Disabling USB Storage Devices


I need to prevent some users from utilising USB storage and CD/DVDs on all the machines at an office. The fact that the machines use USB keyboards and mice makes it complicated. Does anyone know of a simple solution?

I am using NOD 32 security suite.

Disclaimer, this is from a friend I asked.  I've never done this personally, but looks like it would work to me.

First thing to do is this:

1. Run regedit and navigate to HKLM\system\currentcontrolset\services\USBstor.

2. Change the value of the dword "Start" from 3 to 4. If the dword "Start" doesn't exist, create it. This will prevent a previously installed USB device from loading when the device is plugged into the machine. ((As most of you know, this is a Microsoft suggestion, which does work perfectly at disabling previously installed devices; however, this alone will not disable USB storage completely. If a user plugs a new USB storage device into the machine, the device will install and the dword value will be reset to 3. Now if you incorporate adding this into a script, it alone will disable USB drives, but only after a user plugs a device in, removes it without uninstalling it, logs off, then logs back on, thereby running the script. This means that there is a window of opportunity for users to have access to new devices; this may be acceptable for some, but not for others.))

3. The next thing to do is to change the permissions on the USBSTOR key. You need to DENY full control on the "system" group.

((What this does is deny everyone the ability to access the USBStor key, effectively killing the ability for any user (including admins) to install USB storage devices. Now the reason you deny the "system" group is because Windows will use this account if no one is logged onto the machine yet. What I mean by this is if, say, you want to deny a group of users called "staff", you would need to deny them using GP or a logon script. This will work great, but if a "staff" group user plugs a USB drive in before logging in to Windows, the device will be installed in the background using the "system" group; then when the user logs in, the "staff" group policy is applied, denying the user access to the USBstor key, but by this point it makes no difference because the device is already installed and accessible, and once a device is installed the usbstor key is no longer used.))

3. So now that these two steps are done, *NO ONE* will be able to install USB drives.

If a user tries to use a previously installed drive the device will be blocked and nothing will happen, no prompts, nothing. This is accomplished through step 1, the dword value.

What happens if a user plugs in a "New" device that was not previously installed, the hardware wizard will run, asking for the location of drivers. Regardless of whether a user selects the "automatically" search and install or if they attempt to manually install 3rd party drivers, the HW wizard will prompt the user that "access is denied" once the drivers are selected. This is the result of step 2, denying "system".
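
The two registry changes from the answer above, as an added PowerShell example (not part of the original post): it reports whether "Start" has drifted back from 4 and whether the Deny entry for SYSTEM is present, and applies both when run with `-Enforce`. Assumptions: an elevated prompt, hypothetical function names, SYSTEM matched by its well-known SID S-1-5-18, and the Deny entry applied to the key and its subkeys.

```powershell
# Added example: audit and optionally enforce the USBSTOR settings from the answer.
# Run from an elevated PowerShell prompt. Function names are illustrative only.
param([switch]$Enforce)

$Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$SystemSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'  # LocalSystem
$Full      = [System.Security.AccessControl.RegistryRights]::FullControl

function Get-UsbStorState {
    # Start = 3 means the driver loads on demand, 4 means disabled.
    $start = (Get-ItemProperty -Path $Key -Name Start -ErrorAction SilentlyContinue).Start
    # Request rules keyed by SID so the check does not depend on the OS language.
    $rules = (Get-Acl -Path $Key).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $deny = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $SystemSid.Value -and
        ($_.RegistryRights -band $Full) -eq $Full
    })
    [pscustomobject]@{
        Start          = $start
        DriverDisabled = ($start -eq 4)
        SystemDenied   = ($deny.Count -gt 0)
    }
}

function Set-UsbStorBlocked {
    # Set the "Start" dword to 4; the value is created if it is missing.
    Set-ItemProperty -Path $Key -Name Start -Value 4 -Type DWord
    # Add an explicit Deny / Full Control entry for SYSTEM (assumed: key and subkeys).
    $acl  = Get-Acl -Path $Key
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
                $SystemSid, $Full, 'ContainerInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

$state = Get-UsbStorState
if ($Enforce -and -not ($state.DriverDisabled -and $state.SystemDenied)) {
    Set-UsbStorBlocked
    $state = Get-UsbStorState   # re-read to confirm both settings took effect
}
$state
```

Run without `-Enforce` from a scheduled task or logon script to spot machines where "Start" has been reset to 3.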
What is the overall purpose? That will help me answer you better. Why no USB?
mavcom (Author) commented:

The aim is to stop employees from using USB drives to add or remove data from the machine. However, Management would like to be able to use USBs if they decide.

Additionally remember that the keyboards are USB.

Kyle, I have tested the solution using the permissions, but not once the system has been denied access. Won't this also prevent Management from getting access?

It is a local solution - if you want management to retain access no need to set this up on their machines, just the machines where you want to restrict access.

mavcom (Author) commented:

They would like to be able to go to those machines if needed and access the USB ports.
Danny Child (IT Manager) commented:
Some modern BIOSes can limit this, or Google for lumension devicewave.
Sounds like you are going to need some non-native way to do this with all the parameters you are looking for, read: expensive.  

Something like:

Which actually isn't that bad, price wise, depending on the number of seats you have.


If you are running a Server set the Domain Policy to disallow USB use.

If not then this setting can be found in the local policy for the users.
mavcom (Author) commented:
Hi Eshteyn,

Can you give me more specifics on the local policy since this is not a domain.
HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

Can use the local GPO to load the .adm

Registry Hack to Disable Writing to USB Drives  the How-To Geek
mavcom (Author) commented:
While the other methods will work for disabling the USB drives, the fact that I am using USB input devices and need intermittent use of the drives makes this the only logical solution.

Thank you to everyone for their other comments
How big is the infra you are trying to protect, and what features do you want?

Rename to .rar and use. Let me know at freekindia@gmail.com if you need more help.

Installation instructions:

1. Enable the Windows default administrator account and set a password.

2. Extract blockusb.rar and find blockusb.exe (setup).

3. Run setup and it will pop up a management console.

4. Go to the File tab and click Login.

5. User name is administrator and default password is test.

6. Then set all parameters, especially the last change password tab.

7. Set the password of the default administrator account in it. It will be saved in 128 bit encryption.

8. Fill in the parameters of mail etc.

9. Now it is set to run.