By now, you should know that using USB storage on your computer is a potential security risk. Rather than risk malware infections (e.g. Trojans, keyloggers, or ransomware), it may be better to completely disable USB storage devices if your system has lots of sensitive data on it. Here’s how to do that on Windows, Mac, and Linux.
Blocking USB Storage: Advantages and Disadvantages
If you’re concerned about the potential for malware to be introduced to your computer via USB storage, then it is wise to consider disabling support. But it comes with a key disadvantage.
Most obviously, you’ll be unable to use USB storage on your computer. If you’re able to use cloud storage with ease, this shouldn’t be a problem. However, if you need a means of regularly exchanging data between two computers and the cloud isn’t an option, it might be tricky. Consider a tool like Resilio Sync to create a virtual share between PCs.
Meanwhile, blocking USB can prove to be time intensive if you don’t know what you’re doing. We’ve provided steps below for doing just that on Windows 10, Mac, and Ubuntu 18.04.
How to Disable USB Storage on Windows
Blocking USB storage on a Windows computer is straightforward. You also have several options; the first two below are for Windows 10 Home PCs.
1. Manually Edit the Registry
Begin by pressing Win + R, then enter “regedit”.
Agree to the User Account Control message, then browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. Here, double-click Start (or right-click > Modify) and edit the value.
To disable, change the value to 4. Should you need to re-enable USB storage at any time, simply change back to 3. Click OK when you’re done.
Note that if you’re planning on making changes to the system registry, you should make a registry backup first.
2. Create a Registry Script
Alternatively, you can perform a text-based version of the same task by creating two empty TXT files in Notepad. Launch the text editor, and enter:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum]
"Count"=dword:00000000
"NextInstance"=dword:00000000
Save the file as disableusb.reg, taking care to ensure that the .TXT file extension has been replaced with .REG, otherwise it won’t work! Next, repeat the procedure, saving as enableusb.reg.
With the second file, make an edit to the line:
"Start"=dword:00000004
Changing it to:
"Start"=dword:00000003
Save the file when done. Now, whenever you need to disable USB storage, run disableusb.reg. Any devices already attached will be unaffected, however, until they’re replaced. Should you need to re-enable USB storage, use enableusb.reg. Save the files somewhere easy to remember.
Preventing others from using enableusb.reg shouldn’t be too difficult. Only an administrator account can run the file, so as long as you don’t share your profile (and keep it locked when you’re away from keyboard) it should be simple to keep secure.
3. Use Group Policy Editor
A third option is available to Windows 10 Pro and Enterprise: editing the setting for USB storage in the Group Policy Editor.
Press Win + R to start, and enter “gpedit.msc”. This opens the Group Policy Editor, where you should expand Administrative Templates > System > Removable Storage Access. In the right-hand pane, you’ll see several items that control media access on your computer. Three of these need to be enabled:
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
In turn, double-click each item and click the Enabled radio button. Click OK to confirm before moving onto the next item.
Now, whenever a USB storage device is attached, an Access is denied message will appear in Windows Explorer when you attempt to open the drive letter. To reverse this, change the three settings listed above so that each is set to Disabled.
How to Restrict USB Storage Devices on Mac
To restrict USB storage on your Mac, first use our guide to disabling System Integrity Protection (SIP).
Then open Utilities > Terminal and unload the driver.
Next, open /System/Library/Extensions and rename (or move to a safe place) IOUSBMassStorageClass.kext. A sensible rename might be to change the .KEXT extension, so you can easily find it again should you wish to re-enable USB storage.
With that done, return to the Terminal and enter:
sudo touch /System/Library/Extensions
This will delete the cache files, forcing a rebuild without reference to the renamed file. Now, USB storage devices should not be accessible when connected. Other USB devices should work without issue, however.
How to Block USB Storage Devices on Linux
Need to block USB storage on your Linux computer? Do this by opening the Terminal and using the mv (move) command to “hide” the USB driver:
sudo mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /home/user1
Now, when a USB storage device is attached, it won’t work. In short, it will remain inaccessible. Note that this would be undone in the event of a kernel update.
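The kernel-update caveat can be checked rather than remembered. The following is an added example, not part of the original article: one shell function audits every installed kernel under /lib/modules for the usb-storage module, and a second checks whether the driver is already loaded in memory. The function names, kernel version strings, and sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Linux host for the usb-storage driver.
# Paths are parameters so the functions can run against a constructed tree.

# Print "<kernel> present <path>" or "<kernel> absent" for every kernel under
# ROOT (default /lib/modules). Returns 1 if any kernel still ships the module.
audit_usb_storage() {
    root="${1:-/lib/modules}"
    rc=0
    for kdir in "$root"/*/; do
        [ -d "$kdir" ] || continue
        ver=$(basename "$kdir")
        found=""
        # Match usb-storage.ko and compressed variants such as .ko.xz or .ko.zst
        for mod in "$kdir"kernel/drivers/usb/storage/usb-storage.ko*; do
            if [ -e "$mod" ]; then found="$mod"; fi
        done
        if [ -n "$found" ]; then
            echo "$ver present $found"
            rc=1
        else
            echo "$ver absent"
        fi
    done
    return "$rc"
}

# Return 0 if usb_storage is loaded, reading FILE (default /proc/modules).
# A module already in memory keeps working after its .ko file is moved.
usb_storage_loaded() {
    grep -q '^usb_storage ' "${1:-/proc/modules}"
}

# Constructed sample: 4.15.0-20 had the module moved away, then a kernel
# update installed 4.15.0-99 with a fresh copy of the driver.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/4.15.0-20-generic/kernel/drivers/usb/storage"
    mkdir -p "$t/4.15.0-99-generic/kernel/drivers/usb/storage"
    : > "$t/4.15.0-99-generic/kernel/drivers/usb/storage/usb-storage.ko"
    echo "$t"
}

sample=$(make_sample_tree)
audit_usb_storage "$sample" || echo "usb-storage is still installed for at least one kernel"
rm -rf "$sample"
```

On a real system, call audit_usb_storage with no argument after each kernel update, and usb_storage_loaded to confirm the driver is not still resident from before the file was moved.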
Or Better Yet: Control USB Access, Don’t Ban It
While USB and portable flash storage can prove a major issue, there is very little that can be done. Put simply, while USB flash storage can be password protected, this doesn’t prevent data theft, only data loss.
The only real solution is to control USB access. At home, this means making sure you don’t let anyone access your computer without your knowledge (and attention), and keep it locked when you’re not using it. In the workplace, limiting USB access to a manageable proportion of users would seem a sensible IT policy. This might mean disabling USB drive access.
For work-from-home projects and other remote working activities, where data from work is required, a dedicated private VPN is a more secure option. See our articles on why you should be using a VPN and the best and most reliable VPNs to use.