I had someone come to me looking to disable USB storage devices while, at the same time, leaving them active for I/O devices like a mouse, CDROM, etc. Of course, the goal is to stop people from walking up to a workstation and making off with classified information.

I did find a solution to this and I thought that it was useful enough to pass along to others.

Have a look at how easy it is.

Just open regedit and browse to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

Look for the 'Start' value under that key.

Switch this value to 4, and USB storage devices are disabled.

Switch this value to 3, and USB storage devices are enabled (this is the default value).

This stops the USB storage drivers from loading when the OS boots up. It's a nice little security feature that is easy to distribute across the enterprise as well. Note that this *only* impacts removable storage, no other USB devices. Pretty kewl huh?



--TH13