How to Block USB Ports on Windows Endpoints

Blocking USB ports should only disable the usage of mass storage devices like external hard disk drives,pendrives, flash memory, memory card readers,bluetooth devices,usb data cards and any such device in which information can be stored. Devices like usb mouse, keyboards should still work with the usb ports. These devices are differentiated as Human Interface Devices or HID.
Why to disable usb ports :
We need to disable USB ports to prevent unauthorized/confidential data transfers.

Mechanism to block USB ports on Windows :

Modify the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\" with value "start" and data = 4

How to enable/disable usb ports :

start = 3 means enable usb ports
start = 4 means disable usb ports

How to disable USB sticks and limit access to USB storage devices :

* Go to Start > Run
* Write regedit in Run box and press Enter
* Now select HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > USBSTOR
* Now double click on Start in the right panel and change its value from 3 to 4





Once this value is modified reboot the computer or restart the explorer.exe process from task manager (this will reload the latest value from registry).

Now try to connect a pendrive/mass storage device. Windows will not read it and thus we have successfully blocked the usb ports.

How Employers Disable USB Ports & How Employees Enable them again :

Lets validate if this was successful by doing another test. Consider that the registry value has been changed to 4 (disable USB storage devices) .
Now , shutdown the machine , connect the pendrive to the usb port and boot the machine.  (Note the pendrive connected has never been connected to this machine .... )
Once the login screen appears , don't login but wait for a minute or so.
The new device is detected by the USB port and is now accessible once you login.

This happens because , if no user is logged onto the machine yet , windows uses the OS Kernel or the SYSTEM user in background to install the new device.
This a hidden user on any windows machine and has a higher authority than the administrator.

Check the value of USBSTOR registry key mentioned above. Value of start has been reset back to 3.
Lets investigate more on how to make a fail-proof solution to block usb ports.

How can I prevent users from connecting to a USB storage device?

Here's a Secure Solution :


1. Change the registry value of USBSTOR from 3 (enable usb ports) to 4 (disable usb ports)
2. Deny full control to the SYSTEM user to access/reset this registry key.




Now try to break this ... let me know if you can break this solution ...

Well now the question arising are : "programmatically setting usb stick ACL ?" or "regedit usb pen drive disable hide"
If you want to do this programmatically , first step is very easy ... we can run regedit in silent mode on remote machines.For step 2 we need to use the subinacl.exe - a tool by Microsoft to set/unsetaccess control lists (ACL) remotely/locally.

CACLS command can be used to display or modify Access Control Lists (ACLs) for files and folders. We can also use cacls to block USB ports.

Run following commands on command prompt :

cacls "C:\Windows\inf\usbstor.inf" /E /D Users Administrators "Power Users" SYSTEM
cacls "C:\Windows\inf\usbstor.pnf" /E /D Users Administrators "Power Users" SYSTEM

0 comments:

Post a Comment

+