Saturday, September 15, 2012

How to Disable USB Group Policy Settings: Windows 8

How to Disable a USB Drive in Windows 8

Preventing users from attaching their USB sticks to your computers is a challenge worthy of Group Policy.

For maximum protection I recommend you test not one, but four GPO settings to disable the USB drive.

Methods for Disabling a USB Drive with a Group Policy

Computer or User Configuration?

You have two main tactics: first, to prevent users from installing USB drivers, and second, to thwart them from reading from a USB device.  The problem with preventing driver installation is that a driver may have been installed already, in which case the policy will be ineffective.

My preferred tactic is to foil people reading from the USB drive.  The problem here is they can still write, or even execute programs on the drive.  Good news, I have a Plan B whereby we employ sister group policies to disable write, and separately, to disable execute.  The only problem now is that nobody can use a USB drive.

If this is not the outcome you want, then set these three policies in the User Configuration (rather than the Computer section), and deny them to administrators.  This double negative means that administrators can use the USB ports unhindered, while ordinary users are denied access.

Windows 8 Group Policy Disable USB Driver

Only in the Computer Configuration section can you configure a policy to: 'Prevent installation of removable devices'

Launch GPMC or Gpedit on Windows 8, then expand:

Computer Configuration
. Administrative Templates
... System
..... Device Installation
....... Device Installation Restrictions
......... Prevent installation of removable devices
          (Enable)

This policy setting prevents the installation of devices that are not specifically described by any other policy setting.

If you enable this setting, Windows is prevented from installing the device driver.

Note 1: As with many Windows 8 Group Policies, check the logic, for instance, Prevent --> Enable.  This means you cannot use the USB drive.

Note 2: In keeping with a modern trend, there is no need to reboot, or even log off, before this policy bites.  You may, however, like to run the command-line Gpupdate on the Windows 8 client.

Windows 8 Group Policy Disable USB Read / Write

Setting group policies in either the Computer or User Configuration can prevent people from reading from (or writing to) a USB device, or copying files to the USB stick.  Using a policy in the Computer Configuration section is simple and absolute.  While configuring 'Removable disks: Deny read access' in the User section is more flexible, it leaves you open to permissions problems or, to be realistic, opens the door for administrators to remove data from machines.

Computer Configuration
. Administrative Templates
... System
..... Removable Storage Access
....... Removable disks: Deny read access
        (Enable)

Normally you would also Enable the 'Deny execute access', and 'Deny write access' next-door group policies.  As I mentioned earlier, you could also set the same policies in the User Configuration.

Note 3: To reverse this group policy I set 'Removable disks: Deny read access' back to 'Not configured' rather than setting it to 'Disable'.

Registry Techniques to Disable USB Access

Another strategy to frustrate users with USB sticks copying files from your Windows 8 computer is to disable the USBSTOR service in the registry. This method highlights the fact that a knowledgeable and determined local administrator could reverse this attempt to disable USB access - unless your Group Policy disables regedit too.  Anyway, you can research thus:

Launch Windows 8's regedit and drill down to:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
  • Change the 'Start' type to 4 = Disabled.

You could also do the same thing at:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3
  • Again, set 'Start' from 3 to 4.
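
A read-only check that the settings described so far have actually landed on a machine, as an added example that is not part of the original post. The policy key paths and the value names DenyRemovableDevices, Deny_Read, Deny_Write and Deny_Execute are assumptions in the sense that the page does not list them; they are where Windows records these policies once applied. The device class GUID is the one quoted on this page.

```powershell
# Added example: read-only audit of the USB lockdown settings discussed above.
# Assumption: the Policies key paths and value names below are not listed on
# the page; they are where the applied policy settings are stored.

$diskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # removable disks class GUID from the page

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy 'Not configured').
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-UsbLockdown {
    $checks = @(
        @{ Setting = 'Prevent installation of removable devices'
           Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
           Name    = 'DenyRemovableDevices'; Expected = 1 }
        @{ Setting = 'USBSTOR service start type (4 = Disabled)'
           Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
           Name    = 'Start'; Expected = 4 }
    )
    # The three 'Removable disks' policies can live in Computer (HKLM) or User (HKCU) scope.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($access in 'Read', 'Write', 'Execute') {
            $checks += @{ Setting = "Removable disks: Deny $($access.ToLower()) access ($hive)"
                          Path    = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$diskClass"
                          Name    = "Deny_$access"; Expected = 1 }
        }
    }
    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting  = $c.Setting
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Expected = $c.Expected
            Enforced = ($actual -eq $c.Expected)
        }
    }
}

Test-UsbLockdown | Format-Table -AutoSize
```

Run it as the user you want to verify: the HKCU rows reflect that user's policy, so an administrator who has been denied the User Configuration GPO should show 'not set' there.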

Disable USB Access Using Deny Permission on the .INF and .PNF Files

This is my least favourite method.  There is an element of closing the door after the horse has bolted, because it won't work if the user has already used their USB stick.  Also, users are likely to research methods to reverse this process.

  • Launch Windows Explorer, and then browse the %SystemRoot%\Inf folder.
  • Locate the Usbstor.inf file, right-click then select Properties.
  • You want the Security tab. 
  • Click on Edit. [Key Point] For the Group or user names, set 'Deny' Full Control.
  • N.B. Repeat the 'Deny' procedure for Usbstor.pnf.

Registry Research For Windows 8 Group Policy

Experimenting with USBSTOR led me to wonder where in the registry the other group policies tattooed their settings.  I found the above Disable USB settings at this place in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D3598721-D2A9-44EA-90C9-55E08A006B29}User\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

My technique was to launch Regedit and export the entire registry; I called the file USBEnable.reg.  Next I made the change to 'Removable disks: Deny read access', then I exported it again into USBDisable.reg.  Next I ran either WinDiff or this PowerShell script:

# PowerShell script to find registry differences
$strReference = Get-Content "C:\PShell\USBEnable.reg"
$strDifference = Get-Content "C:\PShell\USBDisable.reg"
Compare-Object $strReference $strDifference

Note 4: The script took about 15 minutes to complete.  You could improve on my experiment by exporting only the HKEY_CURRENT_USER branch of the registry.

Note 5: See more on PowerShell Compare-Object.

Troubleshooting Windows 8 USB Group Policies

Get a Test Machine
If possible get a test Windows 8 machine and use Gpedit, rather than risking a domain OU with GPMC. Your final mission may well be a group policy in a domain, but this does introduce extra layers for troubleshooting, for example Domain Controller replication and update delays.

Like their predecessors, Windows 8 Group policies make changes to the registry, a fact which you can turn to your advantage by creating your own .adm template based on registry keys, then importing these settings into your Group Policy.  That said, this advanced technique is only useful if there is no existing policy in the Administrative Template section.

Get a Simple Policy Working
If a group policy that I am attempting to apply does not work, I go back to basics and get a simple policy to work, just to make sure I am not making a fundamental mistake.  Also, a strange thing happens: once I get one policy working, it seems easier to get other more tricky settings to do what I ask of them.

Read the Policy Carefully
Be careful with double negatives in group policies, for instance, 'Turn off xyz...' Disabled, would mean a user gets xyz.  Check your logic with a quick look at the description of a policy you are about to apply.

Download Windows 8 Group Policy Settings

Here Are Other Windows 8 Group Policies to Disable Settings
  • Prohibit access to Control Panel
  • Configure automatic updates (For Windows 8)
  • Enforce disk quota limit.
  • Require a password when a computer wakes.
  • Turn off Autoplay.
  • Do not allow pinning programs to the Taskbar.
  • Windows Firewall: Do not allow exceptions.
  • Prohibit connection to roaming Mobile Broadband networks.
  • Internet Explorer is a fertile area, for example: 'Disable change proxy settings'

Enlightened administrators can find ways of using Windows 8 group policies to make life easier for their users, for example, on low-spec machines 'Always render print jobs on the server'.

Summary of Windows 8 Disable USB Group Policy Settings

If you need to increase security by preventing users from attaching their USB sticks, then there are four group policies to help you achieve your goal.

You can prevent installation of removable device drivers.  But this may not work, if a USB stick has been attached to the Windows 8 machine previously, and the driver is already there.  Thus my first choice would be a policy to disable the ability to read from the USB drive.
