Disable USB mass storage devices (via the registry)

Sean Plemons Kelly, CISSP, Information Systems Security Engineer
Certified Expert
13+ Year IT and Army Veteran. Quick witted and knowledgeable professional who is always willing and ready to share information.
Having issues meeting security compliance criteria because of those pesky USB drives? Then I can help you! This article will explain how to disable USB Mass Storage devices in Windows Server 2008 R2.
In today's day and age, there are many threats to the security of our information systems and networks. USB hard drives, flash drives, and other mass storage devices can pose a threat, not only of data theft, but also as a vector for viruses and other malware that could be introduced into our systems. Disabling these devices helps secure your systems by removing an avenue of attack.

There are many ways to disable these devices, but in my experience, I have found that one of the most effective methods can be accomplished by simply changing a registry key. A great thing about this solution is that it is easily deployable both on a local machine as well as on a domain.

So, let's get started!

First, let's take a look at the bigger picture... your domain. Since the most expedient way of applying a solution is to deploy a Group Policy Object (GPO), let's see how to do that first:

DEPLOYING THROUGH GROUP POLICY
1) Open up Server Manager.
2) In the left pane, expand Features, then expand Group Policy Management, and continue to drill down until you get to your target domain.
3) Under that domain, right click Group Policy Objects and select New.
4) Name your new Group Policy Object (GPO) "Disable USB Mass Storage" and leave Source Starter GPO as (none).
[Image: Step 4 - Creating a new GPO]
5) Right click on the newly created "Disable USB Mass Storage" GPO, and select Edit GPO
6) Navigate to Computer Configuration > Preferences > Windows Settings > Registry
7) Right click on Registry, and select New > Registry Item.
[Image: Step 7 - Creating a new Registry Item]
[Image: Step 8 - Registry Item properties]
8) Use the following settings for this entry:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Value name: start
Value type: REG_DWORD
Value data: 4
Base: Decimal 
9) Click OK.
10) Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System.
[Image: Step 10 - Navigating to File System]
11) Right click in the left pane and select Add File...
12) Expand to C:\Windows\Inf\ and select usbstor (it is an .inf file, but this view does not show the .inf extension).
13) Remove all users and groups except SYSTEM. Click Add, type in Everyone and click OK.
14) For both SYSTEM and Everyone, check the Full Control checkbox under Deny. Click OK.
15) A window will come up telling you that nobody will be able to access the file. Click Yes.
16) The Add Object window will appear. Select Configure this file or folder, then Propagate inheritable permissions to all subfolders and files, and click OK.
17) Repeat steps 11-16, except replace usbstor.inf with usbstor.pnf in step 12.
18) Close out the Group Policy Management Editor window.
19) Head back to the Server Manager window, right click on the domain you want to apply this GPO to, and select Link an Existing GPO...
20) Select your new Disable USB Mass Storage GPO, then click OK.
21) In the right pane, select the Linked Group Policy Objects tab, right click on Disable USB Mass Storage, and select Enforced.
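The same GPO can be scripted with the GroupPolicy PowerShell module that comes with the Group Policy Management feature on Windows Server 2008 R2 and later. The block below is an added example, not part of the original article: it creates the GPO, adds the registry preference item (steps 6-9) and links it to the domain as enforced (steps 19-21). The GPO name, key path, value name and data are the article's; the target distinguished name is a placeholder you must replace. The File System security settings from steps 10-17 have no cmdlet in this module and still need the Group Policy Management Editor.

```powershell
# Added example (not from the article). Run from an elevated PowerShell
# prompt on a domain controller or a machine with GPMC installed.
Import-Module GroupPolicy

$GpoName    = 'Disable USB Mass Storage'
$TargetDN   = 'DC=example,DC=local'   # placeholder: your domain or OU distinguished name
$UsbStorKey = 'HKLM\SYSTEM\CurrentControlSet\Services\UsbStor'

# Steps 3-4: create the GPO, or reuse it if the script is run a second time.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Steps 6-9: Computer Configuration > Preferences > Windows Settings > Registry,
# Action Update, HKLM\...\UsbStor, Start = 4 (REG_DWORD, decimal).
Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
    -Key $UsbStorKey -ValueName 'Start' -Value 4 -Type DWord | Out-Null

# Steps 10-17 (Deny Full Control on usbstor.inf / usbstor.pnf under Security
# Settings > File System) have no cmdlet here; set them in the editor as above.

# Steps 19-21: link the GPO to the domain and enforce it. New-GPLink throws if
# a link already exists, in which case Set-GPLink updates the existing link.
try {
    New-GPLink -Name $GpoName -Target $TargetDN -Enforced Yes | Out-Null
} catch {
    Set-GPLink -Name $GpoName -Target $TargetDN -Enforced Yes | Out-Null
}

# Read the preference item back to confirm what the GPO now carries.
Get-GPPrefRegistryValue -Name $GpoName -Context Computer -Key $UsbStorKey -ValueName 'Start'
```

Because Set-GPPrefRegistryValue writes a Group Policy Preference item rather than a policy, the value behaves exactly as the GUI-created item does: it is written into the registry and stays there if the computer later falls out of the GPO's scope.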

Easy, yeah?

Moving along, we're going to look at an individual computer. Maybe it's a standalone system, or it needs to be exempt from Group Policy. Whatever the reason, it's pretty simple to apply the same fix:
 
DEPLOYING THROUGH A LOCAL MACHINE
1) Click Start, then select Run.
2) Type in regedit.exe, click OK.
[Image: Step 2 - Run prompt]
3) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor.
4) In the right pane, right click start, then select Modify...
5) Use the following settings for this value:
Value data: 4
Base: Decimal
[Image: Step 5 - Entering the value for "Start"]
6) Click OK, then close the Registry Editor window.
7) Open Windows Explorer (Windows Key+E).
8) Navigate to C:\Windows\Inf\, right click on usbstor (it is an .inf file, but this view does not show the .inf extension) and select Properties.
9) Click on the Security tab, then click the Edit... button.
10) Remove all users and groups except SYSTEM. Click Add, type in Everyone and click OK.
11) For both SYSTEM and Everyone, check the Full Control checkbox under Deny. Click OK.
12) A window will come up telling you that nobody will be able to access the file. Click Yes, then click OK.
13) Repeat steps 8-12, except replace usbstor.inf with usbstor.pnf in step 8.

That's it! You can speed the Group Policy process along by executing a GPUPDATE /FORCE on the command line, but the default settings have client systems update every 90-120 minutes.

It should be noted that there are some situations where disabling USB devices might not be ideal. In that case, you can simply revert the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start DWORD back to 3 to re-enable USB storage devices.
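For a standalone machine the local procedure (registry value plus the Deny ACEs on usbstor.inf and usbstor.pnf) and the revert described just above can be done in one elevated PowerShell session. The block below is an added example and not code from the article: the key path, value data and file names are the article's, while the function names are my own. The Get-UsbStorState function is an audit step the article does not have; it is what you would run on a fleet to confirm the setting actually landed.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$InfFiles   = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf")
$DenyTo     = @('Everyone', 'NT AUTHORITY\SYSTEM')   # steps 10-11: both get Deny Full Control

function Get-UsbStorState {
    # Audit: report the Start value (3 = manual/enabled, 4 = disabled) and whether
    # each driver setup file carries a Deny Full Control ACE for Everyone.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $files = foreach ($f in $InfFiles) {
        $denied = $false
        if (Test-Path -Path $f) {
            $denied = [bool]((Get-Acl -Path $f).Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq 'Everyone' -and
                $_.FileSystemRights -eq 'FullControl'
            })
        }
        New-Object PSObject -Property @{ File = $f; DenyEveryone = $denied }
    }
    New-Object PSObject -Property @{
        StartValue     = $start
        DriverDisabled = ($start -eq 4)
        InfFiles       = $files
    }
}

function Disable-UsbStor {
    # Steps 3-6: Start = 4 (SERVICE_DISABLED) so the usbstor driver is never started.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

    # Steps 8-13: drop the existing ACEs, then deny Everyone and SYSTEM Full Control
    # on usbstor.inf and usbstor.pnf so Plug and Play cannot install the driver.
    foreach ($f in $InfFiles) {
        if (-not (Test-Path -Path $f)) { continue }
        $acl = Get-Acl -Path $f
        $acl.SetAccessRuleProtection($true, $false)       # stop inheriting, keep nothing
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $acl.RemoveAccessRule($rule) | Out-Null
        }
        foreach ($who in $DenyTo) {
            $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $who, 'FullControl', 'Deny')
            $acl.AddAccessRule($deny)
        }
        Set-Acl -Path $f -AclObject $acl
    }
}

function Enable-UsbStor {
    # The article's revert: Start back to 3. The Deny ACEs on the .inf/.pnf files are
    # deliberately left alone here, matching the article's revert step.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

Disable-UsbStor
Get-UsbStorState | Format-List
```

Two caveats from my own testing of this approach rather than from the article: if Set-Acl is refused with access denied, the file is owned by TrustedInstaller and you must take ownership first (takeown /f <file>) before the DACL can be changed; and after Enable-UsbStor, devices whose driver was installed before the block return immediately, but a never-seen device still cannot install until the Deny ACEs on usbstor.inf and usbstor.pnf are removed as well.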



Special thanks to pamgmt for pointing out the usbstor.inf/.pnf info!

Comments (16)

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
:)
A source? Well let's start with your sources - where do they state the opposite? They don't.
My proof: If I remove my network cable, does that mean all GPO enforcement is gone right away/in x minutes/at next restart? No, GPOs stay in place and are effective forever.
"Your article would be great for an organization that allows any sort of USB drives." - No, I describe how you can easily whitelist any known device you like to see working while all other devices won't, giving you all possible flexibility, if needed. If I were to block any usb storage, I'd switch on all options LeeW outlined just that easy. That will only stop working (due to non-tattooing) if the policy is removed or the computer falls out of scope.
Sean Plemons Kelly, CISSP, Information Systems Security Engineer
CERTIFIED EXPERT

Author

Commented:
McKnife,

To address your points:
1. I don't remember mentioning my sources (which, if you would take the time to read the second one, does indeed say
A policy is removed when the GPO goes out of scope—that is, when the user or computer is no longer targeted by the GPO
I just requested to see a source for your information. I can say that pinning out an Ethernet cable as O/WO/WBr/WBl/G/Br/WG/Bl makes your network go 50 times faster, but without anything to back it up, it's just an empty statement.

2. Your article would indeed be great for an organization that allows USB drives, allowing the flexibility of allowing only those vetted/issued drives. However, the organizations I handle typically block all USB drives, so a blanket ban is much easier. Additionally, I don't need to download additional software, making it easier to enact on closed networks.

Also, another concept: Use both Policy AND preference, that way if a system goes out of scope, the restriction is still there.

If you have something constructive to say, say it. Otherwise, go harass someone else.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Sean,

I am not harassing anyone, not intended. An article can receive critical feedback - that does not mean there's someone harassing you, and it can indeed be used to improve the article and even the author's knowledge - also my knowledge. It was meant constructively.
I read all the links you posted before, I have been an admin for 15 years, I know these things.
Your point is correct - if the GPO is removed, it will not apply anymore. But in what setup would that matter? If I want to secure machines that way, the policy will be left active, so it will apply. And if I remove it, it's a clean way to undo it.

And about GPOs being pushed: there's no push involved with GPOs and GPPs, it's always been a pull.
Anthony Maw, Systems Administrator

Commented:
It is sometimes useful to have USB storage devices for different reasons yet maintain access security. In addition to third-party encryption tools (often supplied by the USB device manufacturer) it is possible to require USB keys to be BitLocker encrypted, but that requires more GPO work.
CERTIFIED EXPERT

Commented:
hmm

it might be worth noting that plenty of malware is hardware based nowadays, more often even when it comes to USB. plugging a camera in order to charge it may very possibly lead to an infection even if the port is disabled

additionally, blocking the USB key in Windows is very easy to circumvent for a mildly knowledgeable user.
afaik, in many versions of Windows, so-called blocked USB ports appear to work fine when you plug in a USB key and reboot. I've even seen cases where the key could be unplugged and replugged afterwards. I'm unsure if the port becomes unblocked or the key/disk is remembered in the device cache

no harm meant, but i believe this should be noted.

I'm unsure about disabling the ports in the BIOS. this likely will protect BIOS based computers, but I'm not sure. in my opinion, the only effective way to prevent such problems is using a drill or hammer
