This is for the security-conscious network administrator who needs to keep tight controls over how data is stored on a Windows network. The reasons for wanting to do this include:
The idea isn't to prevent data transfer entirely. Instead, the idea is to prevent unaudited data transfer. You can audit e-mail, audit other network access such as FTP, and so on using additional methods.
The idea came from a poster to the newsgroup microsoft.public.security, whose name eludes me for the moment.
- Ensure your system drive uses the NTFS file system. You can convert a FAT or FAT32 disk to NTFS by running convert %systemdrive% /fs:ntfs at a command prompt.
- Open a command prompt and type
- Use cacls.exe to change the permissions of usbstor.inf and usbstor.pnf, which works for Windows 2000, Windows XP Home Edition and Windows XP Professional:
  cacls usbstor.inf /p SYSTEM:N
  cacls usbstor.pnf /p SYSTEM:N
The /p parameter tells cacls.exe to replace the current permissions on these files with the single entry given, so the result is that nobody has any access to them. SYSTEM is used here, but any valid user or group name could be used, because the entry grants no access (N = None).
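The same lockdown as a batch script, with a check mode that reports whether the two INF files still carry the no-access entry. This is an added example, not part of the original article; it assumes the files are in their standard %SystemRoot%\inf location and that the script is run from an Administrator account.

```batch
@echo off
rem Added example (not from the original article): lock down or audit the USB
rem mass-storage driver INF files with cacls, as the article describes.
rem Assumptions: the files live in %SystemRoot%\inf (their standard location
rem on Windows 2000/XP) and the script runs from an Administrator account.
setlocal
set INFDIR=%SystemRoot%\inf

if /i "%~1"=="disable" goto disable
if /i "%~1"=="check" goto check
echo Usage: %~nx0 disable ^| check
exit /b 2

:disable
rem /p replaces the whole ACL with the single entry given; N grants no access.
rem cacls asks "Are you sure (Y/N)?" before replacing, so the answer is piped in.
for %%F in (usbstor.inf usbstor.pnf) do (
    echo y| cacls "%INFDIR%\%%F" /p SYSTEM:N >nul
    if errorlevel 1 (
        echo FAILED to change permissions on %%F
        exit /b 1
    )
)
echo USB mass-storage driver INF files locked down.
goto check

:check
rem cacls prints one line per ACE, e.g. "NT AUTHORITY\SYSTEM:N"; if that entry
rem is missing, the default permissions are back and the drivers can install.
set RC=0
for %%F in (usbstor.inf usbstor.pnf) do (
    cacls "%INFDIR%\%%F" | findstr /C:"SYSTEM:N" >nul
    if errorlevel 1 (
        echo %%F: NOT locked down ^(USB storage drivers can still be installed^)
        set RC=1
    ) else (
        echo %%F: locked down
    )
)
exit /b %RC%
```

Run it with the check argument from a logon script or scheduled task to confirm the setting has not been reverted on a machine.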
This effectively disables installing the device drivers for USB mass storage devices, because Windows no longer knows where to find the drivers for them. Devices connected to the computer before these commands were run may still work, because their drivers are already installed; you can remove them by connecting the device, going to Device Manager, and uninstalling the device driver for it. Other USB devices (cameras that aren't mass storage devices, mice, scanners, printers, etc.) will still work.
While this disables the devices in Windows, you should still prevent the computer from starting from a USB storage device by using your system's BIOS settings, and password-protect the BIOS settings. Some motherboards offer chassis intrusion protection as well, to prevent people from resetting the BIOS memory and possibly erasing the BIOS password.
If you want to disable USB storage devices, you should also physically remove floppy and CD-ROM drives from the computer. Chances are, you're using some kind of imaging software and sysprep to deploy Windows, so you won't need them. Also, create passwords for all of your Administrator accounts and lock them away. Use Limited User accounts for your regular work.
To re-enable USB storage devices, you will need to restore the original permissions. From Windows 2000, or Windows XP (Home and Pro) in Safe Mode:
- Click Start and then Run... and type
- Look for usbstor.inf, right-click on it and click Properties.
- Click the Security tab, remove "SYSTEM" from the list.
- Click "Advanced..." and turn on "Allow inheritable permissions..." Click OK to save the change and OK again to close the Properties window.
- Repeat for usbstor.pnf.
If you prefer to use a GUI to disable USB storage devices, you can use the method above (which only works in Safe Mode on XP Home Edition) to remove the permissions instead of granting them. A command line was used earlier to avoid needing Safe Mode to make the change.