Restricting Read and Write Access to USB Storage Devices

Q: Is there an easy way to block users from writing data to USB storage devices that are connected to their Windows XP systems? I want to prevent users from bringing their personal USB tokens to work and writing confidential company information to them.

A: In Windows XP SP2 and later, you can use the WriteProtect (REG_DWORD) registry setting to prevent users from writing data to USB storage devices. When WriteProtect is set to 1, the Windows driver for USB storage devices will reject user write requests to USB storage devices that are connected to XP SP2 systems. The WriteProtect value is located in the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlStorageDevicePolicies registry container. In Windows domain environments, you can also enforce this setting centrally by defining and using a custom Group Policy Object (GPO) administrative template that controls the WriteProtect registry value. Note that the WriteProtect registry setting can't prevent users from writing to FireWire devices.

If you're considering upgrading your XP clients to Windows Vista, you should be aware that Windows Server 2008 and Vista include more powerful options for restricting which devices users can connect to their system and whether they have read and/or write access to those devices. You can use the new device restrictions to do two things. First, you can use GPO settings to prevent the installation of device drivers for a certain device class such as a particular USB token type. Second, you can use the new device restrictions to leverage GPOs to control the type of access (e.g., read or write) users get to different types of removable storage devices, including CDs, DVDs, tape drives, floppy disk drives, and USB tokens. These new restrictions let you restrict user write access to USB storage devices.

To restrict the installation of certain device drivers on Server 2008 and Vista systems, you must use the Prevent installation of devices using drivers that match these device setup classes GPO setting that's located in the Computer ConfigurationAdministrative TemplatesSystemDevice InstallationDevice Installation Restrictions GPO container. This setting requires you to enter the global unique identifier (GUID) of the device type in the associated Group Policy Editor configuration item. You can easily retrieve the GUID for a USB token from the Windows Device Manager by opening the properties of the USB token (which are typically located in the Device Manager’s Disk drives container), selecting the Details tab (shown in Figure 1), and selecting Device class guid from the Property drop-down list to reveal the USB token’s GUID in the Value section of the window.

To restrict read or write access to a removable storage device on Server 2008 and Vista systems, you must use the GPO settings that are stored in the Computer ConfigurationAdministrative TemplatesSystemRemovable Storage Access GPO container. You can remove read and write access to all removable storage devices by enabling the All Removable Storage classes: Deny all access setting. However, enabling this setting will also restrict user access to legitimate backup or storage devices. To define more granular device access restrictions, such as to restrict read or write access to a USB token, use the Custom Classes: Deny read access or Custom Classes: Deny write access GPO settings. Note that you must know the USB token’s GUID to use these settings.