- Worldstart's Tech Tips And Computer Help - http://www.worldstart.com -

Blocking Unauthorized USB Devices

Note: This tip may not apply to all versions of Windows.

In terms of computer security and privacy, USB devices are usually the weakest point. Even the strongest firewall or security software can be bypassed just by plugging in a USB drive.

With the growing amount of data a single USB flash drive can hold (up to 128 GB) and the increase in data transfer speed (with USB 3.0), you can imagine how easy it is to copy data to such a device. Using the newest generation of USB devices, data thieves can copy your entire hard drive in minutes.

Besides data theft and privacy issues, USB devices are now the main method of propagation for computer viruses and spyware. Inserting an unknown USB device into a computer can be dangerous. As most of the worms transmitted this way are new, they could go undetected even by the best security suites.

So, how can we protect our privacy and data from such a security risk? By giving access to the computer to only those USB devices that we trust.

This is easily done by modifying NTFS permissions on a few Windows system files to allow only specific users the right to install USB devices on that computer.

Note: To follow the steps below in Windows Vista and 7, you need to be logged in with an administrator account or have administrator rights for the computer. Windows XP users, see the notes throughout the article for similar steps.

The files we need to modify are located in the Windows\inf folder on your primary partition (usually C:).

To make it easier to navigate to the folder and make sure you can find it regardless of how your partitions are set up, we are going to use a shortcut.


Go to the Start Menu and type the command %windir%\inf into the search field. Then press the Enter key to confirm.

Note: In Windows XP, go to the Start Menu and click on Run, then type in the command %windir%\inf and press the Enter key.

This will open an Explorer window directly to the inf folder. Scroll down the list of files and folders until you reach the files usbstor and usbstor.PNF (they should be next to each other).


Now, to modify the NTFS permissions for these files, right-click on each file and select Properties (the last item on the contextual menu).


In the Properties window go to the Security tab and click the Edit… button. A new window containing NTFS permissions for the file will open.

Note: In Windows XP, if you do not see the Security tab, go back to the inf folder window and click on Tools and then click on Folder Options…. Next, go to the View tab and uncheck the Use simple file sharing box (the last one under Advanced settings). After you click OK to apply, you should see the Security tab.

Warning! Do not deny permissions to the SYSTEM group. In addition, you must allow access to these files to at least one group of users. If you check Deny on all users, you will not be able to install new USB devices on that computer (until you reinstall Windows).


Here you can see a list of all the user groups active on your computer. Select the user or user group you want to block from installing USB devices and check the Deny box next to Full control (under Permissions for users). To confirm and exit, click the OK button.

If you receive a Windows Security warning, click Yes twice to apply the settings. Also, remember that you need to go through these steps and change permissions on both files.

To reverse these settings and allow the blocked users to install USB devices, log in with your administrator account (one that still has access to the files), follow the steps above and uncheck all the Deny boxes for that user.

~Cosmin Ursachi
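
The Deny and un-Deny steps above can also be scripted for Windows Vista/7 and later. The following is an added example, not part of the original tip; the function name Set-UsbStorDeny and the sample account name are hypothetical. It assumes an elevated PowerShell prompt under an account that is allowed to change the permissions on both files.

```powershell
# Added example: scripted form of the manual Deny / un-Deny steps.
# Set-UsbStorDeny is a hypothetical name; run from an elevated prompt.
function Set-UsbStorDeny {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Principal,   # user or group to block, e.g. 'PC01\kiosk' (constructed name)
        [switch]$Undo         # remove the Deny entries again
    )

    # Resolve the name to a SID so the safety check also works on localized systems.
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Per the warning in the tip: never deny SYSTEM and never deny all users.
    # Administrators is added here as an assumption, so an admin can still reverse the change.
    $protected = @{
        'S-1-5-18'     = 'SYSTEM'
        'S-1-1-0'      = 'Everyone'
        'S-1-5-32-544' = 'Administrators'
    }
    if (-not $Undo -and $protected.ContainsKey($sid)) {
        throw "Refusing to deny $($protected[$sid]) on the usbstor files."
    }

    # The same two files edited by hand (Explorer shows usbstor.inf as "usbstor"
    # when file extensions are hidden).
    $files = 'usbstor.inf', 'usbstor.PNF' |
        ForEach-Object { Join-Path $env:windir "inf\$_" }

    foreach ($file in $files) {
        if (-not (Test-Path -LiteralPath $file)) { throw "Not found: $file" }
        if ($Undo) {
            icacls $file /remove:d "*$sid"      # drop only the Deny entries for this principal
        } else {
            icacls $file /deny "*${sid}:(F)"    # Deny: Full control
        }
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $file (exit code $LASTEXITCODE)" }
    }

    # Print the resulting permissions on both files for review.
    $files | ForEach-Object { icacls $_ }
}
```

Calling Set-UsbStorDeny -Principal 'PC01\kiosk' applies the block to both files; adding -Undo removes the Deny entries for that account again.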