A way to block USB Storage device.

DeNzMoR
Hello,

I would like to know if there's a way to block USB storage keys, external HDs and even DVD writers with a policy. My director asked me this because the competition is really strong in our domain and it would be easy for some people to steal information and sell it to our competition. I thought about blocking the drivers (.sys) from being installed on the computer, but it's going to be hard to be sure that we block every kind of USB storage device.

If you know a software or a policy that could do it, it would really be appreciated.

Thanks for your time and your help

Alex
Commented:
The best way I can think of would be to disable USB. That would unfortunately affect other devices you may be connecting to the PCs.

Author

Commented:
Actually I can't do that, since keyboards and mice are USB :)
Most Valuable Expert 2011
Top Expert 2011
Commented:

Most Valuable Expert 2011
Top Expert 2011

Commented:
It talks of a few KB articles....

How to disable the use of USB storage devices
http://support.microsoft.com/kb/823732

but mainly this one....

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
http://support.microsoft.com/kb/555324
Check out this link; I'm answering on this selfsame subject.

http://www.experts-exchange.com/Storage/Misc/Q_22602808.html

I have implemented a custom Group Policy which totally disables ONLY the USB devices I want disabled,
i.e.
USB Pen Drives/Hard Drives
USB Floppy Drives
USB CD drives
But it still allows USB keyboards and mice and printers etc to be used.

We had a requirement for the exact same problem at work. As I am the sys admin for a major financial org, it is imperative to protect sensitive data from going amiss via USB drives and CD writers etc.
The CD writers were a piece of cake via Group Policy.
I can guarantee that the custom .adm file that I implemented works a charm; it now allows me to LOCK ONLY CERTAIN USB DEVICES BUT STILL ALLOW OTHERS TO WORK.
I can also allow certain users to have read access to their USB drives so they can copy data from the USB drives onto the PC, but they can't copy data BACK to the USB drives.
Check it out, it works a charm via Group Policy.
There's a couple of quick registry examples that you can use as a quick test, but it's the custom .adm THAT YOU NEED FOR THE DOMAIN.
Sorry JOHNB6767, never noticed your comment.
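
The quick local registry test mentioned above, for a standalone PC without Active Directory, as an added example (not code from any poster and not the custom .adm file referred to). It assumes the USBSTOR `Start` value described in KB 823732 and the `StorageDevicePolicies\WriteProtect` value available from Windows XP SP2; the function names and the `-Mode` parameter are made up for this example.

```powershell
# Added example: audit, or set, the two local registry values commonly used
# to restrict USB mass storage. Run from an elevated prompt.
param(
    [ValidateSet('Audit', 'ReadOnly', 'Block')]
    [string]$Mode = 'Audit'
)

$usbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policy  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStorageState {
    # Start = 4 means the USB mass-storage driver is disabled; 3 is the default.
    $start = (Get-ItemProperty -Path $usbStor -Name Start -ErrorAction SilentlyContinue).Start
    $wp    = (Get-ItemProperty -Path $policy -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        DriverStart    = $start
        DriverDisabled = ($start -eq 4)
        WriteProtected = ($wp -eq 1)
    }
}

function Set-UsbStorageState {
    param([string]$Mode)
    if (-not (Test-Path $usbStor)) {
        # No USB storage device has been installed yet, so there is no service
        # key to change; KB 823732 covers that case with file permissions.
        Write-Warning 'USBSTOR service key not found; nothing changed.'
        return
    }
    if ($Mode -eq 'Block') {
        Set-ItemProperty -Path $usbStor -Name Start -Value 4 -Type DWord
    }
    elseif ($Mode -eq 'ReadOnly') {
        # Leave the driver loadable, but mount USB storage read-only.
        Set-ItemProperty -Path $usbStor -Name Start -Value 3 -Type DWord
        if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
        Set-ItemProperty -Path $policy -Name WriteProtect -Value 1 -Type DWord
    }
}

if ($Mode -ne 'Audit') { Set-UsbStorageState -Mode $Mode }
Get-UsbStorageState   # always report the resulting state
```

Reconnect the device or reboot after a change. Neither value affects CD/DVD burning, and a user with local administrator rights can set both back, so the `Audit` mode is worth running periodically.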
Most Valuable Expert 2011
Top Expert 2011

Commented:
np...  :)

Author

Commented:
Ok, I had a meeting and now they changed their mind. They will allow flash drives and such, but only in read-only mode. So basically I need to be able to connect a USB flash drive or external drives / CD burner, but all in read-only. I know there's some software that does it, like Devicelock, but first I want to know if it's possible to do it without investing money in a 3rd party. Also they might not have Active Directory in place yet, so I was wondering if it's possible to install ADM files locally on every computer.

Thanks a lot for your time, it's really appreciated.

Alex

Author

Commented:
I just read rpartington's post. I'm going to try that.

Thank you big time!
Most Valuable Expert 2011
Top Expert 2011

Commented:

Author

Commented:
Thanks John, it seems to work like a charm!! I just need to disable the write option for the DVD/CD burner.
Most Valuable Expert 2011
Top Expert 2011

Commented:
Disable the CD burning Service...Should stop the Built in's from burning....
GPO
User Config
Admin Templates
Windows Config
Windows Explorer
Remove CD Burning Features

However, this does not prevent them using Nero or Roxio etc.; it only disables Windows' inbuilt CD burning.
One way would be to totally remove the CD drive from those users who don't need to use a CD via Group Policy, or simply remove any burning software they already have on their PC and then remove any install rights so they can't install Nero etc., and use the CD GPO above to prevent CD burning via Windows.
We have a mixture of all sorts as we have countless requirements. However, the USB reg is a life saver along with the USB adm; again, a mixture of both to suit different user requirements set by management.

Author

Commented:
I can't really remove the CD/DVD-ROM drive since they will receive demos from our customers and the division will be in HK, so it's going to be hard to fully control everything there. They might be administrators on their computers, I don't know yet, and I want to be sure they can't use 3rd party burning software or the one built into Windows.

Once again, thanks for your help!
I was speaking obviously about normal inbuilt CD drives, but don't forget about removable USB CD/DVD drives as well on the laptops; the adm file covers them for us.
Group Policy covers everyone when it comes to the prevention of burning to CDs via the Windows inbuilt burning capability.
You could have your local onsite techie at HK check that they haven't installed Nero etc. If they have, you can uninstall this and use Group Policy to prevent even local admin accounts on the domain reinstalling. We use DameWare, which allows me to remotely check all PCs in the domain; it shows virtually everything, including which software is installed on every PC across the domain, without actually remoting onto the PCs.
