Storage

Disable USB storage under OS X or Windows


Whilst randomly browsing a few days ago I came across a document prepared by the National Security Agency (NSA) that describes how to disable USB storage on Linux, OS X, Solaris and Windows platforms.

For OS X the guide describes disabling USB and Firewire storage:

  1. Log on with an administrator account.
  2. Browse to ‘/System/Library/Extensions' folder on the system disk.
  3. Trash both IOUSBMassStorageClass.kext and IOFireWireSerialBusProtocolTransport.kext which are found in this directory.
  4. Empty the trash.
  5. Reboot the machine.

Disabling USB storage on a Windows platform is only a little more complicated:

  1. From Explorers folder options ensure that hidden files and folders are displayed, file extensions are not hidden and simple file sharing is disabled.
  2. Open up the properties for %systemroot%\Inf\Usbstor.inf (%systemroot% would normally be ‘C:\Windows').
  3. Select the security tab and make sure that all options for all users are set to deny. This must include administrators and SYSTEM.
  4. Repeat the above for %systemroot%\Inf\Usbstor.pnf
  5. If USB storage devices have been used on this machine previously then open up the registry editor otherwise ignore steps 6 and 7.
  6. Browse to the registry location ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor'.
  7. Open up the registry key ‘Start' and change the data value to ‘4'. Close the registry editor.

That's it! If simple file sharing was enabled previously then don't forget to re-enable it.

78 comments
nazimyousaf
nazimyousaf

If we want to disable USB on the network then how it possible

collinsauve
collinsauve

Anyone know if this is possible to do with Group Policy under Windows Server 2003? This would allow you to do this across the entire enterprise (or OU for select users and groups)

dchow
dchow

For those of you wondering where he got this from. Many of the guides are called SNAC: http://www.nsa.gov/snac/ This is also part of a nation-wide Information Assurance program mainly known to DoD and government employees.

Helpdesk
Helpdesk

IT Security is one important issue that needs serious attention by every organization. The pros and cons of any suggestion presented, must be carefully evaluated and collectively decided. As technology advances, new solutions would be available for concerns which have been unjustly addressed or may have been overlooked in the past. As we await these solutions, we might as well be content in implementing what will work for now. Security policies are not carved in stone, right?

nwabunnia_1
nwabunnia_1

But why would anyone want to disable USB storage?

rob_cranfill
rob_cranfill

Typo: Step 2 for Windows says 2) Open up the properties for %systemroot%\Inf\Usbtror.inf but that file name is wrong; it should be "Usbstor.inf".

Meesha
Meesha

1) Policy statements are created and signed that should take care of any security concern. You FIRE them if they don't comply. 2) Many staff have many reasons for need the productivity gains of USB enabled devices. For example, for security reasons, a notebook may not leave the office for simple conference presentations, a USB drive works for this purpose. Some staff have PDAs that synchronize by USB; some staff need cameras, i.e. accident reconstruction, which use USB and SD cards; some staff are disabled and need USB assistive devices. 3) Under the needs of number 2 above, locking the BIOS or locking our USB use would need to be granularly controlled by tech staff who are already overloaded with other similar security objectives. Why are we asking for our lives to be more difficult than needs be? So, why loose the productivity advantages of USB at all simply because you can't find a better way to manage your security? I've already had one staff member fired for installing unauthorized software and the policy backed me up. Why not USB as well? P.S. When we have an external consultant or contractor or vendor in-house using our networks and equipment, we do disable features such as USB, in some cases, internet access, some server access, etc. It's our jobs to be "security conscious" at all times and provide clear expectations of conduct through policy statements not to stop the organization from doing it's business.

jdumont
jdumont

me tarzan... me turn off in bios.

anslemnovich
anslemnovich

it can be done either by group policy or by computer management. allyou need do is type MMC on your run dalog box and you instantly get a reply.

KenDAWG
KenDAWG

If you disable the USB on the host machine, you disable on the network. Or you can put the commands to run these options for you into a login script that runs from the domain controller on a Windows domain. I'm not sure how to accomplish this on a Mac network.

zuben347
zuben347

There are several preconfigured GPOs you can download and deploy to an OU for W2K3. The "Kiosk" one, IIRC, is the strictest, and by default, will not allow any members access to USB ports or permission to burn a CD or DVD. It's under the machine policies.

The Firebrand
The Firebrand

and utterly pointless. Let us review. Fear number one seems to be MP3's malware and god knows what with potential infections showing up on the network. OK. Ever heard of an anti-virus program? I mean a real implementation. A number of years ago as the Systems Engineer for a multinational, one responsability was for protecting a coast to coast network of thousands of devices. The policies I put in place ensured we had 1 outbreak on 7 years. It was locked down in 20 minutes, and eradicated from North America in 4 hours. A decent AV policy will save you in many ways. Next, Mp3 legal responsability. Hmmm... Most companies require employees to sign a policy enjoining them from using corporate resources for illegal activities. Try enforcing it. Graduated enforcement from Letter in your file, to suspension, to firing. Simple, inexpensive, and effective. LAst, but not least, loss of corporate data. This one makes me howl. The weakest point in your corporate data infrastructure is not some yutz with a flash drive, but the sod you trust to do your nightly backups. Usually a late shift. Usually the lowest paid. Usually the best target for corporate espionage. So if you haven't plugged that hole, don't worry about USB's, that's just like howling at the wind. Next we will be stopping them from e-mailing because they might send corporate data to the enemy... That being said, I also believe that the end PC's need to be locked down so that users cannot add, change, or remove programs, printers, or other mission critical devices. Pick your battles, don't re-invent the wheel, and rise to the challenge of integrating new technologies seamlessly and effectively into existing structures to enhance flexability and productivity. Happy, safe employees spend less time messing with your systems, and more time working or jawing harmlessly at the water cooler.

IT_Godson
IT_Godson

What some people don't seem to understand is that information is the new gold that criminals are trying to steal! We lock down usb storage and other portable media storage devices to prevent someone from stealing that info. Most users would not abuse unrestricted access to their computers because most don't know how. The problem comes from people that think they know more about our job than we do and try to circumvent policies established for their protection and the company. Security Issues are... 1)People bringing viruses and other programs on the strorage devices that will infect or bypass security on the local machine. 2)Person needs to finish a project over the weekend but doesn't want to work in the office and takes the project home. Problem is the person has crap security at home and has sensitve files hacked from his/her computer. The problem all IT personal face is balancing security and functionality. It is an ongoing battle and differs from place to place. DoD needs to have much tighter security than your average company or school.

sales
sales

Our company, Securigy, successfully uses internally and RESELLS DeviceLock. Not very known, by very useful. Most of the buyers are financial orgs. Provides granular control to variety of USB and Firewire devices...BTW, same security considerations apply to CD/DVD buiners, floppies, etc...and it takes care of it too...

Justin Fielding
Justin Fielding

I think you're a little harsh and unrealistic in point 1 unless you're working for a high security government agency. You've also missed the point--do you remember all of the military documents which were found on stolen USB keys in Afghan markets? If USB storage was disallowed then that wouldn't have happened.

IT cowgirl
IT cowgirl

Best scenario for outside contractors and vendors is to NOT let them on your production network. Set up an external DSL link on a separate VLAN and add those switchports in the conference rooms and whereever the external contractor sits in the office. Internal contractors who use your company's equipment and has access to your company's information should be locked down.

techrepublic
techrepublic

We are forcasting an FY budget entry of $8000 for a hundred Brother GX6750 Typewriter W/ View Mode And Correction Memory for our entire staff. We have figured out that by the time we get our computer systems secure enough to use they'll just be typewriters, anyway. Why not buy something that is already safe and ready to do the job?

kentkh
kentkh

Just want to added, besides disable the BIOS set password when entering BIOS setup.

Big Ole Jack
Big Ole Jack

now that shouldn't be too hard now...should it?

wesswei
wesswei

It works in linux. With the advent of the latest Ubuntu 8.04, the system policy manager makes this easy for administrators to set up. It puts Windows and Macs to shame when it comes to security. I've been looking for ways to implement such ideas in Macs for awhile but in Windows, forget it. Shutting off the usb listening ports is good for IT environments where you want to shut off the ports completely, but it doesn't do much when one needs to use them.

arlosmurf
arlosmurf

What about internal disk drives? I have worked with a fairly new Dell d620 laptop running WinXP that has USB-connect internal CD burner / floppy drive (hot-swappable). It took me about a week to find this little security mod that had disabled the CD burning capability, and reverse it.

gurudatt33
gurudatt33

hell , dear As per ur openion I would like to secure my usb port on system using software so,if u have any software ideas of downloaded software plz mail me on my personal email id gurudatt33@yahoo.com

rapell
rapell

devices(like flush disks) or it disables the PORT? I think storage as we can see the filename USBStor sounds like usb storage. Okay, i am going to test it on my machine that uses usb keyboard and mouse....if I can't use these devices after the task how do I get back out of the sh*t? (Hint: My pc has only usb devices, and No, you cannot access the drive from the network)

Justin Fielding
Justin Fielding

Please elaborate... I thought this feature was only available starting from Windows Vista.

avatar_man
avatar_man

Could not have said it better myself!

cklammer
cklammer

or you will be locked sooner or later by BIOS on some PCs by some users to the point that the PCs concerned won't even boot without the correct BIOS password given. ... And then see how much fun this is when you have to restart all you machines after some remote update. ... and how much extra (unpaid) overtime you spent to fix this at crunch time. cklam

craiglarry
craiglarry

Let's all put or heads together to see if we can find something of even less interest or practical use.

Jerry M. Gartner
Jerry M. Gartner

no more usb storage - or just remove it from bios - the epoxy is more fun though!

computerguy79-21675236525644372554607442988528
computerguy79-21675236525644372554607442988528

OMG. after reading all these post hopefully I can clear this up for alot of the misconceptions. People, disabling the usb storage device in the registry is the easiest and most effect way to accomplish this goal. Its DOES NOT affect USB input devices like mice and keyboards, just storage devices that utilize the usbstor.sys registry key. When disabled in the registry it will affect the entire computer, but it can easily be switched back on, either through a script or via Group Policy. Disabling at the BIOS level will affect the whole machine as will the registry mod, but again, if you do that you disable USB ports for EVERYTHING; not just storage devices. In windows (XP/2000) all you have to do is log in as an admin, edit the registry, do a GPUPDATE /target:computer (look it up if your not familiar) or a restart, then the drive(s) will work. I work in a high school environment. One of the most abused environments for USB drives: music, videos, games.. all a big headache. I've even shut down floppies, CDROMs, and any other types of removable media. Shutting dwn the USB drives was a lifesaver. if your a beginner and don't want to F-with the registry dwnld USB Drive Disabler from http://www.intelliadmin.com/Downloads.htm They've made it a piece of cake. 'nuff said

Justin Fielding
Justin Fielding

It may well be that users have to use USB devices other than mass storage (like a mouse!!!). If that's not the case and the BIOS offers the option then of course you can do it that way.

dcrum1
dcrum1

I can't imagine being in front of 300+ pc's tring to change something in the bios. That's a nightmare!! No. You create a script using this information and let the script do the work for you. It saves time and $$$$.

autocaddraftsman
autocaddraftsman

Hey, Big Ol Jack. I am not an IT guy, although I play one at my home office. I have no access to the five USB ports on my PC here at work and it is really inconvienient. We are allowed to use our computers at lunch time or break for personal stuff, but if I find some cool download on TechRepublic it does me no good at all because I have no way to take it home. Our e-mail will not allow us to send an attachment with .exe and we can not use the USB ports. I think...and I may be wrong...most IT guys are a little paranoid and maybe just a little Napolionic. I love you guys and I depend on you, but us "civilians" can be trusted to do things right sometimes, not always! Gee, dad, can I have the keys to the PC, please.

ucbrianr
ucbrianr

Wouldn't that shut down all access to the USB port? Not just for storage devices?

jakesty
jakesty

We lock our BIOS out from the casual user getting in. But 99.9% of our users wouldn't know what to do anyways.

rmathis
rmathis

Nope this little trick has been around a long long time. I did it a few times many years back and low and behold forgot about it when I went back to the same machine lol. Its a nice trick it shuts off things of a storage nature only so mice and keyboards will go right past no problem. It's not %100 secure but it is a %99.9 chance of filtering out any unwanted quest. "You can mimic a device on a flash like a mouse and still get information off the target machine"

computab
computab

There is no security tab in Windows properties (Windows XP Home)

The Firebrand
The Firebrand

Woah there Jack! I don't know how he's supposed to answer that without you sounding more morally superior. If it's a small number you'll call him inexperienced, if it's a large one you will call him a fossil. Just what was the point? Liability? Are you mad? What liability? Virus? Try a decent A/V solution. Copyright liability? Try enforcing established corporate processes. I don't know what kind of companies you worked for, but in my universe almost all of them require employees to sign off on not using corporate resources to commit felonies and accept sole responsability in the event it happens. So your so called "liability" simply becomes de-facto evidence. You tell them what they are buying, not the other way around??? Now who sounds like a relic from the 70's? Try supplying them with a tool that meets thier needs, not one that meets yours. Sheesh! Yes there should be some consultation, but at the end of the day IT is a Cost Centre, a drain on corporate monies. If you focus on being a gatekeeper and limitations your department becomes a boat anchor. Usually a bad plan IMHO. One that leads to outsourcing and wholesale housecleaning. But hey, that's just more cash for other companies.

Big Ole Jack
Big Ole Jack

I don't know what kind of fancy schmancy laptops you are buying, but as far as I know, laptops come with their own keyboard and pointing device, so why would anyone need to make use of the USB ports other than for toys like iPods and flash drives? You sound like a total noob trying to teach an experienced pro about the "latest and greatest" in technology when you have quite a lot to learn. I don't know what kind of corporation you work for and what their security policies are, but from my own expereinces, USB ports were a major NO NO and were always disabled because they pose a security risk to the organization. I find it hard to believe that you can't find machines these days with PS/2 ports. Yes, many large PC retailers are shoving Vista and all USB machines down your throat, but you don't have to buy them. You tell them what you are buying, not the other way around. Are you ready to accept the consequences of liability if a user compromises your network's security through a USB port on a PC or laptop?

Justin Fielding
Justin Fielding

Not many machines come with PS/2 these days, especially Laptop's.

Big Ole Jack
Big Ole Jack

because it forces one to enable USB, which like I said before, allows for users to plug in their flash drives and upload all sorts of garbage onto the network or download confidential information from the network onto their flash drives. Although USB is a convenience, it's an easy window for those who intend on doing malicious things. Most companies opt to have their users work through Citrix or thin client sessions and disable both the USB ports and floppy drives. Call it paranoid, but it saves the company time and money in support calls related to users messing up their machines because they installed something they shouldn't have from an external source.

Meesha
Meesha

The key to this type or any type of on-line storage/service is, "good enough for casual use." Making an assumption that your information, images, etc. is protected truly makes the saying come true - ass-u-me.

cklammer
cklammer

Forget e-mail attachments anyway. I upload large files to yousendit.com and have the receiver of the files get the automatic notification e-mail from yousendit.com. Works like a charm. With a free acoount you can upload files up to 1 GB in size and have a monthly download quota of 1 GB - good enough for casual use. cklam

bullens
bullens

Bryan my point I was making exactly earlier in the thread, but the average user does not understand the consequences of what virus infection means to the I.T infranstructer, and the sort of man hours that can be consumed cleaning up any issues that have been caused. they simply see that you are big brother looking over there shoulder preventing them playing games or downloading mp3's or even worse porn...

hforman
hforman

We had a PC stolen with customer information on it. By the time we notified (per state law) all of the customers, it cost upwards of $500,000! That teaches you to watch security issues real fast.

Big Ole Jack
Big Ole Jack

Before I became a VAR, I used to work in many large organizations with hundreds of thousands of users. Needless to say, every PC was locked down at the BIOS level and had the USB ports shut off, even for executives and accounting dept. If they needed a dedicated printer, the IT dept would buy a cheap $500 printer with ethernet capability (HP Officejet has one built in) and we'd connect the printer to the LAN and restrict printing and queue management to only that department or person through the use of AD permissions. We'd not publish the printer in AD, so it wouldn't be visible to the average user. Simple because someone is an executive does not mean they are immune to the security policies that IT has set forth. No USB meant no USB, no exceptions! IT knows more about securing the network from viruses and crap than the CEO or CFO does.

computerguy79-21675236525644372554607442988528
computerguy79-21675236525644372554607442988528

if your mail system doesn't let you send .exe's then try sending the file without a file extension (assuming there isn't an attachment quota on your mail server), then rename the file when you get home. This trick works on some windoze based mail servers. Not sure if exchange 2007 is this savy. Linux based mail servers sniff the whole damn thing out. And IT guys are not paranoid about what you'll take home, its more on what your going bring in. Like a crummy P2P filesharing pgrm that infects the whole damn LAN and all you'd get was a slap on the hand. If such and instance happend, trust me the IT guys would love to ring your neck with the cable from your USB mouse.

unixwolf.edu
unixwolf.edu

99% of IT admins and support staff have to clean up after all the users who think they understand everything about computers and just don't understand what the big deal is. Just like the teenager who wants to borrow the car to joy ride with his (or her) friends and all they have is a drivers permit, and can't understand how they got into that accident. We're the cop who has to clean up the mess afterwards. I won't tell you how to draw, don't tell me...

Salvatus
Salvatus

Auto, It's not that we're worried about the minority of people who could legitimately use the USB ports properly and safely, it's the "other" people who are malicious or just plain ignornant of the risks. Our job is to maintain integrity of the system. That includes limiting the end user's abiliity to foul things up. Unfortunately, some of the valid reasons are a casualty of war. I would trade your "annoyance at lunchtime" to a virus enveloping the network any day.

hevymetl
hevymetl

As an I.T. consultant I don't recommend turning off USB devices for 2 reasons: 1) It causes too many inconveniences to most businesses (unless a full-time I.T. staff is onboard to handle little USB issues) and 2) I like the extra income this brings in from people loading crap on their systems, which I need to fix for over $100 per hour.

SaintGeorge
SaintGeorge

.. you can't really be trusted. You think we are paranoid in the ssme way my 14 yo daughter thinks I am when I won't let her go to raves as some of her seemingly orphan friends do. Even if the work you does not need security, the activities you do in your own free time can and will impact in the performance of your equipment, and will exact from us hours of manpower to make things right again. I'm a external consultant and I have clients who are us resctrictive with their employees as your company is with you, and other who are trusting and confident. I can tell you I get more revenue from the second ones, I love the income. But my job is to keep them in business, not to make money, so I will always say the first is the way to go. Once I suggested that employees should pay for the cost of maintenance derived for the things they do during personal-time. And, sending .exe via mail??? GOSH!!!!!!!!!!!

bullens
bullens

This is the sort of response that I would expect from a non-IT person, it annoys me when people who do not have a true understanding of what running and securing an enterprise network takes; make such broad comments. Security in a must, establishing a robust security policy and holding people to it is something that a company of any size should & must do. Locking things down as much as possible is the only way to prevent intrusions, data theft, malware infections, etc. What is the cost to the company if it's data is lost or stolen, you can pretty much gaurantee that it's worth more than the physical assets that you can quantify... Allowing average joe to strole in to work and insert his USB stick, that has just been pluging into his personal PC at home and "may" be riddled with virus and god knows what; average joe then decided's to upload the last movie that he has illegally downloaded from a p2p site up to the LAN to share with his work colleagues, suddenly the company is liable for storing said material. And you say IT guys like myself are paranoid... yes were are for a dam good reason we have to be to protect the infrastructure that's been put inplace and more importantly ensure that we are not fired for not doing our job, ensuring that the company stays legal and secure. And no users cannot be trusted, they can however be educated, but that does not mean that they will abide by what you are teaching them.

rserao
rserao

Hate to burst you bubble but you "civilians" can be anything but trusted. If you want to do something not business related, like open up phishing email, and downloading every stupid little useless utility in the world, do it on your own machine at home. This way when you get hacked by every 8 year old on the planet it's not your IT department's problem. And as for not being able to take home that "cool" utility you found on TechRepublic? Here's a novel idea... download it from home!!!

Peon
Peon

So .exe does not work ! Can you send any attachments at all ? What about an attachment called homer.doh ? If .zip does not work, what about .zap ? You can name a file almost anything you want. Peon

brian
brian

What about the keyboard and mouse? Most new pc's dont come with ps/2 ports. Even if you selectivly disable the ports a user could unplug the keyboard or mouse and plug in the jump drive. Maybe a group policy setting for this, I'll have to check that out. If anyone knows of hand that would be appreciated.

hforman
hforman

All of the new computers we have received have USB ports only. No PS2 ports, no keyboard plug, no mouse. Just USB. Also, no floppy drives, which is probably a good thing.

Big Ole Jack
Big Ole Jack

because it required a knowledgable IT person to get the thing working on the SCSI bus. With USB, any dumbass with half a brain can plug something in and it will work, even an unauthorized device like a flash drive or iPod full of illegally downloaded MP3s'. I could care less what the user has on his/her iPod or flash drive, but as soon as it's plugged into a PC that is LAN connected, it creates a liability for the company if a virus or spyware makes it way from the device and onto the network servers. Also, the thought of a user or outside contractor walking off with confidential data is a threat in itself and fully warrants shutting down USB at the hardware level.

TBBrick
TBBrick

Dude, I work for a NFP. Having two buildings, we have two networked printer-copiers. Yet, due to confidentiality concerns, there are several users who do need desktop lasers. HR and head of case managers to name two.

thuizenga
thuizenga

We are in the service business and have lots of offices with driver license scanners and signature pads (all usb). So how do you propose we run all these devices. Shutting off USB ports to restrict access is the most ridiculous thing i have heard. You are telling me your pc tech support staff can accuractly disable every USB port on every Network device? With out forgetting a signal one! I believe in network scripts and automation for security. If someone has to do something for every individual pc to make things secure then it will never happen!

WoW > Work
WoW > Work

No local devices? What about a slim laptop that doesn't have an internal CD drive (perhaps we should lock out CD/DVD drives too...) What about PDA/Pocket PCs (distributed by the IT Dept, of course)? As time goes on, you're less likely to find PS/2 ports on systems for mice and keyboards, what then? Who knows, down the road you may find yourself using a USB fingerprint security system. What sucks is, I'm on the fence on this one. As much as I think it's a great idea to disable the use of USB storage at work, for security purposes, there are legitimate reasons people would use them, without security worry. What I like about this feature, is being able to set it on a "master" machine, then being able to clone it out onto new computers, rather than have to set it up on each computer via the BIOS. 'Course, what about disabling it within Computer Management, then making sure "Av'rage Joe User" isn't an Admin to the desktop? Just disable the ones not being used by keyboard, mouse, etc.

SaintGeorge
SaintGeorge

... but, on the other hand, USB stands for Universal Serial Bus, and was intendend to replace all the multiple formats of conectors out there: DB9, DB25, PS/2, etc. Of course that might be a little ambitious because new formats WILL come up, so.. but anyway, that is the reason. You are right pointing out that equipement with ONLY USB ports are a liability. The thing, then, would be to ensure that secure equipment have dedicated ports for mouse and kboard, and that it won't be used with equipmente that need USB ports (printers, scanners, mp3s, cams or whatever)

eclypse
eclypse

The $15,000 MFD has these things called "mailboxes" that provide a place for users to print their private documents. These mailboxes can be secured via passwords and the contents are only printed when the user goes to the MFD. Not that there may not be some drawbacks to this security-wise, but the other benefit we get from this is that is Joe User prints a 5000 page report by mistake, it only eats up disk space temporarily, not the number of sheets of paper that are in the printer.

nhahajn
nhahajn

Maybe he's just trying to sell one of his $15K printers. But seriously, there are lots of legitimate reasons to not block all USB ports, usb keyboards and mice all over now. There is third party software that will only block storage devices, I've never used any so I can't say if tehy work well or not though.

bkinsey
bkinsey

Large network printers are extremely useful, and yeah, you don't want everybody sitting there with individual printers on their desks. But tell the CEO, department heads, any supervisor that deals with confidential data like personnel issues, finance, legal, etc. that they have to print all their documents to the big shared printer down the hall and see where that gets you. Some jobs have an exceedingly legitimate need for local peripherals.

walter.white
walter.white

Smaller remote offices cannot afford the $15K office solution, and so might need the USB scanner/printer capability. Killing the USB port globally here is like killing a fly with a sledge hammer...

Big Ole Jack
Big Ole Jack

That's why you buy a single $15,000 multifunction printer/copier/scanner that connects to the LAN instead of buying every user his/her own personal printer. I truly don't see any impending business reasons why users need to have their own dedicated devices. Every device should be networked and access controlled through directory services and access control lists.

ucbrianr
ucbrianr

I get your point but what about local printers? Scanners? There are lots of legitimate business devices that interface only via USB.

Big Ole Jack
Big Ole Jack

That's why I hate PCs' that only have USB connectors for keyboards and mice because it forces you to leave the USB ports open. There should be no reason I know of to enable USB for users because as soon as they realize it's open, you'll start seeing weird MP3s' flooding the home directories and other crap brought in from the outside, usually malware, games, and virus infected junk you don't want on your network. Also, leaving the USB ports open allows for confidential data to be taken offsite by means of a USB flash drive. Think about it.

TBBrick
TBBrick

...which is why I lock my users out of the BIOS as well.

andrew
andrew

If you are using XP Home then are more than likely not in a corporate environment where you would want to really disable USB access. As well as that you should not expect the Windows crippleware versions to give you much of an advanced setup.

KenDAWG
KenDAWG

In corporate environs, you may want to disable this to prevent sensitive information from leaving the company, because some companies do not have filters in place to disable these devices.

SaintGeorge
SaintGeorge

.. if you want to invest in euros, like. I think Charles de Gaulle tried to do that once - wanted to get francs to rule - but it didn't work. I guess the NSA would take a dim view of it if you tried to disable USDs... Canadian dollars, might be easier to fuc* up though!

teajay9001
teajay9001

If you do not see the Security tab in the folder properties, it is likely that you are using the FAT or FAT32 file system. Windows 2000/XP includes a utility that can safely convert your drive to from the FAT or FAT32 file system to the NTFS file system. WARNING: Do not convert your drive if you are running both Windows 2000/XP and another operating system on the computer (that is, if it is a dual-boot computer) and the other operating system cannot read NTFS drives. To convert a partition to NTFS: 1. Click Start, point to Programs, point to Accessories, and then click Command Prompt. 2. Type convert drive: /FS:NTFS, where drive is the drive that you want to convert. For example, to convert drive D to NTFS, type the following line: convert D: /FS:NTFS 3. If you attempt to convert a drive while it is being accessed by Windows 2000/XP, Windows 2000/XP displays a message prompting you to convert the drive when the computer is restarted. Click Yes, quit any running programs, and then restart your computer.

thpsi
thpsi

that the security tab doesn't show in XP Home edition .. anyway, why would i want to disable USD Storage ?!

iain.dingsdale
iain.dingsdale

There is, if you disable simple file sharing, and make sure the partition is NTFS (not FAT32)

Editor's Picks