How do you prevent users from using USB drives which circumvent security

security windows usb-flash-drive

We need a way to prevent users from copying anything to and from USB drives unless they are a system administrator. What can be done to remove this access for security purposes.


Microsoft has a knowledge base article on this very issue (KB555324). You have to create a custom Group Policy ADM. O'Reilly has an easier to grok writeup at:

Disabling USB Storage With Group Policy | WindowsDevCenter.

Hope this helps.


Another option would be to use USBSecure. It's a small deployable script which reads a white list of usb devices from a file share. So you can explicit allow usb storage devices for some users or allow vendor specific devices (e.g. all usb keyboards and mice from logitech). oh, and it's freeware.


If you are working with Windows Vista and above, there are Group Policy options that give you fine grained control over which USB devices are allowed or not allowed. (If you have to support WinXP, see the other answers listed here.)

In Windows Vista or above, go to the group policy editor and drill down to: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions

There you will find options to white list of black list devices either by specific device IDs or by the class of device. There is also a very important policy at the bottom that allows you to block everything not covered by the other polices.

All you have to know is either the Hardware ID of the device or the Device Class guid. Both of these things can be found in Device Manager if you plug a device into the machine.

Using the policies that are there you could, for example, allows all mice and keyboards, allow a specific model of a USB scanner, and block everything else.


In Windows, you can disable the USB Storage driver by setting a registry key. This could be configured in a GPO and applied to a limited set of machines. If you want to allow a subset of USB storage devices you will probably have to turn to a third-party product that runs some sort of agent.


Epoxy works great

Related

How do I get nginx to issue 301 requests to HTTPS location, when SSL handled by a load-balancer?
Why do hosting companies charge so much just for RAM?
Why did this website DNS change fail in some parts of the US
How to set OpenVPN client bind address?
Debugging a timeout with ldap auth on apache
What are the benefits of XServe hardware and Mac OS X Server?
ubuntu - how can I avoid typing a password on every admin action?
Edit Hard Disk Serial Number with VMware
Restore default ownership in CentOS after terrible chown [duplicate]
Force NTFS permissions inheritance for newly created files
Postfix: lost connection with *somehost* while receiving the initial server greeting
How to give rights to one user for the restart of a service