force” from the command line). However, when you are done, remember that the computer setting is applied before you log in, so the next time a deny user logs in they may have access to these features until they reboot the computer and the policy is “re-applied” with their credentials. To avoid this situation, I recommend you avoid using USB drives from a machine where the typical user does not have access to USB. This way you will not “accidentally” give them temporary access to the feature. If you must use a USB drive on this system, just remember to log in as a deny user afterwards and then “reboot” the workstation to confirm that the security profiles are correct.


If you need to remove the Group Policy, remember that the security rights of the files you changed will NOT change back to the original. Therefore, you will want to change the policy to remove the deny user group and make sure the policy gets applied to all workstations before removing it. Even if you do this, the “local Users” will not necessarily have rights unless you specifically go back to the machine and give them rights.
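As a defender's check for the two layers above, here is an added PowerShell audit script (not from the original post) that verifies on a workstation whether the USBSTOR Start value from Section A and the Deny ACEs on the driver files from Section B actually landed, and whether the driver is running right now (the “Net Start USBStor” case described above). It assumes the group name from the post's GPO report (DANDEMO\Deny USB Drive) and the file names Usbstor.inf/Usbstor.pnf as given in KB 823732, which the post cites; adjust both parameters to your environment.

```powershell
# Added audit script (not from the original post). It checks the two layers the
# post configures on a workstation: the USBSTOR Start value set by the GPP
# registry item, and the Deny ACE the File System policy puts on the driver
# INF/PNF files. Run elevated after "gpupdate /force" and a reboot.
param(
    # Group name taken from the post's GPO report; change to match your domain.
    [string]$DenyGroup = 'DANDEMO\Deny USB Drive',
    # KB 823732 (cited by the post) names the files Usbstor.inf and Usbstor.pnf;
    # the post's GPO report spells them usbstore.inf/.pnf. Use the name your GPO sets.
    [string[]]$DriverFiles = @("$env:SystemRoot\inf\usbstor.inf",
                               "$env:SystemRoot\inf\usbstor.pnf")
)

$findings = @()

# Layer 1: USBSTOR service Start value (4 = disabled, 3 = manual/enabled).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
if ($null -eq $start) {
    $findings += 'USBSTOR key missing: driver not yet installed, so only the file ACL layer protects this machine.'
} elseif ($start -ne 4) {
    $findings += "USBSTOR Start is $start, expected 4 (GPP item not applied, or reset to 3 by a driver install)."
}

# Layer 2: each driver file must carry an explicit Deny ACE for the group,
# with inheritance disabled as in the post's GPO report.
foreach ($file in $DriverFiles) {
    if (-not (Test-Path -LiteralPath $file)) {
        $findings += "$file not found; verify the file name used in the GPO."
        continue
    }
    $acl  = Get-Acl -LiteralPath $file
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $DenyGroup
    }
    if (-not $deny) {
        $findings += "$file has no Deny ACE for $DenyGroup (File System policy needs a reboot to apply)."
    }
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "$file still inherits permissions from its parent folder."
    }
}

# Layer 3: the post notes that "net start usbstor" re-enables storage until the
# next reboot, so also report whether the driver is running right now.
# Get-Service does not list kernel drivers, hence the WMI/CIM class.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'USBSTOR'"
if ($drv -and $drv.State -eq 'Running') {
    $findings += 'USBSTOR driver is currently running; attached storage stays usable until reboot.'
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: USBSTOR Start=4 and Deny ACEs present on the driver files.'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Run it once as an allowed user and once after logging in as a deny user and rebooting; the second run is the one that must report PASS.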


A Knowledge Base article was posted with the manual steps to disable adding USB drives to a machine. However, I wanted to share a way to “automate” this process using Group Policy and Group Policy Preferences. There are more ways to accomplish this task, but this one is easy to implement and will teach you about some features in Group Policy and Group Policy Preferences that are not often used. If you want to see the manual process for disabling access to or installation of USB drives (memory sticks, etc.), check out KB article 823732 at http://support.microsoft.com/kb/823732


So that you have the text from the GP that I created in preparing this content, I have put a copy of the report of the resulting GPO below.

Happy Configuring!!!

Block USB Drive Install

General

Details
  Domain:              DanDemo.loc
  Owner:               DANDEMO\Domain Admins
  Created:             1/20/2009 2:05:54 PM
  Modified:            1/20/2009 3:19:26 PM
  User Revisions:      8 (AD), 8 (sysvol)
  Computer Revisions:  2 (AD), 2 (sysvol)
  Unique ID:           {5C45547D-874A-40EF-A74E-5976A30CC20A}
  GPO Status:          Enabled

Links
  Location   Enforced   Link Status   Path
  DanDemo    No         Enabled       DanDemo.loc

This list only includes links in the domain of the GPO.

Security Filtering

The settings in this GPO can only apply to the following groups, users, and computers:
  Name
  DANDEMO\GPUser

WMI Filtering
  WMI Filter Name:  None
  Description:      Not applicable

Delegation

These groups and users have the specified permission for this GPO:
  Name                                         Allowed Permissions                      Inherited
  DANDEMO\Domain Admins                        Edit settings, delete, modify security   No
  DANDEMO\Enterprise Admins                    Edit settings, delete, modify security   No
  DANDEMO\GPUser                               Read (from Security Filtering)           No
  NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS   Read                                     No
  NT AUTHORITY\SYSTEM                          Edit settings, delete, modify security   No


Computer Configuration (Enabled)

Policies \ Windows Settings \ Security Settings \ File System

%SystemRoot%\inf\usbstore.inf
  Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
  Owner:
  Permissions
    Type    Name                      Permission         Apply To
    Deny    DANDEMO\Deny USB Drive    Full Control       This folder, subfolders and files
    Allow   CREATOR OWNER             Full Control       Subfolders and files only
    Allow   NT AUTHORITY\SYSTEM       Full Control       This folder, subfolders and files
    Allow   BUILTIN\Administrators    Full Control       This folder, subfolders and files
    Allow   DANDEMO\Domain Admins     Read and Execute   This folder, subfolders and files
    Allow   DANDEMO\Domain Users      Read and Execute   This folder, subfolders and files
    Allow   BUILTIN\Users             Read and Execute   This folder, subfolders and files
  Allow inheritable permissions from the parent to propagate to this object and all child objects: Disabled
  Auditing: No auditing specified

%SystemRoot%\inf\usbstore.pnf
  Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
  Owner:
  Permissions
    Type    Name                      Permission         Apply To
    Deny    DANDEMO\Deny USB Drive    Full Control       This folder, subfolders and files
    Allow   CREATOR OWNER             Full Control       Subfolders and files only
    Allow   DANDEMO\Domain Admins     Read and Execute   This folder, subfolders and files
    Allow   DANDEMO\Domain Users      Read and Execute   This folder, subfolders and files
    Allow   NT AUTHORITY\SYSTEM       Full Control       This folder, subfolders and files
  Allow inheritable permissions from the parent to propagate to this object and all child objects: Disabled
  Auditing: No auditing specified


User Configuration (Enabled)

Preferences \ Windows Settings \ Registry

Registry item: Start

General
  Action:      Replace
  Properties
    Hive:        HKEY_LOCAL_MACHINE
    Key path:    SYSTEM\CurrentControlSet\Services\USBSTOR
    Value name:  Start
    Value type:  REG_DWORD
    Value data:  0x4 (4)

Common
  Options
    Stop processing items on this extension if an error occurs on this item:  No
    Run in logged-on user’s security context (user policy option):            No
    Remove this item when it is no longer applied:                            No
    Apply once and do not reapply:                                            No
  Item-level targeting: Security Group
    Attribute      Value
    bool           AND
    not            0
    name           DANDEMO\Deny USB Drive
    sid            S-1-5-21-3082481891-2805113795-337179952-1111
    userContext    1
    primaryGroup   0
    localGroup     0
  Description
    Changes Registry Value: SYSTEM\CurrentControlSet\Services\USBSTOR\Start (4=Disable USB Drives; 3=Enable USB Drives) This setting will change the registry USB Drive Start Value to 4 which is disabled. Thus, the USB Drive is not allowed to be installed. There is a limitation of this policy. That is, it only does its job if the driver is already installed. If the driver is installed after the policy is executed, windows automatically changes the value back to 3 upon driver installation. Therefore, when using this setting, you must also pair it with the setting to disable the installation of the driver USBSTOR.INF. This can be done via group policy “Computer Configuration\Policies\Windows Settings\Security Settings\File System” and denying access to users that should not have access to drives. The files that need to limit access to are: “%SystemRoot%\inf\usbstore.inf” and “%SystemRoot%\inf\usbstore.pnf”

Comments (12)

  1. Anonymous says:

    Before these steps I used the default option, which is located at computer configuration\policy\system\removable disk storage; there I enabled the deny disk option for all removable storage. It successfully disabled USB, but I am facing an issue: my CD-ROM is still blocked. I need to reopen my CD-ROM and block the USB drive. If you have any steps, kindly send them to me at my id below
    toytoyslibra@gmail.com

  2. Anonymous says:

    Outstanding info! Keep those ports secured! Of course, be careful not to "disallow" USB printers and other stuff that may be needed.

  3. Anonymous says:

    Went through your comprehensive document but unfortunately was unable to toggle between enable/disable, as net start usbstor errored for the allow user. My workaround was to create 2 Registry Items within User Configuration\Preferences\Windows Settings\Registry. The first with a value of 4 targeting the Deny group I created. The second with a value of 3 targeting the Allow group I created. Each of these groups populated the Computer Configuration\Windows Settings\Security Settings\File System object name with explicit deny for the Deny Group and explicit allow for the Allow Group.

    I shall be expanding the area of control to a small test group to see if there are any further issues. Thanks for the initial advice.

  4. Deepak Talreja says:

    Hi

    Very good & informative. I have some query if you can solve.

    We had implemented the GPO in which the "Regedit" could not run setting was done for each of the PCs in the Win2k8 domain. Now I want to know how to get it enabled. Please advise or email me the links on

    deepakbt@ravin-it.com

  5. Max says:

    hi!

    will this block printers and USB mice?

    thanks,.

    bye

  6. Riccardo says:

    In my environment I had to deny access to usbstore.inf and usbstore.pnf files to the system account as well, otherwise new drives would be installed and accessible the first time

  7. Anurag Pathak says:

    Hi,

    Very good information.

    but I have one query: through this exercise you can block only pen drives, right???

    but when I plug in a USB hard disk it is working fine, it is opening properly.

    I also updated the policy and I also restarted the system, but I still got the same result.

    so kindly tell me if there is any other step to block CD-ROM, USB hard disk, pen drive etc.

    Thanks & Regards,

    Anurag

    anurag.pathak88@gmail.com

    kindly give me the reply on my above mail address.

  8. User in group disable on Targeting Editor says:

    I'm stuck at adding "User in Group" after select the targeting editor screen click New Item then Select Security Group.

    mschnlnine.vo.llnwd.net/…/Screen_Shot_A_Group_Policy_Management_Editor_Disable_Adding_USB_Drive_and_Memory_Sticks_via_Group_Policy%20Preferences%20%5BTargeting%20Security%20Group%5D.jpg

    We have user in groups but is not able to select.

    Much appreciated can email me a feedback at tchuan@gmail.com

  9. AccessPatrol says:

    Hey guys,

    I want to introduce to you guys a software called AccessPatrol –
    http://www.accesspatrol.com

    AccessPatrol allows you to remote control the USB access of your networked computers. If you are in an office and you want to control all of your employee’s USB access, you can set this up easily with AccessPatrol.

    AccessPatrol can be downloaded as a free trial from the website!
