How to Disable USB Storage Devices on Windows, Mac, and Linux
Pinterest Stumbleupon Whatsapp
Advertisement

By now, you should know that using USB storage on your computer is a potential security risk 5 Ways Your USB Stick Can Be a Security Risk 5 Ways Your USB Stick Can Be a Security Risk USB drives are useful for so many different things, but they can be problematic and dangerous if you don't take the right precautions. Read More . Rather than risk malware infections (e.g. Trojans, keyloggers, or ransomware), it may be better to completely disable USB storage devices if your system has lots of sensitive data on it. Here’s how to do that on Windows, Mac, and Linux.

Blocking USB Storage: Advantages and Disadvantages

If you’re concerned about the potential for malware to be introduced to your computer via USB storage, then it is wise to consider disabling support. But it comes with a key disadvantage.

Most obviously, you’ll be unable to use USB storage on your computer. If you’re able to use cloud storage with ease, this shouldn’t be a problem. However, if you need a means of regularly exchanging data between two computers and the cloud isn’t an option, it might be tricky. Consider a tool like Resilio Sync to create a virtual share between PCs Syncthing or Resilio Sync: How Should You Share Files on Linux? Syncthing or Resilio Sync: How Should You Share Files on Linux? Syncthing and Resilio Sync (previously BitTorrent Sync) can sync files between your computers and require zero knowledge of how to set up a server. But which solution works best for you? Read More .

Meanwhile, blocking USB can prove to be time intensive if you don’t know what you’re doing. We’ve provided steps below for doing just that on Windows 10, Mac, and Ubuntu 18.04.

How to Disable USB Storage on Windows

Blocking USB storage on a Windows computer is straightforward. You also have several options; the first two below are for Windows 10 Home PCs.

1. Manually Edit the Registry

Begin by pressing Win + R, then enter “regedit”.

Run regedit to disable USB storage

Agree to the User Account Control message, then browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. Here, double-click Start (or right-click > Modify) and edit the value.

Disable USB Storage Devices on Windows

To disable, change the value to 4. Should you need to re-enable USB storage at any time, simply change back to 3. Click OK when you’re done.

Note that if you’re planning on making changes to the system registry, you should make a registry backup first How to Back Up and Restore the Windows Registry How to Back Up and Restore the Windows Registry Editing the Registry unlocks some cool tweaks, but can be dangerous. Here's how to back up the Registry before making changes so they're easily reversed. Read More .

2. Create a Registry Script

Alternatively, you can perform a text-based version of the same task by creating two empty TXT files in Notepad. Launch the text editor, and input

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]

"Start"=dword:00000004 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum]

"Count"=dword:00000000

"NextInstance"=dword:00000000

Save the file as disableusb.reg, taking care to ensure that the .TXT file extension has been replaced with .REG, otherwise it won’t work! Next, repeat the procedure, saving as enableusb.reg.

With the second file, make an edit to the line:

"Start"=dword:00000004 

Changing it to:

"Start"=dword:00000003 

Save the file when done. Now, whenever you need to disable USB storage, run disableusb.reg. Any devices already attached will be unaffected, however, until they’re replaced. Should you need to re-enable USB storage, use enableusb.reg. Save the files somewhere easy to remember.

Preventing others from using enableusb.reg shouldn’t be too difficult. Only an administrator account can run the file, so as long as you don’t share your profile (and keep it locked when you’re away from keyboard) it should be simple to keep secure.

3. Use Group Policy Editor

A third option is available to Windows 10 Pro and Enterprise: editing the setting for USB storage in the Group Policy Editor.

Press Win + R to start, and enter “gpedit.msc”. This opens the Group Policy Editor, where you should expand Administrative Templates > System > Removable Storage Access. In the right-hand pane, you’ll see several items that control media access on your computer. Three of these need to be enabled:

  • Removable Disks: Deny execute access
  • Removable Disks: Deny read access
  • Removable Disks: Deny write access

In turn, double-click each item and click the Enabled radio button. Click OK to confirm before moving onto the next item.

Now, whenever a USB storage device is attached, an Access is denied message will appear in Windows Explorer when you attempt to open the drive letter. To reverse this, change the three settings listed above so that each is set to Disabled.

How to Restrict USB Storage Devices on Mac

To restrict USB storage on your Mac, first use our guide to disabling System Integrity Protection (SIP).

Then open Utilities > Terminal and unload the driver.

kextunload /System/Library/Extensions/IOUSBMassStorageClass.kext/

Next, open /System/Library/Extensions and rename (or move to a safe place) IOUSBMassStorageClass.kext. A sensible rename might be to change the .KEXT extension, so you can easily find it again should you wish to re-enable USB storage.

Disable USB storage on Mac

With that done, return to the Terminal and enter:

sudo touch /System/Library/Extensions

This will delete the cache files, forcing a rebuild without reference to the renamed file. Now, USB storage devices should not be accessible when connected. Other USB devices should work without issue, however.

How to Block USB Storage Devices on Linux

Need to block USB storage on your Linux computer? Do this by opening the Terminal and using the mv (move) command to “hide” the USB driver:

sudo mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /home/user1

Now, when a USB storage device is attached, it won’t work. In short, it will remain inaccessible. Note that this would be undone in the event of a kernel update.

Or Better Yet: Control USB Access, Don’t Ban It

While USB and portable flash storage can prove a major issue, there is very little that can be done. Put simply, while USB flash storage can be password protected, this doesn’t prevent data theft, only data loss.

The only real solution is to control USB access. At home, this means making sure you don’t let anyone access your computer without your knowledge (and attention), and keep it locked when you’re not using it. In the workplace, limiting USB access to a manageable proportion of users would seem a sensible IT policy. This might mean disabling USB drive access.

For work-from-home projects and other remote working activities, where data from work is required, a dedicated private VPN is a more secure option. See our articles on why you should be using a VPN and the best and most reliable VPNs to use The Best VPN Services The Best VPN Services We've compiled a list of what we consider to be the best Virtual Private Network (VPN) service providers, grouped by premium, free, and torrent-friendly. Read More .

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. ReadandShare
    May 24, 2018 at 4:23 am

    For casual home computer users, I think these steps will suffice??

    1. Put in a BIOS (boot) password. Without password, the computer won't fully boot. As well, the computer won't boot off any USB drive at that others might stick in.

    2. Put in a Windows password (or use Win Hello face / fingerprint recognition). When you step away and Windows lock screen kicks in (either automatically or manually), sticking in a USB drive won't do anything to your computer.

    For extra safety, disable "autorun" in Windows. And sign in as standard user, not admin user.