How can I prevent users from writing to USB removable disks (USB flash drives)?
USB removable disks (also known as flash drives or “Disk on Key” and other variations) are quickly becoming an integral part of our electronic life, and now nearly everybody owns one device or another, in forms of small disks, external hard drives that come enclosed in cases, card readers, cameras, mobile phones, portable media players and more.
Portable USB flash drives are indeed very handy, but they can also be used to upload malicious code to your computer (either deliberately or by accident), or to copy confidential information from your computer and take it away.
Microsoft has introduced some changes into Windows XP Service Pack 2 that allow an administrator some control over how USB Removable Disks (or flash drives) are handled. A new storage device policy named WriteProtect makes it possible to prevent all removable USB drives from being written to. Users can still read from these devices, but are not longer able to write to them.
This tweak will only work in Windows XP SP2 and above.
You can also Disable Writing to USB Disks with GPO.
Block writing to USB Removable Disks
To block your computer’s ability to use USB Removable Disks follow these steps:
- Open Registry Editor.
- In Registry Editor, navigate to the following registry key:
- Create the following value (DWORD):
and give it a value of 1.
Note: As always, before making changes to your registry you should always make sure you have a valid backup. In cases where you’re supposed to delete or modify keys or values from the registry it is possible to first export that key or value(s) to a .REG file before performing the changes.
- Close Registry Editor. You do not need to reboot the computer for changes to apply.
Users trying to write to any USB Removable Disk will now get an Access Denied message.
Enable writing to USB Removable Disks
To return to the default configuration and enable your computer’s ability to use USB Removable Disks follow these steps:
- Go to the registry path found above.
- Locate the following value:
and give it a value of 0.
You can download a .REG file that configure this setting right HERE (1kb).
You may find these related articles of interest to you:
- Adding New Administrative Templates to a GPO
- Controlling IE cache size via GPO
- Disable USB Disks
- Disable USB Disks with GPO
- Disable Writing to USB Disks with GPO
- Download GPMC
- Download Group Policy ADM Files for All Microsoft Operating Systems
- Download Group Policy Settings Reference
- Download Office 2000 Reskit Tools
- Download Office System 2003 Reskit Tools
- Download Office System 2003 SP2 ADMs and Explain Text Update
- Download Office XP Reskit Tools
- Event logs archiving with GPO
- Understanding Administrative Templates in GPO