We need a way to prevent users from copying anything to and from USB drives unless they are a system administrator. What can be done to remove this access for security purposes?
Microsoft has a knowledge base article on this very issue (KB555324). You have to create a custom Group Policy ADM. O'Reilly has an easier to grok writeup at:
Disabling USB Storage With Group Policy | WindowsDevCenter.
Hope this helps.
Another option would be to use USBSecure. It's a small deployable script which reads a whitelist of USB devices from a file share. So you can explicitly allow USB storage devices for some users or allow vendor-specific devices (e.g. all USB keyboards and mice from Logitech). Oh, and it's freeware.
If you are working with Windows Vista and above, there are Group Policy options that give you fine grained control over which USB devices are allowed or not allowed. (If you have to support WinXP, see the other answers listed here.)
In Windows Vista or above, go to the group policy editor and drill down to: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions
There you will find options to whitelist or blacklist devices either by specific device IDs or by the class of device. There is also a very important policy at the bottom that allows you to block everything not covered by the other policies.
All you have to know is either the Hardware ID of the device or the Device Class GUID. Both of these things can be found in Device Manager if you plug a device into the machine.
Using the policies that are there you could, for example, allow all mice and keyboards, allow a specific model of a USB scanner, and block everything else.
In Windows, you can disable the USB Storage driver by setting a registry key. This could be configured in a GPO and applied to a limited set of machines. If you want to allow a subset of USB storage devices you will probably have to turn to a third-party product that runs some sort of agent.
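To check which of the two controls described in the answers above (the Device Installation Restrictions policies and the disabled USB storage driver) is actually in effect on a machine, a read-only audit like the following can be run. It is an added example, not code from any poster in this thread; the registry paths and value names are assumptions based on where Windows stores these settings and are not named on this page.

```powershell
# Added example: read-only audit of USB storage restrictions on the local machine.
# Assumed locations (not given in the thread): the USBSTOR service key and the
# policy key written by the "Device Installation Restrictions" GPO settings.
$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RestrictKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-PolicyList {
    param([string]$Name)
    # List-type policies keep their entries as numbered values in a subkey
    # named after the policy value (for example ...\Restrictions\DenyDeviceIDs).
    $sub = Join-Path $RestrictKey $Name
    if (-not (Test-Path $sub)) { return }
    $key = Get-Item -Path $sub
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

function Get-UsbStoragePosture {
    $start = Get-PolicyValue $UsbStorKey 'Start'   # 3 = load on demand, 4 = disabled
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UsbStorStart       = $start
        UsbStorDisabled    = ($start -eq 4)
        # "Block everything not covered by the other policies"
        DenyUnspecified    = ((Get-PolicyValue $RestrictKey 'DenyUnspecified') -eq 1)
        # Administrators may override the restriction policies
        AdminOverride      = ((Get-PolicyValue $RestrictKey 'AllowAdminInstall') -eq 1)
        AllowDeviceClasses = @(Get-PolicyList 'AllowDeviceClasses')
        DenyDeviceClasses  = @(Get-PolicyList 'DenyDeviceClasses')
        AllowDeviceIDs     = @(Get-PolicyList 'AllowDeviceIDs')
        DenyDeviceIDs      = @(Get-PolicyList 'DenyDeviceIDs')
    }
}

$posture = Get-UsbStoragePosture
$posture | Format-List
if (-not $posture.UsbStorDisabled -and -not $posture.DenyUnspecified) {
    Write-Warning 'USBSTOR is enabled and no default-deny install policy is set; review the deny lists above.'
}
```

A disabled USBSTOR driver applies to every account on the machine, administrators included, so the `AdminOverride` field is the one to check when administrators are meant to stay exempt.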
Epoxy works great
A quick and dirty fix will be to use a group policy disabling access to USB devices; take a look at the following article. There are also commercial products which can accomplish the same thing, with better grained security.
GPO will disable the drivers:
http://support.microsoft.com/default.aspx/kb/555324
All the solutions are nice, but you also need to think about a process to be able to load data from USB.
I am in a bank at the moment and by default all USB ports are locked with a GPO that will not load disks.
The problem is they don't have a process for when an external consultant comes to load some data. It's a real pain to transfer ISO files or any documents, because if you can't plug in a USB key, you also can't plug a laptop into the network.
If you lock all your USB ports, don't forget you still sometimes need a way to load data from USB, and 5GB of data across the web/mail is not always an answer.
Security always comes with a price.
I think a better solution is DeviceLock software: http://www.devicelock.com/ It is really useful and has huge functionality.
MyUSBonly from AC Element Company and StopUSB from EverStrike will also work.
Both of them ask for a password if you want to mount a new, unknown USB device.
To be honest, both could be better designed, but at least they do the job.