How to prevent users from connecting USB storage devices
To stop users connecting USB storage devices
The following steps must be carried out to ensure that the USB storage driver
cannot be accessed. Where the USB storage driver has already been installed, the
service should also be disabled.
- Deny Access to usbstor.inf and usbstor.pnf
- Disable the USB storage service
1. Deny Access to usbstor.inf and usbstor.pnf
Open the Group Policy Object and drill down to File System
Computer Configuration -> Windows Settings -> Security Settings -> File System
Right click and select Add File…
Enter %SystemRoot%\inf\usbstor.inf
Click OK
Assign the Deny permissions to Authenticated Users and System
Click OK
Click Yes
Click OK
Carry out the same procedure for %SystemRoot%\inf\usbstor.pnf
2. Disable the USB Storage Service
The Start DWORD value must be set to 00000004 (disabled) in the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor]
"Start"=dword:00000004
To disable this service using Group Policy, create an .adm template.
Copy the following section into a text editor and save the file as usbstore.adm
CLASS MACHINE
CATEGORY !!CATUSBManagement
  POLICY !!POLUSBManagement
    EXPLAIN !!POLUSBManagement_Help
    KEYNAME "System\CurrentControlSet\Services\usbstor"
    PART !!Part00 DROPDOWNLIST
      VALUENAME "Start"
      ITEMLIST
        NAME !!Name00 VALUE NUMERIC 0
        NAME !!Name01 VALUE NUMERIC 1
        NAME !!Name02 VALUE NUMERIC 2
        NAME !!Name03 VALUE NUMERIC 3
        NAME !!Name04 VALUE NUMERIC 4 DEFAULT
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
CATUSBManagement="USB Management"
POLUSBManagement="USB Storage Service"
POLUSBManagement_Help="Enables the changing of the startup type for the USB Storage Service.\nDisabled should be selected from startup type.\n\nYou should also set permissions on following files:\n\n%SystemRoot%\Inf\Usbstor.inf\n%SystemRoot%\Inf\Usbstor.pnf"
Part00="Startup type"
Name00="Boot"
Name01="System"
Name02="Auto Load"
Name03="Load On Demand"
Name04="Disabled"

As this isn’t quite as simple as setting a Group Policy, more instructions are included below, detailing how to load the adm template using the Group Policy snap-in.
Add Administrative Template usbstore.adm
Open the Group Policy object that you want to edit.
In the console tree, right-click Administrative Templates
Click Add/Remove Templates
Click Add
Browse to the .adm template and open it, then click Close
If you can see the policy/preference, skip the next two screens. If instead you see:
“There are no items to show in this view”
Right click in the left pane
Select View
Select Filtering…
Deselect/untick "Only show policy settings that can be fully managed"
Double click the policy/preference, in this case USB Storage Service
Select Enabled
Select startup type: Disabled
Click Apply/OK
This is a preference rather than a group policy, so it will tattoo the registry:
This registry setting is not stored in a policies key and is thus considered a preference. Therefore, if the Group Policy Object that implements the setting is ever removed, this setting will remain.
A copy of the template used to disable usbstore service can be found here: disable usbstore adm
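Because the setting tattoos the registry and the file permissions are applied separately, it is worth checking both on a target machine. The PowerShell audit below is an added example, not part of the original article or template. It assumes the Deny entry is expected to cover reading the file's data, and it matches accounts by their well-known SIDs rather than by name.

```powershell
# Added example: audit the two controls from this page on the local machine.
# Run from an elevated prompt. Nothing is changed; results are shown as a table.
$ErrorActionPreference = 'Stop'

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\usbstor'
$files   = "$env:SystemRoot\inf\usbstor.inf", "$env:SystemRoot\inf\usbstor.pnf"
# Well-known SIDs, so the check does not depend on localized account names
$sids    = [ordered]@{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-18' = 'SYSTEM' }
$sidType = [System.Security.Principal.SecurityIdentifier]
# Assumption: the Deny ACE is expected to cover reading the file's data
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function New-Result($Check, $Value, $Pass) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass }
}

$results = @()

# Step 2 on this page: the service Start value must be 4 (Disabled)
try {
    $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    $results += New-Result 'usbstor Start' $start ($start -eq 4)
} catch {
    # Key or value missing (driver not installed) or unreadable: report, do not guess
    $results += New-Result 'usbstor Start' $_.Exception.Message $null
}

# Step 1 on this page: a Deny ACE for both principals on both files
foreach ($file in $files) {
    try {
        $rules = (Get-Acl -Path $file).GetAccessRules($true, $true, $sidType)
    } catch {
        # Missing file, or the Deny ACE itself stops this account reading the ACL
        $results += New-Result "ACL $file" $_.Exception.Message $null
        continue
    }
    foreach ($sid in $sids.Keys) {
        $deny = @($rules | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $sid -and
            ([int]$_.FileSystemRights -band $readData) -ne 0
        })
        $results += New-Result "Deny $($sids[$sid]) on $file" $deny.Count ($deny.Count -gt 0)
    }
}

$results | Format-Table -AutoSize -Wrap
```

A row with an empty Pass column means the check could not be evaluated on that machine and needs a manual look.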