Thursday, September 10, 2009

How to disable USB removable disks flash drives by using Group Policy (GPO)?

I have seen this question several times at different message boards, so I've decided to write an article about it.

USB removable disks (also known as flash drives, "Disk on Key" and other variations) have quickly become an integral part of our electronic lives, and nearly everybody now owns one device or another: small disks, external hard drives enclosed in cases, card readers, cameras, mobile phones, portable media players and more.

Portable USB flash drives are indeed very handy, but they can also be used to introduce malicious code onto your computer (deliberately or by accident), or to copy confidential information from it and carry it away.

As a variation on Disable USB Disks, you can prevent users from using any portable USB removable disk or flash drive with a custom .ADM file that is imported either into the Local Group Policy (affecting only the local computer) or into Active Directory-based Group Policy Objects (also known as GPOs).

Follow the steps outlined in the Adding New Administrative Templates to a GPO article on general instructions on how to add or remove an .ADM file from the Administrative Templates section in GPO.

Note: This tip will allow you to block usage of USB removable disks, but will continue to allow usage of USB mice, keyboards or any other USB-based device that is NOT a portable disk.

It's worth mentioning that Windows Vista implements a much more sophisticated way of controlling USB disks via GPO: the Device Installation Restrictions and Removable Storage Access settings under Computer Configuration > Administrative Templates > System. If you have Windows Vista client computers in your organization, edit the GPO from one of the Vista machines and you can control whether users are able to install and use USB disks at all, and exactly which devices (by device class or hardware ID) can or cannot be used on their machines.

Needless to say, as with any GPO setting, this option will only work on Windows 2000 operating systems or higher.

In KB 555324, fellow MVP Simon Geary provides a nice sample .ADM file that does just that, and also covers other removable storage media. With it you can effectively block the use of any drive containing removable media: USB storage, CD-ROM drives, floppy disk drives and high-capacity LS-120 floppy drives. The template works by setting the Start value of the corresponding driver service (USBSTOR for USB storage) to 4, which is "disabled", so the driver is never loaded when a device is plugged in.

However, the original .ADM was pretty simple, so I added a must-have explanation and changed some of the wording in it. By using the file provided below you will also be able to understand the exact settings and scenarios in which the blocking will or will not be successful.

Download the USB_removable_drives_ADM file (2kb)

After downloading the .ADM file, read Adding New Administrative Templates to a GPO.
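If you want to see what such a template looks like before importing one, the following PowerShell writes a minimal .ADM of the same kind, covering USB storage only and including an EXPLAIN block. This is an added example, not the USB_removable_drives_ADM file offered above nor Simon Geary's original; the category names, string identifiers and explain text are my own, while the registry key and the Start values 3 and 4 are the standard USBSTOR ones.

```powershell
# Added example (not the article's download): generates a minimal .ADM template
# that disables the USBSTOR driver service through a GPO preference setting.
# Names under [strings] are invented for this example; the key and values are real.

function New-UsbStorAdmTemplate {
    param([string]$Path = "$env:TEMP\Disable_USB_Storage.adm")

    # Single-quoted here-string: nothing inside is expanded by PowerShell,
    # so the backslashes and "!!" string references reach the file verbatim.
    $adm = @'
CLASS MACHINE
CATEGORY !!CustomPolicies
  CATEGORY !!RestrictDrives
    POLICY !!DisableUsbStorage
      ; The key is the driver's service entry, NOT a key under Software\Policies,
      ; so GPEdit treats the setting as a "preference": it is hidden by the
      ; default filter and it tattoos the registry.
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!DisableUsbStorage_Help
      PART !!DisableUsbStorage_Label DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Allowed VALUE NUMERIC 3 DEFAULT
          NAME !!Blocked VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
CustomPolicies="Custom Policy Settings"
RestrictDrives="Restrict Drives"
DisableUsbStorage="Disable USB removable storage"
DisableUsbStorage_Label="USB removable storage is"
DisableUsbStorage_Help="Sets the Start value of the USBSTOR driver service. 3 (demand start) lets the driver load when a USB storage device is plugged in; 4 (disabled) prevents it. USB keyboards, mice and other non-storage devices are not affected. A device that has never been installed on this machine can still trigger a driver install that re-enables the service unless SYSTEM is denied access to usbstor.inf and usbstor.sys. Removing this policy does not restore the previous value."
Allowed="Allowed"
Blocked="Blocked"
'@

    # .ADM files are plain ANSI text; write without a byte-order mark.
    Set-Content -Path $Path -Value $adm -Encoding Ascii
    Get-Item -Path $Path
}

New-UsbStorAdmTemplate
```

Import the resulting file through Administrative Templates > Add/Remove Templates as described in the linked article. Because KEYNAME points outside the Policies branches, the setting only appears once the "fully managed" filter is cleared, and switching it back to "Allowed" is what restores the driver; deleting the policy does not.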

You might also be interested in reading Disable Writing to USB Disks with GPO.

Note: To see and configure the new .ADM settings you must change the default filtering view of the GPO Editor (GPedit.msc). The template writes to the driver's service key under HKLM\SYSTEM\CurrentControlSet\Services rather than to one of the Policies keys, so the editor classifies its settings as preferences: they are hidden by the default filter and, unlike true policies, they tattoo the registry (removing the policy later does not restore the previous value). Unless you change the filter, the right pane will appear empty even though the settings are there.

Follow these steps:

  1. In GPEdit.msc (or any other GPO Editor window you're using) click View > Filtering.

  2. Clear the "Only show policy settings that can be fully managed" check-box and click OK.

  3. The new settings now appear in the right pane, marked with the red icon the editor uses for preferences rather than true policies.

  4. Configure the settings you need and close the editor.

One more step is required before the above works: you must modify the file access permissions on two files, removing the SYSTEM account's access to usbstor.sys and usbstor.inf.

Right-click each file > Properties, open the Security tab and remove the entry for the SYSTEM account (if the entry is inherited, first turn off inheritance on the file so that it can be removed). Without this, plugging in a USB storage device that has never been installed on the machine lets Plug and Play, which runs as SYSTEM, install the driver from usbstor.inf, and that installation can re-create the USBSTOR service with its default start type, undoing the policy.

Note: Under some circumstances SYSTEM needs write access to these files, in particular during Service Pack installation: when the SP is deployed via GPO or SMS, the installation runs under the SYSTEM account.

The Service Pack replaces these files with newer versions, and without write access the installation will fail. Therefore, before each SP deployment, grant SYSTEM access to these files again, and remove it once the deployment has completed.
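To check that both halves of the tip are in place, and to flip the SYSTEM permission back and forth around a Service Pack rollout without clicking through two Properties dialogs per machine, here is a PowerShell script added for this article (not part of the original post or of the .ADM file). The function names are mine; the USBSTOR key, the two file paths and the SID S-1-5-18 for SYSTEM are standard. It assumes an administrator session on an XP-era client with PowerShell 2.0 installed, where the driver files are not protected by TrustedInstaller ownership as they are on Vista and later.

```powershell
# Added example, not from the original article: audits the state the .ADM policy
# writes (USBSTOR Start value) and SYSTEM's access to the two driver files, and
# grants or revokes that access around a Service Pack deployment.
# Function names are invented for this example; key, paths and SID are standard.

$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorFiles = @("$env:SystemRoot\System32\drivers\usbstor.sys",
                  "$env:SystemRoot\inf\usbstor.inf")
$SystemSid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'

function Test-SystemAce {
    # True if any ACE on the file (explicit or inherited) belongs to SYSTEM.
    # Compared by SID so the check does not depend on the localized account name.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $SystemSid) { return $true }
    }
    return $false
}

function Get-UsbStorageBlockState {
    # Start = 3 (demand start): the driver loads when a USB disk is plugged in.
    # Start = 4 (disabled): what the "block" item of the .ADM template sets.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    New-Object PSObject -Property @{
        ServiceStart      = $start
        DriverDisabled    = ($start -eq 4)
        SystemAccessOnSys = Test-SystemAce -Path $UsbStorFiles[0]
        SystemAccessOnInf = Test-SystemAce -Path $UsbStorFiles[1]
    }
}

function Set-UsbStorSystemAccess {
    # Revoke: close the driver-install path that would re-enable the service.
    # Grant : restore before a Service Pack deployment so the installer,
    #         running as SYSTEM via GPO or SMS, can replace the files.
    param([Parameter(Mandatory=$true)][ValidateSet('Grant','Revoke')][string]$Action)
    foreach ($file in $UsbStorFiles) {
        $acl = Get-Acl -Path $file
        if ($Action -eq 'Revoke') {
            # Inherited ACEs cannot be removed directly: break inheritance while
            # keeping copies of the inherited entries, then drop SYSTEM's entry.
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -Path $file -AclObject $acl
            $acl = Get-Acl -Path $file
            foreach ($ace in @($acl.Access)) {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
                if ($sid -eq $SystemSid) { [void]$acl.RemoveAccessRule($ace) }
            }
        } else {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($SystemSid, 'FullControl', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $file -AclObject $acl
    }
}

# Typical sequence around a Service Pack rollout:
#   Set-UsbStorSystemAccess -Action Grant     # before the deployment
#   ... deploy the Service Pack ...
#   Set-UsbStorSystemAccess -Action Revoke    # afterwards
Get-UsbStorageBlockState
```

A machine is fully covered only when the audit reports DriverDisabled true and SystemAccessOnSys and SystemAccessOnInf both false; a client where the policy applied but the file permissions were never changed will still accept the first USB disk that was not previously installed on it.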
