enty66
USB Memory Stick GPO settings

We are trying to allow users of the XP Pro stations on our Windows 2003 Server domain access to use their USB memory sticks whilst still maintaining security of the XP Pro stations, i.e. we wish users to be able to use their USB memory sticks without being able to do anything else which would compromise security. Is there a GPO setting that allows this? Thanks
johnb6767

"without being able to do anything else which would compromise security"

Could you clarify exactly what you want to prevent them from doing with their thumb drives?
enty66

ASKER

Yes, sorry, it does sound a little vague. Basically we want users to be able to use their thumb drives, i.e. put them into the USB slot and use them to retrieve/save their work. I could do this by making them members of the Power Users group or local Administrators group, BUT this would give them far too much control over the local machine.
Not sure this is possible without VISTA.

How are they being restricted today?

enty66

ASKER

Yes, I believe Vista has vast improvements over the GPO control of USB devices. At the mo they are simply prohibited from using them, but this is becoming more and more of a hindrance.
Are you saying you want them to be able to copy work from their USB pen drives onto the PC BUT NOT SAVE BACK TO THE USB, i.e. prevent corporate info from potentially being taken off site on the pen drives?
The below reg entries allow you to read from the USB and copy to the PC but prevent you from writing back from that PC to the USB. You can of course then put the USB in another PC not in that domain, i.e. a laptop or one without these reg entries, and write to the USB, as it only affects PCs, not the actual USB.

I implemented a Group Policy in our org to prevent just this, using an ADM file which stops data being taken off site but still allows the use, i.e. reading, of USB drives. It can also be used for USB floppies and CD drives.

Anyhow, below are the reg entries; try them on a PC.
But DO NOT have a USB device in when you use the reg. Just check the reg location, as it's just the DWORD that does the work.

BELOW are 2 simple .reg files: if you double-click the top one it disables USB pen drives, and the other re-enables the USB pen drives.

*************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]

"Start"=dword:00000004
**************************************************************************

The one below re-enables your USB pen drive

***************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]

"Start"=dword:00000003
**************************************************************************

Basically it's just the DWORD.
I'm not sure, to be honest, if I understand what you're trying to do, but if this is what you're trying to do throughout the company I will paste the ADM file and instructions on how to implement it.
Sorry if I've totally misunderstood what you are trying to achieve.
Another possibility... I haven't personally used GFI's EndPointSecurity, but I have used other GFI products and I like them very much. From what you are trying to accomplish, I think this may be worth taking a look at anyway. GFI's EndPointSecurity is fee-based, but they do offer 30-day trials.
http://www.gfi.com/endpointsecurity/


Hope this helps.
Here's the .ADM file I mentioned earlier.
It's late over here, so I'm off to bed.

Save the below as a ".adm" file; call it along the lines of USBSTORAGE.ADM.

Then install it as an ADM file into a new Group Policy called whatever you want.
HOW TO ADD AN ADM FILE
http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm
Once the ADM is installed, continue below with a new Group Policy called "USB write prevent", or whatever you want.

Computer Configuration > Administrative Templates >
You will see a new policy called Custom Policy Settings.
In the right-hand side, when you drill down into the last section, i.e. Restrict Drives, you won't at first see anything. Don't worry: right-click in the empty white area on the right-hand side and select
View > Filtering, then tick "Only show configured policy settings" and untick "Only show policy settings that can be fully managed".
You will now have the option to enable/disable writing to USB pen drives / USB CD drives / USB floppy drives.
ADM file below:
************************************************************

CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
  POLICY !!policynameusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!explaintextusb
     PART !!labeltextusb DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamecd
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!explaintextcd
     PART !!labeltextcd DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynameflpy
   KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
   EXPLAIN !!explaintextflpy
     PART !!labeltextflpy DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
  POLICY !!policynamels120
   KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
   EXPLAIN !!explaintextls120
     PART !!labeltextls120 DROPDOWNLIST REQUIRED
 
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY
 
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB Removable Drives"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstor.sys driver status in the drop-down list.  \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstor.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the CD-ROM Drive select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the Floppy Drive select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the High Capacity Floppy Drive select STARTED for the sfloppy.sys driver status in the drop-down list."
labeltextusb="usbstor.sys driver status"
labeltextcd="cdrom.sys driver status"
labeltextflpy="flpydisk.sys driver status"
labeltextls120="sfloppy.sys driver status"
Enabled="Stopped"
Disabled="Started"
***************************************************************************
ONLY SAVE WHAT IS INSIDE THE ASTERISKS
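As an added example (not code from any post in this thread), a read-only PowerShell audit of the Start values that the .reg files and ADM template above manipulate, plus the USB storage devices Windows has already installed on a machine. It assumes PowerShell 2.0 or later and administrative rights to read the Enum key; the service names and their default Start values are taken from the template above.

```powershell
# Added example, not from any post in this thread. Read-only audit of the
# registry values the .reg files and ADM template above control, plus the USB
# storage devices Windows has already installed on this machine.
# Assumes PowerShell 2.0 or later; reading the Enum key needs admin rights.

# Driver services the ADM template covers, and the Start value each one has
# when the template's "Started" item is selected.
# Start meanings (Service Control Manager): 1 = system start, 3 = demand start,
# 4 = disabled (with 4 the driver never loads, so that device class is unusable).
$removableDrivers = @{
    'USBSTOR'  = 3   # usbstor.sys - USB mass storage
    'Cdrom'    = 1   # cdrom.sys
    'Flpydisk' = 3   # flpydisk.sys - floppy
    'Sfloppy'  = 3   # sfloppy.sys - high-capacity (LS-120) floppy
}

function Get-RemovableDriverState {
    foreach ($name in $removableDrivers.Keys) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq $null)                        { $state = 'Service key missing' }
        elseif ($start -eq 4)                        { $state = 'Disabled (blocked by policy)' }
        elseif ($start -eq $removableDrivers[$name]) { $state = 'Started (default)' }
        else                                         { $state = 'Non-default Start value' }
        New-Object PSObject -Property @{ Driver = $name; Start = $start; State = $state }
    }
}

# Devices that were installed earlier keep their Enum entries even after
# usbstor.sys is disabled, so this lists what storage has been attached before.
function Get-InstalledUsbStorage {
    $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enum)) { return }
    foreach ($device in Get-ChildItem $enum) {        # e.g. Disk&Ven_...&Prod_...&Rev_...
        foreach ($instance in Get-ChildItem $device.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            New-Object PSObject -Property @{
                DeviceId     = $device.PSChildName
                InstanceId   = $instance.PSChildName   # usually the drive's serial number
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

Get-RemovableDriverState | Format-Table Driver, Start, State -AutoSize
Get-InstalledUsbStorage  | Format-Table DeviceId, InstanceId, FriendlyName -AutoSize
```

Run it on a test PC before and after importing one of the .reg files above to confirm the Start value actually changed, and again on a sample of domain machines once the GPO has applied.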
enty66

ASKER

Thanks for that; although it is not exactly what I was meaning, it is extremely useful. My problem, I think, is much less complex. Basically, I want to allow users the ability to insert and install USB pen drives without going to the extreme lengths of making them members of the Power Users or local Admins group, which would also give them the ability to delete local system files at will.
ASKER CERTIFIED SOLUTION
johnb6767

Got you.
Yes, it should allow them to install the USB device.
The users I allow to read from their USBs certainly DO NOT have install rights, as they are standard domain users.
enty66

Any update?
Would be interested to find out the outcome, as he should not have needed to change group membership to get the USB sticks to activate.