
Disable USB mass storage devices (via the registry)

Sean Plemons Kelly, CISSP
12 Year IT and Army Veteran. Quick witted and knowledgeable professional who is always willing and ready to share information.
Having issues meeting security compliance criteria because of those pesky USB drives? Then I can help you! This article will explain how to disable USB Mass Storage devices in Windows Server 2008 R2.
In today's day and age, there are many threats to the security of our information systems and networks. USB hard drives, flash drives, and other mass storage devices can potentially pose a threat, not only of data theft, but also as a vector for viruses and other malware that could be introduced into our systems. Disabling these devices can help to provide better security for your systems by removing an avenue of attack.

There are many ways to disable these devices, but in my experience, I have found that one of the most effective methods can be accomplished by simply changing a registry key. A great thing about this solution is that it is easily deployable both on a local machine as well as on a domain.

So, let's get started!

First, let's take a look at the bigger picture... your domain. Since the most expedient way of applying a solution is to deploy a Group Policy Object (GPO), let's see how to do that first:

DEPLOYING THROUGH GROUP POLICY
1) Open up Server Manager.
2) In the left pane, expand Features, then expand Group Policy Management, and continue to drill down until you get to your target domain.
3) Under that domain, right click Group Policy Objects.
4) Name your new Group Policy Object (GPO) "Disable USB Mass Storage", leave Source Starter GPO as (none).
[Image New-GPO.jpg: Step 4 - Creating a new GPO]
5) Right click on the newly created "Disable USB Mass Storage" GPO, and select Edit GPO
6) Navigate to Computer Configuration > Preferences > Windows Settings > Registry
7) Right click on Registry, and select New > Registry Item.
[Image New-Registry-Item.jpg: Step 7 - Creating a new Registry Item]
[Image New-registry-item-properties.jpg: Step 8 - Registry Item properties]
8) Use the following settings for this entry:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Value name: start
Value type: REG_DWORD
Value data: 4
Base: Decimal 
9) Click OK.
10) Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System.
[Image File-System.jpg: Step 10 - Navigating to File System]
11) Right click in the left pane and select Add File...
12) Expand to C:\Windows\Inf\ and select usbstor (it is an .inf file, but this view does not show the .inf extension).
13) Remove all users and groups except SYSTEM. Click Add, type in Everyone, and click OK.
14) For both SYSTEM and Everyone, tick the Full Control checkbox under Deny. Click OK.
15) A window will come up telling you that nobody will be able to access the file. Click Yes.
16) The Add Object window will appear. Select Configure this file or folder then, choose Propagate inheritable permissions to all subfolders and files, and click OK.
17) Repeat steps 11-16, except replace usbstor.inf with usbstor.pnf on step 12.
18) Close out the Group Policy Management Editor window.
19) Head back to the Server Manager window, right click on the domain you want to apply this GPO to, and select Link an Existing GPO...
20) Select your new Disable USB Mass Storage GPO, then click OK.
21) In the right pane, select the Linked Group Policy Objects tab, right click on Disable USB Mass Storage, and select Enforced.

Easy, yeah?

Moving along, we're going to look at an individual computer. Maybe it's a standalone system, or it needs to be exempt from Group Policy. Whatever the reason, it's pretty simple to apply the same fix:
 
DEPLOYING THROUGH A LOCAL MACHINE
1) Click Start, then select Run.
2) Type in regedit.exe, click OK.
[Image RunAs-Regedit.jpg: Step 2 - Run prompt]
3) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor.
4) In the right pane, right click Start, then select Modify...
5) Use the following settings for this value:
Value data: 4
Base: Decimal
[Image Regedit-DWORD.jpg: Step 5 - Entering the value for "Start"]
6) Click OK, then close the Registry Editor window.
7) Open Windows Explorer (Windows Key+E).
8) Navigate to C:\Windows\Inf\ , right click on usbstor (it is an .inf file, but this view does not show the .inf extension), and select Properties.
9) Click on the Security tab, then click the Edit... button.
10) Remove all users and groups except SYSTEM. Click Add, type in Everyone, and click OK.
11) For both SYSTEM and Everyone, tick the Full Control checkbox under Deny. Click OK.
12) A window will come up telling you that nobody will be able to access the file. Click Yes, then click OK.
13) Repeat steps 8-12, except replace usbstor.inf with usbstor.pnf on step 8.

That's it! You can speed the Group Policy process along by executing a GPUPDATE /FORCE on the command line, but the default settings have client systems update every 90-120 minutes.

It should be noted that there are some situations where disabling USB devices might not be ideal. In that situation, you can simply revert the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start DWORD back to 3 to re-enable USB storage devices.
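
The "DEPLOYING THROUGH A LOCAL MACHINE" steps and the revert note above, scripted as one PowerShell file. This is an added example written for this page, not the author's code or anything from Microsoft: it assumes Windows Server 2008 R2 with PowerShell 2.0 or later, an elevated prompt, and the Inf folder under $env:SystemRoot; the function names (Disable-UsbStor, Enable-UsbStor, Test-UsbStorBlocked) are this example's own. Rather than removing the existing Allow entries as in step 10, it only adds the Deny entries, since a Deny for Everyone already outranks every Allow.

```powershell
# Added example (not from the article): scripts the local-machine steps above,
# verifies the result, and reverts. Run from an elevated PowerShell prompt.
# Assumed: Windows Server 2008 R2, PowerShell 2.0 or later.

$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$DriverFiles = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf")
$Principals  = @('NT AUTHORITY\SYSTEM', 'Everyone')

function New-DenyFullControlRule([string]$Principal) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Principal, 'FullControl', 'Deny'
}

function Disable-UsbStor {
    # Steps 3-6: Start = 4 (SERVICE_DISABLED) stops usbstor.sys loading for new devices.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    # Steps 8-13: Deny Full Control to SYSTEM and Everyone on usbstor.inf/.pnf so
    # Plug and Play cannot (re)install the driver from them (the KB823732 step).
    foreach ($file in $DriverFiles) {
        if (-not (Test-Path $file)) { Write-Warning "$file not found, skipping"; continue }
        $acl = Get-Acl -Path $file
        foreach ($p in $Principals) { $acl.AddAccessRule((New-DenyFullControlRule $p)) }
        Set-Acl -Path $file -AclObject $acl
    }
}

function Enable-UsbStor {
    # Revert note above: Start = 3 (SERVICE_DEMAND_START) re-enables USB storage.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 3 -Type DWord
    foreach ($file in $DriverFiles) {
        if (-not (Test-Path $file)) { continue }
        # Caveat: once Everyone is denied, even administrators cannot read the DACL.
        # Only the owner keeps implicit READ_CONTROL/WRITE_DAC, so ownership is moved
        # to the Administrators group first (takeown /A). The original owner
        # (TrustedInstaller on 2008 R2) is not restored by this example.
        & takeown.exe /F $file /A | Out-Null
        $acl = Get-Acl -Path $file
        foreach ($p in $Principals) { [void]$acl.RemoveAccessRule((New-DenyFullControlRule $p)) }
        Set-Acl -Path $file -AclObject $acl
    }
}

function Test-UsbStorBlocked {
    # Reports the state both steps leave behind; usable as a compliance check.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start').Start
    $files = foreach ($file in $DriverFiles) {
        $denied = $false
        try {
            $acl = Get-Acl -Path $file -ErrorAction Stop
            $denied = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq 'Everyone' -and
                $_.FileSystemRights -eq 'FullControl' }).Count -gt 0
        } catch {
            # Not being allowed to read the DACL is exactly what the Everyone Deny
            # produces for a non-owner, so treat "access denied" as locked.
            if ($_.Exception -is [System.UnauthorizedAccessException] -or
                $_.CategoryInfo.Category -eq 'PermissionDenied') { $denied = $true } else { throw }
        }
        New-Object PSObject -Property @{ File = $file; DriverInstallDenied = $denied }
    }
    New-Object PSObject -Property @{
        StartValue      = $start
        ServiceDisabled = ($start -eq 4)
        DriverFiles     = $files
    }
}

# Usage:
#   Disable-UsbStor; Test-UsbStorBlocked | Format-List
#   Enable-UsbStor    # revert (see the ownership caveat inside)
```

Test-UsbStorBlocked is the piece to keep: run it from your monitoring or compliance tooling and alert when ServiceDisabled flips to False or DriverInstallDenied drops on either file, since that is the state a user or a later driver install would leave behind.
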



Special thanks to pamgmt for pointing out the usbstor.inf/.pnf info!
16 Comments
Expert Comment by Jim Horn (LVL 66):
Nicely illustrated.  Voting yes.

Expert Comment by Lee W, MVP (LVL 98):
Why not just set a Group Policy to allow reads and disable writes?  Or optionally both?  If you feel it's not as effective, discuss why.
[Image: DisabeRemovableMediaWrites.PNG]

Author Comment by Sean Plemons Kelly, CISSP (LVL 9):
Lee W,

Excellent question!

To answer it shortly: Policies don't tattoo, preferences do.

Which is to say, if my DC pushing that GPO goes down or that client is unable to receive GPO pushes for whatever reason, I know that registry change is going to persist, because it is a preference. Unless I caveat that it gets removed if it stops being applied.

If I were to do it as you suggested, as soon as the GPO stops being pushed, the system will go back to doing whatever it wanted, interacting with shady USB storage devices, not cleaning its room, etc.

Cheers!
Sean

Expert Comment by Lee W, MVP (LVL 98):
Are you SURE about that - my understanding is that POLICIES Tattoo - Preferences don't.  A preference I can go in and edit after it's been applied... depending on setting, it may get reapplied next logon or next refresh... but for a time, I COULD bypass it.  A policy LOCKS me in.

Expert Comment by Lee W, MVP (LVL 98):
Honestly, the screen shot above is from one client where I implemented this and I've frustrated myself on occasion trying to get around it when I needed to.

Expert Comment by Eric B:
Thank you for a clear and well laid out article.  

In a Microsoft article it mentions the importance of an additional step if the USB storage device has not yet been installed.   It involves setting deny permissions on usbstor.inf, .pnf to prevent the drivers from installing.  https://support.microsoft.com/en-us/kb/823732

Is this critical?  I would hate to think I had implemented yet not have it complete.

Author Comment by Sean Plemons Kelly, CISSP (LVL 9):
pamgmt,

I can't speak for certain if it is critical, however I would think that it is one of those things that couldn't hurt, and it wouldn't be too hard to implement. I will add it into the main article when I get a chance.

Very good catch, I appreciate it!

-Sean

Expert Comment by Yashwant Vishwakarma (LVL 8):
Nice article Sean :)
Voted as Good Article :)

Have a great day ahead :)

Expert Comment by McKnife (LVL 60):
I'd like to comment on
"as soon as the GPO stops being pushed, the system will go back to doing whatever it wanted,"
That is incorrect. Policies are also effective if the DC or the client is offline. That's why I'd definitely vote for LeeW's method (being easier and more granular) or, if you like to be able to even select what usb drives may be used, the method in my article http://www.experts-exchange.com/articles/18574/Bad-USB-time-to-fight-back.html

Author Comment by Sean Plemons Kelly, CISSP (LVL 9):
Thanks Jim (Sorry for taking so long to say so!) and Yashwant!

McKnife: Your article would be great for an organization that allows any sort of USB drives. Many organizations don't, and thus this is more geared towards those. I would also like to see a source stating that policies continue to affect clients off the domain.

-Sean

Expert Comment by McKnife (LVL 60):
:)
A source? Well let's start with your sources - where do they state the opposite? They don't.
My proof: If I remove my network cable, does that mean all GPO enforcement is gone right away/in x minutes/at next restart? No, GPOs stay in place and are effective forever.
"Your article would be great for an organization that allows any sort of USB drives." - No, I describe how you can easily whitelist any known device you like to see working while all other devices won't, giving you all possible flexibility, if needed. If I were to block any usb storage, I'd switch on all options LeeW outlined just that easy. That will only stop working (due to non-tattooing) if the policy is removed or the computer falls out of scope.

Author Comment by Sean Plemons Kelly, CISSP (LVL 9):
McKnife,

To address your points:
1. I don't remember mentioning my sources (which, if you would take the time to read the second one, does indeed say
A policy is removed when the GPO goes out of scope—that is, when the user or computer is no longer targeted by the GPO
I just requested to see a source for your information. I can say that pinning out an Ethernet cable as O/WO/WBr/WBl/G/Br/WG/Bl makes your network go 50 times faster, but without anything to back it up, it's just an empty statement.

2. Your article would indeed be great for an organization that allows USB drives, allowing the flexibility of allowing only those vetted/issued drives. However, the organizations I handle typically block all USB drives, so a blanket ban is much easier. Additionally, I don't need to download additional software, making it easier to enact on closed networks.

Also, another concept: Use both Policy AND preference, that way if a system goes out of scope, the restriction is still there.

If you have something constructive to say, say it. Otherwise, go harass someone else.

Expert Comment by McKnife (LVL 60):
Sean,

I am not harassing anyone, not intended. An article can receive critical feedback - that does not mean there's someone harassing you and it can indeed be used to improve the article and even the author's knowledge - also my knowledge. It was meant constructively.
I read all the links you posted before, I am an admin for 15 years, I know these things.
Your point is correct - if the GPO is removed, it will not apply anymore. But in what setup would that matter? If I want to secure machines that way, the policy will be left active, so it will apply. And if I remove it, it's a clean way to undo it.

And about GPOs being pushed: there's no push involved with GPOs and GPPs, it's always been a pull.
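
To make the Policy-versus-Preference point of this exchange concrete, here is an added PowerShell audit for the local machine (my example, not code from McKnife, Lee W or the article's author). It reports which mechanism is restricting USB storage: the article's direct write to the UsbStor service key (a preference, which stays until something changes it back) or the Removable Storage Access policy from Lee W's screenshot (a policy, whose values are removed when the GPO goes out of scope). It assumes that policy stores its Deny_All / Deny_Read / Deny_Write / Deny_Execute values under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices with the Removable Disks class GUID shown, as the Windows ADMX templates define it; the function names are this example's own.

```powershell
# Added example for this thread (not code from the article or any commenter).
# Reads the two places USB storage can be restricted on this machine and says
# which kind of setting is in effect. Read-only; run from an elevated prompt.
#
# Assumption: the Removable Storage Access policy stores its values under the
# Policies hive with the class GUID below, as in the Windows ADMX templates.

$PreferenceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'            # article's method
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisk = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'                    # Removable Disks class

function Get-RegDword([string]$Path, [string]$Name) {
    # $null when the key or value is absent, which is the normal state for a policy
    # that is not applied or was cleaned up after the GPO went out of scope.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    $item.$Name
}

function Get-UsbStorageControls {
    $start = Get-RegDword $PreferenceKey 'Start'
    $class = Join-Path $PolicyRoot $RemovableDisk
    New-Object PSObject -Property @{
        UsbStorStart      = $start                  # 4 = disabled, 3 = demand start
        UsbStorDisabled   = ($start -eq 4)
        PolicyDenyAll     = Get-RegDword $PolicyRoot 'Deny_All'
        PolicyDenyRead    = Get-RegDword $class 'Deny_Read'
        PolicyDenyWrite   = Get-RegDword $class 'Deny_Write'
        PolicyDenyExecute = Get-RegDword $class 'Deny_Execute'
    }
}

function Get-UsbStorageControlSummary {
    $c = Get-UsbStorageControls
    $policyActive = ($c.PolicyDenyAll -eq 1) -or ($c.PolicyDenyRead -eq 1) -or ($c.PolicyDenyWrite -eq 1)
    if ($c.UsbStorDisabled -and $policyActive) {
        'Both: driver disabled (preference, persists) and access policy set (policy, removed when out of scope)'
    } elseif ($c.UsbStorDisabled) {
        'Preference only: the Start=4 setting stays even if the GPO is removed or unlinked'
    } elseif ($policyActive) {
        'Policy only: the Policies-hive values are removed when the GPO goes out of scope'
    } else {
        'No USB storage restriction found in either location'
    }
}

Get-UsbStorageControls | Format-List
Get-UsbStorageControlSummary
```

Running this on a machine that has dropped out of GPO scope is the quickest way to see the difference both sides are describing: the policy values disappear with the GPO, the service Start value does not.
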

Expert Comment by Anthony Maw:
It is sometimes useful to have USB storage devices for different reasons yet maintain access security.  In addition to third-party encryption tools (often supplied by the USB device manufacturer) it is possible to require USB keys to be Bitlocker encrypted but that requires more GPO work.

Expert Comment by skullnobrains (LVL 27):
hmm

it might be worth to note that plenty of malware are hardware based nowadays, more often even when it comes to usb. plugging a camera in order to charge it may very possibly lead to an infection even if the port is disabled

additionally, blocking the usb key in windows is very easy to circumvent for a mildly knowledgeable user.
afaik, in many versions of windows, so-called blocked usb ports appear to work fine when you plug a usb key and reboot. i've even seen cases where the key could be unplugged and replugged afterwards. i'm unsure if the port becomes unblocked or the key/disk is remembered in the device cache

no harm meant, but i believe this should be noted.

i'm unsure about disabling the ports in the bios. this likely will protect bios based computers, but i'm not sure. in my opinion, the only effective way to prevent such problems is using a drill or hammer