Disabling USB Storage With Group Policy

by Mitch Tulloch
11/15/2005

The security threat posed to companies by USB flash drives has been known for some time now. LabMice has a good summary of both the tremendous usefulness of these devices and the dangers they pose to businesses, both in terms of being a potential malware vector and a channel for stealing sensitive information from companies. What can be done to prevent such misuse of technology?

Policy First

Start by updating your company's security policy to provide guidance to employees concerning the proper use and misuse of USB storage devices. If you want to allow employees the convenience of using these devices, you need to give them clear guidance on what management expectations are for using them and what the consequences will be for misuse. The misuse of technology like this is generally not something you solve by more technology -- it's fundamentally a management issue and needs to be addressed at the policies and procedures level first.

When your boss hears that anyone can now walk into an office and take a USB key from his pocket and grab megabytes of confidential business data and walk out with it undetected, her first response might be to ask, "How can we lock down our computers to prevent this from happening?" The networking staff then run around looking for some commercial product to buy that blocks use of USB drives, and suddenly you're adding another layer of software on top of your network, increasing complexity and making it harder to maintain. If your boss reacts like this, you need to respond by pointing out that USB storage technology can have significant benefits for worker productivity and that the risks posed by this technology are not fundamentally different than those of floppy drives and CD burners (though the small form factor of USB keys makes them a bit easier to hide). Then after your boss has dialed down, you need to point out that what really needs to be done is to make a management decision concerning what constitutes acceptable use for this technology and then update the security policy and communicate the changes to employees.

Of course, the reality sometimes is that maybe you don't have a written security policy for your company, or maybe you have one but management won't buy into it and violations are never punished. Perhaps your boss says, "It's your problem, you're the admin -- fix it" and walks away. In that case, your next step might be to update your resume. On the other hand, if you're the All-Powerful Administrator of your network, then you may simply decide to disable use of USB storage devices completely on all your computers. Where do you start?

Ways of Disabling USB Storage

There are commercial products that can solve your problem, and a good example of one is IntelliPolicy for Clients from FullArmor. While this is a great product, it should not be thought of as a solution to the problem of disabling USB storage capability on your computers. That's because you don't buy a powerful, full-featured product like this simply for a single feature it can offer. Instead, you buy a product like IntelliPolicy as part of your overall planning for building a security architecture that can help you manage the real risks your network faces. So if your network needs a security overhaul, take a good look at a product like this and evaluate its usefulness. But if you already have a robust security architecture in place and just want to add one extra piece of functionality like disabling USB storage capability, you should look elsewhere.

As it turns out, a simple solution is to extend Group Policy to handle the problem of disabling USB storage on Windows machines. Group Policy is the de facto tool for managing the configuration of machines on Windows-based networks (that is, networks that have Active Directory deployed). And Simon Geary, a Microsoft MVP (Most Valuable Professional) in the area of Directory Services, has come up with a simple illustration of how powerful Group Policy is and how easily it can be extended. All you need to do is create a new administrative template (.adm file) that defines a policy setting for disabling the usbstor.sys driver on Windows machines. Then you import your .adm file into a Group Policy Object (GPO), and you, as administrator, now have the option of disabling USB storage on any domain or organizational unit to which your GPO is linked. Here's a knowledge base article that contains the code for the .adm file, and below is a figure showing what the new policy setting looks like:

Figure 1. The new policy setting to disable USB drives
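
For illustration, here is a minimal template of the kind described above. It is an added example, not the code from the knowledge base article or Simon Geary's template. The category names and string identifiers are assumptions. It relies on the USBSTOR service's Start value, where 4 means the driver is disabled and 3 means it loads on demand.

```adm
; Added example: custom administrative template for the USBSTOR driver start type.
; Category names and string IDs below are assumptions chosen for illustration.
CLASS MACHINE

CATEGORY !!CatCustom
  CATEGORY !!CatRemovableStorage
    POLICY !!PolDisableUsbStor
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!ExplainDisableUsbStor
      VALUENAME "Start"
      ; Enabled  -> Start = 4 (service disabled, usbstor.sys does not load)
      VALUEON NUMERIC 4
      ; Disabled -> Start = 3 (manual/demand start, the Windows default)
      VALUEOFF NUMERIC 3
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
CatCustom="Custom Policy Settings"
CatRemovableStorage="Removable Storage"
PolDisableUsbStor="Disable USB mass storage driver"
ExplainDisableUsbStor="Enabled: sets the USBSTOR service start type to 4 (disabled), so USB storage devices cannot be used.\n\nDisabled: sets the start type back to 3 (load on demand).\n\nNot configured: leaves the current registry value unchanged."
```

Because this key lies outside the registry's Policies branches, the value stays in place after the GPO is unlinked until the policy is explicitly set to Disabled, and the Group Policy editor lists the setting only when its filter for fully managed policies is switched off.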

Simon's work is typical of many others in the Microsoft MVP program, which recognizes outstanding individuals who contribute their time and energy to the worldwide user community by answering questions, offering advice, and sharing their knowledge in a professional manner. If you have technical questions concerning any Microsoft platforms or products, a good way to get them answered is to post them to an appropriate newsgroup on Microsoft Technical Communities, where MVPs generally hang out and are eager to answer your questions. You can access these newsgroups using either your web browser or an NNTP newsreader.

I may sound a bit like an advertisement for the MVP program, and I am, but I've been tremendously impressed by the members of this community since I joined it, and I'm honored to know many of these people including Rodney and Mark who live right here in my own home town of Winnipeg, Canada. And they even like beer!

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.

