About Ryan Stewart
Expertise
I can answer questions, provide advice and assist with troubleshooting several areas of internet and network security including but not limited to: Windows XP, Windows Server 2003 & 2008, Windows Vista, Windows 7 and Linux operating systems; planning, design, implementation, management & testing in small business, home and home office environments; server and workstation hardware; in-house and remote system auditing; software-based offensive security (penetration and vulnerability testing); software-based defensive security (firewall configuration, encrypting & securing services with SSL, VPN, AV gateway, antivirus, access control, monitoring & intrusion detection); hardware-based security configuration & techniques; Certificate Authority and SSL certificates; wireless security (WEP, WPA, WPA2, 802.1X).

Experience
I've been an independent IT consultant for 5 years serving small businesses and home users.

Education/Credentials
CISM - Certified Information Security Manager | CCNA Security - Cisco Certified Network Associate Security | MCSA - Microsoft Certified Systems Administrator

 
   


Internet/Network Security - How to configure USB Block Policy


Expert: Ryan Stewart - 9/3/2009

Question
Hello Sir,
How are you? My name is Ahmad. I would like to ask one question regarding USB. I have a network of 50 computers and have a server machine having ISA Server 2000 software. All the PCs are connected with the domain. I want to block all the USB ports on all the client machines through a group policy, as well as all the CD drives.
Regards.

Answer
Ahmad,
I'm doing well, thanks for asking. I'm going to assume that your goal is to prevent the usage of USB removable disks on all client machines. We can accomplish this by creating a custom .ADM file that will be imported into a Group Policy Object. This will allow you to block the use of USB flash drives / removable disks, but will continue to allow the use of any other USB device that is not a portable disk drive (keyboards, mice etc.). When we're finished, you'll have the same control over the use of the client CD drives as well.

The first thing we need to do is modify the file access permissions for 2 files: usbstor.sys & usbstor.inf. Locate these files and right-click > Properties > Security tab. Remove the line for the SYSTEM account. Make sure you remove the SYSTEM access permissions from BOTH files.

Now, import this administrative template into your Group Policy as an .ADM file:

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
 POLICY !!policynameusb
  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
  EXPLAIN !!explaintextusb
    PART !!labeltextusb DROPDOWNLIST REQUIRED

      VALUENAME "Start"
      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 3 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
 POLICY !!policynamecd
  KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
  EXPLAIN !!explaintextcd
    PART !!labeltextcd DROPDOWNLIST REQUIRED

      VALUENAME "Start"
      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 1 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
 POLICY !!policynameflpy
  KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
  EXPLAIN !!explaintextflpy
    PART !!labeltextflpy DROPDOWNLIST REQUIRED

      VALUENAME "Start"
      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 3 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
 POLICY !!policynamels120
  KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
  EXPLAIN !!explaintextls120
    PART !!labeltextls120 DROPDOWNLIST REQUIRED

      VALUENAME "Start"
      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 3 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB Removable Drives"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstor.sys driver status in the drop-down list.  \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstor.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the CD-ROM Drive select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the Floppy Drive select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of the High Capacity Floppy Drive select STARTED for the sfloppy.sys driver status in the drop-down list."
labeltextusb="usbstor.sys driver status"
labeltextcd="cdrom.sys driver status"
labeltextflpy="flpydisk.sys driver status"
labeltextls120="sfloppy.sys driver status"
Enabled="Stopped"
Disabled="Started"


FYI: In order to view and configure the settings for this .ADM file, you'll need to change the default filtering view for the GPO Editor or GPedit.msc. To do this, open GPedit.msc and click on View > Filtering. Un-select the "Only show policy settings that can be fully managed" box and click OK. The settings for this .ADM template should now be visible in the right pane of the GPedit window.

If you run into any problems or need further assistance, please don't hesitate to ask!

-Ryan Stewart
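
A way to confirm on a client that the settings from the answer above took effect, as an added example that is not part of the original answer. It reads the four "Start" values the template writes and checks whether SYSTEM still has an Allow entry on the two USBSTOR files; the file paths are assumed default Windows locations and the report column names are chosen for illustration.

```powershell
# Added example: audits, on one client, the settings described in the answer above.
# Start values: 4 = driver disabled (the template's "Stopped" drop-down choice).
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$services   = 'USBSTOR', 'Cdrom', 'Flpydisk', 'Sfloppy'   # key names from the template

$report = @()
foreach ($svc in $services) {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = $null
    # The key can be absent if that driver was never installed on this machine.
    if (Test-Path $key) { $start = (Get-ItemProperty -Path $key).Start }
    $state = if ($null -eq $start) { 'NotPresent' } else { $startNames[[int]$start] }
    $report += New-Object PSObject -Property @{
        Item = "$svc driver"; State = $state; Blocked = ($start -eq 4)
    }
}

# Assumed default locations of the two files named in the answer; adjust if yours differ.
$files   = "$env:SystemRoot\System32\drivers\usbstor.sys", "$env:SystemRoot\inf\usbstor.inf"
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($file in $files) {
    if (-not (Test-Path $file)) {
        $state = 'FileMissing'; $blocked = $false
    } else {
        # Resolve ACEs to SIDs so the check works on non-English Windows (S-1-5-18 = SYSTEM).
        # Only entries naming SYSTEM directly are examined, matching the step in the answer.
        $rules = (Get-Acl -Path $file).GetAccessRules($true, $true, $sidType)
        $systemAllow = @($rules | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-18' -and $_.AccessControlType -eq 'Allow'
        })
        $blocked = ($systemAllow.Count -eq 0)
        $state   = if ($blocked) { 'NoSystemAllowAce' } else { 'SystemAllowAcePresent' }
    }
    $report += New-Object PSObject -Property @{ Item = $file; State = $state; Blocked = $blocked }
}

# One row per driver or file; Blocked = True means the restriction is in place.
$report | Select-Object Item, State, Blocked | Format-Table -AutoSize
```

Run it from an elevated prompt on a client after the GPO has refreshed; a row with Blocked = False marks a driver or file where the restriction has not landed.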
