Stopping the use of USB drives

I do in our place, can be done via GP, I import a .reg file that disables the usb Store so any usb devices inserted are not detected...

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
 
Last edited:
If you are running a Domain Controller and have your computers joined to it.

There are options using GPO to allow or deny USB access depending on the user or group.

I work in a school - and we have it set so staff can access usb but students cannot. :D
 
We block USB sticks, they can be blocked via GPOs as above. However, we block ours via our AV.

Andy
 
If you are running a Domain Controller and have your computers joined to it.

There are options using GPO to allow or deny USB access depending on the user or group.

I work in a school - and we have it set so staff can access usb but students cannot. :D
Hmm interesting. Is there anyway to disable usb storage devices, but allow mobile devices to connect via activesync?
 
I would guess if the mobile devices can sync without mapping a drive then yes they should work ok.

It doesnt stop any USB working - it just makes it so when a usb storage device is plugged in you cant see the drive it creates :D
 
I wish I could find a product that works in Citrix/TS environments properly :(

You can. We use GPO on all our machines. We basically remove drive letters. We basically allow C: and the network drives, nothing else.

Then we have policies to allow use of the cd drive in laptops for instance

Kimbie
 
We use a paid up product that allows monitoring and control of USB devices, but as said it costs :)

As do we. We use a product called Sanctuary which can stop anything being used. For all I moan about it every time someone needs to read a CD, it's great for keeping control of the PC's.
No-one can add anything without us knowing about it, and when you do allow USB or CD access, it can shadow copy, so we can see exactly what has been put on or copied off the network.
 
As do we. We use a product called Sanctuary which can stop anything being used. For all I moan about it every time someone needs to read a CD, it's great for keeping control of the PC's.
No-one can add anything without us knowing about it, and when you do allow USB or CD access, it can shadow copy, so we can see exactly what has been put on or copied off the network.

I think most people with a paid up product use this tbh :)
 
You can. We use GPO on all our machines. We basically remove drive letters. We basically allow C: and the network drives, nothing else.

Then we have policies to allow use of the cd drive in laptops for instance

Kimbie

We want to enable staff to use USB sticks, but only pre-approved hardware encrypted sticks...
 
Back
Top Bottom