How to disable the use of USB storage devices

If you ever wanted to disable the use of USB storage devices at your organization, like USB flash drives or external hard drives, this article is for you.

Look no further: you can do it with Group Policy, which you already have in your Active Directory environment.
First, download and install the Group Policy Management Console (GPMC).

To prevent users from using USB drives at all, you will need the USB block ADM file.

To let users read USB drives but not write to them, you will need the USB write protect ADM file.

One more step is needed before the above templates will work, and it concerns the file permissions on two files. The templates only change registry values; if the USB storage driver has never been installed on a machine, Plug and Play (which runs as SYSTEM) will simply install it from usbstor.inf the first time a device is plugged in. To stop that, remove the SYSTEM account's access permissions from %SystemRoot%\Inf\usbstor.inf and %SystemRoot%\System32\Drivers\usbstor.sys.

You can do so by right-clicking each file > Properties, then going to the Security tab and removing the entry for the SYSTEM account. Keep in mind that anyone with local administrator rights can put that entry back (or edit the registry values the templates set), so this control holds against ordinary users, not against a determined administrator.

Note: under some circumstances SYSTEM needs write access to these files. For example, when a Service Pack is installed via GPO or SMS, the installation runs under the SYSTEM account and has to replace the files with newer versions; without write access the installation fails. Therefore, before each SP deployment, grant the SYSTEM account access to these files again, and remove it once the deployment is finished.
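The same permission change, scripted, as an added example rather than the article's own steps (this is not code from the original page). It assumes the two default file locations on Windows XP/2003 and an elevated session; run it with -Mode Restore before a Service Pack push and with -Mode Block afterwards.

```powershell
# Added example: remove or restore the SYSTEM account's access on the two
# USB mass-storage driver files.  Paths are the defaults on Windows XP/2003
# (an assumption; adjust if your installation differs).
param(
    [ValidateSet('Block', 'Restore')]
    [string]$Mode = 'Block'
)

$files = @(
    (Join-Path $env:SystemRoot 'inf\usbstor.inf'),
    (Join-Path $env:SystemRoot 'system32\drivers\usbstor.sys')
)
$system = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'SYSTEM')

foreach ($f in $files) {
    if (-not (Test-Path $f)) { Write-Warning "Missing: $f"; continue }
    $acl = Get-Acl -Path $f

    if ($Mode -eq 'Block') {
        # Stop inheriting from the folder (keeping the inherited entries as
        # explicit ones) so the parent ACL cannot re-grant SYSTEM, then drop
        # every entry that names SYSTEM.
        $acl.SetAccessRuleProtection($true, $true)
        $acl.PurgeAccessRules($system)
    } else {
        # Re-enable inheritance and add an explicit Full Control entry so a
        # SYSTEM-context Service Pack install can replace the file.
        $acl.SetAccessRuleProtection($false, $false)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $system, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $f -AclObject $acl
    Write-Host "$Mode applied to $f"
}
```

On Windows Vista and later this file trick is unnecessary: the Removable Storage Access policies under Computer Configuration\Administrative Templates\System and the device installation restriction policies do the same job without touching driver files.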

Adding .ADM files to the Administrative Templates in a GPO

In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the next steps:

  1. Open the Group Policy Management Console (GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command. Note: GPMC is not a built-in part of Windows 2000/XP/2003 and needs to be installed separately; it is designed for Windows Server 2003-based Active Directory.
    If you do not have GPMC or cannot install it, edit the GPO the regular way, from the Active Directory Users and Computers tool (dsa.msc).
  2. Right-click an existing GPO (or create a new GPO, then right-click it) and select Edit.
  3. Expand either the Computer Configuration or the User Configuration section of the GPO, right-click its Administrative Templates node and select Add/Remove Templates.
  4. In the Add/Remove Templates window click Add.
  5. Browse to the location of the required .ADM file and click Open.
  6. In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close.
    Now re-open the Administrative Templates section and browse to the new settings location.

Disabling GPO settings filtering

Many custom Administrative Templates, including ones for USB storage, write to registry keys outside the Policies branches (HKLM\Software\Policies, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies and their HKCU equivalents). The GPO editor treats such settings as preferences rather than true policies, because their values stay in the registry after the policy is removed, and it hides them by default. To show them, follow the next steps:

  1. After completing the above procedure, browse to the newly added Administrative Template section.
    Note that the section is indeed listed, however the right pane is empty.
  2. Right-click an empty spot in the right pane and select View > Filtering.
  3. In the Filtering window clear the “Only show policy settings that can be fully managed” option, then click OK.
    Notice how the available options are now displayed in the right pane.

You can now configure these options as you please.
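To show what such a template looks like, and why the filtering step above is needed, here is an added example ADM file. It was written for this edit and is not the "USB block" or "USB write protect" file linked earlier (whose contents are not reproduced here). It sets the two registry values these controls rely on: the Start value of the UsbStor service (4 = disabled, 3 = the default "start on demand") and WriteProtect under StorageDevicePolicies (honoured on Windows XP SP2 and later). Neither key lives under a Policies branch, so the GPO editor hides both behind the "fully managed" filter and leaves their values in place when the template or GPO is removed.

```adm
; Added example template (not the files linked in the article).
; Semicolon lines are comments in ADM syntax.
CLASS MACHINE

CATEGORY !!Cat_Custom
  CATEGORY !!Cat_UsbStorage

    POLICY !!Pol_DisableUsbStor
      EXPLAIN !!Explain_DisableUsbStor
      KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
      VALUENAME "Start"
      VALUEON  NUMERIC 4   ; SERVICE_DISABLED: the driver is never loaded
      VALUEOFF NUMERIC 3   ; SERVICE_DEMAND_START: the Windows default
    END POLICY

    POLICY !!Pol_WriteProtect
      EXPLAIN !!Explain_WriteProtect
      KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
      VALUENAME "WriteProtect"
      VALUEON  NUMERIC 1   ; removable storage is mounted read-only
      VALUEOFF NUMERIC 0
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
Cat_Custom="Custom Templates"
Cat_UsbStorage="USB Storage Devices"
Pol_DisableUsbStor="Disable the USB storage driver (usbstor)"
Explain_DisableUsbStor="Sets the Start value of the UsbStor service to 4 (disabled) so the USB mass-storage driver does not load. Only effective on machines where the driver has already been installed; see the file-permission step for new installs."
Pol_WriteProtect="Make USB storage devices read-only"
Explain_WriteProtect="Sets WriteProtect under StorageDevicePolicies to 1. Requires Windows XP SP2 or later."
```

Save it with a .adm extension, add it through Add/Remove Templates as described above, and the two policies appear under Custom Templates > USB Storage Devices once the filter is cleared. Because both values are written to the live service and control keys, setting a policy to Not Configured later does not undo it; only Disabled writes the VALUEOFF value back.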

Replicating the added .ADM files across the domain

When adding new .ADM files to any GPO you actually place new features in the Administrative Templates section for that GPO. These settings should be accessible from any DC, and should apply to any computer that is affected by that GPO.

However, if the .ADM files were added, for example, when sitting on DC1, how do you make sure they are also replicated to DC2, DC3 and so on?

Well, luckily for us, in most cases there are no additional configuration steps involved. When you add a new .ADM file it is automatically uploaded to the following location on the DC that was used to edit the GPO (usually the PDC Emulator):

%SystemRoot%\SYSVOL\sysvol\domain name\Policies\{GPO GUID}\Adm

Because the whole SYSVOL folder is shared and replicated automatically across the domain, the uploaded .ADM file is replicated automatically to the copy of the GPO on every DC in the domain.

However this might cause a problem when using too many templates and too many GPOs, especially on slow WAN links.

In Windows Server 2003, the size of the Administrative Templates has grown when compared to the same .ADM files in Windows 2000. As a result, the entire set of Administrative Templates has grown to almost 1.75MB. When you multiply this size by each Policy that SYSVOL contains, you can see that much space is devoted to these templates.

For example, for a large corporation with 1200 GPOs in place, the entire SYSVOL folder (where the GPOs are located on each DC) can take up more than 1GB of hard disk space. Replicating such a folder over the WAN (especially when promoting a new DC) can be very problematic.
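To put a number on that cost in your own domain, here is an added PowerShell example (not from the article) that totals the .ADM copies stored under each GPO in SYSVOL. It assumes a domain-joined machine with read access to the SYSVOL share; the domain name is taken from the environment, which is an assumption you may need to override.

```powershell
# Added example: how much SYSVOL space the per-GPO .ADM copies occupy,
# per GPO and in total.  $domain is assumed to resolve to the AD domain.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

$report = Get-ChildItem -Path $policies |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $admDir = Join-Path $_.FullName 'Adm'
        $bytes  = 0
        if (Test-Path $admDir) {
            # Sum only .adm files; Measure-Object returns $null for an empty folder.
            $sum = (Get-ChildItem -Path $admDir -Filter *.adm |
                    Measure-Object -Property Length -Sum).Sum
            if ($sum) { $bytes = $sum }
        }
        New-Object PSObject -Property @{ GPO = $_.Name; AdmBytes = [int64]$bytes }
    }

$report | Sort-Object AdmBytes -Descending | Format-Table GPO, AdmBytes -AutoSize
$total = ($report | Measure-Object -Property AdmBytes -Sum).Sum
'{0} GPOs; {1:N2} MB of .ADM files duplicated in SYSVOL' -f @($report).Count, ($total / 1MB)
```

If the total is a problem, enable "Turn off automatic update of ADM files" (User Configuration\Administrative Templates\System\Group Policy) on the workstations administrators edit GPOs from, so each editing session stops re-uploading the default templates into every GPO it opens. On Windows Server 2008 and later the ADMX format replaces this per-GPO copy with a single central store under SYSVOL\domain\Policies\PolicyDefinitions.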

Removing .ADM files from an existing GPO

Whenever you no longer need the added feature, simply reverse the process: instead of adding .ADM files, remove them.

Before removing an Administrative Template, set its policy settings to the state you want to leave behind (typically Disabled, which writes the template's "off" value) and wait for Group Policy to refresh on all the computers the GPO was supposed to affect. Removing a template does not change or remove any registry settings the GPO deployed when Group Policy was last processed; a USB block applied this way stays in force on any machine that never received the reversal.
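An added PowerShell example (not from the article) for checking a workstation's state before and after a template is removed: it reads the two values a USB template of this kind sets and, with -Reset, puts the defaults back locally for machines that missed the final Group Policy refresh. The registry locations are the ones used by the usbstor service and by StorageDevicePolicies; the function name is my own.

```powershell
# Added example: report (and optionally reset) the registry values left
# behind by a USB block / write-protect template.
function Get-UsbStorageState {
    param([switch]$Reset)

    $usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $sdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

    if ($Reset) {
        # Defaults: Start = 3 (start on demand); WriteProtect absent or 0.
        if (Test-Path $usbStorKey) {
            Set-ItemProperty -Path $usbStorKey -Name Start -Value 3 -Type DWord
        }
        if (Test-Path $sdpKey) {
            Remove-ItemProperty -Path $sdpKey -Name WriteProtect -ErrorAction SilentlyContinue
        }
    }

    # A missing key or value reads as $null rather than throwing.
    $start = (Get-ItemProperty -Path $usbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $wp    = (Get-ItemProperty -Path $sdpKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect

    New-Object PSObject -Property @{
        UsbStorStart    = $start        # 3 = on demand (default), 4 = disabled, $null = driver never installed
        WriteProtect    = $wp           # 1 = read-only, 0 or $null = writable
        StorageBlocked  = ($start -eq 4)
        StorageReadOnly = ($wp -eq 1)
    }
}

Get-UsbStorageState
```

Run it without -Reset on a few machines after the last refresh to confirm the values really went back to default before you delete the template from the GPO; a machine that still reports StorageBlocked = True has not processed the change.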

UPDATE: http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html is another good resource on locking the drives. Just run the executables from the bottom of the post and you should be fine.

2 Comments

  1. MichaelRaby says:

    Thanks for the tip.

    If you don’t want to mess with hundreds of GPOs I can recommend you use ScriptLogic’s desktop management system called Desktop Authority.

    This way we limited access to unwanted USB devices in our company. The tool allows you to block only particular types of devices, only for particular departments or particular users.

    For example, we have the ability to block unwanted USB storage for most of our users while allowing company-issued USB keys (by their serial numbers) for a special type of user.

  2. admin says:

    Glad you found it useful. Well, Desktop Authority seems a really neat solution indeed.

    Keep em locked down!
