What happens if users bring their own USB memory sticks and connect them to the computers at their office? With the size of USB storage devices increasing so much in recent years, the risk is increasing, as more and more data could be stolen or lost accidentally.
You can restrict the installation of new USB storage devices by changing the permissions of the two files listed below.
To open the folder that contains them, type %windir%\inf in the Explorer address bar or the Run dialog box and press Enter. This opens the "inf" folder.
- %SystemRoot%\Inf\Usbstor.pnf
- %SystemRoot%\Inf\Usbstor.inf
To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:
- Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
- Right-click the Usbstor.pnf file, and then click Properties.
- Click the Security tab.
- In the Group or user names list, click the user or group that you want to set Deny permissions for.
- In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
Note: In addition, add the System account to the Deny list.
- Right-click the Usbstor.inf file, and then click Properties.
- Click the Security tab.
- In the Group or user names list, click the user or group that you want to set Deny permissions for.
- In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
You can also disable USB storage access for a certain group of users. Disabling and re-enabling USB ports is based on a simple registry entry.
If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
When you do so, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate, and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
- In the right pane, double-click Start.
- In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
- Quit Registry Editor.
To set up read-only operation for USB storage devices, follow these steps:
1. Click the Start button, type Regedit, and press Enter.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
3. Right-click Control and select New and then Key. Call the new key StorageDevicePolicies.
4. Right-click StorageDevicePolicies and select New and then DWORD. Call the new DWORD WriteProtect.
5. Right-click WriteProtect and select Properties. Set the value to 1 and click OK.
The computer is now configured to disable writing to USB storage devices.
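The two registry settings described above (Start = 4 under UsbStor, and WriteProtect = 1 under StorageDevicePolicies) can be audited and applied from an elevated PowerShell prompt, which is easier to repeat across machines than Regedit. This is an added example, not code from the original page; the function names Get-UsbStoragePolicy and Set-UsbStoragePolicy are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit and optionally apply the USB storage settings from this page.
# Run elevated. Function names are hypothetical, not from any product.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStoragePolicy {
    # Read a DWORD, returning $null when the key or the value does not exist.
    function Read-Dword($Path, $Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }
    # List Deny entries on the two driver files (the file-permission method).
    $deny = foreach ($f in 'usbstor.inf', 'usbstor.pnf') {
        $acl = Get-Acl (Join-Path $env:SystemRoot "Inf\$f") -ErrorAction SilentlyContinue
        if ($acl) {
            $acl.Access | Where-Object AccessControlType -eq 'Deny' |
                ForEach-Object { '{0}: {1}' -f $f, $_.IdentityReference }
        }
    }
    $start = Read-Dword $UsbStorKey 'Start'
    $wp    = Read-Dword $PolicyKey 'WriteProtect'
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UsbStorStart   = $start
        DriverDisabled = ($start -eq 4)   # Start = 4 disables the driver
        WriteProtect   = $wp
        ReadOnly       = ($wp -eq 1)      # WriteProtect = 1 blocks writes
        DenyEntries    = @($deny)
    }
}

function Set-UsbStoragePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DisableDriver, [switch]$ReadOnly)
    if ($DisableDriver -and $PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    if ($ReadOnly -and $PSCmdlet.ShouldProcess($PolicyKey, 'Set WriteProtect = 1')) {
        # The StorageDevicePolicies key does not exist by default; create it first.
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name WriteProtect -Value 1 -Type DWord
    }
}

Get-UsbStoragePolicy                          # report the current state
# Set-UsbStoragePolicy -ReadOnly -WhatIf      # preview the change without writing
```

Running Get-UsbStoragePolicy on a schedule and comparing its output against the intended baseline shows when one of these values has been changed back.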
Free tool - http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html (two versions: local and remote)
To re-enable USB storage devices, you will need to restore the original permissions. From Windows 2000, or Windows XP in Safe Mode:
- Click Start and then Run... and type %systemroot%\inf
- Look for usbstor.inf, right-click on it and click Properties.
- Click the Security tab, remove "SYSTEM" from the list.
- Click "Advanced..." and turn on "Allow inheritable permissions..." Click OK to save the change and OK again to close the Properties window.
- Repeat for usbstor.pnf.
Software worth trying: Windows Network USB Drive Blocker 2.0.1.5