The scenario: You want to prevent users from saving files to a USB drive, probably for security, and to prevent data theft. After this registry tweak users can still read from the USB drive.
Before you use the registry to disable USB settings, launch Explorer and make sure you can save files; check that 'New' on the shortcut menu has not already been disabled by a Group Policy.
Our mission is to find a specific Control setting in the registry, create a new Key and then add a DWORD value called WriteProtect.
1) Launch Regedit
2) Navigate to this key:
HKLM\System\ControlSet001\Control
3) Create a New Key called StorageDevicePolicies. Ignore the
existing key called plain 'Storage'.
4) Create a New: 'DWORD (32-Bit) Value'. Name this new value:
WriteProtect
5) Edit the 'Value data'. What I do is double-click WriteProtect, then click in
'Value data:' and set it to 1. If it displays as 0x00000001 (1) this is
a good sign it is going to disable saving to the USB drive.
6) To check the fruits of your labours, close the registry editor and
restart the computer.
Screenshot showing how the registry can disable USB with WriteProtect =
1.
To Use the Registry to Enable USB Settings
It's easy to employ the registry to enable USB settings. Launch
regedit and use 'Find' to get to StorageDevicePolicies. There, seek the
setting WriteProtect and set its Data = 0 (zero). This reverses
the protection.
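The six steps above and the reversal just described, written as one PowerShell function. This is an added example, not code from the original page: the function name Set-UsbWriteProtect and the $ControlPath parameter are assumptions, and the check against HKLM\SYSTEM\Select goes beyond the page's steps to confirm that ControlSet001 is the control set Windows actually booted from.

```powershell
# Added example (hypothetical function name). Run from an elevated PowerShell
# session; as with the Regedit steps, restart the computer afterwards.
function Set-UsbWriteProtect {
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value,
        # Path from step 2 of this page.
        [string]$ControlPath = 'HKLM:\System\ControlSet001\Control'
    )

    # HKLM\SYSTEM\Select\Current holds the number of the active control set.
    $current  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Current).Current
    $expected = 'ControlSet{0:D3}' -f $current
    if ($ControlPath -notmatch 'CurrentControlSet' -and $ControlPath -notmatch $expected) {
        Write-Warning "Active control set is $expected; $ControlPath may not be in use."
    }

    # Step 3: create the key if it does not exist yet.
    $key = Join-Path $ControlPath 'StorageDevicePolicies'
    if (-not (Test-Path $key)) {
        New-Item -Path $key | Out-Null
    }

    # Steps 4 and 5: a DWORD (32-bit) value named WriteProtect.
    New-ItemProperty -Path $key -Name WriteProtect -PropertyType DWord `
        -Value $Value -Force | Out-Null

    # Read the value back so the result can be checked or logged.
    $item = Get-Item -Path $key
    [pscustomobject]@{
        Key  = $key
        Data = $item.GetValue('WriteProtect')
        Kind = $item.GetValueKind('WriteProtect')
    }
}

# 1 blocks saving to USB drives; 0 reverses the protection.
Set-UsbWriteProtect -Value 1
```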
The overall learning point is that WriteProtect requires a new parent
folder or Key called StorageDevicePolicies (see above screenshot).
Do you find the WriteProtect value in HKCU** or HKLM? Answer: HKLM.
Do you have to add a value, or modify an existing setting? Answer: Add a new key then a new value.
Is it a String Value or a DWORD? Answer: DWORD (32-Bit Value)
Do you need to Restart, or merely Logoff / Logon? Answer: Restart
Tip: Add this value, WriteProtect, to Regedit's Favorites menu.
** HKLM is an abbreviation of HKEY_LOCAL_MACHINE, and HKCU is shorthand for
HKEY_CURRENT_USER. These acronyms are so well-known that you can even use them in .reg files; Windows 7 will understand and obey the registry instruction.
The concept is simple; create a text file with notepad, then type, or
copy and paste the above 4 lines. Crucially, save the file not as
a .txt, but with a .reg extension.
Once you have the information about the key, the settings and the
value in that file, there are at least three ways of importing the
information into your registry.
Double-click the .reg file.
Right-click the .reg file, select Merge from the drop-down menu.
As far as I can see, Group Policy does not have a default setting to disable drives
containing removable media, such as USB ports and CD-ROM drives. However,
you can apply ADM templates which extend Group Policy to use customised
settings.
Here is an ADM for Windows Server 2003:
; Each policy below writes the "Start" value of one storage driver's service key.
; A Start value of 4 stops the driver from loading, which is what disables the device.
CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname

    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
This is a job for Regedit. Firstly you research the correct hive of
HKLM. Then create the key StorageDevicePolicies. Next add a DWORD
called WriteProtect. A value of 1 means disable USB in the registry.