Summary of methods to disable USB port in registry, USB disk in group policy, USB disk in group policy and USB disk in registry

Time:2021-6-14

In the local area network of enterprises and institutions, in order to protect the security of computer files and trade secrets, we often need to disable the USB interface of computer, prohibit the use of USB disk and mobile hard disk, and prevent the behavior of copying computer files through USB disk, mobile hard disk and even mobile phones and other devices with USB storage function. So, how to manage USB interface and disable USB disk? In my opinion, it can be realized through the following ways: one is through the registry and group policy (if you think this method is complex, you can directly see the second method at the bottom of the article); the other is through the computer U port management software and USB shielding software, which is relatively simple:

1、 Disable USB interface by registry and group policy

1. USB device uses USB interface. After searching on the Internet, we know that it uses the following two configuration files or registry files, usbstor.inf and usbstor.png. The registry file is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor

2. It’s easy to know the location of the USB configuration file or the registry. There are two ways to disable the USB device. One is to enable the user to disable the two configuration files through group policy, and the other is to disable the USB device through the registry.

The following two experiments are carried out in windows   The experiment passed in 2003

Through group policy, of course, this should be applied in the domain environment, and it should be ensured that those who have not used USB devices (there will be changes in the registry file) hahaha.

As shown in the figure below, in the management tool domain security policy computer configuration Windows settings security settings file system, right-click add file or folder. Find C:: (Windows) inf ⁃ usbstor.inf   And usbstor.pnf  


Then, OK, a dialog box will pop up, which is an important step. Through this, you can set the access level of different users. Of course, if you choose to refuse here, you can choose the permission of different user groups to refuse these two files according to the actual situation. As shown in the figure below  


OK, OK, the following window will pop up, of course, OK, but if you didn’t do it in the previous step, you can reset the access rights of different user groups here (click Edit security settings button)! OK, you can. After the domain group policy is refreshed, it will take effect.  


If you have used a USB device, (or not a domain controller?) Oh, of course, it’s done through the registry key!

Find the registry location of the key value, HKEY_ LOCAL_ Machine / system / currentcontrolset / services / USB hub (under 2000 system) or HKEY_ LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Services\usbstor(XP   or   In the right sub window of the corresponding USBhub (or usbstor) branch, double-click the “start” key, and in the pop-up value setting window, check the number. If it is 4, it indicates that the USB port permission of the computer has been restricted;

If it is 3, it means that the USB port permission of the computer has been enabled. Here, make sure it is 4!!!


As follows:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
“Type”=dword:00000001
“Start”=dword:00000004
“ErrorControl”=dword:00000001
“ImagePath”=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,55,00,53,00,42,00,53,00,54,00,4f,\
  00,52,00,2e,00,53,00,59,00,53,00,00,00
“DisplayName”=”USB   Mass storage driver“
Just restart the machine.

2、 Through the special U disk shielding software and USB disable software, the control of computer USB storage device is realized.

At present, there are special USB interface disable software and USB shielding software in China, which can also effectively disable the use of computer USB interface, and disable USB disk, mobile hard disk, mobile phone and other devices with USB storage function, which are relatively more powerful and easier to operate. For example, there is a “general trend to USB port management software” (download address:  http://www.grabsun.com/monitorusb.html)。 After installation on the computer, you can disable the use of USB storage devices such as U disk and mobile hard disk in real time. At the same time, it can only be used by a specific USB flash disk, only copying files from the USB flash disk to the computer is allowed, and copying files from the computer to the USB flash disk is prohibited (or you have to enter a password to copy them), thus greatly protecting the security of computer files. As shown in the figure below:

 

Figure: disable U disk and mobile hard disk through USB interface management software

At the same time, although we prohibit the use of U disk and USB storage devices, computer users can still send computer files through e-mail, Internet disk, forum, FTP and other tools. Therefore, it is also necessary to prohibit computers from sending e-mail, uploading on Internet disk, uploading via FTP and uploading attachments on forums, so as to prevent the leakage of secrets through the above-mentioned network channels. As shown in the figure above.

In addition, the general trend to USB disable software can also prevent the computer from opening the registry, opening the group policy, entering the computer security mode, starting the computer from the USB flash disk, and starting the computer from the CD-ROM drive, so as to prevent some skilled employees from bypassing the system monitoring and re enabling the USB flash disk and mobile hard disk by modifying the above function modules in reverse, Thus, the management and protection of U disk and USB interface are realized thoroughly.

In short, whether it is through the registry, group policy to prohibit U disk, shielding USB interface, or through the special computer U disk management software, computer USB interface shielding software can achieve the control of U disk, mobile hard disk, can achieve a certain network management effect. However, compared with the registry and group policy, the computer USB interface shielding software has more functions and stronger protection. Enterprises and institutions can choose which scheme to adopt according to their own needs.