Blocking USB in Group Policy

45 pts.
Tags:
Group Policy
Group Policy management
Security policies
USB devices
User restrictions
Hi, I would like to block some users from accessing USB in group policy management. Can anyone guide me please? Thanks in advance!
ASKED: May 11, 2009  11:12 AM
UPDATED: August 15, 2013  7:41 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.

Pressler2904 | May 12 2009 4:45PM GMT

We went through this in my current environment: there is no easy way to block access to USB ports… Some organizations go so far as to fill the USB ports with hot glue I understand. What has worked for us here is to set up a system image with the expected hardware and add a few alternate items (for example, USB Optical Mouse and USB Trackball; different types/brands of monitor). After the image is configured, we disable Plug and Play. No account with User level rights (ALL our user accounts, even the IT dept, have User level rights) can then change or alter the hardware configuration.

It’s pretty severe, I know, but for us it works and it’s the surest way to avoid a massive HIPAA leak…

__________________________________________________________________________________-

Have a look at this similar question/answer.

I didn’t tried personally, but I was told that the user needed to be a local administrator so that it could work.

You can block USB connections through Group Policy, under computer configuration, local policies/security Options, devices. there you can restrict the users. create a separate user group and apply the GPO.

—————————————————————————————————————————
Group Policy.. Block USB

And you can also remove the local administrator permission of corresponding register keys, only leave the group administrator permission to the key, so that even the user is grant the local admin privilege, he/she still can’t use USB storage function via modifying the register key value.

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Pressler2904
    We went through this in my current environment: there is no easy way to block access to USB ports... Some organizations go so far as to fill the USB ports with hot glue I understand. What has worked for us here is to set up a system image with the expected hardware and add a few alternate items (for example, USB Optical Mouse and USB Trackball; different types/brands of monitor). After the image is configured, we disable Plug and Play. No account with User level rights (ALL our user accounts, even the IT dept, have User level rights) can then change or alter the hardware configuration. It's pretty severe, I know, but for us it works and it's the surest way to avoid a massive HIPAA leak...
    2,190 pointsBadges:
    report
  • Snsatyendra
    We can use the system registry to disable the usb storage devices (note that other usb devices such as usb mouse,keyboard etc will remain enabled) First navigate to "HKEY_LOCAL_MACHINESYSTEMCurrentControlSet ServicesUSBSTOR" Then in right pane double click on "Start" and change the value to 4 (which is currently 3). This will disable all your USB storage devices. To enable them back change the "Start" value to 3 again. I have used this technique in Vista and it works well till the users do not have admin rights. In XP service pack 3 the key UsbStor does not exist by default. So you should manually create a key called USBSTOR in "HKEY_LOCAL_MACHINESYSTEMCurrentControlSet Services". Then create a dword value with name "Start" and set its value to 4. This trick however did not worked on some of the machines which i tried.
    15 pointsBadges:
    report
  • Vishalvasu
    In our organization we followed the instructions in this article and it works fine. Hope this helps you too. http://www.petri.co.il/disable_usb_disks_with_gpo.htm
    95 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following