Re: Disabling USB ports and external disk drives

From: Alexander Suhovey (asuhovey_at_hotmail.com)
Date: 07/30/04


Date: Sat, 31 Jul 2004 03:13:45 +0400

Why, I think it's quite reliable... If you disable, say, the usbstor driver
(that's what is generally suggested, and UserLock acts the same way, I
suppose. Or exactly which registry mods do you mean?) then the user will not be
able to use any USB storage device, and AFAIK it's quite a reliable solution.
For added reliability you can change the DACL for the service (driver) in question.

HOW TO: Disable the Use of USB Storage Devices in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

Here's an administrative template I use
(watch for line wraps in the [strings] section!):

;=============8<============
;Removable media, serial ports and
;parallel ports access policy settings.
;
;Original Template from (in russian):
;http://portal.sysadmins.ru/board/viewtopic.php?t=13680&start=7
;
;Version: 1.0.2

CLASS MACHINE
 CATEGORY !!CATDESCR
 KEYNAME !!REGKEY
  POLICY !!FDDDESCR
   KEYNAME !!FDDREGKEY
   #if VERSION >= 3
    EXPLAIN !!FDDEXPLAIN
   #endif
   VALUENAME "Start"
   VALUEON NUMERIC 4
   VALUEOFF NUMERIC 3
  END POLICY ; Block FDD

  POLICY !!USBDESCR
   KEYNAME !!USBREGKEY
   #if VERSION >= 3
    EXPLAIN !!USBEXPLAIN
   #endif
   VALUENAME "Start"
   VALUEON NUMERIC 4
   VALUEOFF NUMERIC 3
  END POLICY ; Block USB

  POLICY !!CDROMDESCR
   KEYNAME !!CDROMREGKEY
   #if VERSION >= 3
    EXPLAIN !!CDROMEXPLAIN
   #endif
   VALUENAME "Start"
   VALUEON NUMERIC 4
   VALUEOFF NUMERIC 1
  END POLICY ; Block CD-ROM

  POLICY !!LPTDESCR
   KEYNAME !!LPTREGKEY
   #if VERSION >= 3
    EXPLAIN !!LPTEXPLAIN
   #endif
   VALUENAME "Start"
   VALUEON NUMERIC 4
   VALUEOFF NUMERIC 1
  END POLICY ; Block LPT port

  POLICY !!SERDESCR
   KEYNAME !!SERREGKEY
   #if VERSION >= 3
    EXPLAIN !!SEREXPLAIN
   #endif
   VALUENAME "Start"
   VALUEON NUMERIC 4
   VALUEOFF NUMERIC 1
  END POLICY ; Block Serial ports
END CATEGORY ; Block devices

[STRINGS]
CATDESCR="Block removable storage/ports"
REGKEY="system\currentcontrolset\services"

FDDDESCR="Block Floppy drives"
FDDREGKEY="system\currentcontrolset\services\flpydisk"
FDDEXPLAIN="This policy removes the ability of user to access floppy drives. Note that this is not a standard registry-based policy. You will need to explicitly disable this policy to revert changes."

USBDESCR="Block USB Storage"
USBREGKEY="system\currentcontrolset\services\usbstor"
USBEXPLAIN="This policy removes the ability of user to access USB Storage drives. Note that this is not a standard registry-based policy. You will need to explicitly disable this policy to revert changes."

CDROMDESCR="Block CD-ROM drives"
CDROMREGKEY="system\currentcontrolset\services\cdrom"
CDROMEXPLAIN="This policy removes the ability of user to access CD-ROM drives. Note that this is not a standard registry-based policy. You will need to explicitly disable this policy to revert changes."

LPTDESCR="Block LPT ports"
LPTREGKEY="system\currentcontrolset\services\parport"
LPTEXPLAIN="This policy removes the ability of user to access LPT ports or any devices connected to LPT ports. Note that this is not a standard registry-based policy. You will need to explicitly disable this policy to revert changes."

SERDESCR="Block Serial ports"
SERREGKEY="system\currentcontrolset\services\serial"
SEREXPLAIN="This policy removes the ability of user to access Serial ports or any devices connected to Serial ports. Note that this is not a standard registry-based policy. You will need to explicitly disable this policy to revert changes."
;=============8<============

hth,
Al.

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:RiyOc.217426$XM6.2024@attbi_s53...
> In my opinion you can not do that with Group Policy. I have seen registry mods that
> claim to do such but I have not seen them work reliably or at all. One option may
> be to configure the cmos of computers to disable usb and firewire or try a third
> party add on of which there are links for below for Device Lock and Disknet Pro. ---
> Steve
>
> http://www.reflex-magnetics.com/products/disknetpro/
> http://devicelock.securitybyte.com/
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823732 -- may work for you
>
> "VEZF" <anonymous@discussions.microsoft.com> wrote in message
> news:76bc01c4766e$2c478020$a401280a@phx.gbl...
> > Hello everyone.
> >
> > Does anybody know how can I disable USB ports and external
> > disk drives with Group Policies?
> >
> > Thanks a lot for your answers.
>
>
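
The line-wrap warning attached to the template above can be checked mechanically before the file is loaded into the policy editor. The following is an added example, not part of the original post: a small Python lint that flags [strings] entries whose quoted value was broken across lines and `!!` references that have no definition. `SAMPLE_ADM` is a constructed, cut-down copy of the template with one wrapped string and one missing entry, and the function name `lint_adm` is hypothetical.

```python
import re

# Constructed sample: USBEXPLAIN is wrapped the way a news reader would wrap
# it, and FDDREGKEY is referenced but never defined.
SAMPLE_ADM = r'''CLASS MACHINE
 CATEGORY !!CATDESCR
  POLICY !!USBDESCR
   KEYNAME !!USBREGKEY
   EXPLAIN !!USBEXPLAIN
   VALUENAME "Start"
   VALUEON NUMERIC 4
   VALUEOFF NUMERIC 3
  END POLICY
  POLICY !!FDDDESCR
   KEYNAME !!FDDREGKEY
   VALUENAME "Start"
   VALUEON NUMERIC 4
   VALUEOFF NUMERIC 3
  END POLICY
 END CATEGORY

[STRINGS]
CATDESCR="Block removable storage/ports"
USBDESCR="Block USB Storage"
USBREGKEY="system\currentcontrolset\services\usbstor"
USBEXPLAIN="This policy removes the ability of user to access USB Storage
drives."
FDDDESCR="Block Floppy drives"
'''

def lint_adm(text):
    """Return (wrapped, missing): [strings] names whose value does not close
    its quote on the same line, and !!references with no [strings] entry."""
    parts = re.split(r'^\[strings\][ \t]*$', text, maxsplit=1, flags=re.I | re.M)
    body, strings = parts[0], (parts[1] if len(parts) > 1 else "")
    defined, wrapped = set(), []
    for line in strings.splitlines():
        m = re.match(r'(\w+)\s*=\s*(.*)$', line.strip())
        if not m:
            continue  # blank line, comment, or spill-over from a wrapped value
        name, value = m.groups()
        defined.add(name.upper())
        # A complete value opens and closes its quote on one line.
        if not (len(value) >= 2 and value[0] == '"' == value[-1]):
            wrapped.append(name)
    refs = {r.upper() for r in re.findall(r'!!(\w+)', body)}
    return wrapped, sorted(refs - defined)

print(lint_adm(SAMPLE_ADM))
```
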


