Solved

Windows XP and USB Storage

Posted on 2011-03-22
Last Modified: 2012-05-11
I have to disable USB drive storage on all my XP PCs since we do not want people using USB flash drives, drive keys or whatever you want to call them.  I have made the change to the registry key:  HKLM\System\CurrentControlSet\Services\USBSTOR\Start to a value of 4.  The problem is that for whatever reason they randomly get set back to 3 and the USB drives will work.  What else can I do to disable them for good?  Can the registry key be deleted?

Thanks
Question by:ryanthompson
14 Comments
 
LVL 2

Expert Comment

by:jimponder
ID: 35193160
Can you set the permissions on that registry entry to not allow any changes except by the administrator?
 

Author Comment

by:ryanthompson
ID: 35193179
I could try that.  I'm just wondering how they are getting changed?  The users are not smart enough to do anything in the registry let alone find the registry editor.
 

Expert Comment

by:getperkin2
ID: 35193183
How about disabling USB support in the system BIOS, as long as you don't need it for something else?
 

Expert Comment

by:bwinkworth
ID: 35193200
This article may help you out, either locally or in a domain using a template and group policy:
http://www.petri.co.il/disable_usb_disks_with_gpo.htm
 

Author Comment

by:ryanthompson
ID: 35193203
Thought about that but they all have USB keyboards and mice.  Plus some have printers and signature pads.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35193207
To do the job properly you need to install something like McAfee DLP or a similar product. There is NO secure way to do it with a simple registry fix unless your users, user logins and registry are tied down VERY, VERY tightly.

http://www.mcafee.com/us/products/data-protection/data-loss-prevention.aspx
 
LVL 9

Expert Comment

by:discgman
ID: 35193233
Found this article, I think it might help.

What does Microsoft have to say about it?
If you, the administrator, want to establish a minimum level of security, it is absolutely necessary to control which users can connect USB memory sticks to a computer. Unfortunately, a default Windows XP or Windows 2000 installation comes with no limitations on who is able to install and use USB storage media. Microsoft knowledge base article 823732 contains instructions on how to disable USB storage access for a certain group of users; however, the article only distinguishes between whether or not a USB storage device has been installed on a particular computer. Furthermore, the instructions are limited to a stand-alone computer. According to the general rule of thumb "If it's tedious, there is a better way", I try to avoid techniques that force me to repeat certain tasks for each computer that I manage. That's what group policy objects (GPO) are for.

Suggestions?
Mark Heitbrink describes how to disable USB storage devices entirely on all or some computers in the network. He employs an ADM template in a group policy object that disables the USB storage driver (USBSTOR). The ADM template simply sets the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 4 (Disable). But his technique has a serious drawback. It only works if the USB storage driver is already installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time. In that case, USBSTOR remains enabled until the GPO is re-applied, usually at the next reboot. If the storage device is plugged in during that reboot, it will still be available because the USBSTOR driver is started before any GPOs are processed.

The Howto!

If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being installed unless the currently logged on user is allowed to use USB storage. We do that by restricting access to USBSTOR.INF and USBSTOR.PNF in a GPO such that PNP can't automatically install the driver. This is possible because when PNP installs a driver, the installation is performed using the privileges of the currently logged on user. Secondly, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.

In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects.
In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually %SystemRoot%\Inf\USBSTOR.INF).

Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any privileges to Everybody. You do not need to explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.

Repeat the above two steps for USBSTOR.PNF.
Download USBSTOR.ADM.
Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog.
You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double click it, select Enabled and pick Disabled from the Startup Type drop down. Again, the policy must be Enabled whereas Startup Type must be Disabled.

Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB storage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also ok if the UsbStor key doesn't exist at all.
On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick.

Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation, in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly, but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking USBSTOR.REG as well as executing net stop usbstor.

Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device.
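The procedure quoted in the comment above, applied locally to a single machine, as an added PowerShell example that is not part of the original thread or of the quoted article. It assumes Windows XP SP3 with PowerShell 2.0, an elevated (local administrator) session, and uses the placeholder group name DOMAIN\USB-Users, which is an assumption, not something the thread names. The registry-ACL part implements jimponder's earlier suggestion; the file-ACL part and the Start=4 setting are the two halves of the quoted how-to, and the audit function reproduces the manual checks it lists.

```powershell
# Added example (not from the thread or the quoted article): the same lock-down
# applied locally to one Windows XP machine, plus an audit of the result.
# Assumes Windows XP SP3 with PowerShell 2.0, run as a local administrator.
# 'DOMAIN\USB-Users' is a placeholder group name, not one from the thread.

$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$DriverFiles = @(
    (Join-Path $env:SystemRoot 'Inf\usbstor.inf'),
    (Join-Path $env:SystemRoot 'Inf\usbstor.pnf')
)

function Protect-DriverFile {
    # Replace the ACL of usbstor.inf/.pnf so that only SYSTEM, Administrators
    # and (optionally) one group can read it. PnP then cannot install USBSTOR
    # for an ordinary user, which is what stops Start being reset to 3.
    param([string]$Path, [string]$AllowedReadGroup)
    if (-not (Test-Path $Path)) { return }
    $acl = Get-Acl -Path $Path
    # Break inheritance from %SystemRoot%\Inf and drop the inherited ACEs, which
    # is where the default Everyone entry comes from. Like the GPO File System
    # policy, this is not additive: only the rules added below remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'Allow')))
    }
    if ($AllowedReadGroup) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $AllowedReadGroup, 'Read', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Disable-UsbStorService {
    # Second half of the quoted how-to: Start = 4 (Disabled). The key only exists
    # once USBSTOR has been installed at least once; a missing key is also fine.
    if (-not (Test-Path $UsbStorKey)) { return }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

    # jimponder's suggestion: let only SYSTEM and Administrators change the key.
    # Users keep ReadKey so service enumeration keeps working. Caveat: SYSTEM
    # keeps full control, so anything running in that context can still rewrite
    # Start; this ACL only stops interactive users and user-context installs.
    $kacl = Get-Acl -Path $UsbStorKey
    $kacl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($kacl.Access)) { [void]$kacl.RemoveAccessRule($rule) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'ReadKey')
    )
    foreach ($r in $rules) {
        $kacl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $r[0], $r[1], $inherit, $prop, 'Allow')))
    }
    Set-Acl -Path $UsbStorKey -AclObject $kacl
}

function Test-UsbStorLockdown {
    # The manual checks from the quoted post as one object per machine: the Start
    # value, and whether either driver file still grants Everyone anything.
    # ('Everyone' is localized on non-English Windows; adjust the name there.)
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $everyone = @()
    foreach ($f in $DriverFiles) {
        if (Test-Path $f) {
            $everyone += @((Get-Acl -Path $f).Access |
                Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
                ForEach-Object { "$f : $($_.FileSystemRights)" })
        }
    }
    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        StartValue        = $(if ($start -eq $null) { 'key absent' } else { $start })
        ServiceDisabled   = ($start -eq $null -or $start -eq 4)
        EveryoneAccess    = $everyone
        DriverFilesLocked = ($everyone.Count -eq 0)
    }
}

# Apply the lock-down, then verify it. Add -AllowedReadGroup 'DOMAIN\USB-Users'
# to Protect-DriverFile to keep one group able to install the driver; those
# users still need 'net start usbstor' before plugging in a device, as the post says.
foreach ($f in $DriverFiles) { Protect-DriverFile -Path $f }
Disable-UsbStorService
Test-UsbStorLockdown | Format-List
```

In a domain the GPO described above is the right place for the file ACLs, since it re-applies them at every refresh; this script is the single-machine equivalent and a way to audit what the GPO actually produced. Test-UsbStorLockdown is the useful part for the symptom in the question: run it from a startup script that writes its output to a share and you can see which machines drifted back to Start=3 and whether Everyone still has access to the .inf/.pnf on them. It only covers the USB mass-storage class driver; CD writers, floppies and other device classes are untouched, which is the point Neil Russell makes further down.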
 

Author Comment

by:ryanthompson
ID: 35193245
Bwinkworth:  I have set that GP object up but it didn't solve the problem.

Also I have Zenworks patch management and there is a policy that it can push out to disable USB drives support but they will still start to work.  I don't know if it is updates that re-enable them or what?

Can that USBSTOR Registry key be deleted?
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35193262


Do you have an Active Directory environment? If so, you can apply a group policy that will disable USB disks.

There is an administrative template that you can add to group policy called USB_Removeable_Drives Template

You'll have to unpack the template and add it to group policy and you will have that setting available.

check out this article:
How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?
http://www.petri.co.il/disable_usb_disks_with_gpo.htm

here's the link to the template:

USB_Removable_Drive_ADM file
http://www.petri.co.il/software/usb_removable_drives_adm.zip
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35193282


There is a program called SPECOPS UPDATE which will allow you to push out a gpupdate, or force one, to all computers or a selected number of computers.

SPECOPS GPUPDATE

http://www.specopssoft.com/products/specops-gpupdate
 

Expert Comment

by:bwinkworth
ID: 35193319
According to this article it can be deleted but I'm not sure if it's going to get re-created when you plug in another USB device.
http://www.anti-forensics.com/delete-usb-device-history-from-the-windows-registry-usbstor-key-and-the-setupapilog

BW
 
LVL 37

Accepted Solution

by:
Neil Russell earned 500 total points
ID: 35193338
All of that is well and good BUT do your computers have CD-R/RW drives? Do they have floppy disks? (Yes, they still exist!)

If you are serious about domain security and the data on your network then don't mess about in the registry and play with GPO hacks that work some of the time.
Put your hand in your pocket and put in place a solution that is written for the job.  How much does it cost? How much is your data worth? How much is your network integrity worth?

Like I said earlier, something like McAfee DLP will do it all for you.  You can even allow certain USB sticks access while blocking all others.
 
LVL 4

Expert Comment

by:mathi28
ID: 35239405
If you are looking for commercial software, then try

http://www.manageengine.com/products/desktop-central/control-usb-devices.html
 

Author Closing Comment

by:ryanthompson
ID: 35296653
Looking into the McAfee.  Thanks for the info.
