Disabling USB storage devices using Group Policy

September 20, 2009 - Security

How to prevent users from connecting USB storage devices

To stop users connecting USB storage devices

The following steps must be carried out to ensure that the USB storage driver
cannot be accessed. In cases where the USB storage driver has already been
installed, the service should also be disabled.

1. Deny Access to usbstor.inf and usbstor.pnf

Open the Group Policy Object and drill down to File System

Computer Configuration -> Windows Settings -> Security Settings -> File System

Right click and select Add File…
Enter %SystemRoot%\inf\usbstor.inf
Click OK

Assign the Deny permissions to Authenticated Users and System

Click OK
Click Yes
Click OK

Carry out the same procedure for %SystemRoot%\inf\usbstor.pnf

2. Disable the USB Storage Service

The Start Dword value must be set to 00000004 (disable) in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor]
"Start"=dword:00000004

To disable this service using Group Policy create an adm template.

Copy the following section into a text editor and save the file as usbstore.adm

; Exposes the "Start" value of the USB storage service as a drop-down list
CLASS MACHINE
  CATEGORY !!CATUSBManagement
    POLICY !!POLUSBManagement
      EXPLAIN !!POLUSBManagement_Help
      KEYNAME "System\CurrentControlSet\Services\usbstor"
      PART !!Part00 DROPDOWNLIST
        VALUENAME "Start"
        ITEMLIST
          NAME !!Name00 VALUE NUMERIC 0
          NAME !!Name01 VALUE NUMERIC 1
          NAME !!Name02 VALUE NUMERIC 2
          NAME !!Name03 VALUE NUMERIC 3
          NAME !!Name04 VALUE NUMERIC 4 DEFAULT
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY

[strings]
CATUSBManagement="USB Management"
POLUSBManagement="USB Storage Service"
POLUSBManagement_Help="Enables the changing of the startup type for the USB Storage Service.\nDisabled should be selected from startup type.\n\nYou should also set permissions on following files:\n\n%SystemRoot%\Inf\Usbstor.inf\n%SystemRoot%\Inf\Usbstor.pnf"
Part00="Startup type"
Name00="Boot"
Name01="System"
Name02="Auto Load"
Name03="Load On Demand"
Name04="Disabled"

As this isn’t quite as simple as setting a Group Policy, more instructions are included below, detailing how to load the adm template using the Group Policy snap-in.

Add Administrative Template usbstore.adm

Open the Group Policy object that you want to edit.

Console tree, Administrative Templates

In the console tree, right-click Administrative Templates
Click Add/Remove Templates

Add/Remove Templates dialog

Click Add

Browse to template

Browse to the .adm template and open it, then click Close

The adm preference template is added

If you can see the policy/preference, skip the next two screens. You need them if you see:
“There are no items to show in this view”

Filtering Menu

Right click in the left pane
Select View
Select Filtering…

Remove Filtering

Deselect/Untick "Only show policy settings that can be fully managed"

Preference Preview

Double click the policy/preference, in this case USB Storage Service

Enable Preference

Select Enabled
Select startup type: Disabled
Click Apply/OK

This is a preference rather than a group policy, so it will tattoo the registry:

This registry setting is not stored in a policies key and is thus considered a preference. Therefore, if the Group Policy Object that implements the setting is ever removed, this setting will remain.
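
Because the Start value is tattooed and the file permissions are applied separately, it is worth checking on a client that both controls are actually in place. The script below is an added example, not part of the original post or the KB articles. It assumes PowerShell 3.0 or later, the paths and Start value given above, and the well-known SIDs S-1-5-11 (Authenticated Users) and S-1-5-18 (SYSTEM); the function names are made up for this example.

```powershell
# Added example: audit one machine for the two controls described above.
# Paths and the Start value come from the article; the SIDs are the
# well-known ones for Authenticated Users and Local System (assumption).
$denySids = @{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-18' = 'SYSTEM' }
$files    = 'usbstor.inf', 'usbstor.pnf' |
    ForEach-Object { Join-Path $env:SystemRoot "inf\$_" }
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Test-UsbStorFileDeny {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'file not present' }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A Deny ACE that covers the caller can also block reading the ACL.
        return "ACL unreadable: $($_.Exception.Message)"
    }
    # Ask for SIDs rather than names so the check is locale independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $denied  = $acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value }
    # Only the presence of a Deny ACE is checked, not which rights it denies.
    $missing = $denySids.Keys |
        Where-Object { $denied -notcontains $_ } |
        ForEach-Object { $denySids[$_] }
    if ($missing) { "missing Deny ACE for: $($missing -join ', ')" } else { 'OK' }
}

function Test-UsbStorService {
    $prop = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'USBSTOR key or Start value not found' }
    if ($prop.Start -eq 4) { 'OK (Start=4, Disabled)' }
    else { "NOT disabled (Start=$($prop.Start))" }
}

$report = @()
foreach ($f in $files) {
    $report += [pscustomobject]@{ Check = $f; Result = Test-UsbStorFileDeny -Path $f }
}
$report += [pscustomobject]@{ Check = $svcKey; Result = Test-UsbStorService }
$report | Format-Table -AutoSize
```

Run it from an elevated prompt. An "ACL unreadable" result on the two files is expected when the Deny entry also covers the account running the check.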

A copy of the template used to disable usbstore service can be found here: disable usbstore adm

Adapted from KB823732 and KB555324