

Lockdown USB to Specific Removable USB Drives - Spiceworks


By Matt Tilford


Recently we had the need to lock down a few laptops so they could only use a specific USB pen drive (an encrypted Kingston Blackbox). Rather than buy software to handle this, we implemented the following.

1. Firstly, remove all existing USB stick drivers so they cannot be used

As we are preventing the

B. Select the Advanced tab and click the Environment Variables button.

C. Click the New button below the System Variables panel.

D. In the New System Variable dialog box, type devmgr_show_nonpresent_devices in the Variable Name text box and 1 in the Variable Value text box.

E. Click OK to return to the System Properties dialog box and then click OK again.

F. Select the Hardware tab and click the Device Manager button.

G. In Device Manager, go to View | Show Hidden Devices.

H. Expand the USB Controllers branch in the device tree and look for the washed out icons, which indicate unused device drivers.

I. To remove an unused device driver, right-click the icon and select Uninstall. Remove all "USB Mass Storage Device" entries.

2. Plug in the devices you want to allow

If you wish to allow specific USB sticks, insert them now so their drivers are installed. This can also be done after the last step, but that requires an administrator password to perform the install; doing it now is just quicker.

3. Check user permissions

Make sure the user account being used to log on is not part of the Administrators group. Simple enough really, and really they shouldn't be. If they know the local admin password they can install any USB drive they want.

4. Lockdown USB

Finally, change the permissions on the following 2 files: %systemroot%\inf\usbstor.inf and usbstor.pnf

Administrators: Full Control
SYSTEM: Deny All
CREATOR OWNER: Leave as is
Remove all other permissions.
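One way to check that the step 4 permissions are still in place on a laptop, as an added example that is not part of the original article. The function name Test-UsbStorLockdown is hypothetical, and the script assumes PowerShell 3.0 or later, an elevated prompt, and that both files sit in %systemroot%\inf.

```powershell
# Added example, not from the original article: read-only audit of the step 4 ACLs.
# Test-UsbStorLockdown is a hypothetical helper name. Assumes PowerShell 3.0+, elevated.
function Test-UsbStorLockdown {
    param([string]$InfDir = (Join-Path $env:SystemRoot 'inf'))

    $admins  = 'S-1-5-32-544'   # BUILTIN\Administrators
    $system  = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
    $creator = 'S-1-3-0'        # CREATOR OWNER (the article leaves it as is)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($name in 'usbstor.inf', 'usbstor.pnf') {
        $path = Join-Path $InfDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Compliant = $false; Findings = @('file not found') }
            continue
        }
        # Read explicit and inherited entries with identities as SIDs, so the
        # check does not depend on localized account names.
        $rules = @((Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType))
        $findings = @()

        # Expected: Administrators Allow Full Control, SYSTEM Deny Full Control.
        $hasEntry = {
            param($sid, $type)
            [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq $sid -and
                $_.AccessControlType -eq $type -and
                ($_.FileSystemRights -band $full) -eq $full
            })
        }
        if (-not (& $hasEntry $admins 'Allow')) { $findings += 'Administrators: Full Control (Allow) missing' }
        if (-not (& $hasEntry $system 'Deny'))  { $findings += 'SYSTEM: Deny Full Control missing' }

        # Anything else contradicts "Remove all other permissions".
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            $expected = ($sid -eq $admins -and $r.AccessControlType -eq 'Allow') -or
                        ($sid -eq $system -and $r.AccessControlType -eq 'Deny') -or
                        ($sid -eq $creator)
            if (-not $expected) {
                $findings += "unexpected entry: $sid $($r.AccessControlType) $($r.FileSystemRights)"
            }
        }
        [pscustomobject]@{ Path = $path; Compliant = ($findings.Count -eq 0); Findings = $findings }
    }
}

Test-UsbStorLockdown | Format-List
```

A file reported with Compliant = False no longer matches the step 4 state, and the Findings list names each entry that is missing or unexpected.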

Conclusion

And there you have it: only USB drives that have been installed by the administrator will work. This method uses the serial number of the device, so a different device of the same model won't work (if you know how to fix that I'd love to hear from you).

© Copyright 2006-2013 Spiceworks Inc.