?
Solved

Disabling USB Storage by Group Policy

Posted on 2011-03-06
5
Medium Priority
?
1,765 Views
Last Modified: 2012-06-27
Points of My Scenario:
1. I am admin of a Windows Server 2003 domain
2. Workstations have Windows XP Pro, SP3
3. I have implemented a group policy to prevent the use of USB storage as per Microsoft KB555324 (http://support.microsoft.com/default.aspx?scid=kb;en-us;555324)
4. It works ONLY if the workstation has been exposed to a USB flash drive and "gpupdate /force" command is executed.
MY CHALLENGE: Although the policy works, it only works to block the same flash drive used to expose the workstation to USB storage (see point #4): other flash drives still have access.
QUESTION: What can I do to ensure the policy blocks all USB storage media?
0
Comment
Question by:waforbes100
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 35051053
A very similar question was asked here September 2008.  The responses seem to parallel what you have already done.

Server has a GPO that does what you want, although I don't know if these policies are available in XP.  Certainly disabling all removable media would do the job, but this would also disable floppy disks, ZIP drives and CD/DVDs.

An alternate possibility is a hardware approach.  Disconnect the front panel USB connector(s) from the motherboard.

0
 

Author Comment

by:waforbes100
ID: 35056456
To DrKlahn: I need to retain USB input capability (e.g. mouse, keyboard). Additionally, I have disabled all media that the policy allows, but the problem persists.
0
 
LVL 28

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 600 total points
ID: 35063503
Presumably the USB mouse and keyboard are attached through the back panel.  That is why I suggested disconnecting only the front panel USB connectors.
0
 
LVL 1

Accepted Solution

by:
dhanraj114 earned 1400 total points
ID: 35066314
I have tried the given KB on my Server 2003 and Windows XP Pro network. But it sometimes blocks and sometimes releases the USBs. More blocking from GP also blocks keyboard, mouse, printer and scanner also. I was not succeeded in this. Finally i have adopted a third party software named DeviceLock, which is the perfect software for a network. It allows user based permissions, and users are fetched from Domain. It works fine with me. I suggest you for any third party software.
0
 

Author Closing Comment

by:waforbes100
ID: 35082503
My solution was to configure GPO to deny access to the USBSTOR.SYS file. In 100% of test workstations it worked!
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question