I see a lot of postings to BugTraq and other security mailing lists about trying to control the use of USB mass storage devices such as thumb drives. These things represent a threat to an organization's security, both in the ability to bring in malicious things and in the ability to remove proprietary information. There are a few commercial products out there that can control the use of these devices, including GFI Languard PSC. Everybody always wants a free solution though, and while good, GFI products are not free. I wrote the following custom group policy file, which will allow you to enable or disable the use of USB mass storage devices. It's been tested pretty extensively and seems to work well. It does not disable other USB devices, such as printers and whatnot, so it is a better solution than just disabling USB ports altogether.
Directions for Use:

1.) Take the following text, copy it, and paste it into a text document. Then, save it as USBSTOR.ADM.

    CLASS MACHINE
    CATEGORY "Custom Policies"
      ; Registry key (under HKEY_LOCAL_MACHINE) that this policy writes to
      KEYNAME "SYSTEM\CurrentControlSet\Services\UsbStor"
      POLICY "USB Mass Storage Installation"
        EXPLAIN "When this policy is enabled, USB mass storage device permissions can be changed by using the drop down box. Selecting 'Grant Permission' will allow USB mass storage devices to be installed. Selecting 'Deny Permission' will prohibit the installation of USB mass storage devices. IF REMOVING THIS POLICY: Reset to original setting and let policy propagate before deleting policy."
        PART "Change Settings:" DROPDOWNLIST REQUIRED
          ; The "Start" value is set to 3 (grant) or 4 (deny)
          VALUENAME "Start"
          ITEMLIST
            NAME "Grant Permission" VALUE NUMERIC 3 DEFAULT
            NAME "Deny Permission" VALUE NUMERIC 4
          END ITEMLIST
        END PART
      END POLICY
    END CATEGORY

2.) Open a group policy management console (gpedit.msc), and right click on "Administrative Templates" under "Computer Configuration". Select "Add/Remove Templates".

3.) Browse to the text document you just saved and click OK. You'll now see "Custom Policies" under "Administrative Templates". Right click on it, select "View", then select "Filtering". Uncheck the bottom box, labeled "Only show policy settings that can be fully managed".

4.) Click OK. Now you'll see the USB policy available for use under the custom policy heading. From there, you can enable or disable it just like any other policy.

Questions? Comments? Post them below as a comment to this article.
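To confirm that the policy has actually reached a machine, you can read back the "Start" value that the template above writes. The following PowerShell is an added example, not part of the original post: the function name Get-UsbStorPolicyState and its output columns are illustrative, and checking remote machines assumes the Remote Registry service is reachable and that you have administrative rights there.

```powershell
# Added example: audit the registry value written by the USBSTOR.ADM policy.
# Get-UsbStorPolicyState is a hypothetical helper name, not a built-in cmdlet.
function Get-UsbStorPolicyState {
    param(
        # Machines to check; defaults to the local computer.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $subKey = 'SYSTEM\CurrentControlSet\Services\UsbStor'   # KEYNAME from the template
    foreach ($computer in $ComputerName) {
        $start = $null; $state = 'Unknown'; $base = $null; $key = $null
        # An empty machine name makes OpenRemoteBaseKey open the local registry.
        $target = if ($computer -eq $env:COMPUTERNAME) { '' } else { $computer }
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
            $key = $base.OpenSubKey($subKey)          # read-only open
            if ($null -eq $key) {
                $state = 'UsbStor key missing'
            } else {
                $start = $key.GetValue('Start')       # VALUENAME from the template
                if ($null -eq $start) {
                    $state = 'Start value missing'
                } else {
                    $state = switch ([int]$start) {
                        3       { 'Grant Permission' }   # VALUE NUMERIC 3
                        4       { 'Deny Permission' }    # VALUE NUMERIC 4
                        default { "Unexpected value ($start)" }
                    }
                }
            }
        } catch {
            # Unreachable host, access denied, and similar failures land here.
            $state = "Error: $($_.Exception.Message)"
        } finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
        [pscustomobject]@{
            ComputerName = $computer
            Start        = $start
            State        = $state
        }
    }
}

# Check the local machine; pass -ComputerName with a list of hosts to audit more.
Get-UsbStorPolicyState | Format-Table -AutoSize
```

A machine that still reports "Grant Permission" after the policy was set to deny has not yet picked up the policy, or something else reset the value, so it is worth rechecking after the next policy refresh.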