
Video: Disable USB storage under OS X or Windows

Hollywood would have IT pros believe that the biggest threat to network security comes from international super hackers or high school kids trying to download games like global thermonuclear war. In reality, we face a far more mundane threat--our end users, particularly those wielding USB storage devices.

These pocket-sized devices can store a tremendous amount of data and make it easier than ever before for employees to carry off sensitive company information. But even if your users aren't planning to cart off your latest R&D project, USB storage devices (external hard drives, cameras, memory sticks, MP3 players, etc.) can be a headache in other ways. Employees may use your network to download music to their USB-based MP3 players. New USB flash drives, such as SanDisk's U3 smart drives, can even run software directly from the device--a perfect tool for the end user who wants to run unauthorized software on your network.

If you're concerned about USB storage devices on your network and don't feel a written policy alone will protect your data, disabling the devices is your next step. In this IT Dojo video, I show you how to disable USB storage devices on both Apple OS X and Windows.

The United States National Security Agency (NSA) described the process in a March 2008 document from the agency's Information Assurance Directorate. Although this video only covers Windows and OS X, the NSA document covers Linux and Solaris 9 and 10.

Once you've watched this IT Dojo video, you can read the original TechRepublic article, download a PDF version of this tip, and learn more about mitigating the risks posed by USB storage devices with the following resources:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

41 comments
gotmilkcrazy

Maybe you will enjoy it: www.myusbonly.com

hktown

Found it on Google. www.myusbonly.com

serapio_rios

Disable USB storage under Windows: on your account in Spaces, Microsoft have a storage called SkyDrive or something called skydive. OK, it is perfect for storage, controlled and accessed from a remote location. You can store documents, pictures, images, music and video.

No User

Will it lock out Scanners, Printers and Signature Pads? Is it strictly to lock out USB thumb drives and hard drives? Does it disable Cameras? If it disables everything that has limited appeal but if you can be selective then it's a real winner! That said, if it doesn't disable Scanners, Printers, Signature Pads and Cameras how would you go about disabling them? Could it be done individually for each device?

DRendolf

The freeware NetWrix USB Blocker tool will do all this tedious stuff automatically and across your entire domain. Not for Mac unfortunately, but all Windows clients are supported. Download from www.netwrix.com

ioanv

Hi, I had to disable the USB storage devices for all users on my network. It is a nice feature, IT Dojo. Thank you! I would also recommend http://www.intelliadmin.com/USBRemoteDisabler_Free.exe to disable USB storage device usage (for Windows only). It is free and it is doing the job.

BarcodeMan

I recommend automatically encrypting any device plugged into the USB port.

dennis_london

Since this is the IT Dojo, and I have studied martial arts for many years, let me explain the countermeasure to this attack. At a Blackhat conference a couple of years ago there was a gentleman who showed a Windows machine that was configured much like the video suggests. All USB storage device drivers were removed/disabled. People tried with all sorts of USB sticks and cards but nothing worked, not even the Japanese guy who tried his reconfigured camera (that was pretty funny actually). Then the demonstrator plugged in his mouse to show that the USB port was still a functioning port which would allow keyboards, mice, and in some instances printers to continue to work. Then it happened: he reached into his pocket and pulled out the USB stick, inserted it and everyone watched in amazement as he pulled files onto it like it was nothing. What he had done was reflash the USB to be registered as a mouse, which is nothing more than changing the device ID (and a few other options which will not be mentioned for security reasons). So don't rely on just removing the drivers; you need a holistic approach which will monitor and block access based on the user's rights and permissions. This will need to be done at levels beyond just the local machine permissions. If you really want to go through the trouble to upset all your users and have to constantly be explaining yourself and the decision, then by all means, go ahead and follow the instructions from the article. Personally, I would rather utilize a DLP (Data Loss Prevention) solution which will provide the appropriate protection from the core to the edge. If users can't access the files they can't steal the information. If they need to work with sensitive data but can't email or ftp the data out then we have mitigated yet another risk. Granted, for some this is going to be an excellent solution while others are going to need to look for a DLP vendor to provide more.
Security is an education and I consider myself a lifelong student.

Copilot1

Direct and to the point Bill. Uhhh...nice outtakes? You a funny guy!!

sbostedor

umm - deny access to the Windows folder for the Administrator account? That's crazy. Not only will you disable the USB drives, you'll make the machine unmanageable and in some cases, useless. Do NOT follow the advice here as a solution to the problem.

Bill Detwiler

USB drives are extremely convenient, but they also represent a serious security risk. In the following IT Dojo video, I show you how to disable USB storage devices on both Apple OS X and Windows. Original post and video: http://blogs.techrepublic.com.com/itdojo/?p=112 If you think disabling USB storage devices is right for your organization, do you think end users will understand and/or support the policy? John Sheesley recently suggested (http://blogs.techrepublic.com.com/decisioncentral/?p=107) that end users have a "sense of entitlement" when it comes to using these ubiquitous devices and may look for ways to circumvent policies that block their use. Before implementing a controversial policy, which is sure to draw end-user ire, is it necessary to get end-user buy-in?

leif.lynch

If you are trying to install a local printer and it has a built-in card reader, you will have to give SYSTEM control of the usbstor.inf file to get the drivers installed. Once installed you can deny control again.

gotmilkcrazy

Try this, called myusbonly; it can help your office admin the USB hub on the PC. It is easy to use.

mckinnej

Although the security nazis are all probably twittering with glee over this, there are a couple of fundamental things wrong with this solution. One, it is a heavy-handed approach that causes too many other problems. Someone else has already described this, so I won't go any further other than advise you to warn your Help Desk to brace for the wrath of some frustrated users. Two, USB drives are NOT a security problem! There is one right here on my desk and it hasn't made an attempt at stealing any information even though it was alone all night with my PC. Obviously it's the users that are the risk. If you don't trust them, why do they have access to the information? If you have critical information floating around uncontrolled in your organization then you have a much more serious problem than USB drives. Besides, the USB drives are just one method they can use. What are you going to do next, disable the printers? Good luck with that.

Bill Detwiler

Wow! That was a big screwup. I haven't done that in a long time. But it has been fixed and I apologize for the error. To clarify, the original video showed us editing the security settings on the Windows root folder (not what you want to do), while at the same time correctly indicating (through on-screen graphics) that you should be editing the files:

%systemroot%\Inf\Usbstor.inf
%systemroot%\Inf\Usbstor.PNF

The written instructions contained the correct process, although I spotted a typo in the original article and also fixed that. Again, I offer my sincerest apology for the error and promise to do everything possible to prevent similar incidents in the future.

mcatron

You have to admit - that certainly would stop all USB storage, though! In the PDF file it says to deny all access to two specific files in the WINDOWS\INF folder; not entire directories. That might not kill the whole computer.

Tearat

Yes, it's all Hollywood special effects. A lot like ghosts: never seen one, so they don't exist. They say a lot of people in Japan know they exist, but I have not seen them as well, so they don't exist. I have seen the world, but is it still there if I close my eyes? I hear things, but if I don't, do they still exist? Or is silence the only true sound that exists in this strange world? If I touch something I feel it, but if I am not touching it, does it still feel the same? It's a strange world where we all know how little we know. But if we know that, do we know all we need to know?

dcavanaugh

USB sticks don't steal files, users do. Controlling behavior with technology is futile. User education is the first line of defense, followed by policy, with enforcement limited to the worst offenders. It costs time and money to do all of this. Like any other pure overhead expense, this is something to be minimized. Funny how we never calculate the cost of lockdowns in terms of lost productivity. By the time we are finished "protecting" the data, it is of little use to the people who need it. Meanwhile, the determined evader will be at worst mildly inconvenienced. And if we can't stop the determined evader, why bother with anyone else? This is "feel good security" that makes the auditors happy -- nothing more. I can think of 100 things an IT department can do to deliver more to the bottom line than a silly lockdown like this.

jamesdtuttle

In the earlier thread on this issue, one of the comments made was "Try supplying users with solutions that meet their needs, not yours". It was right on target. If you have a security problem, find the most egregious offender, and fire them.

btd

A qualified No. End-users will scream over the smallest thing like it's the end of the world ("But I like to be able to watch You-Tube at work"), but they'll eventually get used to it. The only support you need is from the company administrators (CEO, Pres., VP and management). If they won't back you on policies there's not a whole lot of point. Standing your ground on why Frank or Jill can't torrent movies at work to their jump drives is easier if you don't have a boss doing the same thing saying "it's no big deal".

dave.schutz

Instead of locking the USB ports, which makes it difficult to use some printers, I prefer to have a written policy concerning use and handling of company data. Users can take files on floppy disks, email them home, etc. Locking the USB drives does little to stop data theft. It's much more important to have a policy concerning data and constantly reinforce the policy so users understand what is required of them and why.

stephenrmcguire

I can see why disabling USB drives could seem like the right idea, but it is pretty silly to think it is really doing anything. I agree there are too many other easy ways to get around it: paper for small files, ftp for anything, burn to CD/DVD, email, etc. Disabling USB only causes user irritation. It's a nice idea, in theory, but silly in reality.

georgepotwin

I can see this for extra-sensitive computer systems that the end user has no need to move data from, but not on regular run-of-the-mill computers on the network. Education and auditing is the way to go. I see a USB drive or external USB HD as a great tool for system admins. Can you disable the USBs from everyone except Admins?

george.kennedy

We implemented this on 3,300 PCs about 6 weeks ago - 3 complaints so far !!

A few different steps to achieve management of USB memory sticks (or any USB mass storage devices)... Other USB devices remain unaffected.

Decisions to be made......

1. Control load of USB - previously used / new devices.
2. Decide whether previously used devices should be read only, read/write or not accessible.
3. Stop new devices installing.

Point 1 above:- Run Regedit. Go to HKLM\system\currentcontrolset\services\USBstor. Create or change the Dword labelled 'start' from 3 to 4. This stops previously used devices loading....

Point 2 above:- If the devices have to be read only then don't perform step 1 above. Create Dword WriteProtect with a value of 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect=dword:00000001. A value of 0 will be read/write.

Point 3 above:- Remove 'system' from the permitted users list on the USBSTOR driver..... No new USB mass storage devices can load: flash drives, USB hard drives, MP3s, cameras, USB CD & DVD drives etc etc etc.. All other USB devices will still work.

This works on 3,300 PCs - Policies are in place also. Staff must accept the policies once (a logon banner) before they access the network. Hope this helps...
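The three controls this comment describes (the USBSTOR service Start value, the StorageDevicePolicies WriteProtect value, and the deny ACL on the usbstor.inf / usbstor.PNF driver files that Bill Detwiler's correction above points at) can be audited from an elevated PowerShell session so you can verify what a given PC is actually enforcing. This is an added example, not code from the article or from any commenter; the function names are assumptions of mine.

```powershell
# Added example (not from the article or the commenters): audits the three
# USB mass-storage controls discussed in the thread on the local Windows PC.
# Assumes an elevated PowerShell session (reading the ACLs needs admin rights).

$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$infFiles   = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.PNF")

function Get-UsbStorageControlState {
    # Returns an ordered table of control name -> enforcement state.
    $result = [ordered]@{}

    # Control 1: USBSTOR service start type. 3 = load on demand (default),
    # 4 = disabled, so previously installed mass-storage devices no longer mount.
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction SilentlyContinue).Start
    $result['USBSTOR Start'] = if ($start -eq 4) { 'Enforced (Start=4, disabled)' }
                               else { "Not enforced (Start=$start)" }

    # Control 2: write protection for removable storage. WriteProtect=1 mounts
    # devices read-only; the key is often absent entirely, which means read/write.
    $wp = (Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    $result['WriteProtect'] = if ($wp -eq 1) { 'Enforced (read-only)' }
                              else { 'Not enforced (read/write)' }

    # Control 3: deny entries on the driver INF/PNF so new devices cannot be
    # installed. The corrected guidance targets these two files only, never
    # the whole Windows folder.
    foreach ($f in $infFiles) {
        if (-not (Test-Path $f)) { $result["ACL $f"] = 'File not found'; continue }
        $denies = (Get-Acl -Path $f).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { "$($_.IdentityReference.Value):$($_.FileSystemRights)" }
        $result["ACL $f"] = if ($denies) { "Deny present for $($denies -join '; ')" }
                            else { 'No deny entries' }
    }
    return $result
}

function Set-UsbStorageReadOnly {
    # Applies only control 2, the least disruptive option from the comment:
    # creates the policy key if missing and sets WriteProtect=1.
    # Setting -Value 0 reverses it.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name WriteProtect -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-UsbStorageControlState | Format-Table -AutoSize
```

All three controls act only on the USB mass-storage class; as dennis_london notes above, a device that enumerates as a keyboard or mouse is untouched by them, so treat this audit as one layer alongside policy and monitoring.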

scoopboys

You are both right - the companion article describes denying access to usbstor.inf and usbstor.pnf, but the video describes and displays denying access to the systemroot. TR - want to amend the video so dumb admins don't prevent systems from working at all?

peebriches

If you cannot trust your users to act in accordance with your IT policy, then perhaps those users should NOT be logging onto your systems in the first place. I agree with "dcavanaugh" & in my humble experience, the tighter you lock your systems down the more you will need to manage them to maintain the status quo. It takes a long time to get end-users to use new technology and more importantly to use said technology in a responsible manner. The challenge is always going to be keeping information secure and the only way to do this is with more and more sophisticated audit/security/doc management tools so you know who is accessing your information and when and what it has been used for..not an easy task..but one I would rather have than removing access to new technology by the draconian steps taken by blocking USB ports.

george.kennedy

I agree to a point that policies are very important & they should be part of staff terms & conditions of employment. How do you know that the policies are being accepted by staff? Answer - a policy acceptance banner when staff logon to the PC. So now we have a record of who accepted the policies & who hasn't yet.... Staff can still ignore these policies & remove data from the company & lose it !! That's where I feel that IT professionals can enforce these policies with a technical solution... A flexible one. Perhaps read only for some users. Read/write for others. No access to USB mass storage for others.. This is achievable via Active Directory Organisational Units & scripts... Rgds..

verrice

You need to read entire posts before jumping up and down waving a pitch-fork and torch. My point was exactly the opposite of what you're portraying it to say. You HAVE to give them access... I also said I'm not in favor of preventing USB drive access. That's what I was getting at. Your sarcasm, however, is indeed appreciated. (see I can do it too) ;-)

herlizness

Employees need access to data that you do not want to get out. It's a fact. As IT if you 'trust' -anyone- with data, you're not skeptical or cynical enough for this field. Policies don't work, even when they're coupled with 'disciplinary action'. The only way to ensure something happens is to make it non-optional. you bet ... employees can't be trusted; contractors can't be trusted; vendors can't be trusted; PEOPLE cannot be trusted, not even YOU Lock the doors ... don't let anyone in .. just go out of business, dammit! the security risks are just NOT worth it

tprescott

It really isn't a silly idea. For a financial institution like us, this is being highly recommended by our State Auditors. We have no floppies or CD burners on our PCs for all except admins.

verrice

While I don't agree with the idea of disabling USB drives, the points made about blocking access to data, etc., are not well thought out. Employees need access to data that you do not want to get out. It's a fact. As IT, if you 'trust' -anyone- with data, you're not skeptical or cynical enough for this field. Policies don't work, even when they're coupled with 'disciplinary action'. The only way to ensure something happens is to make it non-optional. That said... there are risks you have to accept; and often trusting employees with data is indeed a bone of contention. Data and employees go hand in hand, they all need it or it'd be useless, and any employee, from CEO down, could be a source of theft. It's a fact of life. Moreover, the risk of accidental loss of data is far greater than intentional theft. An employee who has downloaded sales figures onto a USB drive for use elsewhere may have good intentions and intend no harm. That, however, doesn't mean they couldn't lose said drive and someone with ill intent find it. Welcome to the never-ending struggle... we in IT who love technology and all its advances, who are forced to constantly battle against it and walk the thin red line.

george.kennedy

"Can you disable the USBs from everyone except Admins?" Short answer - Yes. Active Directory OUs & scripts enable this....

gotmilkcrazy

Try the software called myusbonly; it can give you a unique experience of managing your own PCs' USB hub in the office or home. Get the trial to try first: www.myusbonly.com

MetalFR0

Yes, the TriGeo SIM appliance has the ability to lock down USB devices except for admins, & you can "whitelist" USB devices as well, so scanners & other things that users may need are still available. If memory serves, you can also whitelist specific USB drives as well, so if your tech team needs to use USB drives in their troubleshooting process but aren't logging on as an admin, they can still do their jobs. Just make sure they keep a close watch on that drive!

NickNielsen

Somebody's got to clean up after somebody stupid enough to do that. Might as well be us! :D

SKDTech

...smart, knowledgeable and responsible we wouldn't have jobs. A user can be completely trustworthy and still compromise a network and/or data through a simple mistake. Thumb-drives can be lost or misplaced and even unknowingly infected with viruses or other malware. There have been more than a few scares in recent years due to stolen or lost data that was sensitive in some nature. One that affects me personally, for example, is the laptop of the employee who worked for the VA that was stolen while containing a large number of veteran records. Was the employee inherently a dishonest person? I am assuming not since they worked for the VA. Were they supposed to take that information out of the workplace? If I recall correctly the answer is no. Policies are all well and good but they are always going to end up being broken by someone. Locking down USB drives is just one more step that can be taken to secure information and protect your network. Nothing that can be accessed is completely secure but the more roadblocks you put in the way of the people who shouldn't have access to it, whether it be access audits/info security/doc management tools/physical security management or a combination of all, the less likely it is that someone is going to be able to get at it without authorization and the more likely you are going to be able to catch the ones who are actively trying to cause harm.
