In my previous article â€œHow to use Group Policy to make USB drives read only on Windows XPâ€ I showed you you could configure Windows XP to prevent users from writing to USB block level devices. However for some organisations just making drives read only is not enough I have heard stories of them having to resort to using hot glue guns to prevent people using USB storage devices.
Update: I just found this article explains how use native Group Policy to disable you USB drives. Microsoft Support: HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
Thankfully there is also a registry key in Windows XP that allows you to block the use of USB storage devices. Now there are two ways to prevent USB storage devices so you may want to implement either or both methods in your organisation. First method prevents computers that have already had USB devices installed and the second prevents any new USB devices from installing.
How to block existing USB Storage Devices
To implement this edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Preferences >Windows Settings > Registry. Then click on Action > New > Registry Item type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field then type Start into the Value Name field and 4 in the Value Data field and click OK.
If you want to prevent the installation of USB storage device then we use Group Policy to set the security on the driver files to prevent then from installing.
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled
How to block new USB Storage Devices
This time edit a Group Policy Object that is applied to all the workstations in your organisation navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then click on â€œActionâ€ menu and then â€œAdd Fileâ€. Navigate to C:\Windows\Inf and select â€œUsbstor.infâ€ and press â€œOKâ€. Now click on â€œUsersâ€ in the security tab and then click in the â€œDenyâ€ â€œFull Controlâ€ tick box then click OK.
Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.
Click â€œYesâ€ to the security warning.
Then click OK.
Note: Remember that deny permission take precedence so inherited permission will not have any affect and that we are applying the permission directly to a file so we don’t need to worry about inheritance from this object.
Now repeat the steps above and this time select â€œC:\Windows\Inf\Usbstor.pnfâ€
You should see something like the images below in your group policy.
Now either way when users plug in a USB Storage devices into a computer it will prevent OS from seeing the device thus preventing the users from reading and writing to removable media.
See the Microsoft article about this option at http://support.microsoft.com/kb/823732