Deny usb stick - per user basis on XP

    Question

  • Hi All,

    I need to disable the ability to access usb sticks, but only for a couple of users. When that user logs off, the next one, not in that OU, needs to be able to access usb sticks. The USBSTOR adm solution is no good for me since it disables the ability for the whole computer, and sometimes multiple reboots are necessary to revert the policy.

    Can I deny a specific executable from running, which would prevent usb sticks from showing up?

    Or any suggestions?

    Thanks in advance.

    Friday, November 26, 2010 8:54 PM

Answers

    Hi,

    Regarding Voldar’s suggestion, logon scripts are processed with user credentials. To run the script as a workaround, we can create two groups, for example, the group you want to have access to USB storage named group1, and the group you want to deny named group2. Then, grant group1 permission to change the key. Refer to:

    1. Change the START value to 4 on all the machines via group policy.

    2. For group1, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor needs to be added via Registry control in GPO (under Computer Configuration – Windows Settings – Security Settings – Registry, create a new entry via right-click Registry and select Add Key) to grant group1 permission to change the key.

    3. Use a logon script based on group membership to change the START value back to 3 for group1.

    Normally, for security reasons, we do not recommend granting users permission on that key, as WindowsNT.LV mentioned; meanwhile, there is no other method available for Windows XP.

    Thanks.

    Nina


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by wilmackie Thursday, December 02, 2010 8:28 PM
    Monday, November 29, 2010 10:29 AM
    Moderator

All replies

  • Hello,

    The USBstor.adm file is a computer policy, therefore you cannot use it for users, as you said. But if you have a third-party antivirus program, you can do it with that, like Symantec Endpoint Protection etc.

    Best Regards.

    Fatih


    Everything that has a beginning has an End...
    Friday, November 26, 2010 9:14 PM
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR --> START value is important for the USB access.

    - use a logon script based on group membership to change the START value to 4;
    - use a logout script based on group membership to change back the START value to 3.

    or use GPP registry settings for doing the same thing.


    Sunday, November 28, 2010 4:19 PM
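    The logon/logoff script that Voldar describes above and that Nina's accepted answer builds on (set START to 4 everywhere by policy, let a group-membership check in a logon script set it back to 3, and a logoff script set it to 4 again) is sketched below. This is an added example, not a script from the thread or from Microsoft; the group name CONTOSO\group1 is a placeholder, and it assumes the UsbStor key ACL has already been widened for that group as in step 2 of the answer. Without that ACL the write fails, which is exactly the point WindowsNT.LV raises about logon scripts running with the user's own token, so the script reports the failure instead of silently doing nothing.

```powershell
# Added example (not from the thread). Run with -Mode Allow as the logon script
# and -Mode Deny as the logoff script of the users who may use USB storage.
# Assumptions: the group name below is a placeholder; the key ACL already grants
# that group "Set Value" on the UsbStor service key (step 2 of the accepted answer).
param(
    [ValidateSet('Allow', 'Deny')]
    [string]$Mode = 'Allow',
    [string]$AllowGroup = 'CONTOSO\group1'   # placeholder, replace with your group
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
# START values for a service/driver key: 3 = load on demand (driver starts when a
# USB storage device is plugged in), 4 = disabled (driver never loads).
$StartAllowed  = 3
$StartDisabled = 4

function Test-GroupMembership {
    param([string]$GroupName)
    # Walk the token groups of the logged-on user and compare in DOMAIN\Name form.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([Security.Principal.NTAccount]).Value
        } catch {
            continue   # SIDs that no longer resolve (deleted groups) are skipped
        }
        if ($name -ieq $GroupName) { return $true }
    }
    return $false
}

function Get-UsbStorStart {
    (Get-ItemProperty -Path $KeyPath -Name Start).Start
}

function Set-UsbStorStart {
    param([int]$Value)
    try {
        Set-ItemProperty -Path $KeyPath -Name Start -Value $Value -Type DWord -ErrorAction Stop
        return $true
    } catch {
        # This is the expected outcome when the key ACL was not granted: the
        # script runs under the user's own credentials, not as SYSTEM.
        Write-Warning "Could not write Start=$Value to $KeyPath : $($_.Exception.Message)"
        return $false
    }
}

if (-not (Test-GroupMembership $AllowGroup)) {
    # Users outside the allowed group keep whatever policy set (4 = disabled).
    Write-Host "Not a member of $AllowGroup; leaving Start=$(Get-UsbStorStart)"
    exit 0
}

$target = if ($Mode -eq 'Allow') { $StartAllowed } else { $StartDisabled }
if ((Get-UsbStorStart) -eq $target) {
    Write-Host "UsbStor Start already $target"
} elseif (Set-UsbStorStart $target) {
    Write-Host "UsbStor Start set to $target ($Mode)"
}
```

    Two caveats worth keeping in mind: the START value only controls whether the driver loads for devices attached after the change, so a stick that was enumerated while START was 3 keeps working until it is unplugged; and the permission granted in step 2 covers every value under the service key, not only Start, which is why the accepted answer is reluctant to recommend it.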
  • Logon scripts are processed with user credentials -> and cannot be used to modify HKLM\..\Services values. And I would NOT assign users permission to change that key, anyways.

    It is not possible to restrict any possible USB stick on a per-user basis in XP. In fact, I never disable USB on users' workstations; more or less, they always require access either to USB storage devices or to USB devices like printers.


    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
    Monday, November 29, 2010 8:24 AM
  • I don't know why you want to restrict access to USB - if you want to address information disclosure, users often copy information directly to Internet webpages like gmail; if you want to address virus issues, check out Software Restriction Policies - http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/dea79527-3875-434f-85a3-00ff74bc0926/#c81f577d-7599-42a3-9682-c7a5a5f1ef76
    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
    Monday, November 29, 2010 11:53 AM
  • WindowsNT, imagine you have a situation where you need to have a generic user account that is used by two or more users on the same computer. The use of individual Windows accounts is not an option in this matter. And yes, you don't have a VDI or any other infrastructure in place, only a Windows XP workstation. You want to restrict as deeply as you can the access of this generic account to anything except what’s needed. Restricting USB is one of these, and you want to do it. The computer is also used by domain users at the same time, and you want to give them access to the USB storage adaptors.

    P.S. Yes, you can give rights on registry keys to users, but you can always restrict access to the registry for the same users. You only need to know how. With the method described above, we restrict only the USB storage adaptors, not the printers, keyboards or anything else.

    Monday, November 29, 2010 1:04 PM
  • I understand the situation and have multiple kiosk/student computer implementations. But I never restrict USB for accounts like that, sorry (since it does not change anything).

    The answer is "It's not possible by using built-in tools in XP", anyways.


    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
    Monday, November 29, 2010 2:20 PM
  • WindowsNT.LV: "I dont know why you want to restrict an access to USB "

    Here's why: I want to restrict access to usb during exams for students. They log on with this "exam" user and all they have access to is Word or Excel, and whatever documents the teachers need them to have; they can't go on the web or run any other program. The only problem is they can bring notes on usb sticks...

    Monday, November 29, 2010 8:04 PM
  • Nina, It looks good but it's just a bit confusing... how exactly do you go about granting permission to group 1 to make changes to the key?

    Monday, November 29, 2010 8:05 PM
  • Hi wilmackie,

    Please refer to step 2 in my suggestions. For more information, please refer to:

    a. Open the GPO you want to use for implementing registry permissions.

    b. Expand Computer Configuration – Windows Settings – Security Settings – Registry.

    c. Right-click Registry and select Add Key.

    d. Locate the registry key you want to configure permissions for (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor). Select the registry key and click OK.

    e. Configure the appropriate permissions and click OK.

    f. Make the appropriate selection from the Add Object dialog box and click OK.

    If anything is unclear, please feel free to let us know.

    Thanks.

    Nina

    Thursday, December 02, 2010 2:04 PM
    Moderator
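    Once the registry permissions from steps a-f above have applied to a machine, it is worth checking what the resulting ACL on the UsbStor key actually grants, because the GPO setting is easy to get wider than intended. The audit below is an added example, not part of the thread or of any Microsoft tool; the list of principals treated as expected writers is an assumption you should adjust to your environment, and the key path is the one used throughout the thread.

```powershell
# Added example (not from the thread): list every principal that can write to
# the UsbStor service key and flag those outside an expected set.
# Assumption: only SYSTEM and the local Administrators group are expected to
# hold write rights on a service key; group1 should be the single exception.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-UsbStorWriters {
    param([string]$Path = $KeyPath)
    $acl = Get-Acl -Path $Path
    # SetValue is the right a logon script needs to change Start; FullControl
    # and WriteKey include this bit, ReadKey does not.
    $setValue = [Security.AccessControl.RegistryRights]::SetValue
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.RegistryRights -band $setValue) -eq 0) { continue }
        New-Object PSObject -Property @{
            Principal = $rule.IdentityReference.Value
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
            Expected  = ($Trusted -contains $rule.IdentityReference.Value)
        }
    }
}

$writers = @(Get-UsbStorWriters)
$writers | Sort-Object Expected, Principal | Format-Table Principal, Rights, Inherited, Expected -AutoSize

# Anything beyond the expected principals plus your group1 means the GPO
# entry granted more than step 2 intended.
$extra = $writers | Where-Object { -not $_.Expected }
if ($extra) {
    Write-Warning ("Write access to {0} is also held by: {1}" -f $KeyPath, (($extra | ForEach-Object { $_.Principal }) -join ', '))
}
```

    After the policy has applied, the only non-expected entry should be group1; if Everyone, Users or Authenticated Users shows up with SetValue, the permission was granted to the wrong principal, and since the right covers every value under the key rather than only Start, that is the case the accepted answer warns about.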
  • Dear Nina,

    I want to ask a stupid question: the group that you mentioned, is it a group of users or computers? And where should I put the computers (domain computer accounts) that I want to deploy this USB deny/allow policy to? In which OUs?

    Thank you.


    Regards, Rafael Hengky
    Thursday, February 10, 2011 5:19 AM
  • Could anyone please answer my question?

    Regards, Rafael Hengky
    Wednesday, February 16, 2011 6:18 AM