We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


Securing Information on Win2K Box - Disabling USB Flash Drives, CD Writer, Floppy Disk Drive etc

The_Maverick asked
Medium Priority
Last Modified: 2010-04-11
Hi All,

I've been tasked with securing a Windows 2000 PC.

At present the users have full administrator rights - we now want to lock down the PC - so that regular users will NOT be able to copy data from the hard drive to a USB Drive or burn it to a CD or write it to a floppy (but administrators need to be able to do this).

The PC is stand-alone.

Any hints / suggestions / pointers etc would be very much appreciated.

Thanks in advance,

Watch Question

First, you need to minimize access for each of your users to User access instead of Administrator.
Next, you need to do the following steps:
http://support.microsoft.com/kb/231289 is where you can find the details of the instructions, below is modified for local computers.
1) click start
2) click run...
3) type mmc and press ok
4) select File on the top menu
5) click Add/Remove Snap-In...
6) click Add... Button in the Stand-alone Tab
7) Select Group Policy Object (GPO)
8) Click Add
9) make sure that it says Local Computerin the Group Policy Object:
10) select Removable Storage(Local) and click Add
11) click finish
12) Click OK
13) Select User Configuration > Administrative Templates > Windows Components > Windows Explorer
14) Select "Prevent Access to drives from My Computer"
15) Select Enable and choose the restrictions from the dropdown
16) Select Removable Storage (Local) > Libraries
17) Right-Click on the name of the device you want to disable usage
18) Click Properties
19) click Security Tab on the top
20) Change settings on User or just remove it
21) Click OK
22) Click File > Save
23) name the file with .msc to modify in the future

I hope this helps.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Oh yeah!  This does not disable the USB.  This is kinda tricky since it is hard to specify every USB flash drives.  I assume that you do not want to block out USB printers and scanners.

If you just want to block all the USB as well then you need to disable the USB boards and the onboard USB hubs.  You probably should think about blocking out the Mutimedia Card Readers as well.  If you want to block all of this then you should block all USB devices.  If you want to print then you need to either use a network printer or a Parallel printer.

Onboard USB can be disabled in the BIOS which means that you need to password protect the BIOS.


Thanks for that.

At this stage knocking out the USB via the BIOS is an option, but it might mean having to replace mouse & keyboard (mouse is an expensive trackball), and cabling is difficult (the PC is on a fishing boat).

Would prefer a GPO solution if you know of any ???

George LobIT Manager

Is there a reason you cannot just locke the CPU in a cabinet? This would be your most simple way of doing it.
Locking up is a better solution, then disable user rights to shutdown with GPO.  But if that's not an option InfoStranger's solution is good, and as far as the mouse and keyboard goes, find a USB -> PS2 adapter (many laptops even come with PS2 splitters to connect both the mouse and keyboard via single PS2 jack) .  Or steal one :).  I throw them away on a daily basis.  

However, some BIOS are pretty advanced, and can even lock down devices (such as the 2nd IDE device (CD-ROM), USB, and others, dependant on the povided password.

Oh, you can also buy software for about $25 to make this happen.
George LobIT Manager

Phr0stByte, you may want to give him the name and link to the software if you know them.
George LobIT Manager

Have a look at this, it's a way to block USB storage devices, but allow other USB devices to work:

Wish I could, and sorry I can't just pull something out of my hat !

I was just too lazy to find them now, and I assumed he didnt want to pay for his solution.  If, Maverick, you're interrested I'll look into it, but I would spend too much time with it otherwise... because "just any" program doesn't cut it for me :).

Nice link to petri, gvlob :)
George LobIT Manager

It's really amazing what you can find on the net :-)
Top Expert 2006

Good link gvlob.

We are using same thing to block USB storage devices.

While your link will disable the USB device if it has been installed.

We use one more thing.
We delete usbstor.inf and usbstor.pnf files from c:\windows\inf\

Now, if someone try and put a usb device, it will not install in first place.

But, this is helpful only if it has not already been installed on the machine.
George LobIT Manager

Prashsax, the only problem I would have with that is I would not be able to us a USB device if I ever wanted to unless I restore those files. I personally hope that he can just lock it up. The user does not need any access to the CPU. If the computer locks or a hard shutdown needs to be performed, then someone in charge should do that anyway.


Hi All,

Thanks for all the feedback.

Unfortunately, physically locking the PC up isn't an option as the unit is installed on a large fishing boat that goes out for 6 weeks at a time (service calls are somewhat difficult!) - if the unit goes down then they'd have to stop fishing (at a cost of around $4000 per hour), and head back to land (2 to 3 days to make the trip). All those things considered, they won't take the risk of not being able to get into the box. One might argue that a key be given only to the captain, but he's the one we're trying to keep the data from, so that doesn't work either!

I appreciate that whilst they have physical access to the machine they could always move the disk to another PC and access the data that way (we don't want to get into things like EFS), so at this stage it's more a case of "making it difficult" for them to get at the data, but we accept that it's not going to make it impossible (although it takes something like 20 minutes with a screw driver to remove the facia that it's mounted behind (about 20 long wood screws)).

Happy to pay for any software that helps - $$$ isn't an issue.

At this stage the project has been put on hold for a few days, so I'm going to have to wait to see what final direction they want me to take. In the meantime I'll take a closer look at all of this, and (in all probability) close the question off by the end of the week.

Many thanks again for all of your input.



Products that look useful to me are DeviceLock (http://www.devicelock.com/),  DeviceWall (http://www.devicewall.com/pro/), GFI EndpointSecurity (http://www.gfi.com/endpointsecurity/) , or Takeware (http://www.takewaregatekeeper.co.uk/features.html), in that order.

GFI is the best-known name among those.  but much like Norton looks a little over-priced and bloated.  However, I also believe you'd get the best support from them.  

Also, keep in mind, that I haven't used this kind of technology myself, so my opinion is nothing more.  I have only looked into this software, but decided it was beyond our companies budget.

Otherwise I also came across these other names:

DeviceShield, Sanctuary Device Control, Reflex Disknet Pro, Safend Port Protector

Now, if you;re losing $4000/hour when this PC is down, I HOPE you have a 2nd machine aboard... :)

And don't forgot InfoStrangers first post.  That will plug "most" of the holes.


Thanks for your help everyone - sorry it took me so long to get back here and finalise things.

In the end the client has chosen to leave things the way they are, but there's still benefit here to me in that I'll be able to look these up in the future.

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.