Need to disable USB thumbdrives but still allow USB keyboard


  • Need to disable USB thumbdrives but still allow USB keyboard


    I'm looking to disable the USB port on all the workstations. I would like to just do it through the BIOS and put a password and be done with it, however all the stations are using USB keyboards/mice so this is currently not the best option. I would like for the workstations to still be able to use the USB mouse and keyboard but I need to make it so that you cannot hook up any USB thumbdrives or any other USB device for storage unless it's the local administrator.

    I know there is 3rd party software to do this, however I'm looking to do this without having to pay for extra software. Is there any freeware?

    Any suggestions?

  • #2
    Link to instructions to disable removable drives via GPO

    Pretty good instruction set to disable removable drives.


    • #3
      What a cracking set of instructions. Very thorough! Maybe could be a tips and trick or a new article.


      • #4
        I _strongly_ advise you to try this in a non-productive environment since I am not very deep into Group Policies and therefore take no responsibility for any errors or problems that might occur. Try/use at your own risk.
        Like editing the registry, I think this sort of caveat should precede any article that involves editing GPOs in any way shape or form. Seriously people, if you don't know already, be careful. Some of this stuff is not reversible and you will break AD if you do it wrong. Sorry, I've had a few close calls lately.



        • #5
          I recently figured out how to disable ONLY USB storage devices (flash/Jump/external HD's) completely without disabling keyboards, mice, etc.

          I decided to go this route after trying every other option I could find on the internet. So far this is the only way I have found to completely kill USB drives.

          First thing to do is this:

          1. Run regedit and navigate to HKLM\system\currentcontrolset\services\USBstor.

          2. Change the value of the dword "Start" from 3 to 4. If the dword "Start" doesn't exist, create it. This will prevent a previously installed USB device from loading when the device is plugged into the machine. ((As most of you know this is a Microsoft suggestion, which does work perfectly at disabling previously installed devices, however, this alone will not disable USB storage completely. If a user plugs a new USB storage device into the machine the device will install and the dword value will be reset to 3. Now if you incorporate adding this into a script it alone will disable USB drives, but only after a user plugs a device in, removes it without uninstalling it, logs off then logs back on, thereby running the script. This means that there is a window of opportunity for users to have access to new devices, this may be acceptable for some, but not for others.))

          3. The next thing to do is to change the permissions on the USBSTOR key. You need to DENY full control on the "system" group.

          ((What this does is denies everyone the ability to access the USBStor key, effectively killing the ability for any user (including admins) to install USB storage devices. Now the reason you deny the "system" group is because windows will use this account if no one is logged onto the machine yet. What I mean by this is if say you want to deny a group of users called "staff", you would need to deny them using GP or a logon script. This will work great, but, if a "staff" group user plugs a USB drive in before logging in to Windows the device will be installed in the background using the "system" group, then when the user logs in the "staff" group policy is applied denying the user access to the USBstor key, but by this point it makes no difference because the device is already installed and accessible and once a device is installed the usbstor key is no longer used.))

          3. So now that these two steps are done, *NO ONE* will be able to install USB drives.

          If a user tries to use a previously installed drive the device will be blocked and nothing will happen, no prompts, nothing. This is accomplished through step 1, the dword value.

          What happens if a user plugs in a "New" device that was not previously installed, the hardware wizard will run, asking for the location of drivers. Regardless of whether a user selects the "automatically" search and install or if they attempt to manually install 3rd party drivers, the HW wizard will prompt the user that "access is denied" once the drivers are selected. This is the result of step 2, denying "system".

          Now that we know how to disable USB storage devices we need to find an efficient way to do this without driving through the registry on each and every machine.

          I'll show you what I did to accomplish this next time.
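
The two registry changes described in post #5, as an added PowerShell example that is not the poster's own script (the function names are hypothetical). It assumes an elevated session on a test machine where the USBSTOR service key exists, and adds a state report and a rollback so the change can be checked and reversed.

```powershell
# Added example (not the poster's script). Run elevated, on a test machine first.
$psPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Explicit Deny / FullControl for SYSTEM (well-known SID S-1-5-18), as in the post.
$system   = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-18'
$denyRule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
    $system, 'FullControl', 'ContainerInherit', 'None', 'Deny'

function Get-UsbStorState {
    # Report the Start value and any explicit Deny entries set on the key.
    $start = (Get-ItemProperty -Path $psPath -Name Start -ErrorAction SilentlyContinue).Start
    $deny  = (Get-Acl -Path $psPath).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Start       = $start
        Disabled    = ($start -eq 4)
        DenyEntries = ($deny | ForEach-Object {
            "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
    }
}

function Disable-UsbStorage {
    # Start = 4 (disabled); -Force creates the value if missing, overwrites if present.
    New-ItemProperty -Path $psPath -Name Start -PropertyType DWord -Value 4 -Force | Out-Null
    # Then add the Deny entry for SYSTEM. Do this second: once it is in place,
    # anything running as SYSTEM (e.g. a computer startup script) is denied the key.
    $acl = Get-Acl -Path $psPath
    $acl.AddAccessRule($denyRule)
    Set-Acl -Path $psPath -AclObject $acl
    Get-UsbStorState
}

function Enable-UsbStorage {
    # Rollback: remove the Deny entry first, then restore Start = 3 (load on demand).
    $acl = Get-Acl -Path $psPath
    [void]$acl.RemoveAccessRule($denyRule)
    Set-Acl -Path $psPath -AclObject $acl
    New-ItemProperty -Path $psPath -Name Start -PropertyType DWord -Value 3 -Force | Out-Null
    Get-UsbStorState
}
```

Dot-source the file and call `Disable-UsbStorage`; `Get-UsbStorState` on its own only reads, so it can be used to audit machines without changing them.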