How to disable to USB Devices

By surveymaster.shivaram ·
I would like to know how to disable USB devices (USB hard drives or small storage devices) for all users through group policy in Windows 2000. I would like to do this as a HIPAA security policy in the health industry.
Thanks

by willcomp In reply to How to disable to USB Dev ...

Interesting question. Don't think you can do it with group policy or even local settings. A USB key is strictly plug and play on Me, 2000 and XP.

Seems that the only fix would be to disable USB ports in BIOS and then password protect BIOS access.

Maybe someone else has a better solution.

Good luck.

by ewgny In reply to How to disable to USB Dev ...

To disable in 2K I think all you need to do is disable usbstor.dll
Deploying a restriction may be easier via a scripting solution that would rename the .dll
In XP see this link
http://tinyurl.com/5g67u
As far as deploying with group policy, a friend of mine was successful with a custom adm to restrict drives. My thoughts are that you may be able to use his method to restrict all letters that are not currently assigned to a drive (either locally or mapped to a drive). Since a USB drive needs a letter, you can restrict all available letters, therefore not allowing one to be available for assignment.
Hiding Drives in Group Policy
1> Find a file called system.adm file that is located in C:\Winnt\inf and make a backup Copy. Copy this file to a location to work on it.
2> Open the File with Notepad.exe, and as it is a huge file, you need to Search for the word !!NoDrives
3> This will bring you to the correct section of the system.adm file you want to modify. It will look like this.
POLICY !!NoDrives
EXPLAIN !!NoDrives_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME "NoDrives"
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!CEGOnly VALUE NUMERIC 84
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!ALLDrives VALUE NUMERIC 67108863
;low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0 (Default)
END ITEMLIST
END PART
END POLICY
4> You will notice that each Drive has a Hexadecimal number associated with it. For multiple drives these numbers are Added together. E.g. the Hexadecimal # for C: is 4. You need to find out the Hexadecimal value for the drive you want to hide. I have listed them all below:

by ewgny In reply to

A = 1 N = 8192
B = 2 O = 16384
C = 4 P = 32768
D = 8 Q = 65536
E = 16 R = 131072
F = 32 S = 262144
G = 64 T = 524288
H = 128 U = 1048576
I = 256 V = 2097152
J = 512 W = 4194304
K = 1024 X = 8388608
L = 2048 Y = 16777216
M = 4096 Z = 33554432

Total = 67108863

4> For more than one Drive you need to add them up. For example, if you wanted to Hide C: E: and G: the Value Numeric would be 84. Add the Drives to the section in the system.adm file using the Same Format as is already listed. This will give you these options when you Open Group Policy later on.

5> Now you need to find the [strings] section of system.adm. It is usually at the end of the file but is large, so search for "ABOnly". Here you need to add the String that you will see in Group Policy. Use the same format as below. Remember the name MUST match what you put up above. See Blue Example

[strings]
ABCDOnly="Restrict A, B, C and D drives only"
ABConly="Restrict A, B and C drives only"
ABOnly="Restrict A and B drives only"
ALLDrives="Restrict all drives"
COnly="Restrict C drive only"
DOnly="Restrict D drive only"
CEGOnly="Restrict C, E and G Drives only"
RestNoDrives="Do not restrict drives"


6> Save the system.adm file. Now you need to copy to C:\Winnt\inf on ALL your W2K Domain Controllers and any Windows 2000 Professional machines that you use to modify Group Policies. Make Sure you have backed up the original system.adm before copying over it.

7> Now Open up AD, and go to the Group Policy Object of the Default Domain. Go to Users|Administrative Templates|Windows Components|Windows Explorer and find the Policy that says "Hide these specified drives in My Computer". Define the Policy, and your added Drives should be available to hide in the Drop Down Box.
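The NoDrives arithmetic from the steps above, as an added example that is not part of the original posts. It goes slightly beyond the posted table by also computing the value for "every letter not currently assigned", the idea raised earlier in the thread; the assigned letters C, D and H and the entry name UnassignedOnly are constructed for illustration.

```python
import string

ALL_DRIVES = (1 << 26) - 1  # 67108863: low 26 bits on, one bit per drive letter


def nodrives_mask(letters):
    """NoDrives value for an iterable of drive letters (A = bit 0 ... Z = bit 25)."""
    mask = 0
    for letter in letters:
        letter = letter.strip(":\\ ").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def mask_letters(mask):
    """Decode a NoDrives value back into the drive letters it covers."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError("NoDrives uses only the low 26 bits")
    return [c for i, c in enumerate(string.ascii_uppercase) if (mask >> i) & 1]


def unassigned_mask(assigned):
    """Value covering every letter that is NOT in the assigned set."""
    return ALL_DRIVES & ~nodrives_mask(assigned)


def adm_entry(name, label, letters):
    """Return the ITEMLIST line and the matching [strings] line for system.adm."""
    item = f"NAME !!{name} VALUE NUMERIC {nodrives_mask(letters)}"
    text = f'{name}="{label}"'
    return item, text


if __name__ == "__main__":
    # Constructed sample: a workstation that uses C:, D: and a mapped H: drive.
    assigned = ["C:", "D:", "H:"]
    free = mask_letters(unassigned_mask(assigned))
    for line in adm_entry("UnassignedOnly", "Restrict all unassigned drives", free):
        print(line)
```

The ITEMLIST line goes into the POLICY !!NoDrives section and the second line into [strings], with the name identical in both places.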

by ewgny In reply to

I would think that once an adm is created you can import it into a new "drive restriction" policy that you create (skipping his step 6 & 7), which in turn would replicate to the other DC's.
You should then have control via group policy on restricting any Drive letter instead of
the Windows default selection of a few drive letters and few combos of drive letters

by ewgny In reply to

I would also not recommend editing the Default Domain policy as he stated above, but create as I mentioned a "Drive restriction" policy and test it in a test OU

by rich.leclair In reply to How to disable to USB Dev ...

Or you can just disable it in the registry. The key you want is at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. In that key there is a value called "start"; you want to change the value data of this from 3 to 4. This will disable all USB Storage devices from this machine. I believe you can create a Group Policy to use this. Also, if you are really paranoid, you can disable USB Hubs also. They are the keys above USBSTOR (usbhub and usbhub20); this is done the same way. This makes it so you can not use a USB Hub on the machine also.
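A way to check that the registry setting described above is actually in place on a machine, as an added example that is not part of the original post. It reads a regedit export of the Services key and reports which of the three services named in the post do not have the "start" value set to 4; the export text below is constructed sample data.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
DISABLED = 4  # value the post says to set in place of 3

# Constructed sample export: USBSTOR still enabled, usbhub disabled, usbhub20 absent.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum]
"Count"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub]
"Start"=dword:00000004
'''


def start_values(export_text, services):
    """Map each service name to its start value, or None if no value was found."""
    wanted = {f"{BASE}\\{s}".lower(): s for s in services}
    found = {s: None for s in services}
    current = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key and value names are case-insensitive; subkeys do not match.
            current = wanted.get(line[1:-1].lower())
        elif current:
            m = re.fullmatch(r'"start"=dword:([0-9a-f]{8})', line, re.IGNORECASE)
            if m:
                found[current] = int(m.group(1), 16)
    return found


def not_disabled(export_text, services=("USBSTOR", "usbhub", "usbhub20")):
    """Services whose start value is anything other than 4, including missing ones."""
    values = start_values(export_text, services)
    return sorted(s for s, v in values.items() if v != DISABLED)


if __name__ == "__main__":
    print(start_values(SAMPLE_EXPORT, ("USBSTOR", "usbhub", "usbhub20")))
    print("needs attention:", not_disabled(SAMPLE_EXPORT))
```

A service with no start value in the export is reported as well, since its state cannot be confirmed from the file.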
