Blocking Access to USB Drives

While there’s no denying that USB storage devices like “pen” or “keychain” drives can come in very handy in a pinch, you need to think seriously about the security repercussions of allowing end users to attach these devices to their PCs. With storage capacities of 1 to 10 GB (don’t forget those funky MP3 players) not uncommon, an unethical user could easily walk out the door with an amazing amount of very sensitive information, literally in their front pocket.

Compounding the issue is the fact that most of these devices do not require the installation of any special drivers, relying on the native plug-and-play capabilities of operating systems like Windows XP instead. That means that just about any user can plug one of these devices in, and then transfer information to it like any other drive. Remember when companies used to worry about sensitive information leaving the organization on a floppy disk? It almost seems laughable now by comparison. While the vast majority of users will use these devices for legitimate purposes, it’s your job as an administrator to recognize that they still present a security risk, and one that should be addressed in the same manner as your organization’s other security policies and procedures.

Blocking access to USB storage devices is done in one of two ways. The first procedure is for systems that have not had a USB storage device installed yet, and the second for ones where a USB device has already been installed.

On Windows XP systems, the easiest way to check whether a USB storage device has already been installed is to fire up Regedit and browse to HKLM\SYSTEM\CurrentControlSet\Services. If you find a “key” (folder) here named USBSTOR, a USB storage device has already been installed.

Assuming that one hasn’t been installed, disabling future installations is quite simple. Just browse to the %systemroot%\inf folder, and look for 2 files – usbstor.inf, and usbstor.pnf.

To stop users from installing USB storage devices, open the Properties of these files to the Security tab, and then Deny the Full Control permission to the users or groups that you don’t want to be able to attach a USB drive to the system. It’s that simple.

If you find the USBSTOR key already present in the Registry, a device has already been installed. To stop these devices from functioning, you’ll want to switch its value from 3 (in hexadecimal) to 4, as shown below. Don’t forget that all the normal Registry warnings apply here – back it up first, you do this at your own risk, your computer might explode, etc.

Now, it’s obvious that this “manual” method won’t be of much help in very large environments, but it shows you how the mission is accomplished. If you want to go further with things, you could always create a fancy script to deploy these Registry and permission settings via a logon script or even Group Policy.
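One way to script the two manual procedures above, as an added example that is not from the original article. It assumes PowerShell running elevated, that the value switched from 3 to 4 is the USBSTOR key's Start value, and that the accounts to deny are BUILTIN\Users (a placeholder parameter to change).

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Use -WhatIf to preview the registry and ACL changes without applying them.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed placeholder: the users or groups that must not attach USB drives.
    [string[]]$DenyTo = @('BUILTIN\Users')
)

$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$infDir   = Join-Path $env:SystemRoot 'inf'
$infFiles = 'usbstor.inf', 'usbstor.pnf' | ForEach-Object { Join-Path $infDir $_ }

if (Test-Path $svcKey) {
    # Case 2: a USB storage device has already been installed.
    # Assumption: the value the article switches from 3 to 4 is "Start".
    $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    if ($start -ne 4) {
        # Back up the key before touching it, as the article advises.
        $backup = Join-Path $env:TEMP ('usbstor-{0:yyyyMMddHHmmss}.reg' -f (Get-Date))
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR' $backup | Out-Null
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
    }
    $action = "USBSTOR key present; Start was $start, target is 4"
}
else {
    # Case 1: no USB storage device installed yet. Deny Full Control on the
    # driver setup files to the listed accounts.
    foreach ($file in $infFiles) {
        if (-not (Test-Path $file)) {
            Write-Warning "$file not found; skipping"
            continue
        }
        $acl = Get-Acl -Path $file
        foreach ($account in $DenyTo) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'FullControl', 'Deny')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $file -AclObject $acl
    }
    $action = "USBSTOR key absent; denied Full Control on setup files to: $($DenyTo -join ', ')"
}

# One line per machine, suitable for collecting in a deployment log.
"{0}: {1}" -f $env:COMPUTERNAME, $action
```

On Windows versions newer than the XP systems the article covers, the files under %systemroot%\inf are typically owned by TrustedInstaller, so the Set-Acl step can fail with an access-denied error even when elevated.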

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.