USB Storage Block

With arrival of USB Pen drive it has become very easier to transfer data from one location to another without difficulty. Now any employee working in his office can easily carry up to 32 GB or even more data of his pending works from home to office easily in his Pocket with a pen drive. So thanks a lot for this technology.
But in some cases this technology has also increased the headache to IT department. The organization where data in very crucial , data can be easily theft with a pen drive. So it is a big challenge for System Administrators to block pen drive through a server. A pen drive however can be blocked by disabling USB Port , But disabling a USB port will disable all USB devices connected to that port. (Printers, Scanners ,Keyboard , Mouse etc.). In a domain environment Thanks a lot for Windows 2008 Server, Where GPO allows to restrict use of pen drive on all the computers in the domain. But unfortunately Windows 2003 server ( that is being used widely) GPO are not capable for this.
So I am going to explain how administrators can block USB storange in their windows 2003 server environment. So here we goes:
1.Search for gpmc.msi package on google download and install it.
Now open Notepad
And type following lines:
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"



Save this file as a adm file say “satishmalanch.adm”

Now in run type “ gpmc.msc “
Now select the OU you want to apply this policy
Click on Action menu and select edit.
Select Computer configuration-Administrative template
Right click and select Add /Remove template click on add
And browse for the ‘’.adm’’ ( in my case satishmalanch.adm) file.

Now againg
select the OU you want to apply this policy
Click on Action menu and select edit.
Select Computer configuration-Administrative template
Expand this and select custom policy-Restrict drive
Click on View menu and check on filtering
And uncheck ‘’Show only the policy that can be fully managed’’
Now edit the custom policy to block usb drive.
Select ‘’Disable USB removable devices”
And click on enable
Also select ‘’stoped’’ for Usb drives status.



Now in you complete domain or OU (depending upon GPO applied )
You can restrict usb drive.

I have tested this trick on windows 2003 standard edition working fine.
On windows 2003 Enterprise I am not sure, but I hope this policy will also
Work in Enterprise edition as well.Please send your valuable comments on this topic at
satishmalanch@gmail.com

…….Regards
Satish Malanch ( System Admin )