Enable/Disable USB storage devices on your network

0 Likes
over 13 years ago
We've had a problem of late with many viruses being brought into the company network via USB storage devices.

Long term we are looking at using ZENworks Endpoint Security Manager to solve our end point security woes.

In the meantime I created two simple ZFD application objects. Both of them are just a simple registry key that is forced to run on user login and no distribution is shown to the end user. The registry key is set to "distribute always".

Corresponding is two eDirectory groups aptly named USB-Enable and USB-Disable. Based on group membership a person will either have access to use a USB storage device or not. By default a person is placed in the USB-Disable group upon account creation.

This does not prevent USB mice nor printers from being used.

To disable usb storage devices:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\
DWORD "start" value=4

To enable usb storage devices:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\
DWORD "start" value=3

Hope that somebody finds this useful!

Editor's Note


Laura's tip will only work if the USB storage driver is already installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time. See this MS article http://support.microsoft.com/kb/823732 for more information about this, and a way to prevent the USBSTOR for being installed.

One other setting you may wish to look at: if you create
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies,"Writeprotect"=1 
then you will only be able to read from USB storage. not write to it.

Labels:

How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended