disable usb devices


yepiknowiam

I have been trying to disable usb devices and not sure what step I am missing.

I set up a startup script to change the usbstor reg key from "3" to "4".
Also used a group policy adm file to do the same thing. I've read if the
device was never installed it will work the first time.

I found another site that was telling me to assign deny permissions to the
system account on the file: c:\windows\inf\usbstor.inf and usbstor.pnf

I've done that and was able to log on as the administrator and plug in a
USB drive. The permissions were correct on those two files.

Is there something else missing? I feel as if I'm close, but not sure what is
missing.

Any ideas?
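The two controls the poster describes (setting the USBSTOR driver's Start value to 4, and denying the SYSTEM account access to usbstor.inf and usbstor.pnf) can be applied and, more importantly, verified from one script. The PowerShell below is an added example, not code from the thread; it assumes an elevated session on Windows with PowerShell 2.0 or later, and it reads back each setting so that a step that silently failed (for example, a USBSTOR key that does not exist yet because no USB storage device has ever been installed) is reported rather than discovered by plugging in a drive.

```powershell
# Added example (not from the thread): apply the two USB-storage controls the
# original poster describes, then verify each one.
# Assumptions: elevated session on Windows, PowerShell 2.0 or later.

$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorFiles = @("$env:SystemRoot\inf\usbstor.inf",
                  "$env:SystemRoot\inf\usbstor.pnf")

# Service start types for the Start value:
#   3 = SERVICE_DEMAND_START (driver loads when a device is inserted)
#   4 = SERVICE_DISABLED
$StartDisabled = 4

function Disable-UsbStorDriver {
    # Keeps the driver from loading for devices that have already been
    # installed. Takes effect on the next insertion; a drive that is already
    # mounted stays mounted until it is unplugged.
    if (-not (Test-Path $UsbStorKey)) {
        Write-Warning "$UsbStorKey not found; no USB storage driver has been installed on this machine yet."
        return
    }
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value $StartDisabled -Type DWord
}

function Deny-UsbStorInstall {
    # Plug and Play runs as LocalSystem; denying SYSTEM access to the setup
    # files prevents a never-before-seen device from being installed.
    foreach ($file in $UsbStorFiles) {
        if (-not (Test-Path $file)) { continue }   # usbstor.pnf is not present on every build
        $acl  = Get-Acl -Path $file
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList 'NT AUTHORITY\SYSTEM', 'FullControl', 'Deny'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $file -AclObject $acl
    }
}

function Test-UsbStorLockdown {
    # Returns one object per control so the result can be logged or compared
    # across machines instead of trusting that the change "took".
    $results = @()

    if (Test-Path $UsbStorKey) {
        $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start').Start
        $results += New-Object PSObject -Property @{
            Control = 'USBSTOR Start value'
            Ok      = ($start -eq $StartDisabled)
            Detail  = "Start=$start"
        }
    } else {
        $results += New-Object PSObject -Property @{
            Control = 'USBSTOR Start value'
            Ok      = $false
            Detail  = 'key missing (driver never installed)'
        }
    }

    foreach ($file in $UsbStorFiles) {
        if (-not (Test-Path $file)) { continue }
        $deny = Get-Acl -Path $file | Select-Object -ExpandProperty Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and
                           $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' }
        if ($deny) {
            $detail = ($deny | ForEach-Object { $_.FileSystemRights }) -join ','
        } else {
            $detail = 'no Deny ACE for SYSTEM'
        }
        $results += New-Object PSObject -Property @{
            Control = "Deny SYSTEM on $file"
            Ok      = [bool]$deny
            Detail  = $detail
        }
    }

    $results
}

Disable-UsbStorDriver
Deny-UsbStorInstall
Test-UsbStorLockdown | Format-Table Control, Ok, Detail -AutoSize
```

Two caveats worth keeping in mind when reading the report. First, the Start value only governs whether the driver loads for a device that has already been installed, and the file ACL only blocks installation of a new one, so both need to be in place (and verified) for the control to cover both cases. Second, the poster tested as the administrator: any member of the local Administrators group can undo both settings, so this only constrains users who are not local admins.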
 

Steve Riley [MSFT]

Every time I see this, I have to ask: why do you want to do this? What
security threats are you trying to mitigate by disabling USB storage
devices?
 

yepiknowiam

Trying to prevent users downloading possibly sensitive files/information and
bringing it home to work on. They could easily lose a thumb drive and we are
a financial institution. It's a preventive measure. I believe there are
many risks with usb devices.
 

Steve Riley [MSFT]

Will you then also work to disable the following:

* FireWire ports
* Writable CD/DVD drives
* PCMCIA/CardBus slots
* SD Card/Memory Stick/etc. slots
* Internet access (Hotmail, Gmail, Yahoo Mail, FolderShare, and so on)
* Printers and photocopiers
* Digital cameras
* Telephones

You see, there are many ways people can export data from your organization.
You're looking at only one mechanism.

For most of the history of computer security, we defenders have been
struggling to keep the bad guys out. Well, we've reached that point -- with
modern operating systems and properly-written applications, the bad guys
indeed are mostly kept out.

Now, for various reasons, we've had to turn our attention to a completely
different kind of task -- applying more controls over what authorized users
can do with data they're allowed to see. Think about this for a moment! It's
a completely different task, one that requires new thinking, new processes,
and new technologies.

You can't use old-style bad-guy-prevention methods anymore. Attempting to
limit "containers" (be it the network or a PC or a memory module) has
limited utility here. Instead, we must adopt new methods that allow data
sources to protect themselves. Essentially, the notion of portable access
control, where the object -- in this case, a file -- controls its own access
and enforces its own policies, rather than relying on the container -- a
file share.

Yes, this is rights management. IMHO, it's the only way we can truly start
to mitigate the "authorized user threat" (I hate that term, but so far
haven't come up with anything better). Implementing such a system -- say,
Windows RMS -- requires a fundamental shift in thinking about the roles and
work of information security. But I don't see any other way. Blocking USB
drives just won't cut it: you'll simply create what I call a "circumvention
vulnerability," something that encourages users to look for ways to get
around the security policy. And I promise you, they'll find many.

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
 